Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

SafeNet Agent for Windows Logon

Troubleshooting and Advanced Configurations

search
printsuggest an editpdf paneldownload

Troubleshooting and Advanced Configurations

This section provides troubleshooting strategies and solutions for common errors quickly and effectively. For further assistance, contact Thales Customer Support.

copy link to clipboardWindows Logon (without Passwordless)

copy link to clipboardRemote Users Who Lost or Forgot Token

Following are the steps if the emergency password is enabled and the workstation is unable to communicate with the STA at the time of authentication:

  1. The user contacts the STA Administrator/Operator.

  2. The STA Administrator/Operator:

    1. Logs in to the STA Manager, finds the user on the Secured Users tab and makes note of the emergency password.

    2. Provides emergency password to the user.

  3. The user logs in to the workstation using the emergency password.

  4. The STA Administrator/Operator assigns a new token to the user or enables a STA static password.

  5. The user establishes a VPN connection to the network, launches the SafeNet Windows Logon Agent Manager, and performs a manual replenish with the new token or STA static password.

The user can now log in with their SafeNet credentials while being offline.

copy link to clipboardLogon Policies not applied

The following is a possible reason if the Logon Policies do not apply after an upgrade.

Possible cause

This issue can occur for the following reason:

  • If the ApplicationID value in the registry setting is blank.

Solution

To fix this issue, ensure that the ApplicationId value is populated in the registry setting path (HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA). If not, perform any of the following steps:

  • Browse and upload the latest .agent file through management console. For .agent file, refer to the Communications section under Management.

  • If you are using any tools like GPO, Microsoft Endpoint Configuration Manager (SCCM), or Intune, then push ApplicationId as a registry setting by taking its value from the updated .agent configuration file.

copy link to clipboardRefining Administrator Group Exclusions

During installation of the agent, an option can be enabled to exempt the Local and Domain Administrators groups from performing SafeNet authentication. In certain cases, restrictions may only be needed for the Local Administrators group or the Domain Administrators group rather than all Administrator groups. Perform the following steps to achieve the same:

  1. During the installation of the , clear the option Exempt Local and Domain Administrator groups from SafeNet Trusted Access Authentication.

  2. Log in to the STA Windows Logon protected workstation with SafeNet credentials and then with Microsoft credentials.

  3. Right-click the SafeNet Windows Logon Agent Manager and select Run as administrator.

  4. Click Policy tab. In the Group Authentication Exceptions section, select Only selected groups will bypass SafeNet. Add the administrator group(s) to be excluded from SafeNet authentication.

  5. Log out and log in again.

copy link to clipboardConfiguring Num Lock Settings

The Num Lock setting can be controlled from the registry. If required, perform the following steps:

  1. Click Start > Run.

  2. In the Open box, type regedit, and click OK.

  3. In the registry, open one of the following:

    • For a single user: HKEY_CURRENT_USER > Control Panel > Keyboard

    • For all users: KEY_USERS| .Default > Control Panel > Keyboard

  4. Edit the string value named InitialKeyboardIndicators, as follows:

    • Set to 0 to set NumLock OFF.

    • Set to 2 to set NumLock ON.

copy link to clipboardConfiguring Transport Layer Security

To configure TLS 1.2 support on the SafeNet Agent for Windows Logon, set the registry settings as follows:

HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client DisabledByDefault => 0x0

note

Note

The agent always connect with the highest enabled protocol.

copy link to clipboardConfiguring URL to fetch the Public IP

If the Skip OTP on Unlock functionality does not work according to the scenarios configured in the logon policies within the STA console and the following error is displayed in the event viewer:

"getCurrentPublicIPAddress: Failed to fetch IP from specified URL",

then the administrator can manually configure a valid URL, which is accessible within the network, to fetch the public IP.

To configure the URL:

The value of registry keys: IPAddressAPIUrl and IPAddressFallbackAPIUrl(Optional) can be pushed to the user machine using GPO. To configure the ADML/ADMX settings, refer to the Configuring Group Policy Settings.

