Knowledgebase : Axidian Certiflow

Error “Invalid flags specified” at issuance, and errors when deleting and initializing eToken cards, when SAC 10.5.175.0 or higher is used.

Description:

Errors when eToken cards are used with SafeNet Authentication Client (SAC) 10.5.175.0 or higher:

  • Error at card issuance: “Invalid flags specified”
  • Error when trying to delete a card in Indeed CM: “The specified PIN has invalid characters in it”
  • Error when trying to initialize a card: “The new administrator password must comply with the quality settings”

Cause:

After installing SafeNet Authentication Client 10.5.175.0 or higher, the following options are enabled by default:

  1. Verification of the administrator PIN quality
  2. Restriction on the generation of weak keys
  3. Restriction on the generation of exportable keys

Solution:

All three restrictions can be removed in two ways: through GPO or by editing the registry. The GPO settings apply to every application that uses SAC on the machine. The registry examples below instead use per-process subkeys named after the Indeed CM executables (IndeedCM.Client.Server.exe and IndeedCM.Agent.Client.exe), so the change affects only the Indeed CM components and is not applied to other software using the same token. Each of these settings weakens a default that SAC 10.5 introduced deliberately; where the “Use default settings” option given for a step is workable, prefer it.

1. Verification of the administrator PIN quality.

The administrator PIN must be at least 8 characters long and contain characters from at least three of the four character groups: lowercase letters, uppercase letters, digits, and special characters.

GPO:

  1. Parameter: Enable Administrator Password Quality Check
  2. Computer Configuration/Administrative Templates/SafeNet Authentication Client Setting/Token Password Quality Settings/Enable Administrator Password Quality Check
  3. Set policy: Disabled

Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\PQ\IndeedCM.Client.Server.exe]
"pqAdminPQ"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\PQ\IndeedCM.Agent.Client.exe]
"pqAdminPQ"=dword:00000000

Use default settings:
Keep the quality check enabled and use an administrator PIN that meets the requirements above: set a compliant PIN in the device type settings in Indeed CM, or enroll the token in Indeed CM with the desired PIN.
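If you keep the default setting, it helps to check a candidate administrator PIN before initializing the token, rather than discovering the problem from the “must comply with the quality settings” error. The following function is an added example (not code from the article, Indeed CM or SafeNet) that applies the rule exactly as this article states it: at least 8 characters and at least three of the four character groups. SAC may apply further rules not listed on this page; the function name, parameters and sample PINs are this example's own.

```powershell
# Added example: check a candidate eToken administrator PIN against the quality rule
# described in this article (>= 8 characters, >= 3 of 4 character groups).
# Assumption: SAC's actual check may be stricter; this mirrors only the rule stated here.
function Test-AdminPinQuality {
    param(
        [Parameter(Mandatory)][string]$Pin,
        [int]$MinLength = 8,
        [int]$MinGroups = 3
    )

    # -cmatch is case-sensitive; plain -match would treat [a-z] and [A-Z] as the same group.
    $groups = [ordered]@{
        Lowercase = $Pin -cmatch '[a-z]'
        Uppercase = $Pin -cmatch '[A-Z]'
        Digit     = $Pin -match  '[0-9]'
        Special   = $Pin -match  '[^a-zA-Z0-9]'
    }
    $present = @($groups.GetEnumerator() | Where-Object { $_.Value }).Count
    $missing = @($groups.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })

    [pscustomobject]@{
        Pin           = ('*' * $Pin.Length)   # never echo the candidate PIN itself
        Length        = $Pin.Length
        GroupsFound   = $present
        MissingGroups = ($missing -join ', ')
        Compliant     = ($Pin.Length -ge $MinLength) -and ($present -ge $MinGroups)
    }
}

# Constructed sample PINs: the first has one group only and fails;
# the second has all four groups and 11 characters and passes.
Test-AdminPinQuality -Pin '12345678'
Test-AdminPinQuality -Pin 'Tok3n-Admin'
```

The output object reports which groups are missing, so a failing PIN can be corrected without guessing; the PIN itself is masked so the check can be run in a logged session.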

2. Restriction on weak key generation

The following algorithms and features are prohibited or not recommended for use in SAC 10.5: MD5, RC2, RC4, DES, 2DES, GenericSecret<112, RSA-RAW, RSA<2048, ECC<224, ECB, Sign-SHA1.

GPO:

  1. Parameter: Deprecated Cryptographic Algorithms and Features
  2. Computer Configuration/Administrative Templates/SafeNet Authentication Client Setting/Security Settings/Deprecated Cryptographic Algorithms and Features
  3. Set policy: None

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto\IndeedCM.Client.Server.exe]
"Disable-Crypto"="None"

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto\IndeedCM.Agent.Client.exe]
"Disable-Crypto"="None"

Use default settings:
For RSA certificates, you must set the key length to at least 2048 bits.

3. Restriction on the generation of exportable keys.

By default in SAC 10.5, exportable keys are not allowed to be generated on the device.

GPO:

  1. Parameter: Key Management
  2. Computer Configuration/Administrative Templates/SafeNet Authentication Client Setting/Security Settings/Key Management
  3. Set policy: Compatible

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto\IndeedCM.Client.Server.exe]
"Key-Management-Security"="Compatible"
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto\IndeedCM.Agent.Client.exe]
"Key-Management-Security"="Compatible"

Use default settings:
Do not use exportable keys: do not request certificates whose private key is marked exportable.
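The registry variant of all three steps above can be applied and verified in one pass. The script below is an added example (not code from the article, Indeed CM or SafeNet); the key paths, value names and values are taken from the registry fragments in this article, and it assumes, as those fragments do, that SAC reads per-process overrides from subkeys named after the executable. Run it in an elevated PowerShell session on the host where the Indeed CM component is installed.

```powershell
# Added example: apply the three per-process SAC overrides from this article for the
# Indeed CM processes only, then read them back and flag anything that did not stick.
# Assumption: SAC honours per-process subkeys named after the executable, as the
# registry fragments in the article show. Requires an elevated session.

$SacRoot   = 'HKLM:\SOFTWARE\SafeNet\Authentication\SAC'
$Processes = @('IndeedCM.Client.Server.exe', 'IndeedCM.Agent.Client.exe')

# Subkey under $SacRoot, value name, value and registry type for each override.
$Overrides = @(
    @{ SubKey = 'PQ';     Name = 'pqAdminPQ';               Value = 0;            Type = 'DWord'  }  # step 1: admin PIN quality check off
    @{ SubKey = 'Crypto'; Name = 'Disable-Crypto';          Value = 'None';       Type = 'String' }  # step 2: no algorithm restrictions
    @{ SubKey = 'Crypto'; Name = 'Key-Management-Security'; Value = 'Compatible'; Type = 'String' }  # step 3: exportable keys allowed
)

foreach ($proc in $Processes) {
    foreach ($o in $Overrides) {
        $path = "$SacRoot\$($o.SubKey)\$proc"
        if (-not (Test-Path -LiteralPath $path)) {
            # -Force creates any missing intermediate keys (PQ / Crypto) as well.
            New-Item -Path $path -Force | Out-Null
        }
        # -Force overwrites an existing value of the same name.
        New-ItemProperty -LiteralPath $path -Name $o.Name -Value $o.Value -PropertyType $o.Type -Force | Out-Null
    }
}

# Read back: every line should say OK. A MISMATCH means the value was not written
# (typically a non-elevated session) and the original errors will persist.
foreach ($proc in $Processes) {
    foreach ($o in $Overrides) {
        $path   = "$SacRoot\$($o.SubKey)\$proc"
        $actual = (Get-ItemProperty -LiteralPath $path -Name $o.Name -ErrorAction SilentlyContinue).($o.Name)
        $status = if ("$actual" -eq "$($o.Value)") { 'OK' } else { 'MISMATCH' }
        '{0,-8} {1,-28} {2,-24} = {3}' -f $status, $proc, $o.Name, $actual
    }
}

# To return the Indeed CM processes to the SAC 10.5 defaults, delete the per-process
# subkeys again, e.g.:
#   Remove-Item -LiteralPath "$SacRoot\PQ\IndeedCM.Client.Server.exe" -Recurse
```

Because the values live under per-process subkeys, other SAC consumers on the same machine (browsers, VPN clients, signing tools) keep the hardened defaults; only the two Indeed CM executables see the relaxed settings. Keep the read-back output with the change record so it is clear which host has the overrides in place.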

The ADMX group policy files and a registry file with the settings above are attached.