Knowledgebase : Axidian Certiflow > Axidian Certiflow errors

Problem:
The following errors occur when switching from one section to another or any other operation in Indeed CM web services:

Access denied

or

An internal error occurred

Solution:
The Indeed CM server address and wss://localhost is not added to Local Intranet zone in Internet Explorer security properties.

Problem:
The following errors occur while adding/issuing a card in Indeed CM:

Encryptor not found

and (or) 

Specified procedure not found

Solution: 
Most probably, the root cause is that the name of the server where Indeed CM is installed, contains “_” character.

According to the Microsoft article, cookie files are blocked on ASP pages if the server name contains characters that are not supported by DNS (Domain Name System) service. For example, underscore (“_”) character is one of those. Such behaviour is a distinct feature of the product.
To circumvent the problem, use one of the following:

  • Change the server name, using alphanumeric characters only.
  • Go to the server using its IP address, not name.

Note: After the server is renamed, the Microsoft Internet Information Server (IIS) configuration might require corresponding modifications.

Problem:
The following errors occur while issuing eToken card at a workstation operating under Windows 2008R2/2012/2012R2, Windows 7SP1, Windows 8/8.1:

Internal error

and

Invalid flags specified

Solution:
The errors are conditioned by that the key length in the certificate template used is  512 bits. 
It is necessary to increase the key length at least to 1024 bits, as Microsoft blocks RSA certificates with keys less than 1024 bits (see http://support.microsoft.com/kb/2661254/en).

Description:
The “Invalid PIN code” error occurs when trying to issue a Gemalto IDPrime MD smart card, to create a certificate request or to write a certificate to device.
However, user and administrator PIN codes are correct (including default values), since it is possible to login to the card as user or administrator in SafeNet Authentication Client.

Cause:
If user PIN code is correct, then the error is caused by mini-driver version for operating system the device is issued in. The error can be reproduced at workstations under Windows 10 1809 build 17763.195, mini-driver version of 8.5.0.7.

Solution:
Update the mini-driver for Gemalto ID Prime smart cards. No error appears under Windows 10 with mini-driver version of 10.2.120.0.
Mini-driver can be downloaded from Windows Update catalogue. To install the driver, unpack the .cab file with suitable archiver, right-click the installation package, then click Install in the context menu:

Description:

Certification Authority error occurs when attempting to issue a smart card:

Solution:

  1. Open the Certificates (Local computer) Snap-in via MMC application.
  2. Switch to Personal certificates storage and find the service account Enrollment agent certificate.
  3. Then switch to private key management of the certificate (context menu ->All tasks->Manage Private Keys...)
  4. Add a service account to use with target Microsoft CA and grant Full access rights to it:
  5. Press Apply and then OK.

Problem:
The following error errors occurs when trying to issue an Enrollment Agent certificate using IndeedCM.CertEnroll.MsCA.exe:

Keyset does not exist

or

Access is denied

Solution:
The IndeedCM.CertEnroll.MsCA.exe utility requires that the account used to launch it in Windows Command promt has local administrator privileges at the workstation where the utility launch occurs (Indeed CM server). Local administrator privileges are required in order that the utility could place the issued Enrollment Agent certificate to Personal certificate storage (Local Computer).

Problem:
"Length of the data to decrypt is invalid" error occurs when attempting to issue a smart card along with certificate writing to it.

Cause:
The error might be conditioned by outdated Internet Explorer version (below 8.0.7601.17514). Absence of corresponding security updates for Windows XP x86 SP3/x64 SP1 might also be the cause.

Solution:
Install the latest updates available for the Windows version used.

Problem:
The following error occurs even though the username and password are specified correctly for the service account:

Logon failure: unknown user name or bad password

or

The user name or password is incorrect

Sometimes no error message appears but no activity is found after execution of the command.


Solution:
Make sure that credentials for the service account are specified correctly. You might also login to any workstation within the domain to verify whether the account is blocked. If this is not the case and credentials are specified correctly, then, most probably, the password contains characters that require special handling within the command line. Such characters are quotation marks ("), for example.

The figure below shows the result of IndeedCM.CertEnroll.MsCA.exe execution with password of service account containing double quotation marks that cause the error.
In this case, the content of the password must be enclosed in quotation marks, and instead of one double quotation mark, use two consecutive words: instead of "pass"word1" enter "pass""word1".
The password specified in this form is processed correctly.


If you need to specify a password containing double quotes in the Indeed CM configuration file (.config), the symbol must be replaced with a group of characters " and the content part should be quoted.
For example: instead of "pass"word" specify "pass"word"

Problem:
The following error message appears on any action with connected smart card:

Solution 1:
Make sure that the workstation the card being added is connected to has the Smart card service installed and running. 

To view Smart card service status in OS with interface in English, proceed as follows (local administrator privileges are required):
Open Control Panel - Administrative Tools - Services menu and find Smart Card service:


Solution 2:
Make sure that the Indeed CM server address is added to Local Intranet zone of browser of the workstation the smart card is connected to:
Internet options - Security - Local intranet - Sites.
Add the following nodes to the zone if required: https://"CM server DNS name" and wss://localhost/

Description:
“An error occurred while executing the function” error appears when connected to workstation operating under Windows Server 2012 R2 from workstation under Windows 10 and attempted to issue a card. No error occurs when RDP is not used.

Cause:
The error cause is that Indeed CM cannot log in to device if the latter is forwarded via RDP. The error might be attributed to KB2992611 and KB3000850 updates for Windows Server 2012 R2.

