2 Web Service error codes

2978

Please check your configuration. If the problem occurs again, contact your administrator.

An attempt has been made to cancel a Device Identity and the user does not have permissions to create the Cancel Device Identity job.

Check that the user has the (Devices) group in their administrative groups.

Device Identity Management

10304

Invalid Entry

A certificate used during mobile provisioning contains invalid or corrupted data.

The certificate is unusable. The PFX file that the certificate was imported from is probably invalid. Source a valid PFX file and import it again.

Identity Agent Provisioning

21629

Already Issued

Issuing the current device has been prevented because the device is already issued.

If the device should not be issued to anyone, it can be canceled using the Cancel Credential workflow or Remote Cancel Credential. The Audit Reporting workflow will give details of the user that the device is already issued to.

Credential Issuance

21642

Incompatible

Issuing the current device has been prevented because the device is incompatible. It may be that a virtual smart card was selected for a credential profile that is restricted to physical smart cards, or that the inserted smart card does not support a data model assigned to the credential profile.

Try selecting a different credential profile, or using a different device. See the Audit Reporting workflow for further details.

Credential Issuance

21643

Insufficient Space

Issuing the current device has been prevented because the device has insufficient space for the required number of certificates.

Provide the user with a device that has capacity for the chosen credential profile. If the credential profile was chosen in error, request a different credential profile with fewer certificates on it. See the Audit Reporting workflow for further details.

Credential Issuance

21644

Incorrect Device

Issuing to the current device has been prevented because the request is bound to a different device.

Provide the user with the correct device, and ensure that it is this device the user is attempting to issue. See the Audit Reporting workflow for further details about the device the user used.

Credential Issuance

21645

Unsuitable Device

Issuing the current device has been prevented because the device is unsuitable.

It may be that a virtual smart card was selected for a credential profile that is restricted to physical smart cards, or that the inserted smart card does not support a data model assigned to the credential profile. Check that the selected credential profile is suitable for the device the user is trying to issue. See the Audit Reporting workflow for further details.

Credential Issuance

21646

Job Invalid

Issuing the current device has been prevented because the request is in an invalid state. Repeating the issuance may help. See the Audit Reporting workflow for further details.

Canceling the job in the Job Management workflow and repeating the issuance process should resolve this. If it does not, see the Audit Reporting workflow for further details as to the cause.

Credential Issuance

21647

Not Imported

The issuance requires that the device being issued has already been imported into the system. The presented device is unknown to the system.

The user may be attempting to issue the credentials to a foreign card. Check that device the user is attempting to issue to. Details of the device can be found in the Audit Reporting workflow.

Credential Issuance

21648

GUID is not valid.

The GUID for the provisioning job has been corrupted.

Check the email template is sending it correctly. Details can be found in the mobile documentation. If the provisioning was using a Derived Credential kiosk, try scanning the code again. If this fails, contact Intercede Support.

Identity Agent Provisioning

21776

Authentication is required to continue. Your card's issuance profile is not configured to require one.

Self-service credential activation must be configured to require at least one form of authentication. If none are configured, any attempt to self activate the credential will be blocked.

Authentication requirements can be configured in the Credential Profiles workflow.

Credential Issuance

21777

This job can not be collected as a self-service operation as it requires countersigning.

You have attempted a self-service collection of a job that requires another operator to be present for countersigning.

Select a different job, or ask an operator to collect the job with the assistance of a another operator to countersign.

Credential Issuance

30021

Adjudication requires fingerprint samples captured using a 10-Slap enrollment device. Check that you have captured new fingerprints before submitting for adjudication

Pending biometric samples that were captured using a 10-Slap enrollment device could not be found for the person.

This error may also occur if the Fingerprints identification check enabled configuration option (on the Biometrics page of the Operation Settings workflow) is not set.

Ensure that the person has pending biometric samples that were captured using a 10-Slap enrollment device, then try the action again.

Adjudication

50038

The selected credential profile is not allowed because the person that requested the job was not allowed to request this credential profile.

Validation failed because the operator does not have the correct permissions to make a request with the selected credential profile.

Try another credential profile for which the operator does have permission to create requests, or grant the operator permissions to use the credential profile. Permissions are set in the Credential Profiles workflow in MyID Desktop.

See the Working with credential profiles section in the Administration Guide for further details.

Adjudication

50039

You cannot action your own adjudications.

MyID prevents an operator from carrying out actions on their own adjudications.

Ask another operator who has the correct permissions to carry out the required actions on the adjudication for your account.

Adjudication

50041

This action cannot be performed because the user has outstanding adjudications.

MyID prevents you from carrying out this action on people who have outstanding adjudications.

Ensure that the person has adjudication records that have decision statuses that are either "Approved" or "Not Required".

Adjudication

50042

External adjudication server has not been configured

You must configure the connection to the adjudication system before you can carry out adjudication actions.

Use the External Systems workflow to create an external system entry for the adjudication server. See the Adjudication Integration Guide for details.

Adjudication

82369

The capacity limit has been reached for the system.

The action would exceed the current license capacity.

Cancel existing users or devices or obtain additional licenses.

Credential Issuance

82373

You are unable to request a replacement card, please contact your administrator.

An attempt to request a replacement card failed.

This could be due to the credential profile having prerequisite data requirements that the user doesn't fulfill.

Check that the user meets all the requirements of the credential profile.

Credential Issuance

82450

Invalid auth code for the specified job.

The presented authentication code is incorrect.

Check that the code was entered correctly. The input device may have caps lock enabled, or be set to an incorrect region. A new authentication code can be requested using the Request Auth Code workflow.

Authentication

82452

SAM Account not found

There has been a problem identifying the user's Windows credentials.

Retry the current process. If the problem persists, and there have been no changes to the network infrastructure, contact Intercede Support.

Authentication

82501

The specified mobile does not have any issued devices.

A request has been attempted to replace an Identity Agent device that contains no valid keystores. This attempt has been blocked.

The Identity agent device is in an errored state and should be re-issued. Use the Cancel Credential and Request ID workflows to achieve this. If the problem persists, contact Intercede Support.

Credential Issuance

82502

Only Identity Agent mobiles are supported.

A request has been attempted to replace a non-Identity Agent in a workflow specifically intended for Identity Agent devices. This attempt has been blocked.

Non-Identity Agent devices can be canceled using the Request Replacement Card workflow.

Credential Issuance

85080

Open Platform Keys are not defined for this device

This usually occurs when a configured GlobalPlatform keyset cannot be found in the database, or a keyset has not been configured.

Ensure GlobalPlatform keys are correctly configured for the device being issued.

Global Platform Security

85118

The 9B key for this device has not been configured or has been configured incorrectly. This needs to be corrected before issuance can continue.

The 9B key for this device has not been configured or has been configured incorrectly.

The 9B key can be configured using the Key Management workflow.

Credential Issuance

85119

The 9B key specified for this device are incorrect. This needs to be corrected before issuance can continue

The 9B key for this device has not been configured or has been configured incorrectly.

The 9B key can be configured using the Key Management workflow.

Credential Issuance

85120

The 9B key specified for this device are incorrect. This needs to be corrected before issuance can continue

The 9B key for this device has not been configured or has been configured incorrectly.

The 9B key can be configured using the Key Management workflow.

Credential Issuance

85121

The 9B key specified for this device are incorrect. Please ensure that the correct Encryption Type has been selected. This needs to be corrected before issuance can continue

The 9B key for this device has not been configured or has been configured incorrectly.

The 9B key can be configured using the Key Management workflow.

Credential Issuance

85122

The GlobalPlatform keys for this card are missing or incorrect. These need to be corrected before issuance can continue

The GlobalPlatform keys for this device have not been configured or have been configured incorrectly.

The GlobalPlatform keys  can be configured using the Manage Global Platform Keys workflow.

Credential Issuance

85123

The GlobalPlatform keys for this card are missing or incorrect. Please verify the key version. These need to be corrected before issuance can continue

The GlobalPlatform keys for this device have not been configured or have been configured incorrectly.

The GlobalPlatform keys  can be configured using the Manage Global Platform Keys workflow.

Credential Issuance

85124

There is no CHUID signing certificate configured. Please consult the product documentation

The CHUID signing certificate for this device has not been configured or has been configured incorrectly.

The certificate location is configured in the Registry of the Application server.

