Failure Codes

The AusweisApp will send failure codes indicating what went wrong and where it happened as well as how to solve it.

Helpful tips

The following tips will help you to prevent many of the failures mentioned in the next section. They also help you obtain further guidance and support.

Check ID card position

Check the position of your ID card on the smartphone or card reader. Especially with smartphones, the field strength for the power supply of the ID card is not always sufficient. If you place your smartphone on your ID card, please also ensure that the surface underneath is not electrically conductive, as this can disrupt or prevent communication with the ID card. If none of the above works, please see Replace ID card or card reader.

Contact support

If the provided failure code did not help to resolve the issue, please contact support (https://www.ausweisapp.bund.de/en/help-and-support), including the error code, a description of the situation, and the logfile, so that they can identify issues in your system configuration or AusweisApp. If you are using the AusweisApp, you will find the logfile in the Help section.

Inform service provider

Notify the service provider directly if the failure code indicates an incorrect TLS or service configuration. The service provider's contact information is usually available on the website on which you started the authentication.

Fix connection problems

For any failure code that mentions connection issues in its cause, check your current connection. Verify that your internet connection is active, e.g. by opening https://www.ausweisapp.bund.de in the browser of your choice. Also check your firewall and antivirus configuration as well as your local network hardware. Ultimately, the problem may lie with your telecommunications provider or the service provider. Please refer to the attached "Network_Error" for details. If you are using the AusweisApp, the diagnosis, which is located in the help section, may assist you in finding issues.

Replace ID card or card reader

It cannot be ruled out that your ID card is defective or, due to necessary updates, initially requires more power than your current smartphone or card reader can supply. If possible, try other card readers or smartphones. If the ID card still does not work you might need to replace it with a new one at your responsible authority.

Codes

  • User_Cancelled
    The user canceled the workflow. In the SDK case, the user can also be a third-party application that has disconnected from the SDK.
    Possible Solutions: Complete the workflow without canceling.
  • Card_Removed
    Possible causes for this failure are:
    1 Unstable NFC connection
    2 Removal of the ID card
    3 Removal of the card reader
    4 Cancellation of the remote access
    Possible Solutions:
    2 The ID card has to be present on the reader during the whole workflow
    3 The card reader has to be attached during the whole workflow
    4 You must not cancel the remote access during the whole workflow
  • Parse_TcToken_Invalid_Url
    An authentication was started according to TR-03124-1 section 2.2.1.1. However, no valid tcTokenURL was transmitted.
    Possible Solutions: Inform service provider.
  • Parse_TcToken_Missing_Url
    An authentication was started according to TR-03124-1 section 2.2.1.1. However, the query “tcTokenURL” is missing.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Invalid_Url
    An authentication was started according to TR-03124-1 section 2.2.1.1. However, no valid tcTokenURL using the https scheme was transmitted.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Invalid_Redirect_Url
    The tcTokenURL call was answered with a redirect. The URL provided there is invalid or does not use the https scheme.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Invalid_Certificate_Key_Length
    The TLS certificate transmitted by the server when retrieving the tcToken uses an insufficient key length.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Invalid_Ephemeral_Key_Length
    The ephemeral key length generated by the TLS handshake to get the tcToken is insufficient.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Invalid_Server_Reply
    The server responded to the request for the tcToken with neither content nor a redirect.
    Possible Solutions: Inform service provider.
  • Get_TcToken_ServiceUnavailable
    The server intended for providing the tcToken is temporarily unavailable.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Server_Error
    A server error 5xx occurred on requesting the tcToken.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Client_Error
    A client error 4xx occurred on requesting the tcToken.
    Possible Solutions: Contact support.
  • Get_TcToken_Empty_Data
    The server responded to the request for the tcToken with empty content.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Invalid_Data
    The server responded to the request for the tcToken with content that does not comply with TR-03124-1 section 2.6.
    Possible Solutions: Inform service provider.
  • Get_TcToken_Network_Error
    A network error occurred while retrieving the tcToken.
    Possible Solutions: Fix connection problems.
  • Certificate_Check_Failed_No_Description
    TR-03112-7 section 3.6.4.1 requires a description of the service provider certificate. However, this was not transmitted by the service provider in the EAC1InputType.
    Possible Solutions: Inform service provider.
  • Certificate_Check_Failed_No_SubjectUrl_In_Description
    TR-03124-1 section 2.7.3 requires that the service provider’s URL is included in the description of the certificate. The URL does not exist.
    Possible Solutions: Inform service provider.
  • Certificate_Check_Failed_Hash_Mismatch
    TR-03124-1 section 2.7.3 requires that the hash of the certificate description matches that stored in the certificate. These don’t match.
    Possible Solutions: Inform service provider.
  • Certificate_Check_Failed_Same_Origin_Policy_Violation
    TR-03124-1 section 2.7.3 requires that the tcTokenUrl has the same origin as the service provider’s URL from the certificate description. This condition is not met.
    Possible Solutions: Inform service provider.
  • Certificate_Check_Failed_Hash_Missing_In_Description
    TR-03124-1 Section 2.7.3 requires that the hashes of all TLS certificates used are included in the description of the service provider certificate. This condition is not met.
    Possible Solutions: Inform service provider.
  • Pre_Verification_No_Test_Environment
    Occurs when the development mode of AusweisApp is activated and a genuine ID card is used.
    Possible Solutions: Disable developer mode. The use of genuine ID cards is not permitted with activated developer mode, as this is only intended to facilitate the commissioning of services with test ID cards.
  • Pre_Verification_Invalid_Certificate_Chain
    A certificate chain was sent from the server that is unknown to AusweisApp.
    Possible Solutions: Inform service provider.
  • Pre_Verification_Invalid_Certificate_Signature
    At least one signature in the certificate chain used by the server is incorrect.
    Possible Solutions: Inform service provider.
  • Pre_Verification_Certificate_Expired
    The certificate chain used by the server is currently not valid.
    Possible Solutions: Make sure your system time is set correctly. If the problem persists, see Inform service provider.
  • Extract_Cvcs_From_Eac1_No_Unique_At
    The server submitted a certificate chain that contained more than one terminal certificate.
    Possible Solutions: Inform service provider.
  • Extract_Cvcs_From_Eac1_No_Unique_Dv
    The server transmitted a certificate chain containing more than one DV certificate.
    Possible Solutions: Inform service provider.
  • Extract_Cvcs_From_Eac1_At_Missing
    The server transmitted a certificate chain that does not contain a terminal certificate.
    Possible Solutions: Inform service provider.
  • Extract_Cvcs_From_Eac1_Dv_Missing
    The server transmitted a certificate chain that does not contain a DV certificate.
    Possible Solutions: Inform service provider.
  • Connect_Card_Connection_Failed
    In order to communicate with the ID card, a connection must first be established. This process failed.
    Possible Solutions: Check ID card position.
  • Connect_Card_Eid_Inactive
    The PIN of the card is deactivated. The card can currently only be used with the CAN for on-site reading.
    Possible Solutions: When your ID card was issued, the online ID card function (the PIN) was not activated or you had the function deactivated afterwards. You can have the function activated at the citizens’ office (Bürgeramt) or activate it with the CAN at https://www.pin-ruecksetzbrief-bestellen.de.
  • Prepace_Pace_Smart_Eid_Invalidated
    The attempt to establish a connection with a PIN to a Smart-eID failed because all PIN attempts have been used.
    Possible Solutions: The PIN is permanently disabled after 3 failed attempts. Please set up your Smart-eID again.
  • Establish_Pace_Channel_Basic_Reader_No_Pin
    An attempt was made to establish a PACE channel with a basic reader. However, the PIN, CAN, or PUK could not be taken over after the user input.
    Possible Solutions: Contact support.
  • Establish_Pace_Channel_Puk_Inoperative
    An attempt was made to set up a PACE channel with the PUK to unlock the PIN. However, the PUK can no longer be used because it has already been used 10 times.
    Possible Solutions: The PIN can be unlocked with the PUK after three incorrect entries. This is only possible ten times, though, and you have reached that limit. You can, however, set a new PIN at the citizens’ office (Bürgeramt) or have it set with the CAN at https://www.pin-ruecksetzbrief-bestellen.de.
  • Establish_Pace_Channel_Unknown_Password_Id
    The establishment of a PACE channel was finished. However, an unsupported password type was used (PIN, CAN, PUK are supported).
    Possible Solutions: Contact support.
  • Establish_Pace_Channel_User_Cancelled
    The user canceled the workflow on a comfort USB reader or a smartphone as a card reader with keyboard mode enabled.
    Possible Solutions: Complete the workflow without canceling.
  • Maintain_Card_Connection_Pace_Unrecoverable
    An error occurred while setting up the PACE channel that was not due to user error.
    Possible Solutions: The connection to the ID card could not be established with the PIN, CAN, or PUK. The entered passwords have no influence on this. Please note Check ID card position.
  • Did_Authenticate_Eac1_Card_Command_Failed
    The 4th card command of the terminal authentication according to TR-03110-3 section B.3 failed.
    Possible Solutions: Check ID card position.
  • Process_Certificates_From_Eac2_Cvc_Chain_Missing
    When setting up the PACE channel with PIN or CAN, the ID card communicated which certificate it knew. However, the server sent a certificate chain that does not contain this certificate.
    Possible Solutions: Inform service provider.
  • Did_Authenticate_Eac2_Invalid_Cvc_Chain
    When setting up the PACE channel with PIN or CAN, the ID card communicated which certificate it knew. However, the server sent a certificate chain that does not contain this certificate.
    Possible Solutions: Inform service provider.
  • Did_Authenticate_Eac2_Card_Command_Failed
    A terminal or chip authentication card command according to TR-03110-3 sections B.2 and B.3 failed.
    Possible Solutions: Check ID card position.
  • Generic_Send_Receive_Paos_Unhandled
    A message was sent by the server in the PAOS communication during authentication that could not be completely processed.
    Possible Solutions: Contact support.
  • Generic_Send_Receive_Network_Error
    A network error has occurred in the PAOS communication during authentication.
    Possible Solutions: Fix connection problems.
  • Generic_Send_Receive_Tls_Error
    An authentication error occurred in the PAOS communication during the TLS handshake. The TLS certificate is incorrect.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Service_Unavailable
    The server intended for the PAOS communication during authentication is temporarily unavailable.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Server_Error
    A server error 5xx occurred in the PAOS communication during authentication.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Client_Error
    A client error 4xx occurred in the PAOS communication during authentication.
    Possible Solutions: Contact support.
  • Generic_Send_Receive_Paos_Unknown
    An unknown message was sent by the server in the PAOS communication during authentication.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Paos_Unexpected
    An unexpected message was sent by the server in the PAOS communication during authentication.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Invalid_Ephemeral_Key_Length
    The symmetric key generated by the TLS handshake for PAOS communication is not long enough.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Certificate_Error
    The TLS certificate for PAOS communication uses key lengths that are too small or is not included in the description of the service provider certificate.
    Possible Solutions: Inform service provider.
  • Generic_Send_Receive_Session_Resumption_Failed
    Failed to resume TLS session during PAOS communication.
    Possible Solutions: Contact support.
  • Transmit_Card_Command_Failed
    During authentication, card commands transmitted in PAOS communication could not be correctly transmitted to the card.
    Possible Solutions: Check ID card position.
  • Start_Paos_Response_Missing
    The message “StartPaosResponse” from the server could not be evaluated because it does not exist.
    Possible Solutions: Contact support.
  • Start_Paos_Response_Error
    The “StartPaosResponse” message from the server returned an error. The AusweisApp or the ID card did not behave as expected by the server.
    Possible Solutions: Contact support.
  • Check_Refresh_Address_Fatal_Tls_Error_Before_Reply
    An error occurred during the TLS handshake when checking the return address after a successful authentication. The TLS certificate is incorrect.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Invalid_Ephemeral_Key_Length
    The symmetric key generated by the TLS handshake when calling the return address is not long enough.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Service_Unavailable
    The server providing the return address is temporarily unavailable.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Server_Error
    A server error 5xx occurred on requesting the return address.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Client_Error
    A client error 4xx occurred on requesting the return address.
    Possible Solutions: Contact support.
  • Check_Refresh_Address_Service_Timeout
    The call to the return address did not provide an answer within 30 seconds.
    Possible Solutions: Fix connection problems.
  • Check_Refresh_Address_Proxy_Error
    A proxy server was configured by the operating system or the settings of AusweisApp. This didn’t work for checking the return address.
    Possible Solutions: Fix connection problems.
  • Check_Refresh_Address_Fatal_Tls_Error_After_Reply
    When checking the return address after successful authentication, the TLS handshake could not be completed successfully.
    Possible Solutions: Fix connection problems.
  • Check_Refresh_Address_Unknown_Network_Error
    An unknown error occurred when checking the return address after successful authentication.
    Possible Solutions: Fix connection problems.
  • Check_Refresh_Address_Invalid_Http_Response
    The call to the return address did not result in a redirect.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Empty
    The call to the return address led to a redirect but no URL was supplied.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Invalid_Url
    The call to the return address led to a redirect, but no correct URL was supplied.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_No_Https_Scheme
    The call to the return address led to a redirect, but delivered a URL without the https scheme.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Fetch_Certificate_Error
    The server certificate could not be obtained after tracing all redirects.
    Possible Solutions: Fix connection problems.
  • Check_Refresh_Address_Unsupported_Certificate
    The check of the return address after a successful authentication was interrupted because the server uses a TLS certificate with unsupported algorithms or key lengths.
    Possible Solutions: Inform service provider.
  • Check_Refresh_Address_Hash_Missing_In_Certificate
    The server certificate of the return address is not included in the description of the service provider certificate.
    Possible Solutions: Inform service provider.
  • Browser_Send_Failed
    On desktop systems, the web browser waits for a response from AusweisApp after starting authentication. However, for unknown reasons, the connection to the web browser is lost and the answer cannot be sent.
    Possible Solutions: If the problem occurs repeatedly and changing the browser does not help, please Contact support.
  • Generic_Provider_Communication_Network_Error
    A network error occurred while communicating with a service provider. This only applies to services that are started from AusweisApp, such as self-authentication.
    Possible Solutions: Fix connection problems.
  • Generic_Provider_Communication_Invalid_Ephemeral_Key_Length
    When communicating with a service provider, the symmetric key generated by the TLS handshake is not long enough. This only applies to services that are started from AusweisApp, such as self-authentication.
    Possible Solutions: Inform service provider.
  • Generic_Provider_Communication_Certificate_Error
    When communicating with a service provider, the TLS certificate uses key lengths that are insufficient. This only applies to services that are started from AusweisApp, such as self-authentication.
    Possible Solutions: Inform service provider.
  • Generic_Provider_Communication_Tls_Error
    An error occurred during the TLS handshake when communicating with a service provider. The TLS certificate is incorrect. This only applies to services that are started from AusweisApp, such as self-authentication.
    Possible Solutions: Inform service provider.
  • Generic_Provider_Communication_ServiceUnavailable
    The server of the service provider is temporarily unavailable.
    Possible Solutions: Inform service provider.
  • Generic_Provider_Communication_Server_Error
    A server error 5xx occurred in the communication with the service provider.
    Possible Solutions: Inform service provider.
  • Generic_Provider_Communication_Client_Error
    A client error 4xx occurred in the communication with the service provider.
    Possible Solutions: Contact support.
  • Get_SelfAuthData_Invalid_Or_Empty
    The authentication for the self-authentication was completed successfully, but the server then did not transmit the read data correctly.
    Possible Solutions: Inform service provider.
  • Change_Pin_No_SetEidPinCommand_Response
    The AusweisApp sent a PIN change command to its core, but received an answer for a different command.
    Possible Solutions: Contact support.
  • Change_Pin_Input_Timeout
    When changing a PIN, the user took too long to set the new PIN. Timeouts are currently only known from card readers with a PIN pad, which also affects smartphones as card readers with activated keyboard mode.
    Possible Solutions: Enter the PIN within 60 seconds.
  • Change_Pin_User_Cancelled
    The user canceled the PIN change after entering the current valid PIN. Can only occur with card readers with a PIN pad, which also affects smartphones as card readers with activated keyboard mode.
    Possible Solutions: Carry out the PIN change without aborting it.
  • Change_Pin_New_Pin_Mismatch
    When changing a PIN, the user entered an incorrect confirmation of the new PIN. Can only occur with USB card readers with a PIN pad. Smartphone as a card reader with activated keyboard mode does not allow this behavior.
    Possible Solutions: Confirm the new PIN correctly.
  • Change_Pin_New_Pin_Invalid_Length
    When changing a PIN, the user entered a new PIN with an incorrect length. Can only occur with USB card readers with a PIN pad. However, there is no known device/case that allows this possibility. Smartphone as a card reader with activated keyboard mode does not allow this behavior.
    Possible Solutions: Contact support.
  • Change_Pin_Unexpected_Transmit_Status
    The command to change the PIN has been transmitted and answered. However, the answer is blank, unknown, or unexpected.
    Possible Solutions: Check ID card position.
  • Change_Pin_Card_New_Pin_Mismatch
    Like Change_Pin_New_Pin_Mismatch but at a higher protocol level.
    Possible Solutions: Confirm the new PIN correctly.
  • Change_Pin_Card_User_Cancelled
    Like Change_Pin_User_Cancelled but at a higher log level.
    Possible Solutions: Carry out the PIN change without aborting it.
  • Change_Pin_Unrecoverable
    The change PIN workflow encountered an error, which prevents the continuation of the workflow. This often indicates a problem with the card connection.
    Possible Solutions: Check ID card position.
  • Start_Ifd_Service_Failed
    The IFD service according to TR-03112-6 appendix “IFD Service” could not be started. Either no suitable TLS certificate could be found/generated or the start of the TLS server failed. This applies to both remote access and the local service of AusweisApp on Android that is used through the SDK.
    Possible Solutions: Contact support.
  • Prepare_Pace_Ifd_Unknown
    The establishment of a PACE channel was requested by the client on a smartphone as a card reader with activated keyboard mode. However, an unsupported password type was requested (PIN, CAN, PUK are supported).
    Possible Solutions: Contact support.
  • Establish_Pace_Ifd_Unknown
    The establishment of a PACE channel was requested by the client on a smartphone as a card reader with activated keyboard mode. However, an unsupported password type was requested (PIN, CAN, PUK are supported).
    Possible Solutions: Contact support.
  • Enter_Pace_Password_Ifd_User_Cancelled
    Occurs when the user canceled entering the PIN, CAN, or PUK on a smartphone acting as a card reader with keyboard mode enabled.
    Possible Solutions: Contact support.
  • Enter_New_Pace_Pin_Ifd_User_Cancelled
    Occurs when the user has canceled entering the new PIN during a PIN change on a smartphone acting as a card reader with keyboard mode enabled.
    Possible Solutions: Contact support.
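
Added example (not part of the original page and not AusweisApp code): a pre-flight self-check a service provider could run when users report the "Inform service provider" codes Get_TcToken_Invalid_Url, Get_TcToken_Invalid_Redirect_Url and the Certificate_Check_Failed_* codes above. The function names, the scheme/host/port origin comparison, the hex-string hash format and all sample values are assumptions made for this illustration.

```python
from urllib.parse import urlsplit

# Assumption: "same origin" is compared as (scheme, host, port), with the
# scheme's default port filled in when the URL carries none.
DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port), or None if the URL cannot be used."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if not scheme or not parts.hostname:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    return (scheme, parts.hostname, port)


def is_https(url):
    """True only for a parseable URL that uses the https scheme."""
    o = origin(url)
    return o is not None and o[0] == "https"


def precheck(tc_token_url, redirects, subject_url,
             described_hashes, tls_cert_hashes):
    """Return the failure codes from this page that the deployment would trigger.

    tc_token_url      URL handed to the client as tcTokenURL
    redirects         URLs returned as redirects while fetching the tcToken
    subject_url       service provider URL from the certificate description
    described_hashes  TLS certificate hashes listed in that description (hex)
    tls_cert_hashes   hashes of the TLS certificates actually served (hex)
    """
    codes = []
    if not is_https(tc_token_url):
        codes.append("Get_TcToken_Invalid_Url")
    if any(not is_https(u) for u in redirects):
        codes.append("Get_TcToken_Invalid_Redirect_Url")
    if not subject_url:
        codes.append("Certificate_Check_Failed_No_SubjectUrl_In_Description")
    elif origin(tc_token_url) != origin(subject_url):
        codes.append("Certificate_Check_Failed_Same_Origin_Policy_Violation")
    known = {h.lower() for h in described_hashes}
    if any(h.lower() not in known for h in tls_cert_hashes):
        codes.append("Certificate_Check_Failed_Hash_Missing_In_Description")
    return codes


if __name__ == "__main__":
    # Constructed sample deployment: a plain-http tcTokenURL and a TLS
    # certificate whose hash is absent from the certificate description.
    for code in precheck("http://sp.example/tctoken",
                         ["https://eid.sp.example/token"],
                         "https://sp.example",
                         ["aa11"], ["cc33"]):
        print(code)
```

An empty result means none of these five conditions was found; it does not cover key lengths, certificate chains or the other codes on this page.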