Let me preface this by stating that although I am well versed in PKI, I have virtually no experience with provisioning Smart Cards.
We have some folks traveling to mainland China later in the year, and I was asked to look into leveraging some extra Aladdin eToken USB smartcard fobs that we have lying around to implement 2-factor authentication for these users.
As an initial test, in my sandbox, I created a V2 copy of the "smartcard logon" template, gave myself read and enroll permissions against it, and then requested this type of cert through the CAPI console with my eToken attached. The request was successful, and I can see the certificate both in my CAPI store and on my eToken when looking in the Aladdin console.
So, I locked my machine and re-inserted the fob. The normal username/password prompt became a PIN prompt instead. So far, so good. But then, when I entered my eToken passphrase, I received "the requested keyset does not exist on the smartcard". What is the keyset that is being requested if it's not the public/private keypair of my cert?
I didn't find anything useful when Googling for that error message. I read through the "Smart Card Deployment" chapter of Brian Komar's book, and while I'm obviously not using an enrollment agent or an LRA in this case, I seem to have configured the template correctly, and the CA is definitely in the NTAuth store.
Any advice would be greatly appreciated.