Credential Issuance

85125

The private key for a server signing certificate is not available. Please consult the product documentation

The server signing certificate (CHUID signing certificate or OPACITY CVC signing certificate) for this device has been configured incorrectly.

The certificate location is configured in the registry of the MyID application server. See the Setting up OPACITY section of the Smart Card Integration Guide for more details.

Credential Issuance

85126

The FASCN is invalid. Card issuance can not continue

The system has attempted to generate an identifier for the user and failed. This is usually a PIV compliant FASCN

If a FASCN is expected, the user lacks mandatory data. Please enroll the user again. Details of the missing data will be highlighted in the Audit Report. If a FASCN is not required, change the node BuildFASCN from 1 to 0 in the relevant CardProperties file.

Credential Issuance

85127

Some of the data provided is invalid. This could either be attributes of the Applicant or the Agency. Please review the details.

The system has attempted to generate an identifier for the user and failed. This is usually a PIV compliant FASCN

If a FASCN is expected, the user lacks mandatory data. Please enroll the user again. Details of the missing data will be highlighted in the Audit Report. If a FASCN is not required, change the node BuildFASCN from 1 to 0 in the relevant CardProperties file.

Credential Issuance

85128

The user's biometrics are not valid. Please check server version

The system has attempted to write biometric data to a card, but the biometric data is invalid.

Please enroll the user again. Details for each supported biometric matching library are available with this release. If the problem persists, contact Intercede Support.

Credential Issuance

85143

The card is locked and requires activation.

The system has attempted to write to a locked device

Activate the device using either the Activate Card process, or Assisted Activation workflow. Alternatively, if the card is no longer required, use the Erase Card workflow to unlock and erase the device.

Credential Issuance

85167

The key for this device has not been configured or has been configured incorrectly. This needs to be corrected before issuance can continue

The 9B key for this device has not been configured or has been configured incorrectly.

The 9B key can be configured using the Key Management workflow.

Credential Issuance

85182

The Global Platform keys for this card are missing or incorrect. These need to be corrected before issuance can continue.

The Global Platform keys for this device have not been configured or have been configured incorrectly.

The Global Platform keys  can be configured using the Manage Global Platform Keys workflow.

Credential Issuance

85184

Could not determine Windows logon credentials.

MyID is attempting to determine the Windows logon name for the connected user, but is failing to do so.

Ensure the client and the server are in the same Windows Domain

Run the following script on the web server to enable IIS to determine the identity of the connecting client:

ConfigureWindowsAuthentication.ps1

This script is installed to the Utilities folder on the MyID web server; by default, this is:

C:\Program Files\Intercede\MyID\Utilities\

Update My Device

85187

There has been a problem updating your account.

MyID has encountered an error performing the User Sync action during the Update My Device workflow.

Further details about the specific error are available in the Audit Reports workflow.

Common causes include requesting a credential profile that the user does not have permissions to receive, and requesting a credential profile that does not exist.

Update My Device

85188

Unable to connect to the authentication server

An attempt by the Process Driver web service to connect to the authentication server web service failed

This error may occur if you are using a load balancer or have multiple web servers.

In this case, carry out the following:

1. Set the IssuerUri option in the web.oauth2 application settings file.

   See the Setting the issuer in web.oauth2 section in the MyID Operator Client guide.

2. Configure a shared JWT signing key so that all instances of web.oauth2 use the same signing key.

   See the Load balancing section in the MyID Operator Client guide.

   Instead of setting the shared JWT signing key, as an alternative you can set the AuthServerUrl option in the ProcessDriver myid.config file; see the MyID Operator Client pass-through authentication with a load balancer section in the MyID Operator Client guide.

Authentication

410039

Authentication Failed

The data supplied to Logon either contained invalid data, or was missing essential data.

Further details will be available in the Audit Reporting workflow.

Authentication

410072

You cannot collect this device because your original device has expired.

A renewal cannot be collected because the device has expired.

Cancel the credential and issue a new one, or use the Request Replacement Credential workflow to request a replacement credential.

Credential Issuance

410073

Event not found

An Identity Agent Provisioning job is missing or has an invalid status.

Retry the current process. If the problem persists, and there have been no changes to the network infrastructure, contact Intercede Support.

Identity Agent Provisioning

410074

Job is invalid

An Identity Agent Provisioning job has an invalid status.

Retry the current process. If the problem persists, and there have been no changes to the network infrastructure, contact Intercede Support.

Identity Agent Provisioning

410076

The specified DN is not valid.

The DN for the user is not in a valid format and cannot be processed.

If you believe the DN is valid, you can bypass validation by setting ValidateDN to a value of false in the myid.config file, or update the user's DN.

See the DN validation section in the Web Service Architecture guide.

Credential Issuance

410077

Unable to process the DN.

The DN for the user cannot be processed into a format expected by the certificate authority.

Update the user's DN.

Credential Issuance

420000

User cannot be issued with certificates.

The system is attempting to issue a credential with X509 certificates on it to a user with no Distinguished Name. A Distinguished Name is required for certificate issuance.

The Distinguished Name can be set using a number of processes. It is set when an account is imported from an LDAP. It is set when a user is assigned to a group or agency. It can be set using Lifecycle API. Ensure that the user has a Distinguished Name set and then retry the process.

Credential Issuance

500041

You cannot renew this device at this time.

Cards can only be renewed when they are about to expire. The number of days before expiry is controlled by the configuration flag CARD RENEWAL PERIOD. The device has more days remaining than this value.

Wait until the device is within the renewal period and retry the operation. Alternatively, if the configured period is unsuitable, change the Card Renewal Period option (on the Devices page of the Operation Settings workflow) then retry the process.

Credential Issuance

500042

Existing Card found - You can not renew this device

Cards can only be renewed if there are no outstanding credential requests for a user.

Collect all outstanding requests for the user, then repeat this process. If the requests are not required, they can be canceled using the Job Management workflow. A list of the IDs can be found in the Audit Reporting workflow.

PIV Credential Issuance

500048

You cannot renew expired devices.

Cards can only be renewed when they are valid. This device has expired.

Request a replacement credential specifying a reason that is not Renewal.

PIV Credential Issuance

503000

The system could not generate a unique FASCN for this device

An attempt has been made to issue a PIV-compatible device. There was an error encountered while trying to create the FASCN. The user account may not be in a suitable state to receive a PIV-compatible credential.

Ensure that the user account has all mandatory fields and that the user is approved for card issuance. If the problem persists, contact customer support.

Credential Issuance

503001

The system could not generate a credential number for this person.

An attempt has been made to issue a PIV-compatible device. There was an error encountered while trying to create the Credential Number. The user account may not be in a suitable state to receive a PIV‑compatible credential.

Ensure that the user account has all mandatory fields and that the user is approved for card issuance. If the problem persists, contact customer support.

Credential Issuance

503002

Failed to update FASCN or credential number

An attempt has been made to update the FASCN or Credential Number on a user's record, but the logged on user lacks the relevant permissions.

This is usually caused when multiple PIV compatible cards are requested for a user, then that user collects them using a self service mechanism. If this is a use case that is required, contact Intercede Support for details on how to resolve this issue.

Credential Issuance

800528

Biometric logon is not allowed.

An attempt has been made to authenticate with biometrics, and this logon mechanism is not enabled.

Biometric logon is currently used only for resetting PINs.

See the Self-service PIN reset authentication section in the Operator's Guide.

Authentication

800529

Integrated windows logon is not allowed.

An attempt has been made to authenticate with Windows Integrated authentication, and this logon mechanism is not enabled.

Logon mechanisms are configured in the Edit Roles workflow. The logon mechanisms that you can use depend on which options you have selected on the Logon Mechanisms page of the Security Settings workflow.

See the Logon mechanisms section in the Administration Guide for details.

Authentication

800530

Token logon is not allowed.

An attempt has been made to authenticate with an OTP token, and this logon mechanism is not enabled.

Logon mechanisms are configured in the Edit Roles workflow. The logon mechanisms that you can use depend on which options you have selected on the Logon Mechanisms page of the Security Settings workflow.

See the Logon mechanisms section in the Administration Guide for details.

Authentication

800531

Device logon is not allowed.

An attempt has been made to authenticate with credentials stored on a device, and this logon mechanism is not enabled.

Logon mechanisms are configured in the Edit Roles workflow. The logon mechanisms that you can use depend on which options you have selected on the Logon Mechanisms page of the Security Settings workflow.

