Unsolved
FFE doesn't encrypt for smart card users, Part 2
Hello all,
In Part 1 (https://www.dell.com/community/Dell-Data-Security/FFE-doesn-t-encrypt-for-smart-card-users/td-p/7270094?ref=lithium_acptsoln), I had issues with smart card users authenticating to the security server. We fixed it by importing our CA certs into /opt/dell/server/security-server/conf/cacerts. Since then, we've renewed our intermediate CA's certificate, which we also uploaded into the cacerts file (and triple checked that it was there). However, we are having issues with some users authenticating via smart card again. I noticed a patch note for client v10.3 about smart card auth and activation, so I upgraded the server to v10.2.6.8 and a few clients to v10.3. They are still having the issue.
The logs below are for a user that got v10.3 yesterday and has rebooted since then.
(listed as spoiler to prevent really long post)
CMGShield.log
[07.26.19 08:25:04:902 Activator.cpp: 848 E] Activation - Unable to activate new user domain\user [MS error = 5100]
[07.26.19 08:25:04:902 Activator.cpp: 861 E] Activation - Verify network connectivity to the Dell Security Server at "server.domain.com" and Dell Device Server at " https://server.domain.com:8443/xapi/"
[07.26.19 08:25:04:902 GinalessEEObjec: 1221 I] Event Engine - Performing user logon END
/opt/dell/server/security-server/logs/output.log
2019-07-26 08:25:04,614 INFO XSERVER [qtp309115525-4673] - Activate request user='user@domain.com' deviceUniqueId='computer.domain.com' device.os.version='6.1.7601' shield.mode='0' user.account.type='0' device.serial='REMOVED' ad.membership='{
"Device":"CN=REMOVED,OU=REMOVED,DC=domain,DC=com",
"Domain":"domain.com",
"Member Of": [
"REMOVED"
]
}' shield.opt.in='false' device.processor='Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz' shield.category='WINDOWS' device.asset.tag='REMOVED' device.os.name='Microsoft Windows 7 Enterprise ' device.hwid='0D814CA3-F6B91C1C-4B9BEC3F-AEC4B738-7F0BD86E-7E113C89-273D9943-BFF03768' device.hwid.spec='{"version":2,"pcProduct":{"identifyingnumber":"REMOVED","uuid":"4C4C4544-0053-5A10-8032-B2C04F524632"},"pc":{"manufacturer":"Dell Inc.","model":"Latitude E5470"},"bios":{"serialnumber":"REMOVED"},"baseBoard":{"manufacturer":"Dell Inc.","product":"0P88J9","serialnumber":"/REMOVED/CN129636CM0706/"},"tpm":{"specversion":"1.2, 2, 3","manufacturerversion":"5.81","manufacturerversioninfo":"0000","manufacturerid":"1464156928"},"misc":{"gpu-sn0":"11583659","bootdiskserialnumber":"REMOVED"}}' device.locale='en-US' shield.version='10.3.0.2' param.shield.bundle.type='NOSHIELD'
2019-07-26 08:25:04,614 INFO com.credant.shield.ShieldRepository [qtp309115525-4673] - located 1 shields with category WINDOWS
2019-07-26 08:25:04,614 INFO com.credant.shield.ShieldRepository [qtp309115525-4673] - shield repository returning shield: shieldCategory=WINDOWS, version=9.1.0.0, date=null, guid=52a3c1672efa89c25f7ab9417794876fd2c131-d84e49519ad95ea4cbc471ed7c25d72bd49bd8-2e3195e28a56c4fe6e725b187b2fd4fefe4871-26d9c28d789c254f71ea99a3463b99a7ccc2f4fa, certificateId=null, keyMaterialVersion=6 Supported OS=[WINDOWS XP SERVICE PACK 1,WINDOWS 2000,WINDOWS XP SERVICE PACK 2,WINDOWS XP PROFESSIONAL,] Unsupported OS=[WINDOWS NT 4.0,WINDOWS SERVER 2003,] Supported Processor=[] Unsupported Processor=[]
2019-07-26 08:25:04,640 INFO RIGHTS [org.springframework.jms.listener.DefaultMessageListenerContainer#9-1] - Received message to query DEEP for entitlement(s). AssetTag=REMOVED
2019-07-26 08:25:04,912 INFO RIGHTS [org.springframework.jms.listener.DefaultMessageListenerContainer#9-1] - No entitlements found for AssetTag=REMOVED
2019-07-26 08:25:04,929 ERROR XSERVER [qtp309115525-4673] - Activation error
Error authenticating user user@domain.com
at com.credant.guardian.server.device.DeviceManagerService.verifyUserCredentials(DeviceManagerService.java:1881)
at com.credant.guardian.server.device.DeviceManagerService.doActivate(DeviceManagerService.java:1258)
at com.credant.guardian.server.device.DeviceManagerService.activate(DeviceManagerService.java:204)
at sun.reflect.GeneratedMethodAccessor175.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
...TRUNCATED...
2019-07-26 08:25:04,931 ERROR XSERVER [qtp309115525-4673] - Auth failure: Error authenticating user user@domain.com
org.apache.xmlrpc.XmlRpcException: Auth failure: Error authenticating user user@domain.com
at com.credant.xserver.handler.helpers.ActivationHelper.generateActivateException(ActivationHelper.java:371)
at com.credant.xserver.handler.helpers.ActivationHelper.activate(ActivationHelper.java:209)
at com.credant.xserver.handler.ActivationHandler.activateDeviceWithPassword(ActivationHandler.java:99)
at sun.reflect.GeneratedMethodAccessor906.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
...TRUNCATED...
Anyone have any insights?
Thanks,
RMills1
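Added example, not part of the original thread and not Dell tooling: a Python sketch that reads an output.log in the format quoted above, folds multi-line records (the `ad.membership` JSON, stack traces) back into one record, and pairs each "Activate request" with a later "Auth failure" on the same thread so failures can be tallied per `shield.version`. It assumes one server thread handles a request from start to finish; a request with no failure line is reported as "no failure logged", not as success, because the thread shows no success message. The sample log and the `10.2.x` value are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample modelled on the output.log excerpt in the post above (placeholder values).
SAMPLE = """\
2019-07-26 08:25:04,614 INFO XSERVER [qtp1-4673] - Activate request user='userA@domain.com' deviceUniqueId='pc1.domain.com' ad.membership='{
"Domain":"domain.com"
}' shield.category='WINDOWS' shield.version='10.3.0.2'
2019-07-26 08:25:04,929 ERROR XSERVER [qtp1-4673] - Activation error
Error authenticating user userA@domain.com
2019-07-26 08:25:04,931 ERROR XSERVER [qtp1-4673] - Auth failure: Error authenticating user userA@domain.com
2019-07-26 08:26:10,100 INFO XSERVER [qtp1-4680] - Activate request user='userB@domain.com' deviceUniqueId='pc2.domain.com' shield.version='10.2.x'
2019-07-26 08:26:10,400 ERROR XSERVER [qtp1-4680] - Auth failure: Error authenticating user userB@domain.com
2019-07-26 08:27:00,000 INFO XSERVER [qtp1-4673] - Activate request user='userC@domain.com' deviceUniqueId='pc3.domain.com' shield.version='10.3.0.2'
"""

START = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) +(\w+) +(\S+) +\[([^\]]+)\] - ")
FIELD = re.compile(r"([\w.]+)='([^']*)'")  # key='value'; values may span lines

def records(text):
    """Yield [timestamp, level, thread, message]; lines without a timestamp are continuations."""
    rec = None
    for line in text.splitlines():
        if (m := START.match(line)):
            if rec:
                yield rec
            rec = [m.group(1), m.group(2), m.group(4), line[m.end():]]
        elif rec:
            rec[3] += "\n" + line
    if rec:
        yield rec

def activation_outcomes(text):
    """One dict per 'Activate request', flagged if an 'Auth failure' followed on the same thread."""
    pending, done = {}, []
    for ts, level, thread, msg in records(text):
        if msg.startswith("Activate request"):
            if thread in pending:  # thread reused: earlier request logged no failure
                done.append(pending.pop(thread))
            f = dict(FIELD.findall(msg))
            pending[thread] = dict(time=ts, user=f.get("user"), device=f.get("deviceUniqueId"), version=f.get("shield.version"), auth_failure=False)
        elif level == "ERROR" and msg.startswith("Auth failure") and thread in pending:
            pending[thread]["auth_failure"] = True
            done.append(pending.pop(thread))
    done.extend(pending.values())
    return sorted(done, key=lambda o: o["time"])

def failures_by_version(outcomes):
    return Counter((o["version"], o["auth_failure"]) for o in outcomes)
```

Running `failures_by_version(activation_outcomes(open(path).read()))` against the real log gives a per-client-version count of failed versus not-failed activation requests, which is the comparison the later posts in this thread make by hand.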
Brian Piatt
July 29th, 2019 19:00
@RMills1 ,
I'm sorry to hear that you are having issues post CA renewal. When you looked in the cacert file (in the security server service), did you remove the old CA thumbprint? Did you also renew the other cacert locations on the back-end?
Do you have a front-end server? If so, have you renewed the certs on the front-end server as well?
-Brian
L4 | Dell Data Security #IWork4Dell
RMills1
July 31st, 2019 07:00
Hey Brian,
I didn't remove the old CA thumbprint. I wasn't sure if I needed to leave it for old certificates or not, as not all our users have re-enrolled their smart cards.
I wasn't aware there are other cacert locations. Could you send me the locations on the virtual appliance?
I don't have a front-end server, but I've been planning to add one since I've gone from ~110 clients to ~1300 clients. I'll keep in mind I'm going to need to add the CAs into cacerts.
Thanks,
RMills1
RMills1
July 31st, 2019 10:00
Hey Brian,
I found the following locations for cacerts:
/opt/dell/server/core-server-proxy/conf/cacerts
/opt/dell/server/forensic-server/conf/cacerts
/opt/dell/server/local-server/conf/cacerts
/opt/dell/server/reporter/conf/cacerts
/opt/dell/server/security-server/conf/cacerts
Can you confirm I need to add my CA certs to all of these?
Thanks,
Rmills1
RMills1
August 2nd, 2019 09:00
So I went ahead and removed the old CA certs from the cacerts file. One of my users on client v10.3 worked! However, another client on 10.2 still didn't work, so I'll update them to 10.3 and see what happens.
Also, it appears the software automatically updates the other cacerts files when you update the /opt/dell/server/security-server/conf/cacerts file.
Thanks!
Brian Piatt
August 5th, 2019 17:00
RMills1
August 6th, 2019 07:00
Hey Brian,
While it seemed to work for some users, most still aren't working. I reproduced it on a test account and captured the logs. I should have time this afternoon, so I'll call support then. Thanks for the help!
RMills
Brian Piatt
August 6th, 2019 11:00
@RMills1 ,
Sorry to hear that you are having inconsistent results. Inconsistency is always when it comes to troubleshooting an issue.
When the agent gets the logs he should be troubleshooting the communication from CMGAgent.log > Security Server Output.log. (which is located in the opt/var folder for the Server logs).
If you end up running into any snags, shoot me a PM with the SR (service request number) and I will see what I can do to help you get your issues resolved quickly.
Have a good one.
-Brian
L4 | Dell Data Security #IWork4Dell