Symptom fingerprint
The exact strings, error codes, and UI surfaces that map to this issue:
| UI message | Surface | Code |
|---|---|---|
| Token not present | SafeNet Authentication Client tray icon | — |
| No reader detected | SAC Tools → Advanced View | — |
| Unknown USB Device (Device Descriptor Request Failed) | Device Manager | — |
What SAC is actually doing
SafeNet Authentication Client (now Thales Authentication Client) is the middleware that exposes Aladdin/SafeNet eToken hardware to the operating system as both a CAPI Cryptographic Service Provider and a PKCS#11 module. If SAC fails to load, every signing application — DocuSign, Adobe, Windows logon — sees nothing.
Windows vs macOS — what differs
Windows 10 / 11
- SAC 10.8 R10 and later supports Windows 11 23H2/24H2. Older 10.x builds intermittently fail on USB 3.0 ports.
- SAC installs both a CSP (for legacy CAPI) and a KSP (for CNG). Some apps prefer one; never disable either.
- Conflict guaranteed if Gemalto Classic Client is also installed — uninstall one fully and reboot.
macOS Sonoma / Sequoia
- Thales SafeNet Authentication Client for macOS Sonoma requires the notarised 10.8 R10+ pkg; older builds fail silently on Apple Silicon.
- Loads a .dylib under /usr/local/lib/libeTPkcs11.dylib — verify with 'ls -l /usr/local/lib/libeTPkcs11.dylib'.
- Must be granted Full Disk Access in System Settings → Privacy & Security for certain Keychain operations.
Browser-specific behaviour
Chrome
Uses CAPI/Keychain — once SAC is loaded and the cert propagates, Chrome sees it automatically.
Firefox
Load eTPKCS11.dll (Windows) or libeTPkcs11.dylib (macOS) via Settings → Privacy & Security → Security Devices.
Diagnostic sequence
Run each step in order. Stop at the first failing expectation — that's where the root cause lives.
1. Open SAC → Advanced View
Expected: Token name and serial appear under Tokens. If absent, OS isn't surfacing the device to SAC.
2. Device Manager (Windows) → Smart card readers
Expected: 'Microsoft Usbccid Smartcard Reader' present with no caution icon.
3. Move token to a rear USB 2.0 port
Expected: Often resolves Device Descriptor Request Failed errors caused by underpowered hubs.
4. Test PKCS#11 directly
pkcs11-tool --module eTPKCS11.dll --list-slots
Expected: Slot 0 contains 'eToken' with non-empty serial.
5. Verify Certificate Propagation
Get-ChildItem Cert:\CurrentUser\My
Expected: Certificate from token present with HasPrivateKey = True. Absent = CertPropSvc didn't run; restart it.
Frequently asked questions
I have SAC installed but the tray icon never appears.
SAC's UI process can fail to launch on locked-down profiles. Check Task Manager for 'SAC.exe'; if absent, run %ProgramFiles%\SafeNet\Authentication\SAC\x64\SAC.exe manually and add to startup.
Does the new Thales build replace SafeNet builds in place?
Yes — Thales rebranded but kept the installer paths. Upgrading from SafeNet 10.7 → Thales 10.8 R10 is in-place and preserves cached certificates.
Can I run SAC alongside Microsoft Authenticator hardware?
Yes, but only if the second device uses a different CCID reader instance. Two PKCS#11 modules claiming the same physical reader will race.
Related services
Explore the consulting hub for this issue, or review session pricing.
Still seeing this error?
If these steps don't isolate the root cause inside your environment, an independent consultant can run a structured PKI diagnostic with you over a screen-shared session and deliver a written report identifying root cause, remediation, and — where relevant — the next responsible party (CA, internal IT, or software vendor).
Book a $49 Zoom diagnostic →Includes a written diagnostic summary. Independent consulting engagement — not affiliated with DocuSign, Adobe, or Microsoft.