See the Logon mechanisms section in the Administration Guide for details.

Authentication

800532

Password logon is not allowed.

An attempt has been made to authenticate with passphrases, and this logon mechanism is not enabled.

Logon mechanisms are configured in the Edit Roles workflow. The logon mechanisms that you can use depend on which options you have selected on the Logon Mechanisms page of the Security Settings workflow.

See the Logon mechanisms section in the Administration Guide for details.

Authentication

800533

Unknown Device Inserted

A user has attempted a self-service operation with a device that was not issued by the system.

Issue the user a new device and repeat the process.

Biometric Logon

800538

Passphrase Logon is not allowed.

An attempt to authenticate to MyID with passphrases whilst passphrase authentication is disabled. This attempt has been blocked.

Ask the user to authenticate with a device instead of passphrases.

Authentication

800540

An error occurred attempting to retrieve data from the MyID Server

The system has reported that there are no enabled authentication mechanisms available for self-service operations.

Contact Intercede Support.

PIV Self Service

800548

Your card has not been issued and can't be used to logon.

The device that is attempting to logon has not been issued.

The user may not have collected their issuance job yet. If no issuance job exists, or it has been canceled, a new request can be made using the Request Card workflow.

Authentication

800549

Your card is disabled and can't be used to logon.

The device that is attempting to logon has been disabled.

Use the Enable / Disable Credential workflow to enable it. If this is unexpected, see the Audit Reporting workflow for the initial issuance of the device, or the Identify Credential workflow for a history of actions against the device.

Authentication

800550

You do not have sufficient privileges to perform this operation.

Please contact your administrator.

An attempt has been made to start an operation to which you have not been granted permissions.

Use the Edit Roles workflow to grant the appropriate permissions to the required workflow.

All

800551

Logon Denied.

An attempt has been made to log in and that attempt has failed.

Ensure the correct passphrases have been entered. By default passphrases are case sensitive. If the authentication was with a device, ensure the device is enabled.

This situation may also occur on an upgraded MyID system where users have SHA1 passwords and the administrator has set the Use Security Phrase algorithm version 2 configuration option. In this case, follow the instructions for Upgrading security phrase security in the Installation and Configuration Guide.

This error may also occur if the user attempts to log on with an expired smart card or logon code, or attempts to log on with a disabled user account.

This error may also occur if you are using Integrated Windows Logon and your system is not configured correctly; for example, if the SystemAccounts.Domain field has not been updated from LDAP.

This error may also occur if you have a misconfigured UDL file for database connectivity.

This error may also occur if you have attempted to use Integrated Windows Logon with a user in the Active Directory group Protected Users.

As this error may have a variety of causes, you are recommended to try using the System Interrogation Utility to investigate further.

Authentication

800552

You cannot logon using this card.

An attempt has been made to log in with a disabled device. This attempt has been blocked.

This may also occur if the card has been issued without MyID Logon capabilities.

Details of the disabled device can be found in the Audit Reporting workflow. Devices can be enabled using the Enable / Disable Credential workflow.

Authentication

800554

Activation requires assistance.

The credential profile is set up for assisted activation. You cannot use self-service activation for this device.

If the device is intended to be activated using a self-service method, you must edit the device's credential profile to allow self collection.

If the device is intended to be activated using assisted activation, use the Assisted Activation workflow to activate the device.

Authentication

800560

Self-Service Unlock not allowed

A self-service PIN reset has been initiated and the instance of the MWS server is not configured to allow self-service operations.

This applies only to PIV installations.

PIV Self Service

800564

Self-Service Unlock not allowed

A self-service PIN reset has been initiated and MyID is not configured to allow self-service operations.

This error may also occur if the card has been assigned, but not yet issued, and the cardholder attempts to reset the PIN.

See the Allowing self-service unlocking section in the Operator's Guide for details of setting up your system for self-service unlocking.

Make sure the card has been issued before attempting to reset the PIN.

Self Service

800590

The Certificate Policy is disabled and cannot be issued.

An attempt has been made to issue a disabled certificate policy.

Select an alternate credential profile that does not contain a disabled certificate policy. This error may occur when attempting to issue a new instance of an unmanaged certificate. Unmanaged certificates should be set for historic recovery only in the Credential Profiles workflow.

Credential Issuance

800591

The Certificate Policy is Unmanaged and the user has not had a corresponding certificate imported.

An attempt has been made to issue a Credential Profile to a user that contains an unmanaged certificate. The user has no valid imported unmanaged certificates.

If the credential profile uses the Use Existing option, check that the unmanaged certificate has not expired; this configuration requires a valid certificate.

Either issue a different Credential Profile (one without an unmanaged certificate, or, in the case where the certificate has expired, with the Historic Only option selected for the unmanaged certificate, which will not check the expiry date) or upload a valid certificate for the user; you can use the Upload PFX Certificates workflow to upload a certificate.

Identity Agent Provisioning

800600

iOS OTA Organisation is mandatory

An attempt has been made to issue an iOS device, but the Organisation field has not been configured.

This can be set in the Operation Settings workflow, under the Certificates tab. See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Identity Agent Provisioning

800601

iOS OTA Credential Profile is mandatory

An attempt has been made to issue an iOS device, but the OTA Credential Profile has not been configured.

This can be set in the Operation Settings workflow, under the Certificates tab. See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Identity Agent Provisioning

800602

iOS OTA Credential Profile not found

An attempt has been made to issue an iOS device, but the configured OTA credential profile is either incorrect, or the user lacks permissions to retrieve.

This can be set in the Operation Settings workflow, under the Certificates tab. The value is case sensitive. See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Identity Agent Provisioning

800603

iOS OTA Credential Profile has to be MachineIdentity

An attempt has been made to issue an iOS device using an OTA Credential Profile that is not configured to have the Device Identity capability.

The credential profile can be modified in the Credential Profiles workflow. See the Setting up iOS OTA provisioning section in the Mobile Identity Management document for details.

Identity Agent Provisioning

800610

The requested image was not found: {0}

An image that is present in a card layout cannot be found.

Ensure the value in Image Upload Server on Operation Settings on the Video tab is resolvable by both the client and the server, and is correct. If it is, check to see if the image is actually in the location specified, and restore it if it is not.

Identity Agent Provisioning

800630

Biometrics are required

An attempt has been made to collect a device update for a credential profile that requires biometric authentication, but the device owner has no credentials enrolled.

To collect the update, the user must enroll biometrics. Alternatively, configure the credential profile to have a biometric requirement of either Never or Preferred.

Authentication

800611

The requested image timed out: {0}

There has been a network issue retrieving an image used in a card layout.

Ensure the value in Image Upload Server on Operation Settings on the Video tab is resolvable by both the client and the server, and is correct. If it is, check to see if the image is actually in the location specified, and restore it if it is not.

Identity Agent Provisioning

881043

User account is disabled

A user with a disabled account has attempted to perform a security phrase logon to the system. This attempt has been blocked.

User accounts can be enabled using the Edit Person workflow.

Authentication

881044

The user account is locked.

A user without security phrases set has attempted to perform a security phrase logon to the system. This attempt has been blocked.

This error may also occur if you have attempted to use Integrated Windows Logon, and this has failed (possibly because the user is in the Active Directory group Protected Users, or because the fields SAMAccountName and Domain are not be stored in MyID) and MyID has attempted to fall back to logon with security phrases, which is not configured for use.

Security phrases can be set either using the Change Security Phrases or Change My Security Phrases workflows.

See the Logon using security phrases and Integrated Windows Logon sections in the Administration Guide for details of configuring logon with security phrases and Integrated Windows Logon.

Authentication

881045

User not found.

The attempt to retrieve a users details, possibly from a connected LDAP system, has failed.

Check that the user exists in the database. The account may have been removed during a process. If the account is linked to an LDAP, check the LDAP permissions for the MyID system accounts. The Audit Reporting workflow may be able to assist with diagnosing the problem.

User Management

881046

Biometrics configuration problem

The libraries for biometric matching on the server have failed to load.

Ensure the software is installed and the correct library selected in the Operation Settings workflow. Details for each supported biometric matching library are available in the integration guides provided with MyID.

Authentication

881048

User has no devices.

An operation has been initiated to perform an action on a user's credential. The selected user does not have any credentials.

