Re: ThinkPad T14s Gen 2i (20WM00A8GE) - Problems w...

Yautja76 · ‎01-26-2023

Hello Community,

I am experiencing a strange phenomenon on some of our Thinkpad T14s:

when we want to log in via VMware Horizon Client (Version 2209 / Build 8.7.0 (20649873)) with PKI card,

an error message appears instead of the PKI PIN dialogue (the current driver Alcor Micro USB Smart Card Reader Driver (1.9.17.2308) is installed, however):

This error is reproducible and occurs with every version >8.4.1.

These errors are written to the event log:

With regard to this event ID, Microsoft refers to an eSIM (in the WWAN chip) possibly misinterpreted by the system as a smart card:

However, deactivating the WWAN chip via the BIOS did not change anything and the error still occurs

Strangely enough, the above error message disappears immediately as soon as I downgrade to VMware Horizon Client 8.4.1 - then, with the same PKI card in the same smart card reader, the PKI PIN dialogue appears reliably as expected and the user can authenticate...I am soon despairing, as Lenovo is alternatively blaming Microsoft or VMware for the error, as the error on the unchanged hardware disappears with the downgrade.

Thanks in advance for the really, really much needed support!

Many greetings,

Yautja76

hongshengl · ‎02-06-2023

Translate the words from German to English:

Windows security

smart card

Select smart card device

Smart card error Microsoft UICC ISO Reader 8ca5e2a2 1

The smart card requires drivers that are not present on this system.

Try a different smart card or contact your administrator.

The smart card requires drivers that are not present on this system.

Try a different smart card or contact your administrator.

More options Smart card error

Microsoft UICC ISO Reader 8ca5e2a2 1

Personal - Siemens CardOS V4.4 Alcorlink USB Smart Card Reader 0

OK Interrupt

This dialog is popup by windows system which required by VMware Horizon product. It looks like the smart card driver is not present for the smart card user selected on the system.

Could you please use the certmgr.msc to delete all the local cached personal certificates? Then plugin the reader again and select the right certificate that belongs to the physical card.

hongshengl · ‎02-07-2023

you can enable the UseCryptoAPI to use legacy CAPIs by setting the regkey

HKLM(HKCU)\SOFTWARE\Policies\VMware, Inc.\VMware VDM\Client\UseCryptoAPI to true (REG_SZ)

then check the status.

Anyway, could you please enable detail log by setting the regkey HKLM\SOFTWARE\VMware, Inc.\VMware VDM\TraceEnabled to true (REG_SZ)

and collect windows client log?

Yautja76 · ‎02-28-2023

Hello hongshengl,

thank you also for this tip, which I will gladly try out.
I do know how to set the registry key active for detailed logging, but I am not sure where I can then find the log files you requested.

Many greetings and thanks in advance for the help

Yautja76

Yautja76 · ‎02-28-2023

Hello hongshengl,

thank you for your reply - please excuse the late response from me, unfortunately the notification mail was retained by the spam filter.

The driver for the smart card reader should definitely be installed, as Lenovo does not offer a more recent version of the driver "Alcor Micro USB Smart Card Reader Driver" than the one in the installed version 1.9.17.2308.

Strangely enough, as soon as I downgrade to version 8.4.1 of the VMware Horizon Client, the same laptop with the same PKI card of the same user works immediately without the above error message....

I will try the workaround you recommended in the next few days by deleting the personal certificates stored locally on the computer.

Are there any documentations / best practices for this problem scenario?

Many greetings and thanks in advance for the help!

Yautja76

All

ThinkPad T14s Gen 2i (20WM00A8GE) - Problems with VMware Horizon and PKI Cards - URGENT