For example,

https://www.myexternalip.com/raw

copy link to clipboardUpgrade/Error prompt during agent installation

Either of the following upgrade prompt or error message is displayed while installing the agent:

alt_text

alt_text

copy link to clipboardPossible cause

Upgrade code and Product code are not deleted from the registry during agent uninstallation.

copy link to clipboardSolution

Perform the following steps to resolve the issue:

  1. Open the Registry Editor.

  2. Navigate to the following registry path and delete the corresponding keys.

    • For 64-bit agent,

      "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\01779F6209AC86E40B7FFCECEBCF2E57"

      "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\0B7273255D5D293439B5FBAE7AF0926A"

    • For 32-bit agent,

      "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AD45FBE9E31364443B7976CB83D67A42"

      "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\40384914B7EAD384CBD87894AF9A398A"

copy link to clipboardIssue while configuring the Local admin MFA privilege control feature

If you are facing any issue after enabling the RegEditCount registry setting, the following could be the reason:

copy link to clipboardPossible causes

  • The registry auditing might not enabled.

  • Required registry permissions are not set.

copy link to clipboardSolution

  • Perform the following steps to enable auditing of the registry using a user with admin rights:

    1. Open the Local Security Policy.
    2. Press Win+R, type secpol.msc, and press Enter.
    3. Navigate to Audit Policy:

      a. Go to Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access > Audit Registry.

      b. Enable Registry Auditing:

      i. Double-click on Audit Registry.

      ii. Select both the Success and Failure checkbox to log both successful and unsuccessful access attempts.

  • Perform the following steps to set the registry auditing permissions in AuthGINA registry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA:

    1. Right-click AuthGINA, and then click Permissions > Advanced.
    2. On the Advanced Security Settings for AuthGINA window, click the Auditing tab, and then click Add.
    3. On the Auditing Entry for AuthGINA window, click Select a principal link.
    4. On the Select User, Computer, Service Account, or Group window, enter Everyone as the object name, click Check Names, and then click OK.
    5. Now, on the Auditing Entry for AuthGINA window, select All from the Type dropdown. Under Basic permissions, select Full Control and Only apply these auditing settings to objects and/or containers within this container, and then click OK.
    6. Click Apply > OK.
    7. On the Permissions for AuthGINA window, click OK.

copy link to clipboardNo authenticator found for this user. Please contact your administrator

The following error message is displayed while trying to log in to the WLA enabled machine:

alt_text

copy link to clipboardSolution

From WLA v3.7.0 and above, use the updated .agent file (downloaded from STA) for uploads in the WLA management console.

copy link to clipboardError 1722

The following error message is displayed while uninstalling the agent through the control panel:

alt_text

copy link to clipboardPossible cause: Insufficient user permission during uninstallation

Possible Cause 1

If the agent is deployed via GPO and uninstallation is done through the control panel while the user is logged in to the machine as a non built-in administrator user.

copy link to clipboardSolution

Perform any of the following step to resolve the issue:

  • If the agent is installed through GPO, then uninstall the agent via GPO only (Recommended).

  • Log in to the affected machine as a built-in administrator user (<DomainName>\Administrator) and then try to uninstall the agent through control panel.

  • Open CMD in Run as administrator mode and execute the following command to uninstall the agent:

    • For 64-bit installer: msiexec /x {523727B0-D5D5-4392-935B-BFEAA70F29A6}

    • For 32-bit installer: msiexec /x {41948304-AE7B-483D-BC8D-8749FAA993A8}

Possible Cause 2

If the agent is deployed via any method other than MDM (GPO, Intune, or SCCM) and uninstallation is done through the control panel while the user is logged in to the machine as a non built-in administrator user.

copy link to clipboardSolution

Perform any of the following step to resolve the issue:

  • Log in to the affected machine as a built-in administrator user (<DomainName>\Administrator) and then try to uninstall the agent through control panel.

  • Open CMD in Run as administrator mode and execute the following command to uninstall the agent:

    • For 64-bit installer: msiexec /x {523727B0-D5D5-4392-935B-BFEAA70F29A6}

    • For 32-bit installer: msiexec /x {41948304-AE7B-483D-BC8D-8749FAA993A8}

copy link to clipboardFor offline access please contact your administrator

During online authentication, the following message is displayed if the user SID is not fetched properly due to domain/network connectivity issue.

alt_text

copy link to clipboardSolution

  • If offline access is not required, ignore the message and continue with the authentication.

