7.1 Troubleshooting
This section provides troubleshooting information.
7.1.1 Checking the status of the TPM
The TPMInterrogator utility is provided with the MyID software; it interrogates the TPM and reports its current status. Instructions are provided in the documentation supplied with the utility. The utility reports the flags that determine whether the TPM can be used for VSC issuance.
The most important flags to be checked are:
- IsReady: True
- IsEnabled: True
- IsOwned: True
If any of these flags is False, the TPM cannot be issued a VSC. (But see also the information on "reduced functionality" in section 3.2.1, Preparing the TPM for use.)
Additional flags are also reported by this utility, but their interpretation is more complex. If these three flags are set correctly and you still receive errors when issuing VSCs, include the full output of the utility in support requests to Intercede.
7.1.2 Checking MyID Audit and System Event records
During issuance of a VSC, MyID records information about the process in the audit trail. This includes details of the TPM status checks made and the status of each action taken during the issuance process.
Information about a specific issuance can be found by searching the audit trail using the device's full computer name as the search criterion in the 'Extended Details' search field.
7.1.3 Reduced functionality
If you have enabled the Allow virtual smart card creation with TPM reduced functionality configuration option, MyID will attempt to issue VSCs to TPMs with a status of "reduced functionality". See section 3.2.1, Preparing the TPM for use for details.
If you experience any problems issuing or managing VSCs on TPMs with this status, or if TPMs are reporting different statuses in the MyID Audit trail, contact customer support quoting reference SUP-269.
7.1.4 Diagnosing problems occurring during issuance
- MyID or the client has not been configured to issue VSCs
If MyID has not been configured to issue VSCs, or you are attempting to use a client operating system that is not supported for issuing VSCs, you may see the following generic error in the Self-Service App:
Virtual Smart Card issuance is not allowed. Issuance cannot continue.
The MyID audit trail provides additional information to identify the reason for the error.
- Root Transaction Error
If you see an error similar to the following:
<ErrorCode>-2147164158</ErrorCode><Message>The root transaction wanted to commit, but transaction aborted (Exception from HRESULT: 0x8004E002)</Message>
HRESULT 0x8004E002 is the COM+ result CONTEXT_E_ABORTED; in this context it is usually caused by the COM+ transaction timing out. As a workaround, increase the COM+ transaction timeout. See section 6.6, Setting the COM+ transaction timeout for details.
- Error caused by witnessing
If you see an error similar to the following:
You do not have permissions to witness this operation
when canceling a VSC, this is caused by having the Validate cancellation option set in the credential profile. Currently, you cannot use a credential profile for VSCs if it has the Validate cancellation option set. See section 6.4, Setting up a credential profile for VSCs for details of setting up a credential profile for VSCs.
- Error caused by incorrect Active Directory schema or insufficient privileges
If a client group policy is set to back up the TPM owner information to Active Directory, but the Active Directory schema has not been extended or the client does not have permission to write to its own computer object, you may see the following error (HRESULT -2147467259 is 0x80004005, E_FAIL):
<Error> <number>-2147467259</number> <description>TPM not ready 0x00044000 ------------------------- Exception raised in function: Tpm::Check::Exists In file .\Check.cpp at line 64 </description> </Error><TPM>0</TPM>
To give the client permission to write to its own Active Directory computer object:
- In the Active Directory Users & Computers console, select the appropriate domain and find the Windows client under the Computers container (or the OU that holds it).
- Open the properties dialog for the client machine and click the Security tab.
- Under Group or user names, select SELF.
- Under Permissions for SELF, select Full control.
Full control is broader than the TPM backup needs; treat it as a troubleshooting step, and once the backup is confirmed working, narrow the grant to the write access the backup actually requires if your directory security policy demands it.
To correct the Active Directory schema, see the Schema Extensions for Windows Server 2008 R2 to support AD DS backup of TPM information from Windows 8 clients article on Microsoft TechNet.
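As an added example (not Intercede's or Microsoft's code), the following PowerShell script performs the same check and grant from the command line, so it can be scripted across a fleet and audited. It assumes the ActiveDirectory RSAT module (and its AD: drive) is available, that the caller may modify the computer object's security descriptor, and uses the placeholder computer name 'WS-TPM-01'. The default grant matches the procedure above (Full control); the -AttributeOnly switch instead limits SELF to reading and writing the ms-TPM-OwnerInformation attribute, a narrower grant that is an assumption here: whether it is sufficient for your clients depends on which TPM backup schema they use, so verify it against the Microsoft article referenced above.

```powershell
# Added example: inspect and grant SELF access on a computer object for TPM backup.
# Not part of the MyID product. ActiveDirectory module and AD: drive assumed.
Import-Module ActiveDirectory

# Well-known SID S-1-5-10 is SELF (the computer account acting on its own object).
$selfSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-10'

function Get-TpmSelfAce {
    param([Parameter(Mandatory)][string]$ComputerName)
    $dn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

function Grant-TpmSelfAccess {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Default: Full control (GenericAll), as in the documented procedure.
        # -AttributeOnly: ReadProperty/WriteProperty on ms-TPM-OwnerInformation only
        # (assumed sufficient; verify against the Microsoft schema article).
        [switch]$AttributeOnly
    )
    $dn   = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    if ($AttributeOnly) {
        # Look up the attribute's schemaIDGUID so the ACE is scoped to that property.
        $schemaNc = (Get-ADRootDSE).schemaNamingContext
        $attr = Get-ADObject -SearchBase $schemaNc `
                             -LDAPFilter '(lDAPDisplayName=ms-TPM-OwnerInformation)' `
                             -Properties schemaIDGUID
        if (-not $attr) {
            throw 'ms-TPM-OwnerInformation is not in the schema; apply the TPM schema extension first.'
        }
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $selfSid,
            [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            [System.Security.AccessControl.AccessControlType]::Allow,
            [guid]$attr.schemaIDGUID)
    } else {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $selfSid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
            [System.Security.AccessControl.AccessControlType]::Allow)
    }
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# Usage (placeholder computer name): show current SELF ACEs, grant, show again.
Get-TpmSelfAce -ComputerName 'WS-TPM-01'
Grant-TpmSelfAccess -ComputerName 'WS-TPM-01' -AttributeOnly
Get-TpmSelfAce -ComputerName 'WS-TPM-01'
```

Run Get-TpmSelfAce first and keep its output: it tells you whether the failing client genuinely lacks the ACE, or whether the real cause is the missing schema extension (in which case Grant-TpmSelfAccess -AttributeOnly throws because the attribute does not exist).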
- The client does not support VSC issuance
You may see the following client message in the MyID audit trail if an attempt has been made to collect a VSC on a client that does not have appropriate middleware installed:
No service provider found
- Removing Windows 10 VSCs left behind by aborted issuance
If you click the Abort button on the Confirm Details screen when collecting a VSC, or the issuance fails for some other reason, the VSC has already been created on your device but is not known to MyID. This means you cannot use MyID to manage or delete it. The partially issued VSC must be removed by removing its VSC driver. For more information, contact customer support, quoting reference SUP-192.
- An enabled TPM is required to continue
MyID performs a pre-check to verify that the client is correctly configured to issue the VSC. This generic error is displayed if the pre-check fails. Check the audit log to identify the reason for the failure:
  - Could not establish a connection to the Windows Integrated Service
  Check that the MyID Windows Integrated Service is running.
  - Check TPM Failed. TPM is not enabled
  The client does not have a TPM device or the TPM is disabled. Use the MyID TPM Interrogator Utility to check the TPM status on the client.
  - Check TPM Failed. TPM has not reached reduced functionality state
  The TPM on the client is enabled but it is not in a state in which it can be issued a VSC. See section 3.2.1, Preparing the TPM for use for details.
  - Pipe is broken
  This error may be raised if the MyID Windows Integrated Service has been installed under an unsuitable user account. Check that the account the service runs as has the Log on as a service right.
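As an added example (not Intercede's code, and not the TPMInterrogator utility), the following PowerShell script reproduces the checks behind this pre-check and the flags in section 7.1.1 from the client side, using only built-in tooling: the three TPM flags via the Get-Tpm cmdlet and the Win32_Tpm WMI class, the state and log-on account of the integrated service, and whether that account holds the Log on as a service right (SeServiceLogonRight, the cause of "Pipe is broken"). The service display-name pattern and the temporary file path are assumptions; run it from an elevated prompt, and attach the JSON it produces to a support request if the flags look right but issuance still fails.

```powershell
# Added example: client-side pre-flight check for VSC issuance. Not part of MyID.
# Requires an elevated prompt (Get-Tpm and secedit need administrator rights).

function Get-VscTpmStatus {
    $tpm = Get-Tpm -ErrorAction Stop
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # The same three flags the TPMInterrogator reports, under Get-Tpm's names.
    $flags = [ordered]@{
        IsReady   = [bool]$tpm.TpmReady
        IsEnabled = [bool]$tpm.TpmEnabled
        IsOwned   = [bool]$tpm.TpmOwned
    }
    [pscustomobject]@{
        TpmPresent     = [bool]$tpm.TpmPresent
        Flags          = $flags
        AllFlagsTrue   = -not (@($flags.Values) -contains $false)
        RestartPending = [bool]$tpm.RestartPending   # set after enable/clear until reboot
        LockedOut      = [bool]$tpm.LockedOut        # anti-hammering lockout; PIN operations fail
        SpecVersion    = $wmi.SpecVersion            # starts '1.2' on the TPM 1.2 parts discussed in 7.1.5
        ManufacturerId = $tpm.ManufacturerId
    }
}

function Get-VscIntegratedServiceStatus {
    # Pattern is an assumption; it matches both spellings used in this document.
    param([string]$DisplayNamePattern = '*MyID*Windows Integrat*')

    $svc = Get-CimInstance -ClassName Win32_Service |
           Where-Object { $_.DisplayName -like $DisplayNamePattern } |
           Select-Object -First 1
    if (-not $svc) { return [pscustomobject]@{ Found = $false } }

    # Export the local user-rights assignment and read who holds SeServiceLogonRight.
    # secedit lists holders as *SID or as account names; LocalSystem holds it implicitly.
    $cfg = Join-Path $env:TEMP 'vsc-userrights.inf'   # assumed temp path
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    }

    $account  = $svc.StartName
    $hasRight = ($account -eq 'LocalSystem')
    if (-not $hasRight) {
        try {
            $sid = (New-Object System.Security.Principal.NTAccount($account)).
                   Translate([System.Security.Principal.SecurityIdentifier]).Value
            $hasRight = ($holders -contains $sid) -or ($holders -contains $account)
        } catch {
            $hasRight = $holders -contains $account
        }
    }
    [pscustomobject]@{
        Found             = $true
        Name              = $svc.Name
        State             = $svc.State      # 'Running' expected; otherwise "Could not establish a connection"
        Account           = $account
        HasLogOnAsService = $hasRight       # $false is the "Pipe is broken" case
    }
}

# Usage: build one report and emit it as JSON for a support request.
$report = [pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Tpm      = Get-VscTpmStatus
    Service  = Get-VscIntegratedServiceStatus
}
$report | ConvertTo-Json -Depth 4
```

Read the result in the order MyID's pre-check does: TpmPresent and the three flags first (a False there maps to the "TPM is not enabled" or "reduced functionality" audit messages), then Service.State, then HasLogOnAsService. RestartPending and LockedOut are not among the documented flags but explain cases where the flags are all True and issuance still fails until the device is rebooted or the lockout clears.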
7.1.5 General troubleshooting
- A VSC is not shown on the Windows logon screen or the MyID select card screen
If you cannot see your issued VSC when you try to log on to Windows or to MyID, there is likely to be a driver issue.
As a workaround, try restarting your PC, or disabling and re-enabling the virtual smart card reader in Device Manager.
- TPM fails to recover on waking up device from sleep mode
On some devices, the TPM does not recover after the device is woken from sleep. This has been observed particularly on devices with STM TPM 1.2 modules. While the TPM is in this state, any operation that needs TPM access (for example, creating, deleting, or authenticating with a VSC) may report an unexpected error.
If an unexpected error is reported during a VSC operation, check the state of the TPM by running tpm.msc (with elevated privileges) to verify that the TPM is available. Restart the device if the TPM is not available.
- Authenticating with the Windows Integration Service
If you see an error similar to the following:
Failed to authenticate with service
this means that the Windows Integration Service could not authenticate the application that is attempting to communicate with it. The Windows Integration Service verifies the calling application's digital signature before accepting a request, so an unsigned, re-signed, or tampered client binary is rejected. For more information, contact customer support quoting reference SUP-260.
- VSC issuance fails with TPM error code 54
This error may occur if the TPM module supports only Legacy FIPS and not WIN8 FIPS; return code 54 is TPM_NOTFIPS in the TPM 1.2 return code list. Dell Latitude Exx40 laptops with STM TPM modules are known to ship with such modules, and the issue has also been seen with ATMEL TPM modules. This setting is fixed when the TPM module is manufactured and cannot be changed.
Generation of a Microsoft VSC is supported only on TPMs configured for WIN8 FIPS; you cannot use devices in which the TPM module is configured for Legacy FIPS.
- Intermittent error when recovering a certificate to a Microsoft Virtual Smart Card
You may see an intermittent error when recovering an archived certificate to a Microsoft Virtual Smart Card on Windows 10. This is due to an issue within the Microsoft operating system that prevents some certificates from being imported into the TPM.
The issue was reported to Microsoft and has been resolved in the Windows 10 Anniversary Update. The required minimum Windows 10 version is Build 14352.
- Symptoms of TPM hardware failure
If you attempt to change the VSC PIN but the Self-Service App simply returns to the main screen without changing the VSC, or if you attempt to reset the VSC PIN in MyID Desktop but the Continue button in the Reset Card PIN workflow does nothing, you may be seeing the symptoms of a TPM hardware failure. If the problem persists, you may have to replace the TPM hardware or the motherboard.
- Problems when the computer DNS name has changed
During collection of the certificates, MyID records the computer's DNS name and stores it in the MyID database. This forms part of the audit record, and is also used to match pending certificate updates to the correct computer, because the user may hold credentials on other computers as well.
If the computer's DNS name changes, identification of any pending updates fails and the user receives no notification. In this case, you must cancel and reissue the credentials on that computer. If you require further assistance when this occurs, contact Intercede quoting SUP-330.