The user's credentials may have been canceled prior to this operation. Check the Audit Reporting workflow for a history of the user's credentials.

Credential Maintenance

881055

You have no devices. Please contact your administrator.

The user has requested a self-service operation on a credential they own. They do not have any credentials.

The user's credentials may have been canceled prior to this operation. Check the Audit Reporting workflow for a history of the user's credentials.

Self Service Operations

881056

You have no devices that are available for replacement. Please contact your administrator.

The user has requested that a credential they own be replaced. They do not have any credentials.

The user's credentials may have been canceled prior to this operation. Check the Audit Reporting workflow for a history of the user's credentials.

Self Service Operations

881057

The user account is locked.

A user with a locked account has attempted to perform a password logon to the system. This attempt has been blocked.

User accounts can be unlocked using the Unlock Security Phrases workflow.

Authentication

881058

Target is not approved to issue a Machine Identity.

The credential profile is configured to require that the recipient is approved before issuance can occur.

For information on approving users, see the Setting the User Data Approved flag section in the Administration Guide. Alternatively, this restriction can be removed using the Credential Profiles workflow.

Device Identity Management

881059

The user account data must be approved before credentials can be issued or updated. Please contact an Administrator.

The credential profile is configured to require that the recipient is approved before issuance can occur.

For information on approving users, see the Setting the User Data Approved flag section in the Administration Guide. Alternatively, this restriction can be removed using the Credential Profiles workflow.

Credential Issuance

881061

The person has no activate authentication code configured.

An Activation code is required, but there are no activation codes assigned to the user.

Activation codes can be requested using the Request Auth Code workflow.

Authentication

881062

The person has no unlock authentication code configured.

An unlock code is required, but there are no unlock codes assigned to the user.

Unlock codes can be requested using the Request Auth Code workflow.

Authentication

881063

The person has no logon code configured.

A logon code is required, but there are no logon codes assigned to the user.

Authentication and Unlock codes can be requested using the Request Auth Code workflow.

Authentication

881064

User has no Logon Code.

An attempt has been made by a user to perform a Logon Code authentication, but the account has no logon codes assigned to it.

Logon Codes can only be used once. If new codes are required, the workflow Request Auth Code can be used to handle this. Alternatively, repeat the process.

Logon

881065

You have insufficient security phrases configured.

An attempt has been made by a user to perform a Passphrase based authentication, but the account has insufficient passphrases to meet the current security setting. Additionally, the user does not have access to the configured workflow allowing them to set additional passphrases.

If the intent is to allow the user to authenticate, and then set their own passphrases, ensure the user has permissions to Change My Security Phrases then change the Set Security Phrase at Logon option (on the Logon tab of the Security Settings workflow) to 1,110.

Authentication

881068

Your authentication code has expired.

The user's authentication code has expired and so they cannot authenticate.

The user will need to be issued a new authentication code.

Authentication

881100

Virtual smart card issuance cannot continue

An attempt has been made to issue a virtual smart card on a system but one of the following may apply:

• Virtual smart card support is disabled on the system.
• Attempt to generate the virtual smart card has failed.
• The client operating system is not supported for VSCs.

To issue the device you must:

• Enable virtual smart card support in the Operation Settings workflow.
• Ensure that the TPM on the device is in a state to allow generation of a virtual smart card.
• Make sure the client operating system meets the requirements in the Intercede VSC documentation.
• The number of smart cards connected to the device does not exceed the maximum limit of 10.

Credential Issuance

881101

Credential profile can only be issued to a virtual smart card. Issuance cannot continue.

The selected credential profile can only be issued to a virtual smart card. The user has presented a device that is not a virtual smart card.

Review your issuance process. Credential profile restrictions can be managed in the Credential Profiles workflow.

Credential Issuance

881102

Credential profile cannot be issued to a virtual smart card. Issuance cannot continue.

The selected credential profile cannot be issued to a virtual smart card. The user has presented a virtual smart card.

Review your issuance process. Credential profile restrictions can be managed in the Credential Profiles workflow.

Credential Issuance

881104

There has been an error deleting the virtual smart card.

An attempt to delete a virtual smart card remotely has failed

Contact Intercede Support.

Credential Termination

881106

Virtual smart card support is disabled, cancellation cannot continue.

An attempt has been made to cancel a virtual smart card on a system that has virtual smart card support disabled

To cancel the device you must enable virtual smart card support in the Operation Settings workflow.

Credential Termination

881116

Failed to sign the terms and conditions.

You have attempted to recover certificates to a device with terms and conditions that need to be signed, but the device does not already contain a signing certificate. You must have a signing certificate to allow you to sign the terms and conditions.

If you want to issue a new device with recovered certificates, and have Terms and Conditions cryptographically signed in the same process, you can use the following workaround:

1. Issue a new device for the purpose of key recovery, using a credential profile that contains a signing certificate first (with no key recovery specified).

2. Follow the process to request key recovery to an existing card.

3. Collect the key recovery to the device you have just issued. You can now sign the acceptance of the terms and conditions using the signing certificate already on the device.

Credential Issuance

881117

Virtual smart card creation failed, please contact your administrator.

An attempt has been made to issue a virtual smart card on a system but one of the following may apply:

• Attempt to generate the virtual smart card has failed.
• The client operating system is not supported for VSCs.

See the Audit Report workflow for further details.

To issue the device you must:

• Make sure that the TPM on the device is in a state to allow generation of a virtual smart card.
• Make sure the client operating system meets the requirements in the VSC integration guide.
• Make sure the number of smart cards connected to the device does not exceed the maximum limit of 10.

Credential Issuance

890019

Temporary card profile not found in configuration

A fixed temporary credential profile has been configured, but the configuration references a credential profile that does not exist.

Use the Operation Settings workflow to ensure that the value specified in the Temporary Credential Profile Name matches the intended temporary credential profile exactly. The match is not case sensitive.

Credential Issuance

890020

Insufficient permissions to access card profile.

The system has been configured to use a single, static credential profile for temporary replacement actions, but the user does not have permission to receive it.

Use the Credential Profiles workflow to configure the roles that are allowed to receive the temporary credential profile.

Credential Issuance

890042

This action cannot be performed on your device.

The job about to be actioned is not suitable for the target device, for example, collecting an Identity Agent credential profile onto a smart card.

Ensure a suitable credential profile has been requested for the user. Details about the credential presented can be found in the Audit Reporting workflow.

Credential Issuance

890053

Approval is needed.

An attempt has been made to issue a credential with a request that has not yet been validated.

Requests can be validated in the Validate Request workflow. Alternatively, if validation is not required, this requirement can be removed in the Credential Profiles workflow. Previous requests made when validation was required will still require validation. These requests can be canceled using the Job Management workflow.

Credential Issuance

890054

Action no longer available

An attempt has been made to issue a credential with a request that is not in a valid state. It may be that the request has been suspended or canceled.

The status of requests can be reviewed using the Job Management workflow.

Credential Issuance

890055

You are not authorized to complete this action

An attempt has been made to issue a credential by a user that lacks permission to that credential.

Credential profile permissions can be managed using the Credential Profiles workflow.

Credential Issuance

890100

You have no card profiles available.

There are no suitable credential profiles available to the user.

Availability of credential profiles can be changed in the Credential Profiles workflow. See the Audit Reporting workflow for further details.

Credential Issuance

890110

No suitable credential profiles available.

While attempting to replace the device, no suitable card profiles were found. This is probably due to user permission changes since the initial issuance of the device.

Permissions can be edited in the Edit Roles workflow. Credential Profile permissions can be edited using the Credential Profiles workflow.

Credential Issuance

890467

Unable to authenticate card. Unlocking your own card is not allowed.

An attempt has been made to perform a self-service PIN unlock. The card in question does not have a card authentication certificate in container 5FC101, and so cannot be validated. The process has been blocked

If the card was issued by this system, then the credential profile needs to be updated to ensure a card authentication certificate is included in the correct container. Any previously issued devices will need to be updated before they can perform self service operations. This can be performed using the Update Card or Request Card Update workflows.

PIV Self Service

890468

This version has been disabled.

This is usually encountered when attempting to access ProcessDriver with an obsolete client.

Update the client software to be the latest version. If the problem persists, contact Intercede Support.

Authentication

890477

Notification creation has failed.

The system attempted to send a notification to another system, but this process has failed.

