Troubleshooting and Advanced Configurations
This section provides troubleshooting strategies and solutions for common errors quickly and effectively. For further assistance, contact Thales Customer Support.
Windows Logon (without Passwordless)
Remote Users Who Lost or Forgot Token
Following are the steps if the emergency password is enabled and the workstation is unable to communicate with the STA at the time of authentication:
-
The user contacts the STA Administrator/Operator.
-
The STA Administrator/Operator:
-
Logs in to the STA Manager, finds the user on the Secured Users tab and makes note of the emergency password.
-
Provides emergency password to the user.
-
-
The user logs in to the workstation using the emergency password.
-
The STA Administrator/Operator assigns a new token to the user or enables a STA static password.
-
The user establishes a VPN connection to the network, launches the SafeNet Windows Logon Agent Manager, and performs a manual replenish with the new token or STA static password.
The user can now log in with their SafeNet credentials while being offline.
Logon Policies not applied
The following is a possible reason if the Logon Policies do not apply after an upgrade.
Possible cause
This issue can occur for the following reason:
- If the ApplicationID value in the registry setting is blank.
Solution
To fix this issue, ensure that the ApplicationId value is populated in the registry setting path (HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA). If not, perform any of the following steps:
-
Browse and upload the latest .agent file through management console. For .agent file, refer to the Communications section under Management.
-
If you are using any tools like GPO, Microsoft Endpoint Configuration Manager (SCCM), or Intune, then push ApplicationId as a registry setting by taking its value from the updated .agent configuration file.
Refining Administrator Group Exclusions
During installation of the agent, an option can be enabled to exempt the Local and Domain Administrators groups from performing SafeNet authentication. In certain cases, restrictions may only be needed for the Local Administrators group or the Domain Administrators group rather than all Administrator groups. Perform the following steps to achieve the same:
-
During the installation of the , clear the option Exempt Local and Domain Administrator groups from SafeNet Trusted Access Authentication.
-
Log in to the STA Windows Logon protected workstation with SafeNet credentials and then with Microsoft credentials.
-
Right-click the SafeNet Windows Logon Agent Manager and select Run as administrator.
-
Click Policy tab. In the Group Authentication Exceptions section, select Only selected groups will bypass SafeNet. Add the administrator group(s) to be excluded from SafeNet authentication.
-
Log out and log in again.
Configuring Num Lock Settings
The Num Lock setting can be controlled from the registry. If required, perform the following steps:
-
Click Start > Run.
-
In the Open box, type regedit, and click OK.
-
In the registry, open one of the following:
-
For a single user:
HKEY_CURRENT_USER > Control Panel > Keyboard
-
For all users:
KEY_USERS| .Default > Control Panel > Keyboard
-
-
Edit the string value named InitialKeyboardIndicators, as follows:
-
Set to 0 to set NumLock OFF.
-
Set to 2 to set NumLock ON.
-
Configuring Transport Layer Security
To configure TLS 1.2 support on the SafeNet Agent for Windows Logon, set the registry settings as follows:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault => 0x0
The agent always connect with the highest enabled protocol.
Configuring URL to fetch the Public IP
If the Skip OTP on Unlock functionality does not work according to the scenarios configured in the logon policies within the STA console and the following error is displayed in the event viewer:
"getCurrentPublicIPAddress: Failed to fetch IP from specified URL
",
then the administrator can manually configure a valid URL, which is accessible within the network, to fetch the public IP.
To configure the URL:
The value of registry keys: IPAddressAPIUrl and IPAddressFallbackAPIUrl(Optional) can be pushed to the user machine using GPO. To configure the ADML/ADMX settings, refer to the Configuring Group Policy Settings.
For example,
https://www.myexternalip.com/raw
Passwordless Windows Logon
If you have any problem with the paswordless configuration, the following troubleshooting steps and common errors may help.
If you cannot find the answer to your problem, Thales Group Customer Support is available to assist you further.
System unable to contact SafeNet SCEP Adaptor
The following error notification is displayed in case of enrollment failure:
Possible causes
This error can occur due to the following reason:
- SCEP service is not available.
Solution
To fix this issue,
-
Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
-
Ensure that the machine is in the corporate network and SCEP service is available.
System unable to contact IdP
The following error notification is displayed if STA is not accessible:
Possible causes
This error can occur due to the following reason:
- The client machine is not able to access STA, for example, if the internet is not available.
Solution
-
Ensure that STA is accessible.
-
Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
The required enrollment service is currently not running
Possible causes
-
If the enrollment service is not running or stopped after the launch of the SafeNet Desktop Logon application, then the following error is displayed:
-
The enrollment service is running properly, however, insufficient hardware resources such as, RAM, processors to perform enrollment.
Solution
-
Restart your system and try again. For more details, check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
-
Check your system configuration. If your system has insufficient RAM or CPU resources, consider upgrading the hardware to ensure optimal performance for the service.
Unable to launch the SafeNet Desktop Logon application
If for some reason, the SafeNet Desktop application is not running, the users will not be able to proceed with the enrollment process.
Possible causes
-
TPM is not available or disabled.
-
The TPM version is lower than 2.0.
-
The enrollment service is not running.
Solution
To fix this issue,
-
Check error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log
-
Use the TPM version 2.0.
SafeNet SCEP Adaptor Installation/Uninstallation Error
The following error is displayed while installing or uninstalling the SafeNet SCEP Adaptor:
Solution
To fix this issue, ensure that index.html is at the top of the IIS Manager. Perform the following steps:
-
Open the IIS Manager.
-
In the left pane, click the server name, and then click Sites > Default Web Site > Default Document.
-
Move index.html at the top.
-
Restart IIS.
-
Now, start the SafeNet SCEP Adaptor installation / uninstallation process again.
For any other issues, check the log file at <Installation_Directory>\Log\<Log_File_Name>.
The request is not supported
Possible causes
The following error notification is displayed on the login screen when your domain controller(s) either do not have a certificate or a valid certificate:
Solution
To resolve this issue, perform the following steps to request a new certificate:
- Log in to the domain controller.
- Open the command prompt and run the following command:
mmc
If you are prompted to elevate permissions, click Yes. - Click File > Add/Remove Snap-in > Certificates > Add.
- On the Certificates snap-in window, select Computer account and then click Next.
- Select Local computer, click Finish, and then click OK.
- In the left pane, navigate to Certificates (Local Computer) > Personal > Certificates.
- Click the Action tab > All Tasks > Request New Certificate > Next > Next.
- Select the Domain Controller Authentication checkbox, click Enroll, and then click Finish.
Passwordless Enrollment stuck in processing
While enrolling for passwordless, if the enrollment gets stuck in the Waiting window and the Success window is not displayed
Solution
Sign-out and sign-in again. The passwordless enrollment completes in the background, but the screen does not display the Success window.