The AusweisApp2 will send failure codes indicating what went wrong and where it happened as well as how to solve it.
The following tips will help you to prevent many of the failures mentioned in the next section. They also help you to obtain further guidance and support.
Check the position of your ID card on the smartphone or card reader. Especially with smartphones, the field strength for the power supply of the ID card is not always sufficient. If you place your smartphone on your ID card, please also ensure that your surface is not electrically conductive, as this can then disrupt or prevent communication with the ID card. If all of the above does not work, please see :ref:`failure_code_replace_card_or_card_reader`.
If the provided failure code did not help to resolve the issue, please contact support (https://www.ausweisapp.bund.de/en/help-and-support) and include the error code, a description of the situation, and the logfile, so that they can identify issues in your system configuration or AusweisApp2. If you are using the AusweisApp2, you will find the logfile in the Help section.
Notify the service provider directly if the failure code indicates an incorrect TLS or service configuration. Usually the service provider's contact information is available on the website on which you started the authentication.
For any failure code that mentions connection issues in its cause, it is recommended to check your current connection. Verify that your internet connection is active, e.g. by opening https://www.ausweisapp.bund.de in the browser of your choice. This includes checking your firewall and antivirus configuration as well as your local network hardware. Ultimately the problem may be with your telecommunications provider or the service provider. Please refer to the attached "Network_Error" for details. If you are using the AusweisApp2, the diagnosis, which is located in the help section, may assist you in finding issues.
It cannot be ruled out that your ID card is defective or, due to necessary updates, initially requires more power than your current smartphone or card reader can supply. If possible, try other card readers or smartphones. If the ID card still does not work you might need to replace it with a new one at your responsible authority.

User_Cancelled
  The user canceled the workflow. In the SDK case, the user can also be a third-party application that has disconnected from the SDK.

  Possible Solutions: Complete the workflow without canceling.

Card_Removed
  Possible causes for this failure are:

  1. Unstable NFC connection
  2. Removal of the ID card
  3. Removal of the card reader
  4. Cancellation of the remote access

  Possible Solutions:

  2. The ID card has to be present on the reader during the whole workflow
  3. The card reader has to be attached during the whole workflow
  4. You must not cancel the remote access during the whole workflow

Processing_Send_Status_Failed
  Occurs if the browser could not be told to wait longer to prevent a timeout.

  Possible Solutions: Change the browser. If the problem persists, :ref:`failure_code_contact_support`.

Parse_TcToken_Invalid_Url
  An authentication was started according to TR-03124-1 section 2.2.1.1. However, no valid tcTokenURL was transmitted.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Parse_TcToken_Missing_Url
  An authentication was started according to TR-03124-1 section 2.2.1.1. However, the query "tcTokenURL" is missing.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Invalid_Url
  An authentication was started according to TR-03124-1 section 2.2.1.1. However, no valid tcTokenURL using the https scheme was transmitted.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Invalid_Redirect_Url
  The tcTokenURL call was answered with a redirect. The URL provided there is invalid or does not use the https scheme.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Invalid_Certificate_Key_Length
  The TLS certificate transmitted by the server when retrieving the tcToken uses an insufficient key length.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.


Get_TcToken_Invalid_Ephemeral_Key_Length
  The ephemeral key length generated by the TLS handshake to get the tcToken is insufficient.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Invalid_Server_Reply
  The server responded to the request for the tcToken neither with content nor with a forwarding.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Empty_Data
  The server responded to the request for the tcToken with empty content.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Invalid_Data
  The server responded to the request for the tcToken with content that does not comply with TR-03124-1 section 2.6.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_TcToken_Network_Error
  A network error occurred while retrieving the tcToken.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Certificate_Check_Failed_No_Description
  TR-03112-7 section 3.6.4.1 requires a description of the service provider certificate. However, this was not transmitted by the service provider in the EAC1InputType.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Certificate_Check_Failed_No_SubjectUrl_In_Description
  TR-03124-1 section 2.7.3 requires that the service provider's URL is included in the description of the certificate. The URL does not exist.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Certificate_Check_Failed_Hash_Mismatch
  TR-03124-1 section 2.7.3 requires that the hash of the certificate description matches that stored in the certificate. These don't match.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Certificate_Check_Failed_Same_Origin_Policy_Violation
  TR-03124-1 section 2.7.3 requires that the tcTokenUrl has the same origin as the service provider's URL from the certificate description. This condition is not met.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.


