Smart Card issues

Hey. Came across a computer issue at work and wanted the opinion of some guys who deal with computer security often.

I work for "Uncle Sam" and as part of my job I use a Smart Card to log onto my workstation. This card contains several certificates I used for authentication when accessing certain government sites, and for sending emails. When I left work last Thursday everything was fine. Coming into work on Friday my system read my card at the logon screen and told me "no valid certificates found". This puzzled me, so I tried my card in the other external reader, (all our system have two USB connected readers) and it also proclaimed my card was empty. Hopping into the cube next to me I was able to log on and work just fine. It read all my certs when I checked the card with our software we use called ActivClient. It showed all my certs.

Anyone else can use their cards through either reader on my original system and get on with no issues. While they were on I put my card in the free reader and my original machine once again showed no certs in ActivClient. After fiddling with it for ten minutes the guy from IT said they would have to reimage it. (Their most common fix to problems they can't explain or don't understand is to wipe and redo) Given that I have multiple certifications, and am just as smart as the IT guy, (my job involves tech support phone calls) I decided to see if I could figure out wjhy my machine is boycotting my card. I'm looking for any thought, no matter how valid.

I have not modified the registry or added any software. (most of this is blocked to us, since a person in our call center did something he shouldn't have and we all got restricted because of it). All I do between calls is write and make spreadsheets for stuff I do outside of work.

Thanks for suggestions,

Find more posts tagged with

Comments

colemic

Common Access Card (CAC) Information for home use is the definitive, quasi-official site for troubleshooting CACs and the like.

I don't work for DoD anymore so I can't really help but I am 100% sure miltarycac has seen this before...

5502george

In active client GUI try to go to tools>advanced>publish certificates to windows & pub to GAL

bermovick

My CAC frequently gives me errors first thing in the morning, or after I've been away for a while - either the 'no certificates found' or some type of 'not a valid card' error. I've never had it fail a second time after removing and re-inserting it though, so I always assumed it just didn't read correctly.

cruwl

Could be the hardware, try swapping a good known reader and plug it into your system. Had to do this several times when i use to TS CACs.

The_Riskbreaker

Some notes from the past few days.

We took the CAC reader from the machine I currently use and hooked it up. It still says my card has no valid certs. (Again, my card works to log onto any other machine in my call center) The local IT guy has wiped my profile from the machine and eliminated any trace of my user. Yet it still gives the error to my card and not others. If you log in with another person's card and put my card in the other reader ActivClient shows no certs on the card. It appears as if there is some registry entry or file somewhere that is telling the machine if Johnny Q. Bravo's CAC is inserted to give this error or display nothing. Said IT guy is one step away from reimaging the pc. But the possiblity that two other machines in here are showing signs of this error coming up.

And yes, we're like a million reboots into it, and we reinstalled ActivClient with no change. And I published my certs to the GAL when I first started to use the machine a year ago.

colemic

So, from what you have said so far:

on your machine, doesn't work for you, does for other users -> not the card reader

your card works on other systems -> not your card

all that leaves is something hosed on the profile.

Can you hook up a 2nd reader, have someone else log on, and then look at the card in active client and see if it recognizes the certs? Or is that what you already tried?

I know we aren't helping much but we are trying...

The_Riskbreaker

You guys are more helpful than you know. It's like Dr. House, who uses his interns to bounce ideas off of them to come up with a solution.

If someone else logs in and then we use the pc's second card reader (which has been tested and shown to work) to read my card, ActivClient shows nothing on it. It believes the card is empty, just like the error at login says. The local IT guy and me believed as you do that it is a profile issue, so he's been wiping every trace of me from the system. To my knowledge he wiped my profile. Yet it still gives the error. So we're thinking it's a file somewhere that we don't know about causing the issue.

The_Riskbreaker

I got logged onto my machine, in a sort-of-working way. It fails to load my user profile. (we use network profiles for desktop icons, documents, etc...) Sometimes I cannot log on because it says the user profile service failed to start and it brings back the logon screen. If I get in Windows says it logged me on with a temporary profile. I never get a "Users" folder created on the C drive, nor does it load any profile settings. The mapped drive this stuff is on is visible and can be accessed with no issues. Me and the IT guy are still trying to crack it out.

redz

This may be a stupid question, and I apologize in advance if it is, but have you taken a look at the Microsoft knowledge base?