The Audit Reporting workflow may be able to assist with diagnosing the problem. If it does not, contact Intercede Support.

Notifications

890478

An unexpected problem has occurred, please wait a short while then try again.

There has been an underlying error in COM+. It may be that the COM+ settings are invalid, or the service has become unavailable.

If this is a consistent problem, permissions for the MyID system accounts may have changed. If it is an intermittent problem, the Windows Event Log may offer the cause of the authentication issues.

Authentication

890480

Unable to register the device.

An attempt to register a Trusted Platform Module with the system has failed.

The Audit Reporting workflow may be able to assist with diagnosing the problem.

Credential Issuance

890482

Invalid response to the Client Action.

The client has responded to the MWS with either a blank or invalid response.

This is usually caused by an unexpected client side error. The Audit Reporting workflow may be able to assist with diagnosing the problem.

All

890483

There are no jobs for this device.

An attempt was made to activate a device which does not have a corresponding job.

The Audit Reporting workflow may be able to assist with diagnosing the problem.

Credential Issuance

890488

The card is not issued.

An attempt was made to change the PIN for a credential that was not issued by the system.

Ensure that the user is using the correct device.

Self Service Operations

890489

The card is disabled.

An attempt has been made to reset the user PIN for a device that is currently disabled.

Details of the disabled device can be found in the Audit Reporting workflow. Devices can be enabled using the Enable / Disable Credential workflow.

Self Service Operations

890490

The card is not recognized or the user does not have permissions to use it.

A device has been selected that the user does not have permissions to view or manipulate.

Typically, this occurs during self service operations where a process is initiated with one card but, mid process, an alternative card is switched-in. It can also occur when an Auth Code that is tied to a device is used against another device. New authentication codes can be requested from the Request Auth Code workflow.

Authentication

890491

An unknown error has occurred trying to capture biometrics.

An unexpected error has occurred validating biometric data.

The System Events log may give further advice.

Authentication

890493

An unknown error has occurred.

An unexpected low level error has occurred.

The error is usually caused by low level exceptions being thrown by components. This can be caused by such things as:

• The card layout assigned to the mobile credential profile having an image that was missing from the system.
• A Content Signer Certificate not being correctly configured on the App Server.
• Card access failure.
• Other low level failure conditions.

If you experience this error when attempting to issue a smart card set up for OPACITY, see the Troubleshooting OPACITY smart cards section in the Smart Card Integration Guide.

If you are attempting to issue a Windows Hello credential, this may be caused by selecting a certificate that is not suitable for Windows Hello. See the Certificate policies section in the Windows Hello for Business guide.

Details of the issue will be available in the Audit Reporting and System Events workflows. If the problem persists, contact Intercede Support.

All

890495

The job specified has not been found or is invalid.

An attempt has been made to access a job, but the details for the job are incorrect.

Ensure that the job details are valid.

All

890496

Attempted to execute un-approved command

An unsolicited command has been attempted against a card.

Stop using the issuing workstation or device immediately and contact Intercede Support.

Credential Issuance

890497

Your session has expired, please try again.

The action cannot be completed because the user did not complete the workflow in a reasonable time.

Ask the user to repeat the action. You can configure the duration using the Task Number Timeout setting on the Process tab of the Security Settings workflow. The default is 30 minutes.

All

890499

The card profile does not support encryption and therefore can not be used for key recovery

The system was asked to recover a certificate to a device that cannot protect the private key for that certificate. This attempt was blocked.

Ensure the credential profile is configured correctly. Any device that is to receive an archived certificate must be configured for MyID signing. This is usually a certificate policy of type Signature configured for signing within MyID. If you require further assistance, contact Intercede Support.

Credential Issuance

890500

This card does not support biometric match from card.

A request for a derived credential has been made from a card that does not support biometric matching.

If it is not the intention to perform biometric matching during the request for derived credentials (for example, if you are using VSCs), set the Require fingerprints for derived credentials option to No.

Credential Issuance

890501

No Captured Sample

The client has returned no biometric data.

Ensure that the correct client software is installed and that a suitable biometric capture device is connected to the client.

Authentication

890502

No Sample From Card

A card that we expected to have biometric data on it does not.

Canceling and re-issuing the device may help. The Audit Reporting workflow will show whether biometric data was written to the card during issuance.

Authentication

890503

Security Phrases do not match

The user has entered an incorrect security phrase during credential issuance, so the process has been aborted.

Repeat the process entering the correct security phrase. Security phrases can be reset either using the Change Security Phrases or Change My Security Phrases workflows.

Authentication

890504

This device does not support the use of generic encryption keys

This device does not support the use of generic keys for encryption. Issuance cannot continue.

The selected credential does not support the use of generic keys for encryption. You must select a certificate for encryption in the Credential Profiles workflow.

Credential Issuance

890505

This device does not support the use of certificates for encryption.

The selected credential does not support the use of certificates for encryption.

The Credential Profiles workflow can be used to control how a credential authenticates to MyID. Contact Intercede Support for further details.

Credential Issuance

890506

This device does not support the use of generic signing keys

The selected credential does not support the use of generic keys for signing. Issuance cannot continue.

You must select a certificate for signing in the Credential Profiles workflow.

Credential Issuance

890507

This device does not support the use of certificates for signing

The selected credential does not support the use of certificates for signing. Issuance cannot continue.

The Credential Profiles workflow can be used to control how a credential authenticates to MyID. Contact Intercede Support for further details.

Credential Issuance

890509

The card cannot hold recovered certificates.

An attempt has been made to recover certificates to a credential that does not support certificate recovery.

Provide the user with a credential that is capable of recovering certificates. Details of the presented credential can be found in the Audit Reporting workflow.

Certificate Recovery

890510

PIV: Card recipient not authorized

The selected user is either disabled, or has not been approved for card issuance.

For information on approving users, see the Setting the User Data Approved flag section in the Administration Guide. Alternatively, this restriction can be removed using the Credential Profiles workflow.

Credential Request

890511

Insufficient data to issue card

There is insufficient data to either build the FASCN or generate a UUID required for issuing this credential.

Details of the missing data will be available in the Audit Reporting and System Events workflows. If the problem persists, contact Intercede Support

PIV Credential Issuance

890512

numberOfAttempts

Biometric validation has been attempted multiple times, and has failed each time. The retry limit has been reached and so the process is aborting.

If biometric authentication is proving to have a high number of false negatives, the number of retries and the matching threshold can be configured in the Operation Settings workflow. If the problem is restricted to a subset of individuals, those individuals should re-enroll their biometric data.

Authentication

890513

The captured fingerprints did not match those held on the card.

Validation of a user's fingerprints against the biometric data stored on their card has failed.

The number of retries and the matching threshold can be configured in the Operation Settings workflow.

Authentication

890516

Asset was not found in LDAP

The Asset Name reported by the client software does not match an entry in the domain.

Ensure the workstation is joined to the domain and repeat the process. If the problem persists, contact Intercede Support.

Virtual Smart Card Issuance

890517

An error occurred when checking the machines DNS

The Asset Name reported by the client software does not match an entry in the domain.

Ensure the workstation is joined to the domain and repeat the process. Check the DNS entry for the workstation. If the problem persists, contact Intercede Support.

Virtual Smart Card Issuance

890518

An error occurred when checking the machines DNS

The Asset Name reported by the client software does not match an entry in the domain.

Ensure the workstation is joined to the domain and repeat the process. Check the DNS entry for the workstation. If the problem persists, contact Intercede Support.

Virtual Smart Card Issuance

890519

This job is not being collected on the correct asset

An attempt has been made to delete a virtual smart card from an incorrect machine.

Repeat the process from the correct machine. If the deletion request is no longer required, it can be canceled from the Job Management workflow.

Credential Termination

890520

There has been an error generating the virtual smart card

There has been an error creating a VSC remotely on the client workstation.

The Audit Reporting workflow will contain details of the error. Ensure your system is configured for virtual smart card issuance as detailed in the Microsoft VSC Integration Guide, and that the client workstation is joined to the domain.

Credential Issuance

890522

There has been an error generating the virtual smart card

There has been an error creating a VSC remotely on the client workstation.

The Audit Reporting workflow will contain details of the error. Ensure your system is configured for virtual smart card issuance as detailed in the Microsoft VSC Integration Guide, and that the client workstation is joined to the domain.