Certificate_Check_Failed_Hash_Missing_In_Description
  TR-03124-1 Section 2.7.3 requires that the hashes of all TLS certificates used are included in the description of the service provider certificate. This condition is not met.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Pre_Verification_No_Test_Environment
  Occurs when the development mode of AusweisApp2 is activated and a genuine ID card is used.

  Possible Solutions: Disable developer mode. The use of genuine ID cards is not permitted with activated developer mode, as this is only intended to facilitate the commissioning of services with test ID cards.

Pre_Verification_Invalid_Certificate_Chain
  A certificate chain was sent from the server that is unknown to AusweisApp2.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Pre_Verification_Invalid_Certificate_Signature
  At least one signature in the certificate chain used by the server is incorrect.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Pre_Verification_Certificate_Expired
  The certificate chain used by the server is currently not valid.

  Possible Solutions: Make sure your system time is set correctly. If the problem persists, see :ref:`failure_code_inform_service_provider`.

Extract_Cvcs_From_Eac1_No_Unique_At
  The server submitted a certificate chain that contained more than one terminal certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Extract_Cvcs_From_Eac1_No_Unique_Dv
  The server transmitted a certificate chain containing more than one DV certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Extract_Cvcs_From_Eac1_At_Missing
  The server transmitted a certificate chain that does not contain a terminal certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Extract_Cvcs_From_Eac1_Dv_Missing
  The server transmitted a certificate chain that does not contain a DV certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.


Connect_Card_Connection_Failed
  In order to communicate with the ID card, a connection must first be established. This process failed.

  Possible Solutions: :ref:`failure_code_card_position`.

Connect_Card_Eid_Inactive
  The PIN of the card is deactivated. The card can currently only be used with the CAN for on-site reading.

  Possible Solutions: When your ID card was issued, the online ID card function (the PIN) was not activated or you had the function deactivated afterwards. You can have the function activated at the citizens' office (Bürgeramt) or activate it with the CAN at https://www.pin-ruecksetzbrief-bestellen.de.

Prepace_Pace_Smart_Eid_Invalidated
  The attempt to establish a connection with a PIN to a Smart-eID failed, because all PIN-attempts have been used.

  Possible Solutions: The PIN is permanently disabled after 3 failed attempts. Please set up your Smart-eID again.

Establish_Pace_Channel_No_Active_Pin
  An authentication was aborted by a card reader in order to replace the five-digit Transport PIN.

  Possible Solutions: The AusweisApp2 automatically leads the user to the PIN change to set a six-digit PIN. If this error occurs in a third-party app, you have to start a PIN change on your own.

Establish_Pace_Channel_Basic_Reader_No_Pin
  An attempt was made to establish a PACE-channel with a basic reader. However the PIN, CAN, or PUK could not be taken over after the user-input.

  Possible Solutions: :ref:`failure_code_contact_support`.

Establish_Pace_Channel_Puk_Inoperative
  An attempt was made to set up a PACE channel with the PUK to unlock the PIN. However, the PUK can no longer be used because it has already been used 10 times.

  Possible Solutions: The PIN can be unlocked with the PUK after three incorrect entries. However, this is only possible ten times and you have reached that limit. However you can set a new PIN at the citizens' office (Bürgeramt) or let it be set with the CAN at https://www.pin-ruecksetzbrief-bestellen.de.


Establish_Pace_Channel_User_Cancelled
  The user canceled the workflow on a comfort USB reader or a smartphone as a card reader with keyboard mode enabled.

  Possible Solutions: Complete the workflow without canceling.

