I can't enroll certificate on a Smart Card


Monica M.

When I attempt to use the Windows 2003 Microsoft Certificate Services
Smart Card Enrollment Station to request a certificate on behalf of
another user, I receive the following error message after I click

An unexpected error occurred. Error: Please insert the user's smart

If I insert the card and click OK, I receive the same error message.
This error message is displayed even if I'm using the Gemplus GemSAFE
Card CSP version 1.0 Cryptographic Service Provider (CSP) or
Schlumberger Cryptographic Service Provider.

My card is Schlumberger Cryptoflex 8K v2 with:
ATR: 3B 95 15 40 FF 68 01 02 02 04
Running Gemplus SmartDiag v2.0, I see that it's available for use and
corrently not powered.

Reading this microsoft article:
I see that Gemplus GemSAFE Card CSP version 1.0 is not the correct CSP
for the card. The correct CSP is Gemplus GemSAFE Card CSP. Do you
think that I need this Gemplus GemSAFE Card CSP? If so, can you send
me Gemplus GemSAFE Card CSP?

Another simptoms is that I can't register my card by Gemplus SmartDiag
v2.0, because I receve the following error: impossible to correctly
interpret some of the supplied parameters.

Please help me, because I need urgently to enroll smart card using
Windows 2003 Microsoft Certificate Services Smart Card Enrollment
Station and I'm inexpert.

Thank you!

Monica M.

David Cross [MS]

are you running this from a 2000 client or an XP client?

do you have q323172 installed on both client and server?

are you running as a local admin on the client?


Did you ever get an answer to this question?? I am having the sam
difficulty with the Cryptoflex 8K and googled for some help.

Let me know if you have a solution.


(e-mail address removed)

Oct 11, 2009
Reaction score

I encountered the same problem while trying to enroll a schlumberger smartcard on microsoft certificate services.I infortunately didn't find any solution over the web, But now that I found it lets share it together:

The idea (for the beginers of you,just like me) is that you need to configure and personalize your smart card before enrolling it.
After gaining access to the smartcard using the schlumberger cyberflex access sdk you should:
1.Verify Access Keys:

Click the Key Manager button on the Smart Card Toolkit window toolbar,

then select the File System option, or select Tools ¡ú Key Manager ¡ú

File System
from the menu bar. The Key Manager dialog box appears.

2 Click Verify Key. The Verify Key dialog box appears.Open Platform Cyberflex Access card ¡ª The keys you must verify to establish

a secure channel are the AUTH, MAC, and KEK keys. You have ten chances

to verify these keys correctly.Cryptoflex card ¡ª The transport key is verified using the AUT1 identify. By

verifying the transport key, you gain full access rights to the default master file

(MF) on a new card. You have three chances to present the transport key

correctly.Each card has a counter that tracks the number of failed verification

attempts. If you enter the key incorrectly until the counter reaches its

minimum value, the key is blocked. If you enter the key correctly, the

counter value is reset to the maximum value.

If you block the key, you can no longer communicate with the card. You

cannot unblock a blocked card.

Cyberflex Access Software Development Kit User¡¯s Guide

You can use the Verify Key dialog box to prove that you have the transport key

or to verify other keys (see ¡°Verifying Keys¡± on page 91). Follow these steps to

verify the transport key on a new Cryptoflex card:

Select AUT1 from the drop-down Identity list, as shown in this example.

The key name you selected sets the Verify Key command to attempt to

satisfy the AUT access condition.

To insert a key value in the Key box, click Select Key.

The Select Key dialog box appears, with a list of defined keys that have

been pre-seeded in the Key Manager database.

Examine the list of defined keys and select the transport key for your card.

For example, if you are using a Cryptoflex 16K card, select Cryptoflex

16K Transport Key

Click OK.

The Verify Key dialog box now displays the key whose value will be sent

with the verification command (in this case, the Cryptoflex 16K Transport

Key). The key values appear as asterisks.

You also have the option to manually type the hexadecimal value for the

transport key in the Key text box. Because the characters do not display

as you type them (values are replaced by asterisks), be very careful if you

elect this option. You have only three chances to verify the transport key

before the card becomes blocked and unusable.

5 Click Verify.

2.Configure your smart card from ¡°COVE ADMIN¡± tool for the Schlumberger SDK Menu:

Insert your card and enter your PIN, you will be provided with the default PIN:

Customizing the smartcards to contain usernames and passwords:

Display the Personalize tab in COVE and make these changes:

Select the check box next to GINA. Specify the number of GINA users who will be included on the card in the Number of User IDs field. If you want to allow encrypted data, check the box for Encrypt Data on Card. Enter a user PIN and unblock PIN and enter the card¡¯s transport key and click Personalize.

Now go the ¡°GINA¡± tab. Choose how you want the system to behave when the user removes the smart card from the reader: Logout means the user will be logged out but the system will remain available to other users, Lock workstation means the user will be logged out, the workstation will be locked, and a user will have to log in again to regain access, Do nothing means the user will not be logged out and the system will remain available. Choose ¡°Logout¡± since it is more appropriate for our application. If you want to let the user choose another one of these options after login, check the box next to Allow user to reset. If you want the system to be accessible only through a smart card GINA login, check the box to ¡°Require smartcard for login¡±. This prevents the alternative of password logins through ¡°Ctr+Alt+Del¡± if the secure login fails for some reason. This setting takes effect when you reboot the host system. Use the Add User button on the lower part of the GINA tab to specify the user or users who will have GINA logins. When you click the Add User button, the following dialog box appears: Enter the user name and password (twice to confirm) for each user that you plan to include on the card. These entries must conform to Windows NT/2000/XP name and password requirements, and must match the normal login name and password for the user. In the Domain box for each user, choose the domain for the user to log in. The list shows all the domains in the local network that are known to the host system. You can choose a domain that enables the user to log in from any system in the network, you can restrict the user to the domain on the host machine, or you can enter another domain in the editable field.
Now every thing should work fine in the Smart Card Certificate Enrollment Station, just don't forget to select Schlumberger Cryptographic
Service Provider
Enjoy it
Last edited:

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question