SafeNet Agent for Windows Logon

Troubleshooting and Advanced Configurations


This section provides troubleshooting strategies and solutions to help you resolve common errors quickly and effectively. For further assistance, contact Thales Customer Support.

Remote Users Who Lost or Forgot Token

Follow these steps if the emergency password is enabled and the workstation is unable to communicate with the STA at the time of authentication:

  1. The user contacts the STA Administrator/Operator.

  2. The STA Administrator/Operator:

    1. Logs in to the STA Manager, finds the user on the Secured Users tab and makes note of the emergency password.

    2. Provides the emergency password to the user.

  3. The user logs in to the workstation using the emergency password.

  4. The STA Administrator/Operator assigns a new token to the user or enables an STA static password.

  5. The user establishes a VPN connection to the network, launches the SafeNet Windows Logon Agent Manager, and performs a manual replenish with the new token or STA static password.

The user can now log in with their SafeNet credentials while being offline.

Logon Policies not applied

If the Logon Policies are not applied after an upgrade, the following is a possible reason.

Possible cause

This issue can occur for the following reason:

  • The ApplicationId value in the registry setting is blank.

Solution

To fix this issue, ensure that the ApplicationId value is populated under the registry path HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA. If it is not, perform any of the following steps:

  • Browse and upload the latest .agent file through the management console. For the .agent file, refer to the Communications section under Management.

  • If you are using tools such as GPO, Microsoft Endpoint Configuration Manager (SCCM), or Intune, push ApplicationId as a registry setting, taking its value from the updated .agent configuration file.

Refining Administrator Group Exclusions

During installation of the agent, an option can be enabled to exempt the Local and Domain Administrators groups from performing SafeNet authentication. In certain cases, restrictions may only be needed for the Local Administrators group or the Domain Administrators group rather than all Administrator groups. To configure this, perform the following steps:

  1. During the installation of the agent, clear the option Exempt Local and Domain Administrator groups from SafeNet Trusted Access Authentication.

  2. Log in to the STA Windows Logon protected workstation with SafeNet credentials and then with Microsoft credentials.

  3. Right-click the SafeNet Windows Logon Agent Manager and select Run as administrator.

  4. Click the Policy tab. In the Group Authentication Exceptions section, select Only selected groups will bypass SafeNet. Add the administrator group(s) to be excluded from SafeNet authentication.

  5. Log out and log in again.

Configuring Num Lock Settings

The Num Lock setting can be controlled from the registry. If required, perform the following steps:

  1. Click Start > Run.

  2. In the Open box, type regedit, and click OK.

  3. In the registry, open one of the following:

    • For a single user: HKEY_CURRENT_USER > Control Panel > Keyboard

    • For all users: HKEY_USERS > .Default > Control Panel > Keyboard

  4. Edit the string value named InitialKeyboardIndicators, as follows:

    • Set to 0 to set NumLock OFF.

    • Set to 2 to set NumLock ON.

Configuring Transport Layer Security

To configure TLS 1.2 support on the SafeNet Agent for Windows Logon, set the registry settings as follows:

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault => 0x0

The agent will always connect with the highest enabled protocol.
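The following read-only check covers the two registry settings described under Logon Policies not applied and Configuring Transport Layer Security. It is an added example, not part of the Thales documentation or tooling; the key paths and value names are taken from this page, and the function names are hypothetical.

```powershell
# Added example: read-only check of the two registry settings described above.
# Key paths and value names come from the page; function names are hypothetical.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-AgentRegistry {
    # Logon Policies: ApplicationId must be populated (not missing, not blank).
    # The value itself is not printed, only its state.
    $appId = Get-RegValue 'HKLM:\SOFTWARE\CRYPTOCard\AuthGINA' 'ApplicationId'
    if ($null -eq $appId) {
        $appShown = '<missing>'; $appStatus = 'FIX: upload the latest .agent file or push the value'
    } elseif ([string]::IsNullOrWhiteSpace([string]$appId)) {
        $appShown = '<blank>'; $appStatus = 'FIX: upload the latest .agent file or push the value'
    } else {
        $appShown = '<populated>'; $appStatus = 'OK'
    }

    # TLS 1.2 client: the page asks for DisabledByDefault = 0x0.
    $tlsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders' +
              '\SCHANNEL\Protocols\TLS 1.2\Client'
    $dbd = Get-RegValue $tlsKey 'DisabledByDefault'
    if ($null -eq $dbd) {
        $tlsShown = '<not set>'; $tlsStatus = 'NOT SET: operating system default applies'
    } elseif ($dbd -eq 0) {
        $tlsShown = '0x0'; $tlsStatus = 'OK: matches the documented setting'
    } else {
        $tlsShown = '0x{0:X}' -f $dbd; $tlsStatus = 'DIFFERS: set to 0x0'
    }

    [pscustomobject]@{ Setting = 'AuthGINA\ApplicationId'; Value = $appShown; Status = $appStatus }
    [pscustomobject]@{ Setting = 'TLS 1.2\Client\DisabledByDefault'; Value = $tlsShown; Status = $tlsStatus }
}

Test-AgentRegistry | Format-List
```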

Configuring URL to fetch the Public IP

If the Skip OTP on Unlock functionality does not work according to the scenarios configured in the logon policies within the STA console and the following error is displayed in the event viewer:

"getCurrentPublicIPAddress: Failed to fetch IP from specified URL",

then the administrator can manually configure a valid URL, which is accessible within the network, to fetch the public IP.

To configure the URL:

The values of the registry keys IPAddressAPIUrl and IPAddressFallbackAPIUrl (optional) can be pushed to the user machine using GPO. To configure the ADML/ADMX settings, refer to Configuring Group Policy Settings.

For example:

https://www.myexternalip.com/raw