Smart Card Logon Over RDP Fails with "Requested Key Container is not Available"


Issue

If smart card login works normally when you are physically at a workstation, but fails over RDP with the error "The requested key container is not available on the smart card", the YubiKey Smart Card Minidriver is loaded on the local system but not on the destination you are connecting to. To confirm this, follow the steps below.

  1. RDP to the server or workstation.
  2. Open Command Prompt.
  3. Run: certutil -scinfo
  4. Verify the output shows the Card as "Identity Device (NIST SP 800-73 [PIV])".

Resolution

With the YubiKey Minidriver MSI

Installing the YubiKey Minidriver MSI from the command line also provides an option to create a legacy node, so that the YubiKey Minidriver is loaded on the system without the need to physically plug a YubiKey into it.

  • The command line install is:
    msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1
  • For unattended mode - progress bar only:
    msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1 /passive
  • For quiet mode, no user interaction:
    msiexec /i YubiKey-Minidriver-4.1.1.210-x64.msi INSTALL_LEGACY_NODE=1 /quiet

 

Manual Resolution

First, ensure that you have the YubiKey Smart Card Minidriver installed on the remote destination. Then, start the Plug and Play service on your destination and ensure it is set to start automatically. If the issue persists, you can use the Add Hardware option to trigger Windows to change the driver.

  1. RDP to the server or workstation.
  2. Open the Run prompt (Windows Key + R).
  3. Run: hdwwiz.exe
  4. Click Next.
  5. Select Install the hardware that I manually select and click Next.
  6. Select Smart Cards and click Next.
  7. Select Yubico from the Manufacturer section, YubiKey Smart Card Minidriver from the Model section, and click Next.
  8. Click Next again.
  9. Click Finish to exit the wizard.
  10. Disconnect and RDP to the server or workstation again to test.

Note: You may want to use Group Policy to standardize the Plug and Play settings across your organization.
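
The confirmation check under Issue and the Plug and Play check under Manual Resolution can be scripted together. The PowerShell below is an added example, not Yubico's own tooling. It assumes certutil prints one "Card:" line per reader and that the Plug and Play service is named PlugPlay; the function name is hypothetical.

```powershell
# Added diagnostic example. Run it inside the RDP session on the destination,
# with the YubiKey redirected from the local system.
$PivCardName = 'Identity Device (NIST SP 800-73 [PIV])'   # card name from step 4 under Issue

function Get-ScInfoCardName {
    # Hypothetical helper: return the value of every "Card:" line in certutil output.
    # Assumption: certutil prints one "Card: <name>" line per reader holding a card.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match '^\s*Card:\s*(.+?)\s*$') { $Matches[1] }
    }
}

# -silent suppresses certutil's PIN dialogs so the command does not block.
$output = certutil.exe -scinfo -silent 2>&1 | ForEach-Object { "$_" }
$cards  = @(Get-ScInfoCardName -Lines $output)

if ($cards.Count -eq 0) {
    Write-Warning 'certutil reported no card in this session.'
}
foreach ($card in $cards) {
    if ($card -eq $PivCardName) {
        # Same condition the article describes: minidriver absent on the destination.
        Write-Warning "Card '$card': YubiKey Smart Card Minidriver is not loaded here."
    } else {
        Write-Output "Card '$card': not reported under the generic PIV name."
    }
}

# Plug and Play must be running and set to start automatically (Manual Resolution).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='PlugPlay'"
Write-Output ('Plug and Play: State={0}, StartMode={1}' -f $svc.State, $svc.StartMode)
if ($svc.State -ne 'Running' -or $svc.StartMode -ne 'Auto') {
    Write-Warning 'Plug and Play is not running or not set to start automatically.'
    # To correct it from an elevated prompt:
    #   Set-Service -Name PlugPlay -StartupType Automatic
    #   Start-Service -Name PlugPlay
}
```

A warning on the card name after the minidriver has been installed points to the legacy node or Add Hardware steps above.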