Credential Issuance

890524

Maximum biographic retries exceeded

The user has entered incorrect data too many times and the process has been aborted.

Retry the process with the correct biographic details. If the problem persists, contact Intercede Support

Kiosk Biographic Logon

890527

Device not assigned to a user

The current device is expected to be issued, but it is not. The Audit will contain more details.

The user is probably trying to use a device that has not been issued by MyID. It may be required to issue the user a credential. The Audit Reporting workflow will contain more details about the inserted device.

Credential Issuance

890534

The supplied card is not a temporary card

A workflow that requires a temporary credential to be provided to it has had a permanent credential supplied. The workflow is not allowed to interact with this credential and so terminates

Ensure the correct credential was presented. The Audit Reporting workflow will give details of the presented credential.

Credential Lifecycle

890535

The supplied card is not assigned to the user

A self-service workflow that requires a temporary credential to be provided to it has had a different user's credential supplied. The workflow is not allowed to interact with this credential and so terminates.

Ensure the correct credential was presented. The Audit Reporting workflow will give details of the presented credential.

Credential Lifecycle

890537

The device is unsuitable for the profile specified.

The presented device is not suitable for the selected credential profile.

Details of why issuance was denied can be found in the Audit Reporting workflow. The usual cause is the device having insufficient space for the configured certificates.

Credential Issuance

890540

The content defined in the card profile is not currently supported by this issuance method. Please contact your system administrator

The action being performed is not supported by the client being used. For example, SSA cannot issue credentials with generic signing keys.

Select an appropriate client to perform the intended action.

Credential Issuance

890543

User not logged in

The current session is unauthenticated. This can happen if a client loses its cookie collection mid-process or a process has timed out. It can also happen if using a web farm that is not session aware. The error may also occur when entering an incorrect auth code.

Retry the current process. If entering an auth code, make sure you have entered the correct auth code (this error may be caused by a person having two auth codes for different purposes and using the wrong one for the current task). The timeout duration can be managed in IIS. If the problem persists, and there have been no changes to the network infrastructure, contact Intercede Support.

Authentication

890547

No TPM Found

The client workstation has reported that it has no Trusted Platform Module available. A TPM is required to perform Attested Device Identity issuance.

The client workstation is unsuitable to receive the credentials requested for it. Issuance cannot continue.

Credential Issuance

890550

Error with TPM

The client workstation has reported that it has no Endorsement Key Hash available. An Endorsement Key is required to perform Attested Device Identity issuance.

The client workstation is unsuitable to receive the credentials requested for it. Issuance cannot continue.

Credential Issuance

890551

The machine specified has not been registered.

A workstation can only receive an Attested Device Identity if it has been registered beforehand. This workstation has not been registered.

The workstation may have changed its DNS entry or ID since last being registered. Workstations can be registered using the Register Credential workflow.

Credential Issuance

890555

This mobile identity has previously been fully or partially provisioned. To provision it again, the mobile identity must be canceled on the server and a new request made.

The mobile provisioning has got into a state that cannot be recovered from automatically.

Cancel the device using the Cancel Credential workflow and repeat the issuance process.

Identity Agent Provisioning

890556

Multiple matches

The mobile provisioning has got into a state that cannot be recovered from automatically. There are multiple outstanding requests and the correct one cannot be determined.

Cancel the device and repeat the issuance process. The status of jobs can be checked in the Job Management workflow.

Identity Agent Provisioning

890557

This mobile identity has previously been fully or partially provisioned. To provision it again, the mobile identity must be canceled on the server and a new request made.

An earlier issuance process for this device has previously failed. The system can automatically recover from most fail conditions but some are unrecoverable.

Cancel the device and repeat the issuance process. The status of jobs can be checked in the Job Management workflow.

Identity Agent Provisioning

890558

The server has requested more security questions than we can provide.

Server side authentication has failed.

If this occurs during Identity Agent provisioning, it means the Mobile user has been updated, and the account no longer works.

Identity Agent Provisioning

890561

Your user account does not have permission to complete the request. Please contact your administrator

The user does not have suitable permissions to complete the issuance process, or does not have access to the Credential Profile being requested.

If this occurs during the provisioning of a mobile device, the user must have access to Collect My Updates (workflow operation ID 242) for device logon. Permissions can be edited in the Edit Roles workflow. Credential profile permissions can be edited using the Credential Profiles workflow. See the Granting access to the workflows section in the Mobile Identity Management document for details.

Credential Issuance

890562

This device cannot be provisioned at this time. The request on the server has expired. You will need to request the provisioning again.

The provisioning job is no longer valid.

Cancel the device and repeat the issuance process. The status of jobs can be checked in the Job Management workflow.

• IKB-280 – Misleading error message text for error 890562

  This error may also occur if you attempt to collect the job before it has been validated, in which case you do not need to cancel the job and repeat the issuance process, but must validate the job and then attempt to collect it again.

Credential Issuance

890564

User is not suitable for certificate issuance

The system is attempting to issue a credential with X509 certificates on it to a user with no Distinguished Name. A Distinguished Name is required for certificate issuance.

The Distinguished Name can be set using a number of processes. It is set when an account is imported from an LDAP. It is set when a user is assigned to a group or agency. It can be set using Lifecycle API. Ensure that the user has a Distinguished Name set and then retry the process.

Credential Issuance

890565

There is no suitable card profile

An attempt has been made to issue a MIM-Badge style mobile device, but configuration is incomplete. There are no credential profiles with a suitable configuration

Create a suitable credential profile. See the Setting up the Identity Agent credential profiles section in the Mobile Identity Management document for details.

Identity Agent Issuance

890566

This device is not the one specified in the job.

The request is for a different device to the one being presented.

Either use the correct device, or request a new provisioning for the presented device.

Identity Agent Provisioning

890568

This device belongs to a different user than the one specified in the job.

The device you are attempting to issue is already allocated to someone else.

Provide the user with a different device. If the device is a mobile device, you could use the Cancel Credential workflow to disassociate the device with the previous owner. If the device is a smart card, you could use the Cancel Credential or Erase Card workflow to cancel the device. After cancellation, the issuance can be re-attempted.

Identity Agent Provisioning

890569

This mobile identity has previously been fully or partially provisioned. To provision it again, the mobile identity must be canceled on the server and a new request made.

The mobile provisioning has got into a state that cannot be recovered from automatically.

Cancel the device and repeat the issuance process.

Identity Agent Provisioning

890570

The device must be specified to provision this credential profile.

The issuance is restricted to a sub-set of eligible devices. The device being issued is not part of that subset.

Restrictions are managed in the Credential Profiles workflow.

Identity Agent Provisioning

890571

This device must be assigned to a user to provision this credential profile.

The issuance is restricted to a sub-set of eligible devices. The device being issued is not part of that subset.

Restrictions are managed in the Credential Profiles workflow.

Identity Agent Provisioning

890572

There has been a configuration error. There is insufficient data available to provision this device.

The system has attempted to generate an identifier for the user and failed. This is usually a PIV compliant FASCN.

If a FASCN is expected, the user lacks mandatory data. Please enroll the user again. Details of the missing data will be highlighted in the Audit Report. If a FASCN is not required, change the node BuildFASCN from 1 to 0 in the relevant CardProperties file.

Identity Agent Provisioning

890573

The system is at capacity. Issuance cannot continue.

The action would exceed the current license capacity.

Cancel existing users or devices. Alternatively, obtain additional licenses.

Credential Issuance

890574

Your card was issued by an agency that does not allow derived credentials from this kiosk

An attempt was made to request a derived credential from a card issued by an untrusted source. The issuance was blocked.

The Cards Allowed For Derivation flag in the Operation Settings workflow determines which devices are allowed to request derived credentials. Details of the presented device can be found in the Audit Reporting workflow.

Derived Credential Issuance

890575

Invalid Credential Profile. Cannot issue new unmanaged certificates.

The credential profile is set to issue a new instance of the "Unmanaged" certificate profile. This is invalid.

Edit the credential profile to issue "Historic Only" certificates of this policy. This can be performed in the Credential Profiles workflow.

Credential Issuance

890578

The mailer component was unable to send the mail to the specified SMTP server

There has been a problem with the email server or settings.

Verify the SMTP server settings in the External Systems workflow. See the Setting up email section in the Advanced Configuration Guide for details.

Credential Issuance

890579

The job specified is being used by another operator.