Maintain_Card_Connection_Pace_Unrecoverable
  An error occurred while setting up the PACE channel that was not due to user error.

  Possible Solutions: The connection to the ID card could not be established with the PIN, CAN, or PUK. The entered passwords have no influence on this. Please note :ref:`failure_code_card_position`.

Did_Authenticate_Eac1_Card_Command_Failed
  The 4th card command of the terminal authentication according to TR-0110-3 section B.3 failed.

  Possible Solutions: :ref:`failure_code_card_position`.

Process_Certificates_From_Eac2_Cvc_Chain_Missing
  When setting up the PACE channel with PIN or CAN, the ID card communicated which certificate it knew. However, the server sent a certificate chain that does not contain this certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Did_Authenticate_Eac2_Invalid_Cvc_Chain
  When setting up the PACE channel with PIN or CAN, the ID card communicated which certificate it knew. However, the server sent a certificate chain that does not contain this certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Did_Authenticate_Eac2_Card_Command_Failed
  A terminal or chip authentication card command according to TR-0110-3 sections B.2 and B.3 failed.

  Possible Solutions: :ref:`failure_code_card_position`.

Generic_Send_Receive_Paos_Unhandled
  A message was sent by the server in the PAOS communication during authentication, that could not be completely processed.

  Possible Solutions: :ref:`failure_code_contact_support`.

Generic_Send_Receive_Network_Error
  A network error has occurred in the PAOS communication during authentication.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.


Generic_Send_Receive_Tls_Error
  An authentication error occurred in the PAOS communication during the TLS handshake. The TLS certificate is incorrect.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Send_Receive_Server_Error
  A server error 5xx occurred in the PAOS communication during authentication.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Send_Receive_Client_Error
  A client error 4xx occurred in the PAOS communication during authentication.

  Possible Solutions: :ref:`failure_code_contact_support`.

Generic_Send_Receive_Paos_Unknown
  An unknown message was sent by the server in the PAOS communication during authentication.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Send_Receive_Paos_Unexpected
  An unexpected message was sent by the server in the PAOS communication during authentication.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Send_Receive_Invalid_Ephemeral_Key_Length
  The symmetric key generated by the TLS handshake for PAOS communication is not long enough.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Send_Receive_Certificate_Error
  The TLS certificate for PAOS communication uses key lengths that are too small or is not included in the description of the service provider certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Send_Receive_Session_Resumption_Failed
  Failed to resume TLS session during PAOS communication.

  Possible Solutions: :ref:`failure_code_contact_support`.

Transmit_Card_Command_Failed
  During authentication, card commands transmitted in PAOS communication could not be correctly transmitted to the card.

  Possible Solutions: :ref:`failure_code_card_position`.

Start_Paos_Response_Missing
  The message "StartPaosResponse" from the server could not be evaluated because it does not exist.

  Possible Solutions: :ref:`failure_code_contact_support`.


Start_Paos_Response_Error
  The "StartPaosResponse" message from the server returned an error. The AusweisApp2 or the ID card did not behave as expected by the server.

  Possible Solutions: :ref:`failure_code_contact_support`.

Check_Refresh_Address_Fatal_Tls_Error_Before_Reply
  An error occurred during the TLS handshake when checking the return address after a successful authentication. The TLS certificate is incorrect.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_Invalid_Ephemeral_Key_Length
  The symmetric key generated by the TLS handshake when calling the return address is not long enough.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_Service_Unavailable
  The return address cannot be reached.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_Service_Timeout
  The call to the return address did not provide an answer within 30 seconds.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Check_Refresh_Address_Proxy_Error
  A proxy server was configured by the operating system or the settings of AusweisApp2. This didn't work for checking the return address.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Check_Refresh_Address_Fatal_Tls_Error_After_Reply
  When checking the return address after successful authentication, the TLS handshake could not be completed successfully.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Check_Refresh_Address_Unknown_Network_Error
  An unknown error occurred when checking the return address after successful authentication.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Check_Refresh_Address_Invalid_Http_Response
  The call to the return address did not result in forwarding.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.


