Signing Fails in Service Mode

Apr 5, 2026

Problem

Signing works from the GUI but fails when running as a Windows service. Error: "Cannot access USB token" or "PIN dialog cannot be displayed."

Cause

Windows services run in Session 0 (isolated session), which has no desktop and cannot display UI dialogs. USB token CSP/KSP drivers often require a desktop session to display the PIN prompt.

Solution

OneSigner uses UserSessionSigner to automatically spawn a signing process in the active user's desktop session. For this to work:

1. Ensure User is Logged In

  • A Windows user must have an active desktop session
  • Lock screen is OK — the session is still active
  • Logged off = no active session = signing will fail

2. Configure Auto-Logon

For unattended 24/7 signing servers:

  1. Open hAutoSignerConfig.exe → General tab
  2. Click Configure Auto-Logon
  3. Enter username and password
  4. Windows will automatically log in after restart

3. Service Must Run as LocalSystem

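The service must run as the LocalSystem account (default). This is required for WTSQueryUserToken to work. WTSQueryUserToken is the API that returns the logged-on user's token for a given session, which is what allows the service to spawn a process in that user's session.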

4. Configure PIN in Advance

Set the USB token PIN in the signing profile configuration. The PIN is stored encrypted with DPAPI. This prevents the CSP from showing a PIN dialog.
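
The following preflight script checks prerequisites 1 to 3 from an elevated PowerShell prompt. It is an added example, not part of OneSigner; the service name OneSignerService is a placeholder for the real one, and the explorer.exe test is a heuristic for "a user is logged on".

```powershell
# Added example: preflight checks for the prerequisites listed above.
# 'OneSignerService' is a placeholder; pass the real service name.
param([string]$ServiceName = 'OneSignerService')

$results = [ordered]@{}

# Step 3: the service must run as LocalSystem (needed for WTSQueryUserToken).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
$results['Service found'] = [bool]$svc
if ($svc) {
    $results['Service state'] = $svc.State
    $results['Runs as LocalSystem'] = ($svc.StartName -eq 'LocalSystem')
    if ($svc.ProcessId -gt 0) {
        # Expected to be 0: services are isolated from user desktops.
        $results['Service session id'] = (Get-Process -Id $svc.ProcessId).SessionId
    }
}

# Step 1 (heuristic): a logged-on desktop session has an explorer.exe shell
# outside Session 0. A locked session still has one; a logged-off user does not.
$shells = @(Get-CimInstance Win32_Process -Filter "Name='explorer.exe'" |
    Where-Object { $_.SessionId -ne 0 })
$results['Desktop session present'] = ($shells.Count -gt 0)
$results['Desktop session ids'] = ($shells.SessionId | Sort-Object -Unique) -join ','

# Step 2: auto-logon state as recorded under the Winlogon key.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$winlogon = Get-ItemProperty -Path $key
$results['Auto-logon enabled'] = ($winlogon.AutoAdminLogon -eq '1')
$results['Auto-logon user'] = $winlogon.DefaultUserName
# A DefaultPassword value under this key is stored in cleartext in the
# registry; flag its presence so the auto-logon setup can be reviewed.
$hasClearPw = ($null -ne $winlogon.PSObject.Properties['DefaultPassword'])
$results['Cleartext DefaultPassword'] = $hasClearPw

$results.GetEnumerator() | Format-Table -AutoSize Name, Value
```

If "Desktop session present" is False or "Runs as LocalSystem" is False, the service has no user session to spawn the signing process into, which matches the failure described under Problem.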