An attempt has been made to action a job that is currently being actioned by another user of the system. This attempt has been blocked.

Sometimes this can occur if a session is forcibly closed mid-process and the job re-attempted. If this is the case, the lock should clear within 60 minutes.

Credential Issuance

890580

There was a problem generating the Terms and Conditions. This process cannot continue.

The required Terms and Conditions document for the credential issuance could not be created. As such, the issuance has been prevented.

The usual cause for this is a missing mapped field. This could be either a form element that has not been completed, or a user attribute that has no value.

Correct the terms and conditions document in the ServerDocuments table of the database and try again. If the problem persists, contact customer support.

Credential Issuance

890581

User PIN not supported in Batch Process

Credentials that require a manual PIN to be set are not appropriate for batch issuance, and so the issuance of the credential has been prevented.

Default filters usually prevent these credential profiles from being selectable. Do not remove these filters when selecting jobs. Use Collect Card for jobs that require the User PIN to be chosen.

Credential Issuance

890585

Disabled devices cannot sign Terms and Conditions

The workflow requires that Terms and Conditions be signed in order to continue. It is not possible to sign with the presented credential as it is disabled. The workflow will not continue.

Enable the device and repeat the workflow.

Credential Issuance

890586

Disabled users cannot sign Terms and Conditions

The workflow requires that Terms and Conditions be signed in order to continue. It is not possible to sign with the presented credential because the user account associated with it is disabled. The workflow will not continue.

Enable the user account and repeat the workflow.

Credential Issuance

890588

The request has not been approved yet. Try again later.

An attempt has been made to action a job that is awaiting validation.

If you want to carry out this job, use the Validate Request workflow in MyID Desktop or the Approve Request option in MyID Operator Client to approve it. Otherwise, you can use the Job Management workflow to cancel the job.

Identity Agent Provisioning

890594

You have no authentication mechanisms that are suitable for this operation.

The user has either no self service authentication mechanisms available, or has failed to authenticate with all of their authentication mechanisms. They cannot perform the desired action.

If the user has configured authentication mechanisms, repeat the process, passing the correct values. It may be necessary to unlock the user's security phrases.

If this error is encountered while attempting a self service unlock operation, it may be because the configuration option Verify fingerprints during card unlock is enabled and the user does not have fingerprints enrolled.

For self-service unlock operations using the Self-Service App or the Self-Service Kiosk, this error may also occur if the user does not have a role that has access to the Unlock My Card workflow.

If the user has no means to authenticate themselves then the process cannot continue.

Authentication

890596

Your account is not eligible to receive this credential.

An attempt has been made to collect a credential for a user whose account lacks the required attributes to receive that credential.

The credential profile selected specifies requisite user data; the user does not have the required attributes populated. Either populate these attributes for the user, or select a credential profile that does not have these requirements.

Check the audit, which may contain additional information about the missing attributes.

Credential Issuance

890597

The specified user cannot be found.

The user account identity is determined using either the UPN from the current Windows logon session or the value held in the MYID_USERNAME environment variable but cannot be found within MyID.

To correct this issue:

• Check that the user account exists in MyID.
• UPN matching is case-sensitive – check that the value used by Windows matches the case of the stored UPN in MyID.
• Check that the value in MYID_USERNAME is set to the correct value for the MyID user account.

For further details about how a user account is associated to MyID, see the Specifying the target user section in the Web Service Architecture guide.

Authentication

890598

A problem has been reported by Windows (<error>). Check the Microsoft documentation for further details.

The Windows Hello for Business enrollment failed due to a problem with your system, and Windows reported an error; for example, 0x80070015.

Check the Windows event log. If you have a persistent issue, see the MyID Client Components section in the Configuring Logging guide for information on how to enable MyID client logging for the WHfB component.

Windows Hello

890599

Failed to detect the Windows Hello reader

Enrollment was reported as completing successfully, but MyID could not detect the Windows Hello device.

Check the Windows event log. If you have a persistent issue, see the MyID Client Components section in the Configuring Logging guide for information on how to enable MyID client logging for the WHfB component.

Windows Hello

890600

An unknown error occurred with Windows Hello for Business

This error is unexpected.

Check the Windows event log. If you have a persistent issue, see the MyID Client Components section in the Configuring Logging guide for information on how to enable MyID client logging for the WHfB component.

Windows Hello

890601

Cannot perform this operation over a remote desktop connection

Windows Hello for Business is not supported over RDP.

Make sure you are logged on directly to the PC you want to work with.

Windows Hello

890700

You cannot reset your Windows Hello PIN using this application.

Resetting a Windows Hello PIN is managed by Windows and may be dependent on Windows Hello group policy configuration.

Check the Microsoft documentation for details.

Windows Hello

890701

You cannot change your Windows Hello PIN using this application.

Changing a Windows Hello PIN is managed by Windows and may be dependent on Windows Hello group policy configuration.

Check the Microsoft documentation for details.

Windows Hello

890703

The attempt to assign a device has been rejected. The device assignment end date for the group that this person is associated with has passed.

The issuance of the device would place it in a group that has expired.

Update the group to expire in the future and repeat the collection.

See the Controlling device assignments for groups section in the Administration Guide for details.

Credential Issuance

890704

The attempt to assign a device has been rejected. The maximum number of assigned devices for the group that this person is associated with has been exceeded.

The issuance of the device would cause the device limit for the group to be exceeded and so has been prevented.

Increase the group device limit and repeat the collection.

See the Controlling device assignments for groups section in the Administration Guide for details.

Credential Issuance

890705

This request must be collected by the user account named in the request

To collect a key recovery request, you must be the target of the request.

Ensure that you are the target of key recovery request that you want to collect.

Credential Issuance

890800

Token validation failed.

The OAuth2 authentication token passed through from Operator Client to ProcessDriver failed validation.

See the MyID Operator Client advanced configuration section in the MyID Operator Client guide.

The Process Driver log may include additional information on the specific validation check that failed.

Authentication

890801

Issuer validation failed.

The OAuth2 authentication token passed through from the MyID Operator Client to ProcessDriver failed validation due to an Issuer mismatch.

See the Setting the issuer for load-balanced systems section in the MyID Operator Client guide.

Authentication

890811

Unable to determine server address

You have attempted to carry out authentication using an external identity provider but your system is misconfigured.

Check that the AllowedHosts setting is correct. The setting must match the URL used for the MyID web server.

See the Configuring the MyID web services for external identity providers section in the MyID Authentication Guide guide.

Authentication

890812

Unable to continue, invalid authenticated user

You have attempted to carry out authentication using an external identity provider, but the user account with which you have authenticated is not the target user for the job.

Try the authentication again, and authenticate using the correct user account for the job.

See the Using an external identity provider section in the Self-Service App guide.

Authentication

891014

Your mobile device is not compatible with biometric authentication.

The credential profile you are attempting to collect on a mobile device is configured to require biometric authentication, and the device is not capable of capturing that data.

If biometric authentication is not required, review the configuration of the credential profile using the Credential Profiles workflow, under Issuance Settings. The global values are editable in the Operation Settings workflow.

Credential Issuance

891448

The PIN on this device is not locked. You can only unlock this device when it is locked.

An attempt has been made to unblock the PIN of a device that can only be unblocked when the user PIN is actually locked.

Enter the PIN incorrectly until the user PIN is blocked, then try again.

Credential Issuance

891449

The PIN on this device is permanently locked. You will need to cancel and re-issue the device to be able to use it.

An attempt has been made to unblock the PIN of a device that has had its PIN permanently blocked.

Unblocking the PIN on the device is not possible. To continue to use the device it will need to be canceled and re-issued.

Credential Issuance

892001

The MyID license has expired.

The current MyID license has expired and needs to be renewed.

Run the Licensing workflow to request a new license.

Licensing

892002

The MyID license is invalid.

There is something wrong with the current MyID license.

Run the Licensing workflow to request a new license.

Licensing

892012

This system is not configured to allow issuance of this type of credential. Please contact your administrator.

You have attempted to collect a card, but the system configuration does not allow you to collect it. For example, you may be trying to collect a smart card that requires customer GlobalPlatform keys, but the Enable Customer GlobalPlatform Keys option (on the Device Security tab of the Security Settings workflow) is set to No.

Check that you have configured your system to issue this type of credential.

Credential Issuance

892015

Card update failed due to non-compliance with T&C signing requirements.