Check_Refresh_Address_Empty
  The call to the return address led to a redirect but no URL was supplied.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_Invalid_Url
  The call to the return address led to a redirect, but no correct URL was supplied.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_No_Https_Scheme
  The call to the return address led to a redirect, but delivered a URL without https scheme.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_Fetch_Certificate_Error
  The server certificate could not be obtained after tracing all redirects.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Check_Refresh_Address_Unsupported_Certificate
  The check of the return address after a successful authentication was interrupted because the server uses a TLS certificate with unsupported algorithms or key lengths.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Check_Refresh_Address_Hash_Missing_In_Certificate
  The server certificate of the return address is not included in the description of the service provider certificate.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Redirect_Browser_Send_Error_Page_Failed
  Like Redirect_Browser_Send_Redirect_Failed. However, this only applies to desktop systems, as the AusweisApp2 only generates an error page there if no error address is available for forwarding by the service provider. On mobile systems, the error details are displayed in the AusweisApp2.

  Possible Solutions: If the problem occurs repeatedly and changing the browser does not help, please :ref:`failure_code_contact_support`.

Redirect_Browser_Send_Redirect_Failed
  On desktop systems, the web browser waits for a response from AusweisApp2 after starting authentication. However, for unknown reasons, the web browser did not wait long enough for the response to be sent. On mobile systems it was not possible to open the answer in a web browser.

  Possible Solutions: If the problem occurs repeatedly and changing the browser does not help, please :ref:`failure_code_contact_support`.

Generic_Provider_Communication_Network_Error
  A network error occurred while communicating with a service provider. This only applies to services that are started from AusweisApp2, such as self-authentication.

  Possible Solutions: :ref:`failure_code_fix_connections_problems`.

Generic_Provider_Communication_Invalid_Ephemeral_Key_Length
  When communicating with a service provider, the symmetric key generated by the TLS handshake is not long enough. This only applies to services that are started from AusweisApp2, such as self-authentication.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Provider_Communication_Certificate_Error
  When communicating with a service provider, the TLS certificate uses key lengths that are insufficient. This only applies to services that are started from AusweisApp2, such as self-authentication.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Generic_Provider_Communication_Tls_Error
  An error occurred during the TLS handshake when communicating with a service provider. The TLS certificate is incorrect. This only applies to services that are started from AusweisApp2, such as self-authentication.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Get_SelfAuthData_Invalid_Or_Empty
  The authentication for the self-authentication was completed successfully, but the server then did not transmit the read data correctly.

  Possible Solutions: :ref:`failure_code_inform_service_provider`.

Change_Pin_No_SetEidPinCommand_Response
  The AusweisApp2 sent a PIN change command to its core, but received an answer for a different command.

  Possible Solutions: :ref:`failure_code_contact_support`.

Change_Pin_Input_Timeout
  When changing a PIN, the user took too long to set the new PIN. Timeouts are currently only known from card readers with a PIN pad, which also affects smartphones as card readers with activated keyboard mode.

  Possible Solutions: Enter the PIN within 60 seconds.

Change_Pin_User_Cancelled
  The user canceled the PIN change after entering the current valid PIN. Can only occur with card readers with a PIN pad, which also affects smartphones as card readers with activated keyboard mode.

  Possible Solutions: Carry out the PIN change without aborting it.

Change_Pin_New_Pin_Mismatch
  When changing a PIN, the user entered an incorrect confirmation of the new PIN. Can only occur with USB card readers with a PIN pad. Smartphone as a card reader with activated keyboard mode does not allow this behavior.

  Possible Solutions: Confirm the new PIN correctly.

Change_Pin_New_Pin_Invalid_Length
  When changing a PIN, the user entered a new PIN with an incorrect length. Can only occur with USB card readers with a PIN pad. However, there is no known device/case that allows this possibility. Smartphone as a card reader with activated keyboard mode does not allow this behavior.

