Troubleshooting and Advanced Configurations
This section provides troubleshooting strategies and solutions for common errors quickly and effectively. For further assistance, contact Thales Customer Support.
Windows Logon (without Passwordless)
Remote Users Who Lost or Forgot Token
Following are the steps if the emergency password is enabled and the workstation is unable to communicate with STA at the time of authentication:
- The user contacts the STA Administrator/Operator.
- The STA Administrator/Operator:
  - Logs in to the STA Manager, finds the user on the Secured Users tab, and makes a note of the emergency password.
  - Provides the emergency password to the user.
- The user logs in to the workstation using the emergency password.
- The STA Administrator/Operator assigns a new token to the user or enables an STA static password.
- The user establishes a VPN connection to the network, launches the SafeNet Windows Logon Agent Manager, and performs a manual replenish with the new token or STA static password.
The user can now log in with their SafeNet credentials while offline.
Logon Policies not applied
The following is a possible reason if the Logon Policies do not apply after an upgrade.
Possible cause
This issue can occur for the following reason:
- The ApplicationId value in the registry setting is blank.
Solution
To fix this issue, ensure that the ApplicationId value is populated under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\CRYPTOCard\AuthGINA. If it is not, perform any of the following steps:
- Browse to and upload the latest .agent file through the management console. For the .agent file, refer to the Communications section under Management.
- If you are using tools such as GPO, Microsoft Endpoint Configuration Manager (SCCM), or Intune, push ApplicationId as a registry setting, taking its value from the updated .agent configuration file.
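The check below is an added example and is not part of the Thales documentation. It reads the AuthGINA key named above, reports whether ApplicationId is present and non-empty, and offers a helper to write the value. The key path is the one given on this page; the ApplicationId you pass to the helper must be taken from your own updated .agent file (a placeholder is shown), and the REG_SZ type is an assumption.

```powershell
# Added example (not from the Thales documentation): verify that the ApplicationId
# value under the AuthGINA key is present and non-empty, and optionally set it.
# The key path comes from the page; the value you pass to Set-AuthGinaApplicationId
# must come from your own updated .agent file (placeholder below).
$KeyPath = 'HKLM:\SOFTWARE\CRYPTOCard\AuthGINA'

function Test-AuthGinaApplicationId {
    param([string]$Path = $KeyPath)
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Present = $false; Value = $null; Reason = "Key $Path not found" }
    }
    $item  = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    $value = $item.ApplicationId
    if ([string]::IsNullOrWhiteSpace($value)) {
        return [pscustomobject]@{ Present = $false; Value = $value; Reason = 'ApplicationId is blank' }
    }
    return [pscustomobject]@{ Present = $true; Value = $value; Reason = 'OK' }
}

function Set-AuthGinaApplicationId {
    param(
        [Parameter(Mandatory)][string]$ApplicationId,   # take this from the updated .agent file
        [string]$Path = $KeyPath
    )
    if ([string]::IsNullOrWhiteSpace($ApplicationId)) { throw 'Refusing to write a blank ApplicationId' }
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Assumption: the value is stored as a REG_SZ string. Requires an elevated prompt.
    Set-ItemProperty -Path $Path -Name 'ApplicationId' -Value $ApplicationId -Type String
}

$check = Test-AuthGinaApplicationId
$check | Format-List
if (-not $check.Present) {
    Write-Warning "Logon policies will not apply: $($check.Reason)"
    # Set-AuthGinaApplicationId -ApplicationId '<ApplicationId-from-updated-.agent-file>'
}
```

Run the test function on an affected workstation first; only call the setter from an elevated prompt once you have the value from the updated .agent file, since writing a wrong ApplicationId would not be caught by this check.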
Refining Administrator Group Exclusions
During installation of the agent, an option can be enabled to exempt the Local and Domain Administrators groups from performing SafeNet authentication. In certain cases, restrictions may only be needed for the Local Administrators group or the Domain Administrators group rather than for all Administrator groups. Perform the following steps to achieve this:
- During the installation of the agent, clear the option Exempt Local and Domain Administrator groups from SafeNet Trusted Access Authentication.
- Log in to the STA Windows Logon protected workstation with SafeNet credentials and then with Microsoft credentials.
- Right-click the SafeNet Windows Logon Agent Manager and select Run as administrator.
- Click the Policy tab. In the Group Authentication Exceptions section, select Only selected groups will bypass SafeNet. Add the administrator group(s) to be excluded from SafeNet authentication.
- Log out and log in again.
Configuring Num Lock Settings
The Num Lock setting can be controlled from the registry. If required, perform the following steps:
- Click Start > Run.
- In the Open box, type regedit, and click OK.
- In the registry, open one of the following:
  - For a single user: HKEY_CURRENT_USER > Control Panel > Keyboard
  - For all users: HKEY_USERS > .DEFAULT > Control Panel > Keyboard
- Edit the string value named InitialKeyboardIndicators, as follows:
  - Set to 0 to set Num Lock OFF.
  - Set to 2 to set Num Lock ON.
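The same change scripted in PowerShell, as an added example that is not part of the Thales documentation. It writes InitialKeyboardIndicators under the current user's key or under the HKEY_USERS\.DEFAULT key (the logon-screen profile) using the 0/2 values the page gives; the HKU: drive mapping is needed because PowerShell does not expose HKEY_USERS as a drive by default.

```powershell
# Added example (not from the Thales documentation): set InitialKeyboardIndicators for the
# current user or for the .DEFAULT (logon screen) profile. Values follow the page: 0 = OFF, 2 = ON.
function Set-NumLockDefault {
    param(
        [Parameter(Mandatory)][ValidateSet('On', 'Off')][string]$State,
        [ValidateSet('CurrentUser', 'AllUsers')][string]$Scope = 'CurrentUser'
    )
    $value = if ($State -eq 'On') { '2' } else { '0' }
    if ($Scope -eq 'CurrentUser') {
        $path = 'HKCU:\Control Panel\Keyboard'
    } else {
        # HKEY_USERS is not mapped as a PowerShell drive by default; map it once.
        if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
            New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
        }
        $path = 'HKU:\.DEFAULT\Control Panel\Keyboard'
    }
    $before = (Get-ItemProperty -Path $path -Name InitialKeyboardIndicators -ErrorAction SilentlyContinue).InitialKeyboardIndicators
    # InitialKeyboardIndicators is a REG_SZ value, hence -Type String
    Set-ItemProperty -Path $path -Name InitialKeyboardIndicators -Value $value -Type String
    [pscustomobject]@{ Path = $path; Before = $before; After = $value }
}

Set-NumLockDefault -State On -Scope CurrentUser
# Set-NumLockDefault -State On -Scope AllUsers   # writes to HKEY_USERS\.DEFAULT; run elevated
```

The function returns the previous and new value so the change can be recorded; the AllUsers scope affects the logon screen and new profiles, not users who already have their own value under HKEY_CURRENT_USER.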
Configuring Transport Layer Security
To configure TLS 1.2 support on the SafeNet Agent for Windows Logon, set the following registry value:
Key: HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Value: DisabledByDefault = 0x0
The agent always connects with the highest enabled protocol.
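A PowerShell check and fix for the Schannel setting above, added here as an example that is not part of the Thales documentation. It reads the TLS 1.2 Client key, reports DisabledByDefault together with the Enabled value that Schannel also honours (the page only mentions DisabledByDefault), and can create the key and write DisabledByDefault = 0 as a REG_DWORD from an elevated prompt.

```powershell
# Added example (not from the Thales documentation): read the Schannel client settings for
# TLS 1.2 and create/correct DisabledByDefault = 0 as the page specifies. 'Enabled' is reported
# as well because Schannel honours it too (1 = on); the page itself only mentions DisabledByDefault.
$Tls12Client = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'

function Get-Tls12ClientState {
    if (-not (Test-Path $Tls12Client)) {
        return [pscustomobject]@{ KeyExists = $false; DisabledByDefault = $null; Enabled = $null }
    }
    $p = Get-ItemProperty -Path $Tls12Client
    [pscustomobject]@{
        KeyExists         = $true
        DisabledByDefault = $p.DisabledByDefault   # $null means "not set" (the OS default applies)
        Enabled           = $p.Enabled
    }
}

function Enable-Tls12Client {
    # Run from an elevated prompt; writes a REG_DWORD of 0 as the page specifies.
    if (-not (Test-Path $Tls12Client)) { New-Item -Path $Tls12Client -Force | Out-Null }
    Set-ItemProperty -Path $Tls12Client -Name DisabledByDefault -Value 0 -Type DWord
    Get-Tls12ClientState
}

$state = Get-Tls12ClientState
$state
if ($state.DisabledByDefault -ne 0) {
    Write-Warning 'TLS 1.2 client is disabled by default or not set explicitly; call Enable-Tls12Client from an elevated prompt.'
}
```

Because the agent negotiates the highest enabled protocol, also confirm that the STA endpoint still accepts TLS 1.2 after any server-side hardening; a client that has TLS 1.2 enabled but no protocol in common with the server will fail in the same way.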
Configuring URL to fetch the Public IP
If the Skip OTP on Unlock functionality does not work according to the scenarios configured in the logon policies within the STA console, and the following error is displayed in the Event Viewer:
"getCurrentPublicIPAddress: Failed to fetch IP from specified URL",
then the administrator can manually configure a valid URL, accessible within the network, from which the public IP is fetched.
To configure the URL:
The values of the registry keys IPAddressAPIUrl and IPAddressFallbackAPIUrl (optional) can be pushed to the user machine using GPO. To configure the ADML/ADMX settings, refer to Configuring Group Policy Settings.
For example:
https://www.myexternalip.com/raw
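Before pushing a URL by GPO it is worth confirming, from a workstation on the network, that it answers and returns an address. The function below is an added example and is not part of the Thales documentation; it requests the URL and checks that the body parses as an IP address, which is what the page's example /raw endpoint returns (that the agent expects a bare address is an assumption). The page does not give the registry location of IPAddressAPIUrl, so only the URL itself is tested here.

```powershell
# Added example (not from the Thales documentation): confirm from the workstation that the
# URL you intend to push as IPAddressAPIUrl (or IPAddressFallbackAPIUrl) answers within the
# network and returns a plain IP address. Assumption: the agent expects a bare address in the
# response body, as the page's example /raw URL returns.
function Test-PublicIpUrl {
    param(
        [Parameter(Mandatory)][string]$Url,
        [int]$TimeoutSec = 10
    )
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        $body = ($resp.Content | Out-String).Trim()
        $ip   = $null
        $isIp = [System.Net.IPAddress]::TryParse($body, [ref]$ip)
        [pscustomobject]@{
            Url        = $Url
            HttpStatus = $resp.StatusCode
            Body       = $body
            IsPlainIp  = $isIp
            Usable     = ($resp.StatusCode -eq 200 -and $isIp)
            Error      = $null
        }
    } catch {
        # Proxy, DNS, TLS or timeout failures all land here; the message tells you which.
        [pscustomobject]@{
            Url        = $Url
            HttpStatus = $null
            Body       = $null
            IsPlainIp  = $false
            Usable     = $false
            Error      = $_.Exception.Message
        }
    }
}

Test-PublicIpUrl -Url 'https://www.myexternalip.com/raw'
# Test the optional fallback the same way before setting IPAddressFallbackAPIUrl:
# Test-PublicIpUrl -Url '<fallback-url>'
```

Run it in the user's context rather than an elevated one, since per-user proxy settings are what the agent's lookup will encounter; a result with Usable = $false and a non-empty Error field usually points at a proxy or egress filtering rule rather than at the agent.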
No authenticator found for this user. Please contact your administrator
The following error message is displayed while trying to log in to the WLA-enabled machine:
Solution
From WLA v3.7.0 and above, use the updated .agent file (downloaded from STA) for uploads in the WLA management console.
Error 1722
The following error message is displayed while uninstalling the agent through the Control Panel:
Possible cause: Insufficient user permission during uninstallation
Possible Cause 1
The agent is deployed via GPO and uninstallation is done through the Control Panel while the user is logged in to the machine as a non-built-in administrator user.
Solution
Perform any of the following steps to resolve the issue:
- If the agent is installed through GPO, uninstall the agent via GPO only (recommended).
- Log in to the affected machine as a built-in administrator user (<DomainName>\Administrator) and then try to uninstall the agent through the Control Panel.
- Open CMD in Run as administrator mode and execute the following command to uninstall the agent:
  - For the 64-bit installer:
    msiexec /x {523727B0-D5D5-4392-935B-BFEAA70F29A6}
  - For the 32-bit installer:
    msiexec /x {41948304-AE7B-483D-BC8D-8749FAA993A8}
Possible Cause 2
The agent is deployed via any method other than MDM (GPO, Intune, or SCCM) and uninstallation is done through the Control Panel while the user is logged in to the machine as a non-built-in administrator user.
Solution
Perform any of the following steps to resolve the issue:
- Log in to the affected machine as a built-in administrator user (<DomainName>\Administrator) and then try to uninstall the agent through the Control Panel.
- Open CMD in Run as administrator mode and execute the following command to uninstall the agent:
  - For the 64-bit installer:
    msiexec /x {523727B0-D5D5-4392-935B-BFEAA70F29A6}
  - For the 32-bit installer:
    msiexec /x {41948304-AE7B-483D-BC8D-8749FAA993A8}
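For both causes above, the msiexec route is the same apart from the product code. The script below is an added example and is not part of the Thales documentation: it looks up which of the two product codes from the page is registered under the standard Uninstall keys, then runs msiexec with a verbose log so that a recurring 1722 has something to diagnose. The log path is a choice made here, not a setting of the agent.

```powershell
# Added example (not from the Thales documentation): find which of the two product codes
# listed on the page is registered on this machine and uninstall it with msiexec, writing a
# verbose log for troubleshooting. Run from an elevated (Run as administrator) prompt.
$ProductCodes = @{
    '{523727B0-D5D5-4392-935B-BFEAA70F29A6}' = '64-bit installer'
    '{41948304-AE7B-483D-BC8D-8749FAA993A8}' = '32-bit installer'
}

function Get-InstalledAgentProductCode {
    # Windows Installer registers products under these keys (the second for 32-bit packages on 64-bit Windows).
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        foreach ($code in $ProductCodes.Keys) {
            if (Test-Path (Join-Path $root $code)) {
                return [pscustomobject]@{ ProductCode = $code; Kind = $ProductCodes[$code]; Source = $root }
            }
        }
    }
    return $null
}

function Uninstall-Agent {
    param([string]$LogPath = "$env:TEMP\WLA-uninstall.log")   # log location chosen for this example
    $found = Get-InstalledAgentProductCode
    if (-not $found) { Write-Warning 'Neither product code is registered; nothing to uninstall.'; return }
    Write-Host "Uninstalling $($found.Kind) $($found.ProductCode); log: $LogPath"
    # /qn = no UI; /L*v = verbose log, which is what you want when error 1722 recurs
    $proc = Start-Process -FilePath msiexec.exe `
                          -ArgumentList "/x $($found.ProductCode) /qn /L*v `"$LogPath`"" `
                          -Wait -PassThru
    [pscustomobject]@{ ProductCode = $found.ProductCode; ExitCode = $proc.ExitCode; Log = $LogPath }
}

Get-InstalledAgentProductCode
# Uninstall-Agent   # exit code 0 = success, 3010 = success but reboot required
```

Keep the GPO recommendation in mind: if the package was assigned by GPO, removing it locally with msiexec does not change the policy, and the next policy refresh may reinstall it.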
Passwordless Windows Logon
If you have any problem with the passwordless configuration, the following troubleshooting steps and common errors may help.
If you cannot find the answer to your problem, Thales Group Customer Support is available to assist you further.
System unable to contact SafeNet SCEP Adaptor
The following error notification is displayed in case of enrollment failure:
Possible causes
This error can occur due to the following reason:
- The SCEP service is not available.
Solution
To fix this issue:
- Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
- Ensure that the machine is in the corporate network and the SCEP service is available.
System unable to contact IdP
The following error notification is displayed if STA is not accessible:
Possible causes
This error can occur due to the following reason:
- The client machine is not able to access STA, for example, if the internet is not available.
Solution
- Ensure that STA is accessible.
- Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
The required enrollment service is currently not running
Possible causes
- The enrollment service is not running, or it stopped after the launch of the SafeNet Desktop Logon application. In that case the following error is displayed:
- The enrollment service is running properly, but the hardware resources (such as RAM or processors) are insufficient to perform enrollment.
Solution
- Restart your system and try again. For more details, check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
- Check your system configuration. If your system has insufficient RAM or CPU resources, consider upgrading the hardware to ensure optimal performance for the service.
Unable to launch the SafeNet Desktop Logon application
If for some reason the SafeNet Desktop Logon application is not running, users will not be able to proceed with the enrollment process.
Possible causes
- TPM is not available or disabled.
- The TPM version is lower than 2.0.
- The enrollment service is not running.
Solution
To fix this issue:
- Check the error message in the logs at <Installation_Directory>\Log\DesktopLogon-{date}.log.
- Use TPM version 2.0.
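The three checks this section and the previous one ask for (TPM presence and version, the enrollment service, and the most recent DesktopLogon-{date}.log) can be gathered in one pass. The script below is an added example and is not part of the Thales documentation. <Installation_Directory> and the enrollment service name are placeholders, since the page gives neither; the TPM query uses the Win32_Tpm CIM class, which needs an elevated prompt; and the assumption that error lines in the log contain the word "error" should be adjusted to the real log format.

```powershell
# Added example (not from the Thales documentation): gather the facts the page says to check
# when the Desktop Logon application will not start or enrollment fails: TPM presence and spec
# version, the state of the enrollment service, and error lines from the latest
# DesktopLogon-{date}.log. Run from an elevated prompt (Win32_Tpm requires it).
param(
    [string]$InstallDir  = 'C:\Path\To\Installation_Directory',   # placeholder for <Installation_Directory>
    [string]$ServiceName = '<enrollment-service-name>'            # placeholder; the page does not name the service
)

function Get-LatestDesktopLogonErrors {
    param([string]$LogDir, [int]$Last = 20)
    $log = Get-ChildItem -Path $LogDir -Filter 'DesktopLogon-*.log' -ErrorAction SilentlyContinue |
           Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $log) { return "No DesktopLogon-*.log found under $LogDir" }
    # Assumption: error lines contain the word 'error' (match is case-insensitive); adjust to the real format.
    Select-String -Path $log.FullName -Pattern 'error' | Select-Object -Last $Last
}

function Get-TpmSummary {
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return [pscustomobject]@{ Present = $false; SpecVersion = $null; Meets20 = $false } }
    # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM specification version.
    $spec = ($tpm.SpecVersion -split ',')[0].Trim()
    [pscustomobject]@{
        Present     = $true
        Enabled     = $tpm.IsEnabled_InitialValue
        Activated   = $tpm.IsActivated_InitialValue
        SpecVersion = $spec
        Meets20     = ([version]$spec -ge [version]'2.0')   # the page requires TPM 2.0
    }
}

function Get-EnrollmentServiceState {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Name = $Name; Found = $false; Status = $null } }
    [pscustomobject]@{ Name = $Name; Found = $true; Status = $svc.Status.ToString() }
}

Get-TpmSummary
Get-EnrollmentServiceState -Name $ServiceName
Get-LatestDesktopLogonErrors -LogDir (Join-Path $InstallDir 'Log')
```

A Present = $false result with no CIM error usually means the TPM is disabled in firmware rather than absent, which matches the first cause listed above; Meets20 = $false on a 1.2 device cannot be fixed in software.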
SafeNet SCEP Adaptor Installation/Uninstallation Error
The following error is displayed while installing or uninstalling the SafeNet SCEP Adaptor:
Solution
To fix this issue, ensure that index.html is at the top of the Default Document list in IIS Manager. Perform the following steps:
- Open IIS Manager.
- In the left pane, click the server name, and then click Sites > Default Web Site > Default Document.
- Move index.html to the top.
- Restart IIS.
- Start the SafeNet SCEP Adaptor installation or uninstallation process again.
For any other issues, check the log file at <Installation_Directory>\Log\<Log_File_Name>.
The request is not supported
Possible causes
The following error notification is displayed on the login screen when your domain controller(s) either do not have a certificate or do not have a valid certificate:
Solution
To resolve this issue, perform the following steps to request a new certificate:
- Log in to the domain controller.
- Open the command prompt and run the following command:
  mmc
  If you are prompted to elevate permissions, click Yes.
- Click File > Add/Remove Snap-in > Certificates > Add.
- On the Certificates snap-in window, select Computer account and then click Next.
- Select Local computer, click Finish, and then click OK.
- In the left pane, navigate to Certificates (Local Computer) > Personal > Certificates.
- Click the Action tab > All Tasks > Request New Certificate > Next > Next.
- Select the Domain Controller Authentication checkbox, click Enroll, and then click Finish.
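Before (or after) walking through the MMC steps, it is useful to see what the domain controller's Personal store actually holds. The script below is an added example and is not part of the Thales documentation: run on the domain controller, it lists certificates in LocalMachine\My that have a private key, are currently valid, and carry the Server Authentication EKU that a domain controller certificate needs, and warns about those close to expiry. It only inspects the store; requesting the certificate is still done through the steps above.

```powershell
# Added example (not from the Thales documentation): run on the domain controller to list
# valid computer certificates that carry the Server Authentication EKU, and flag expiry.
# If nothing is listed, request a Domain Controller Authentication certificate via the MMC steps.
function Get-DomainControllerCertificates {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $now = Get-Date
    Get-ChildItem -Path 'Cert:\LocalMachine\My' |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
            ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint,
            @{ n = 'DaysLeft'; e = { [int]($_.NotAfter - $now).TotalDays } }
}

$certs = @(Get-DomainControllerCertificates)
if ($certs.Count -eq 0) {
    Write-Warning 'No valid certificate with the Server Authentication EKU in LocalMachine\My; request a Domain Controller Authentication certificate.'
} else {
    $certs | Format-Table -AutoSize
    # 30 days is a threshold chosen for this example, not a value from the page.
    $certs | Where-Object DaysLeft -lt 30 |
        ForEach-Object { Write-Warning "Certificate $($_.Thumbprint) expires in $($_.DaysLeft) days" }
}
```

An expired or not-yet-valid certificate is filtered out by the date test, so a store that looks populated in the GUI can still produce an empty result here; that is the "certificate present but not valid" case the error message covers.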
Passwordless Enrollment stuck in processing
While enrolling for passwordless, the enrollment may get stuck in the Waiting window and the Success window is not displayed.
Solution
Sign out and sign in again. The passwordless enrollment completes in the background, but the screen does not display the Success window.