The current workflow is incapable of performing the Terms and Conditions step, but system configuration dictates that this step is mandatory for the selected update.

If Terms and Conditions are required, use an alternative workflow to collect the update or contact Intercede Support. Terms and Conditions requirements can be configured in the Credential Profiles workflow.

Credential Issuance

892016

Server authentication not enabled, please contact your administrator.

ProvisionDevice relies on a secure server side authentication process. This process has either not been configured or has been disabled.

Contact Intercede Support. MyID 9.0 systems may require a patch to enable this feature.

Identity Agent Provisioning

892021

Finger print biometrics have expired.

The biometrics captured for the user have expired.

Capture fresh biometrics and try again.

Authentication

892022

Facial biometrics have expired.

The biometrics captured for the user have expired.

Capture fresh biometrics and try again.

Authentication

892023

Iris biometrics have expired.

The biometrics captured for the user have expired.

Capture fresh biometrics and try again.

Authentication

892024

Biometrics have expired.

The biometrics captured for the user have expired.

Capture fresh biometrics and try again.

Authentication

892025

Facial biometrics have not been found.

There are no facial biometrics for the user.

Capture fresh biometrics and try again. If there is no requirement for facial biometrics, disable the need for facial biometrics in the credential profile.

Authentication

892026

The server content signing certificate will expire before the device expires. Please contact your system administrator.

The server content signing certificate will expire before the device expires.

Issue a new content signing certificate.

Credential Issuance

892101

You do not have access to any workflows.

The account that has authenticated does not have access to any workflows available to the client.

Permissions can be configured in the Edit Roles workflow.

Authentication

892102

Invalid session.

The content of the data used to perform a logon has become corrupt.

Restart the client and try again.

Authentication

892103

The system hasn't been configured to allow PFX files to be issued.

An attempt to issue PFX certificates to an iOS based Identity Agent using Safari has failed

The account the web service is running as does not have write permissions to the Generated folder on the Web server.

Identity Agent Issuance

892106

System configuration error

This is usually encountered as soon as the client application loads, and means that the server has been incorrectly configured. For example, the Web Services user does not have permission to activate the COM components.

Each COM+ application on the MyID application server needs to have the Web_Role enabled in the Security tab.

Run the System Interrogation Utility to help you identify the issue; see the System Interrogation Utility guide for details.

All

892110

Card label mapping is invalid

The Card label mapping setting is not set to a valid attribute.

Make sure that the attribute is formatted correctly, and that it is valid. This can be checked and changed in the Operation Settings workflow, under the Devices tab.

See the Devices page (Operation Settings) section in the Administration Guide for details.

Credential Issuance

9007124

Card type must match the card stock

The credential does not match the credential type of the credential stock for the credential profile selected.

Make sure the credential inserted or selected matches the credential type of the credential stock on the required credential profile.

Credential Issuance

9000511

Logon Failed: Incorrect credentials supplied.

An attempt to authenticate to MyID with incorrect credentials was attempted. This attempt has been blocked.

This is usually due to a user entering incorrect Security Phrases. Security Phrases can be set either using the Change Security Phrases or Change My Security Phrases workflows.

Authentication

9001004

The terms and conditions signed envelope could not be validated.

The approval of the Terms and Conditions has failed to validate.

The credential being issued should be canceled. The Audit Reporting workflow may be able to assist with diagnosing the problem.

Credential Issuance

9001005

The terms and conditions certificate could not be validated.

Note: This error is often only visible via the audit.

Terms and Conditions have been signed with a certificate using MyID Desktop. The validity of that cannot be verified against the CA. This is usually due to a firewall blocking access to the Certificate Revocation List (CRL) from the MyID application server.

The Audit Reporting workflow may be able to assist with diagnosing the problem.

Configure the application server to allow it to validate certificates issued by the CA. Often this involves granting access to the CRL, or ensuring that the root CA is in the application server's trusted root store.

On a Microsoft CA, you can determine whether the application server can verify the certificate chain using the certutil utility on the application server:

certutil -f -urlfetch -verify <issuing CA certificate.cer>

Authentication

9001400

Access Denied

You have attempted to initiate a workflow you do not have permissions to.

Permissions can be edited in the Edit Roles workflow.

Authentication

9002020

Invalid Asset Selected

The identity the connecting client has reported is either blank, or does not match an existing entry in the database.

Device information can be entered either using the Import Device workflow or using the DWS web service.

Credential Issuance

9002021

Failed to add asset

An attempt to add device identity information to the system has failed.

Check the data is valid and try again. If the problem persists, contact Intercede Support.

Credential Issuance

9003348

This card profile requires that the recipient has a photograph captured

The credential profile being issued enforces the user to have a photograph captured.

Photographs can be captured either using the Edit Person workflow or using Lifecycle API. Alternatively, this requirement can be relaxed in the Credential Profiles workflow.

Credential Issuance

9003400

No biometric data captured

The client has returned no biometric data.

Ensure that the correct client software is installed and that a suitable biometric capture device is connected to the client.

Authentication

9004028

You do not have permission to access this workflow

An attempt has been made to start a workflow the user does not have permissions to.

Check that the user has access to the required workflow. Permissions can be edited in the Edit Roles workflow.

The user's role must have access to the required workflow, and must also have the appropriate logon method.

This error may also occur if a system role has been edited and an essential workflow removed; for example, if you want to carry out self activation processes, the system role "Activation User" must have access to the Activate Card workflow, or to import a PIV card, the Server Credentials role must be given access to the Import from PIV Card operation.

Note: Any role that you want to receive mobile identities must have the Issue Device option selected in the Cards category in the Edit Roles workflow.

Authentication

9007084

Operator may not issue this device

An attempt has been made to collect a credential. This issuance was prevented because the operator does not have a suitable role to access this workflow.

Check that the operator has access to the required credential collection workflow. You can edit permissions in the Edit Roles or the Credential Profiles workflows. The user's role must also have the appropriate logon method.

Credential Issuance

9007085

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the Card Applicant does not have a suitable role to collect this credential.

The Card Applicant lacks the roles required to receive this credential.

Credential Issuance

9007086

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the Operator requested the job.

Have a different operator collect the credential

Credential Issuance

9007087

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because you cannot collect your own card in this workflow.

Have a different operator collect the credential.

Credential Issuance

9007088

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because you cannot collect a job that you have validated.

Have a different operator collect the credential.

Credential Issuance

9007089

Card Applicant must have Facial Biometrics captured to continue.

An attempt has been made to issue a credential. This issuance was prevented because the Card Applicant must have Facial Biometrics captured.

Enroll facial biometrics and try again.

Credential Issuance

9007090

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the Card Applicant must have an image captured to continue.

Enroll a user photograph and try again.

Credential Issuance

9007091

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the Card Applicant must have their user data approved.

Approve the Card Applicant and try again.

Credential Issuance

9007092

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the Job is configured for bureau issuance.

This job cannot be issued using MyID. If this is unexpected, contact customer support.

Credential Issuance

9007093

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the card layout specified for this job is no longer valid.

The job cannot be issued in its current state.

Credential Issuance

9007094

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the expiry date of this card has passed.

The job cannot be issued. Request a new credential for the user.

Credential Issuance

9007095

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the lifetime of this card will be less than the minimum allowed.

The job cannot be issued. Request a new credential for the user.

Credential Issuance

9007096

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because it is a Virtual Smart Card request. The target device is not compatible with Virtual Smart Card Issuance.

Collect the job using the self service application on an appropriate machine. If the problem persists, contact customer support.

Credential Issuance

9007097

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the card cannot be used with MyID.

The card is incompatible with MyID. If this is unexpected, contact customer support.

Credential Issuance

9007098

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the card has been disposed or lost and unable to be reissued.

Repeat the process with a different device.

Credential Issuance

9007099

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the credential must be issued to a known Serial Number.

Either use a device that was imported, or modify the credential profile to not require the target card to have been previously imported.

Credential Issuance

9007100

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because it must be a known proximity card.

Either use a device that was imported, or modify the credential profile to not require the target card to have a contactless component that has been previously imported.

Credential Issuance

9007101

This card cannot be used in its current state

An attempt has been made to issue a credential. This issuance was prevented because the system is not set up to issue this card.

The card is incompatible with MyID. If this is unexpected, contact customer support.

Credential Issuance

9007102

This card cannot be used in its current state