Troubleshooting

Hideez Authenticator - Troubleshooting

Issues After Changing Domain

If you have changed the domain of your computer (for example, joined it to Azure AD and then reverted it to an on-premises AD domain) and encounter an error when registering the device in the domain, follow these steps:

Run certmgr.msc as an administrator on your computer.
Navigate to Trusted Root Certification Authorities → Certificates.
Check for multiple certificates from your domain server. Keep only the root certificate from the Certification Authority, removing any extras.

Lack of Connection to the Certification Authority (CA) Role Service

If you encounter error 0x800706BA, it indicates that the Certification Authority (CA) server is unavailable. To resolve this issue, follow these steps:

Check CA Server Availability
- Ensure the CA server is powered on and running properly.
- Verify that there are no network issues preventing access to the server.
Test Connectivity to the CA Server
- Run the following command in Command Prompt (cmd) to check if the CA server is reachable:
  powershellCopyEditping <CA_Server_Hostname>
- If the server is reachable, test connectivity to the CA RPC service by running:
  powershellCopyEditcertutil -ping
- If you receive a timeout or connection error, there may be firewall rules or network policies blocking access.
Check Windows Firewall & Network Settings
- Ensure that RPC (Remote Procedure Call) and DCOM are not blocked by a firewall.
- Open the required ports for CA communication (typically TCP 135 for RPC).
Restart the CA Service
- Open Services (services.msc) on the CA server.
- Find Active Directory Certificate Services and restart it.
- Alternatively, restart the service via PowerShell:
  powershellCopyEditRestart-Service certsvc
Verify CA Role Installation
- Run the following command to check if the CA role is installed:
  powershellCopyEditGet-WindowsFeature -Name AD-Certificate
- If the CA role is missing, reinstall it using:
  powershellCopyEditInstall-WindowsFeature -Name AD-Certificate -IncludeManagementTools

If the issue persists, check event logs (Event Viewer > Applications and Services Logs > CertificateServicesClient) for detailed error messages.

If the registration is successful but you cannot log in, run the following command in PowerShell as an administrator:

certutil -pulse

If the QR code does not appear on the Windows login screen, check if this option is enabled in Hideez Client.

Connection Issues Between Hideez Authenticator and Hideez Enterprise Server (No Connection to Server)

If you encounter a "No connection to server" or "Operation timeout" issue during Single Sign-On to the web application or unlocking your computer, ensure that the port and server address for Hideez are open to the network where the smartphone with the Hideez Authenticator app is located.

To Check the Connection Between Your Smartphone and Hideez Server, Follow These Steps:

Open a browser on your smartphone (Chrome, Safari, or any other).
Enter the address of your Hideez server. This could be the local or public address of the Hideez Enterprise Server.
Check the connection status. If the server is available and the configuration is correct, you will see a page confirming access to the server or a prompt for authorization credentials.

View Installed Smart Cards or Passwordless Unlock Accounts on Your Computer's TPM

To check registered smart cards or passwordless login accounts using PowerShell, execute the following command:

Get-CimInstance -ClassName Win32_PnPEntity | Where-Object { $_.DeviceID -like "*smartcardreader*" } | Select-Object DeviceID

If your computer has smart cards registered as login methods or accounts for passwordless unlocking via the Hideez Authenticator app, the corresponding command or query will return something like this:

Remove Installed Smart Cards from Your Computer's TPM Module

To remove installed smart cards or passwordless login accounts saved in the TPM 2.0 module on your computer using PowerShell, you can use the following command:

tpmvscmgr destroy /instance <name_of_smartcard>

The result of the command for removing smart cards or accounts from the TPM module or through the virtual smart card management utility may look something like this:

Check the Status and Properties of TPM on Your Computer

To check the status and properties of TPM 2.0, you can use the following command in PowerShell:

Get-TPM

If the TPM (Trusted Platform Module) on your computer is enabled, the Get-TPM command in PowerShell will return information similar to this:

PreviousService operations NextHelp

Last updated 1 month ago