I found this article on there right off: You receive a "The User Profile Service failed the logon

Nolnoc

I know this thread is a few years back, but I have hit the exact same problem at work. My card works fine in every computer accept mine, does not register on mine if someone else logs on and we use an external card reader (verified to log me on to another computer before moving to mine)...

I see that originally you found a way to get onto your system, mostly right now I am looking to just backup my C: drive before they take my computer away for replacement.

Any suggestions much appreciated, no matter how backdoor or boondogle.

MTciscoguy

Nolnoc wrote: »

I know this thread is a few years back, but I have hit the exact same problem at work. My card works fine in every computer accept mine, does not register on mine if someone else logs on and we use an external card reader (verified to log me on to another computer before moving to mine)...

I see that originally you found a way to get onto your system, mostly right now I am looking to just backup my C: drive before they take my computer away for replacement.

Any suggestions much appreciated, no matter how backdoor or boondogle.

Are you trying to do this covertly? or is it within company rules to back your own computer up before replacement? When I worked in the Military, we used to disable the card readers on many computers so people couldn't back them up, there were only certain people authorized to retrieve data from many of the computers. If I were in your position, I would nose around and figure out if I was breaking any rules by taking the data off of the business computer, because the data on that computer belongs to the company.

You should never use a business owned computer for personal data.

xmarine2847

I realize this post is three years old, but I had to add my 2 cents.

Your card isn't/wasn't reading because it has been corrupted or the PKI chip is/was damaged.
It worked in another reader once or twice (if at all) because reasons... (anomaly, cached credentials, Dr. Pepper was spilled on your PKI chip corroding the smudges just enough to temporarily allow a reader to work before completely crapping out).
The smart card needs to be replaced, it is not a machine issue.
You logged into a TEMP profile after the initial deletion of your User profile from the machine because the folder was removed but the registry key for your profile (HKLM\Software\Microsoft\WindowsNT\CurrentVersion\ ProfileList) wasn't deleted.
The above causes the same issue w/ the User Profile service failing the logon error.

Have a nice day.

scaredoftests

Try swapping the reader. Sometimes I have issues with my card(s). Especially in the mornings..

surf89

I know this is old but has popped up a couple of times. I found a fix today.

Problem: User could not login to his machine Error message: "no valid certificates found"
Customer is able to use his CAC on any other system. Other users can login to this system without any issues. ID Cards said card was fine.

Solution: Login with admin account, open active client, tools, advanced, forget state of all cards.

User with problem ID card can now login.

Hope this saves someone time in the future.

ITSpectre

Another way to fix it is have the certificates re loaded onto the card then try to login... I have seen that happen where once they reload the certs it allows them to login.

ITSpectre

5502george wrote: »

In active client GUI try to go to tools>advanced>publish certificates to windows & pub to GAL

I cant tell you how many times I have had to do this.... and also when you re-publish to the GAL you want to remove all the certs from IE then republish to windows and the GAL

and when you re-publish to the GAL you want to make sure that the security and the digital ID are the right ones and then you are good

SaSkiller

OP, occasionally CACs do get jacked up and "loose" their certs, just go to your local PKI authority and they will diagnose the issue and restore your certs or have you go to the CAC center.

ITSpectre

AND not only do they loose their certs... people will add new certs and forget to take the old certs off. So they have about 7 certs on their CAC....

ITSpectre

In my experience of this problem (dont work with the DoD anymore but its still in my head)

You may as well get a new machine or have your machine reimaged. If you can log on on different machines and have no issues, then its not a CAC problem, it is a PC problem. You also stated you tried different card readers and that did not work. The next step would be to have your certs put on your card again at DEERS... if that did not work but you were still able to have your CAC registered on different PC's but only your PC would not read your CAC, then its a machine issue... not a CAC issue. If it was a CAC issue then you would not be able to login to ANY PC at all.... also you are able to login so your account in ADUC is enabled and your DoD ID # is already registered in ADUC. So the best course of action is to get your PC reimaged.

suttonX

I know this is a dated topic but there's a pretty easy fix to this, you don't have to go into the weeds as some other replies have suggested.

Issue: one specific computer says no valid certificates for one specific user. All other users and computer combinations are fine, so it's not an issue with the reader or the user's CAC.

Fix: any other user that is able to log on to the specific device (admin not required) should do so. Once they are in, they should open ActivClient Agent via the system tray. Then they should click Tools -> Advanced -> Reset Optimization Cache.

They can then log out and the user's card will be recognized.

Source: I am a Navy/Marine Corps Intranet Field Services Technician that routinely does this fix for this very issue