Smart Card newbie question
Let me preface this by stating that although I am well versed in PKI, I have virtually no experience with provisioning Smart Cards. We have some folks traveling to mainland China later in the year, and I was asked to look into leveraging some extra Aladdin eToken USB smartcard fobs that we have lying around to implement 2-factor authentication for these users. As an initial test, in my sandbox, I created a V2 copy of the "smartcard logon" template, gave myself read and enroll permissions against it, and then requested this type of cert through the CAPI console with my eToken attached. The request was successful, and I can see the certificate both in my CAPI store and on my eToken when looking in the Aladdin console. So, I locked my machine and re-inserted the fob. The normal username/password prompt became a PIN prompt instead. So far, so good. But then, when I entered my eToken passphrase, I received "the requested keyset does not exist on the smartcard". What is the keyset that is being requested if it's not the public/private keypair of my cert? I didn't find anything useful when Googling for that error message. I read through the "Smart Card Deployment" chapter of Brian Komar's book, and while I'm obviously not using an enrollment agent or an LRA in this case, I seem to have configured the template correctly, and the CA is definitely in the NTAuth store. Any advice would be greatly appreciated.
April 26th, 2010 10:22pm

Check the purpose of the certificate template and if it is not set to Smartcard Logon, change it and request a new certificate. Paul Adare CTO IdentIT Inc. ILM MVP
April 26th, 2010 10:34pm

Make sure you have selected the Aladdin eToken CSP on the Request Handling/CSP tab and that you were prompted for a PIN during certificate enrollment. If not, this may be caused by an Aladdin policy that allows copying certificates from the local store to a token. While by default the smart card certificate's private key is not exportable, only the public part was copied to the smart card. http://www.sysadmins.lv
April 26th, 2010 10:36pm
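As an added example (not code from the thread or from Aladdin), the following PowerShell check makes the answer above verifiable on the client: it lists every certificate in the user's personal store that carries the Smart Card Logon EKU and reports whether Windows can open a private key for it and which CSP or KSP holds that key. A certificate whose key cannot be opened, or whose key sits in the software CSP rather than the token vendor's CSP, is the "keyset does not exist" situation described above: the public half reached the token but the private key never did. The EKU OID and the .NET member names used are standard Windows values; the function name is my own.

```powershell
# Smart Card Logon EKU (szOID_KP_SMARTCARD_LOGON).
$SmartCardLogonOid = '1.3.6.1.4.1.311.20.2.2'

function Get-SmartCardLogonKeyInfo {
    Get-ChildItem Cert:\CurrentUser\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonOid } |
        ForEach-Object {
            $cert     = $_
            $provider = $null
            $hardware = $null
            if ($cert.HasPrivateKey) {
                try {
                    # Legacy CSP keys (the eToken CSP is one) expose CspKeyContainerInfo,
                    # which names the provider and says whether it is a hardware device.
                    $key = $cert.PrivateKey
                    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        $provider = $key.CspKeyContainerInfo.ProviderName
                        $hardware = $key.CspKeyContainerInfo.HardwareDevice
                    } else {
                        # CNG key: ask the key storage provider for its name instead.
                        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
                        if ($rsa -and $rsa.Key) { $provider = $rsa.Key.Provider.Provider }
                    }
                } catch {
                    # The key container the certificate points at cannot be opened:
                    # this is what the logon UI surfaces as "keyset does not exist".
                    $provider = "UNAVAILABLE: $($_.Exception.Message)"
                }
            }
            [pscustomobject]@{
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                HasPrivateKey = $cert.HasPrivateKey
                Provider      = $provider
                HardwareKey   = $hardware
            }
        }
}

Get-SmartCardLogonKeyInfo | Format-Table -AutoSize
```

Run it with the token inserted; a healthy enrollment shows the vendor's smart card CSP (or KSP) as the provider, while a software provider or an UNAVAILABLE entry means the certificate must be re-requested with the correct CSP selected.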

That was it. Thanks.
April 26th, 2010 10:53pm

I am using CAPICOM with eToken Pro. I have initialized the token with a valid certificate and I can see the cert in both eToken console and the Windows cert store through IE. In my code, while I try to open the store on the eToken by the constant, CAPICOM_SMART_CARD_USER_STORE, the system gives error "Keyset Does Not Exist". Such a problem does not occur when I am using Safenet iKey2032. The error does not come when I am using CAPICOM_LOCAL_MACHINE_STORE. I would like to use the keys on the eToken only and not on the CURRENT_USER or LOCAL_MACHINE_STORE. Please reply.
July 22nd, 2010 5:45pm

You should start your own thread on this topic rather than using this thread which has been resolved for 3 months. You're also likely to get a better response in one of the MSDN forums that are dedicated to programming.
July 22nd, 2010 6:59pm

Thanks Paul. I consider it more of a configuration issue, as the program works well with Safenet i2032 or even with eToken Pro if we choose the local machine store. I am interested in opening the smart card store only. Could you tell me how to reach the following point? "Make sure if you have selected Aladdin eToken CSP in Request Handling/CSP tab and you had prompted for PIN during certificate enrollment."
July 23rd, 2010 3:30pm