  • If offline access is required, continue performing online authentication until the popup message stops appearing.

copy link to clipboardPasswordless Windows Logon

If you have any problem with the passwordless configuration, the following troubleshooting steps and common errors may help.

If you cannot find the answer to your problem, Thales Group Customer Support is available to assist you further.

copy link to clipboardSystem unable to contact SafeNet SCEP Adaptor

The following error notification is displayed in case of enrollment failure:

alt_text

copy link to clipboardPossible causes

This error can occur due to the following reason:

  • SCEP service is not available.

copy link to clipboardSolution

To fix this issue,

  • Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.

  • Ensure that the machine is in the corporate network and SCEP service is available.

copy link to clipboardSystem unable to contact IdP

The following error notification is displayed if IdP is not accessible:

alt_text

copy link to clipboardPossible causes

This error can occur due to the following reason:

  • The client machine is not able to access IdP, for example, if the internet is not available.

copy link to clipboardSolution

  • Ensure that the IdP is accessible.

  • Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.

copy link to clipboardThe required enrollment service is currently not running

copy link to clipboardPossible causes

  • If the enrollment service is not running or stopped after the launch of the SafeNet Desktop Logon application, then the following error is displayed:

    alt_text

  • The enrollment service is running properly, however, insufficient hardware resources such as, RAM, processors to perform enrollment.

copy link to clipboardSolution

  • Restart your system and try again. For more details, check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.

  • Check your system configuration. If your system has insufficient RAM or CPU resources, consider upgrading the hardware to ensure optimal performance for the service.

copy link to clipboardUnable to launch the SafeNet Desktop Logon application

If for some reason, the SafeNet Desktop application is not running, the users will not be able to proceed with the enrollment process.

copy link to clipboardPossible causes

  • TPM is not available or disabled.

  • The TPM version is lower than 2.0.

  • The enrollment service is not running.

copy link to clipboardSolution

To fix this issue,

  • Check error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log

  • Use the TPM version 2.0.

copy link to clipboardSafeNet SCEP Adaptor Installation/Uninstallation Error

The following error is displayed while installing or uninstalling the SafeNet SCEP Adaptor:

alt_text

copy link to clipboardSolution

To fix this issue, ensure that index.html is at the top of the IIS Manager. Perform the following steps:

  1. Open the IIS Manager.

  2. In the left pane, click the server name, and then click Sites > Default Web Site > Default Document.

  3. Move index.html at the top.

  4. Restart IIS.

  5. Now, start the SafeNet SCEP Adaptor installation / uninstallation process again.

    alt_text

For any other issues, check the log file at <Installation_Directory>\Log\<Log_File_Name>.

copy link to clipboardThe request is not supported

copy link to clipboardPossible causes

The following error notification is displayed on the login screen when your domain controller(s) either do not have a certificate or a valid certificate:

alt_text

copy link to clipboardSolution

To resolve this issue, perform the following steps to request a new certificate:

  1. Log in to the domain controller.
  2. Open the command prompt and run the following command: mmc
    If you are prompted to elevate permissions, click Yes.
  3. Click File > Add/Remove Snap-in > Certificates > Add.
  4. On the Certificates snap-in window, select Computer account and then click Next.
  5. Select Local computer, click Finish, and then click OK.
  6. In the left pane, navigate to Certificates (Local Computer) > Personal > Certificates.
  7. Click the Action tab > All Tasks > Request New Certificate > Next > Next.
  8. Select the Domain Controller Authentication checkbox, click Enroll, and then click Finish.

copy link to clipboardPasswordless Enrollment stuck in processing

While enrolling for passwordless, if the enrollment gets stuck in the Waiting window and the Success window is not displayed

alt_text

copy link to clipboardSolution

Sign-out and sign-in again. The passwordless enrollment completes in the background, but the screen does not display the Success window.

On this page