  Possible Solutions: :ref:`failure_code_contact_support`.

Change_Pin_Unexpected_Transmit_Status
  The command to change the PIN has been transmitted and answered. However, the answer is blank, unknown, or unexpected.

  Possible Solutions: :ref:`failure_code_card_position`.

Change_Pin_Card_New_Pin_Mismatch
  Like Change_Pin_New_Pin_Mismatch but at a higher protocol level.

  Possible Solutions: Confirm the new PIN correctly.

Change_Pin_Card_User_Cancelled
  Like Change_Pin_User_Cancelled but at a higher log level.

  Possible Solutions: Carry out the PIN change without aborting it.

Start_Ifd_Service_Failed
  The IFD service according to TR-03112-6 appendix "IFD Service" could not be started. Either no suitable TLS certificate could be found/generated or the start of the TLS server failed. This applies to both remote access and the local service of AusweisApp2 on Android that is used through the SDK.

  Possible Solutions: :ref:`failure_code_contact_support`.

Prepare_Pace_Ifd_Unknown
  The establishment of a PACE channel was requested by the client on a smartphone as a card reader with activated keyboard mode. However, an unsupported password type was requested (PIN, CAN, PUK are supported).

  Possible Solutions: :ref:`failure_code_contact_support`.

Establish_Pace_Ifd_Unknown
  The establishment of a PACE channel was requested by the client on a smartphone as a card reader with activated keyboard mode. However, an unsupported password type was requested (PIN, CAN, PUK are supported).

  Possible Solutions: :ref:`failure_code_contact_support`.

Enter_Pace_Password_Ifd_User_Cancelled
  Occurs when the user canceled entering the PIN, CAN, or PUK on a smartphone acting as a card reader with keyboard mode enabled.

  Possible Solutions: :ref:`failure_code_contact_support`.

Enter_New_Pace_Pin_Ifd_User_Cancelled
  Occurs when the user has canceled entering the new PIN during a PIN change on a smartphone acting as a card reader with keyboard mode enabled.

  Possible Solutions: :ref:`failure_code_contact_support`.

Transmit_Personalization_Size_Mismatch
  Is not yet included in the product and will only be relevant with version 2.0.0.

Start_Paos_Response_Personalization_Empty
  Is not yet included in the product and will only be relevant with version 2.0.0.

Start_Paos_Response_Personalization_Invalid
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_User_Cancelled
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_Status_Call_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_Installation_Loop
  Is not yet included in the product and will only be relevant with version 2.0.0.


Prepare_Applet_Installation_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_Unavailable
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_Delete_Personalization_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_UpdateInfo_Call_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Prepare_Applet_Delete_Smart_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Insert_Card_No_SmartReader
  Is not yet included in the product and will only be relevant with version 2.0.0.

Insert_Card_Multiple_SmartReader
  Is not yet included in the product and will only be relevant with version 2.0.0.

Insert_Card_Unknown_Eid_Type
  Is not yet included in the product and will only be relevant with version 2.0.0.

Insert_Card_HW_Keystore
  Is not yet included in the product and will only be relevant with version 2.0.0.

Insert_Card_Invalid_SmartReader
  Is not yet included in the product and will only be relevant with version 2.0.0.

Insert_Card_Missing_Card
  Is not yet included in the product and will only be relevant with version 2.0.0.

Initialize_Personalization_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Get_Session_Id_Invalid
  Is not yet included in the product and will only be relevant with version 2.0.0.

Get_Challenge_Invalid
  Is not yet included in the product and will only be relevant with version 2.0.0.

Finalize_Personalization_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Change_Smart_Pin_Failed
  Is not yet included in the product and will only be relevant with version 2.0.0.

Check_Status_Unavailable
  Is not yet included in the product and will only be relevant with version 2.0.0.

Check_Applet_Error
  Is not yet included in the product and will only be relevant with version 2.0.0.

Check_Applet_Unavailable
  Is not yet included in the product and will only be relevant with version 2.0.0.