AD-Joined Passwordless Login on ASA Failing with Error "The revocation status of the smart card certificate used for authentication could not be determined"
Advanced Server Access
Overview

When attempting to Remote Desktop Protocol (RDP) to an Active Directory (AD)-joined Advanced Server Access (ASA) server with a passwordless login, the login fails with the following error:

The revocation status of the smart card certificate used for authentication could not be determined.
 


Applies To
  • Advanced Server Access (ASA)
  • AD-joined passwordless login
Cause

This error occurs because ASA uses smart card login for the AD-joined passwordless feature. On Windows, smart card login generally requires that the authenticating Domain Controller can reach the CRL Distribution Point (CDP) location, where CRL stands for Certificate Revocation List.


ASA sets the CDP on the certificates for passwordless login to the app.scaleft.com platform. As such, the Domain Controllers must be able to reach app.scaleft.com over the internet.

Solution
Configure the network so that the Domain Controllers can reach the app.scaleft.com platform over the internet.
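
One way to confirm the fix from a Domain Controller is the script below. It is an added example, not Okta's own tooling. It assumes the CDP is served on TCP 443 and, optionally, that a copy of the passwordless login certificate has been exported to a file; the `-CertPath` parameter and that file are hypothetical.

```powershell
# Added diagnostic sketch (not from the original article).
# Run it on each Domain Controller that authenticates ASA logins; a result
# from a workstation says nothing about the DC's own network path.
param(
    # Optional, hypothetical: exported copy of the passwordless login certificate.
    [string]$CertPath,
    # Host named in the article as the CDP location.
    [string]$CdpHost = 'app.scaleft.com',
    # Assumption: the CDP is reached over HTTPS; change if the certificate says otherwise.
    [int]$Port = 443
)

function Get-CdpUrl {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    # 2.5.29.31 is the CRL Distribution Points extension.
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    # Format() renders the extension as text that contains "URL=<location>" entries.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

# Default target: the host from the article. With a certificate, use its real CDP URLs.
$targets = @([pscustomobject]@{ Host = $CdpHost; Port = $Port; Url = $null })
if ($CertPath) {
    $targets = @(Get-CdpUrl -Path $CertPath | ForEach-Object {
        $u = [uri]$_
        [pscustomobject]@{ Host = $u.Host; Port = $u.Port; Url = $_ }
    })
    if (-not $targets) { Write-Warning 'Certificate carries no CRL Distribution Point.' }
}

foreach ($t in $targets) {
    $tcp = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    $fetch = 'not attempted'
    if ($tcp.TcpTestSucceeded -and $t.Url) {
        try {
            $r = Invoke-WebRequest -Uri $t.Url -UseBasicParsing -TimeoutSec 15
            $fetch = "HTTP $($r.StatusCode), $($r.RawContentLength) bytes"
        } catch { $fetch = "failed: $($_.Exception.Message)" }
    }
    [pscustomobject]@{
        Host = $t.Host; Port = $t.Port; RemoteAddress = $tcp.RemoteAddress
        TcpReachable = $tcp.TcpTestSucceeded; CrlFetch = $fetch
    }
}

# With a certificate file, let Windows run its own revocation check as well.
if ($CertPath) { certutil -verify -urlfetch $CertPath }
```

A `TcpReachable` value of `False` on any Domain Controller points to the firewall, proxy or DNS path that needs to be opened toward app.scaleft.com.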