FreeRDP session connection failed with error the requested key container does not exist on the smart card

[roman-pr-v]

Environment:

1. FreeRDP version 3.17.2-dev0 (934a4866e)
2. Windows Server 2025 VM, Standard Evaluation Version: 24H2, OS build: 26100.6584, Experience: Windows Feature Experience Pack 1000.26100.234.0
3. Server: Windows 11 VM, Enterprise Version: 22H2, OS build: 19045.6332
4. Client: macOS Tahoe 26.0; Chip Apple M1

Preconditions:

1. Windows Server 2025 VM is configured and launched:

• set up and configure Active Directory
• set up and configure DNS server
• aet up and configure Certification Authority
• set up and configure certificate template for the RDP smartcard logon
• create a user for the domain-joined machine

2. Domain-joined Windows 11 VM is configured and launched:

• join WIndows 11 to our domain
• allow RDP access
• disable NTLM to make sure that we always use Kerberos for NLA and not NTLM
• YubiKey minidriver installed

3. Smart card device (YubiKey with supporting PIV) is configured:

• set up Yubikey 5 Nano with enrolled certificate

4. macOS machine with connected smart card is configured and launched:

• macOS with libykcs11.dylib installed
• set up environment variables:
  SSPI_PKCS11_MODULE_PATH - <path/to/libykcs11.dylib module>
  SSPI_KDC_URL -
  SSPI_LOG_LEVEL - trace
  SSPI_LOG_PATH - <path/to/logfile>
  SSPI_SCARD_TYPE - system
  WINSCARD_USE_SYSTEM_SCARD - true
  WINSCARD_SMARTCARD_CONTAINER_NAME -
  WINSCARD_CERTIFICATE_FILE_PATH - <path/to/smartcard/certificate>

Steps:

1. Open terminal on the macOS machine
2. Launch FreeRDP session using command:
   ./sdl-freerdp /v:DP11PRO.qaexample.com /u:joemoon /d:qaexample.com /p:123456 /smartcard-logon /sec:nla /cert:ignore /log-level:TRACE /auth-pkg-list:!ntlm,kerberos /sspi-module:/Users/user/Desktop/sspi-rs/18-09-2025_macps_system_scard_support/libsspi.dylib /kerberos:pkcs11-module:"/opt/homebrew/lib/libykcs11.2.7.2.dylib" /winscard-module:/Users/user/Desktop/sspi-rs/18-09-2025_macps_system_scard_support/libsspi.dylib > rdp.out.log

Actual Result: FreeRDP session connection failed with error the requested key container does not exist on the smart card, see video, sspi.log and rdp.out.log in attach: FreeRDP-failed-requested key-container-not-exist.mov, sspi.log, rdp.out.log

sspi.log
rdp.out.log

Expected Result: The FreeRDP connection should be established successfully. The user should be granted access to the system, and the system should proceed to the user's desktop. You can see the remote screen.

FreeRDP-failed-requested.key-container-not-exist.mov

[thenextman]

Interested in your thoughts on this @TheBestTvarynka because I've noticed the same thing. However I think on my side it's something weird in the environment:

• Possibly "solved" by uninstalling the YubiKey Minidriver on the server (although, we would like the driver to be installed in case it's needed)
• Perhaps certificate is not propagated to certificate store on server side?

I think it could also be the case if the smartcard reader was "disconnected" (whether actually disconnected, or just a disconnection triggered by the server - maybe Smartcard service not running? - or something weird in FreeRDP)