(Windows) Failed Revocation Check

A Certificate Revocation List (CRL) is a list of revoked public key certificates, created and digitally signed by a Certificate Authority (CA).

HYPR Passwordless can fail on Windows during either user registration or Windows login. During login to Windows, the user might see “The user name or password is incorrect.” The HYPR Unlock log file will contain the following:

Payload: {
    "authorizationCode": 403,
    "message": "Authorization was rejected status=0xC000006D",
    "sessionId": "some_session_id",
    "version": 2
}

Response: {
    "status": {
        "responseCode": 403,
        "responseMessage": "Authorization was rejected status=0xC000006D"
    }
}

By default, Windows attempts to validate the revocation status of the X.509 certificate. If the CRL is invalid, unreachable, or otherwise produces an error, the authentication attempt fails as well.

Instructions

  1. Export the enrolled X.509 certificate and save it on the affected client machine. Then perform a basic CRL check from a command prompt on that machine with certutil:

    certutil -verify -urlfetch path\enrolledcert.cer
  2. The CRL status is shown in the output. Most commonly, the CRL has expired. If so, work with the network team to update the CRLs for the issuing CA.

The CRL status should show as passed/failed.
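As an added example (not part of the HYPR article or product), the following PowerShell script performs the same revocation check with the .NET X509Chain API and separates "CRL could not be checked" from "certificate is revoked", which helps decide whether the CRL itself is the problem. The certificate path and the function name Test-EnrolledCertRevocation are placeholders chosen for this example.

```powershell
# Added example, not from the HYPR article. Builds the chain for the exported
# enrolled certificate with online CRL fetching and reports revocation status.
$CertPath = 'C:\path\enrolledcert.cer'   # placeholder: path to your exported .cer

function Test-EnrolledCertRevocation {
    param([Parameter(Mandatory)][string]$Path)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert  = New-Object "$x509.X509Certificate2" $Path
    $chain = New-Object "$x509.X509Chain"

    # Fetch CRLs online for every certificate in the chain, like Windows logon does.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $ok = $chain.Build($cert)

    $flagsType = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $offline = $flagsType::OfflineRevocation        # CRL/OCSP server unreachable
    $unknown = $flagsType::RevocationStatusUnknown  # CRL missing, expired or unusable
    $revoked = $flagsType::Revoked                  # certificate really is revoked

    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        "{0} (expires {1})" -f $c.Subject, $c.NotAfter
        # CRL Distribution Points (OID 2.5.29.31): where Windows tried to fetch the CRL.
        $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) { $cdp.Format($true) }
        foreach ($s in $element.ChainElementStatus) {
            "  {0}: {1}" -f $s.Status, ("{0}" -f $s.StatusInformation).Trim()
        }
    }

    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    if ($ok) { return 'PASSED: chain built and revocation verified' }
    if ($flags -contains $revoked) { return 'FAILED: certificate is revoked' }
    if (($flags -contains $offline) -or ($flags -contains $unknown)) {
        # This is the case the article describes: fix or republish the CA's CRL.
        return 'FAILED: CRL unreachable, expired or otherwise unusable'
    }
    return 'FAILED: ' + ($flags -join ', ')
}

Test-EnrolledCertRevocation -Path $CertPath
```

Run it on the same machine where the logon fails, since CRL reachability depends on that client's network path to the CA's distribution points.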