Solution:
Remove KB2992611 and KB3000850, if these are installed. If the problem persists, then edit the registry of Windows Server 2012 R2 and set the ProtectionPolicy parameter to 1 in the following branch: HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb and try to issue a smart card again.
The recommendation is based on Microsoft article: https://support.microsoft.com/en-us/help/3000850/november-2014-update-rollup-for-windows-rt-8-1-windows-8-1-and-windows

Question:
The certification authority is added to the policy but the following error occurs while issuing a card:

Enrollment Agent certificate not found

However, the certificate is valid and resides in the workstation storage with Indeed CM server installed. The privileges required to manage the private key of the certificate are set properly.

Answer:
The error might be attributed to that the template of “Enrollment Agent” certificate has a name that differs from default one of template of Enrollment Agent certificate in Microsoft CA. If this is the case, then you have to issue a certificate using the default template name, that is EnrollmentAgent.
If the default name of certificate template is used, then make sure that service account name (the value before @ character) in the Subject Alternative Name parameter of Enrollment Agent certificate is identical to one in the certification authority settings, section Configuration - <Policy name> - PKI settings - Microsoft - Certification authorities. The account names in the certificate and in the policy must be identical and in the same letter case.

Problem:
The following message appears when issuing a card in Indeed CM with connector to Indeed EA/ESSO enabled:

“Indeed EA: Class not registered"

Solution:
Make sure that Indeed CM server has Indeed-Id Administration Tools or Indeed-Id Admin Pack component installed, depending on the Indeed EA/ESSO version used.

Description:
Smart cards are issued using XID 8300 printer.

Problem:
The following error occurs while issuing a device in Indeed CM:


Cause:
Reader names specified in the registry differ from ones of actually connected devices.

Example:
Connected readers:

  1. Contact - USB CCID Smart Card Reader 0
  2. Proximity - HID OMNIKEY 5427 CK CL0

Readers defined in the registry:

  1. The OMNIKEY AG Smart Card Reader USB 0 value is specified in the ContactReaderName parameter of contact reader.
  2. The HID OMNIKEY 5427 CK CL 0 value is specified in the СontactlessReaderName parameter of proximity reader.

As the example shows, the name of connected contact reader  USB CCID Smart Card Reader 0 does not correspond to one defined in the registry parameter ContactReaderName = OMNIKEY AG Smart Card Reader USB 0. This causes the error.

Solution:
Use the listreaders.exe utility, that shows the list of connected readers. To do so, run the CMD application as administrator and execute listreaders.exe command.

The default reader names are:

  1. Contact reader XID 8300 - OMNIKEY AG Smart Card Reader USB 0or USB CCID Smart Card Reader 0
  2. Proximity reader XID 8300 - HID OMNIKEY 5427 CK CL 0

Important: The actual reader names might differ from the default ones.

Run RegEdit.exe and switch to the following registry branch:

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\IndeedCM\Client\Printers\XID 8300 (DS)] - for x64

or

[HKEY_LOCAL_MACHINE\SOFTWARE\IndeedCM\Client\Printers\XID 8300 (DS)] - for x86

  1. The ContactReaderNameparameter value should coincide with the name of connected contact reader.
  2. The value of СontactlessReaderName should coincide with the name of connected proximity reader.

Problem:
The following message appears when issuing a eToken card in Indeed CM:

Error: Cannot login to the system: the specified password has expired.

Cause:
The “Change password upon the first login” option was enabled for user PIN code during device initialization in eToken PKI Client\SafeNet Authentication Client.

Solution:
Initialize the eToken device with the said option disabled and issue the card in Indeed CM again.

Problem:
The following error appears when issuing a card with EA/ESSO connector enabled:

“Access denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"

Cause:
Insufficient privileges for the account used by Indeed EA/ESSO connector.

Solution:
Add the said account (specified in the smart card usage policy, Indeed EA section), to Indeed-ID User Admins and Indeed-ID Enrollment Admins groups.
The Indeed-ID User Admins group is created automatically at the Indeed EA/ESSO system deployment stage. The Indeed-ID Enrollment Admins group is created with IndeedID.security.provider.ex.cfg.exe utility from the Indeed-Id Extended Security Provider component package. After the Extended Security Provider is installed at each Indeed EA/ESSO server and Indeed-ID Enrollment Admins group is created, the Indeed server has to be restarted with the following command:

IndeedID.srvcfg.exe /restart.

After the service account is added to Indeed-ID Enrollment Admins group, you have to logout and log in to Indeed EA server again under this account for the changes to take effect.

Error “Invalid flags specified” at the issuance, errors at deleting and initializing eToken cards when SAC 10.5.175.0 or higher is used.

Description:

Errors when eToken cards used with SafeNet Authentication Client 10.5.175.0 or higher:

  • Error at the card issuing -  “Invalid flags specified”:
  • Error when trying delete card from Indeed CM - "The specified PIN has invalid characters in it"

  • Error when trying initialize card - “The new administrator password must comply with the quality settings”

Cause:

After installing SafeNet Authentication Client 10.5.175.0 or higher, by default options are enabled: 

  1. Verify the quality of the administrator's PIN 
  2. Restriction on the generation of weak keys
  3. Restriction on exported keys generation. 

Solution:

All restrictions can be removed in two ways, through GPO or registry editing. In the case of registry editing, there are examples where changes will only affect Indeed CM components and will not be distribute to other software:

1. Verify the quality of the administrator's PIN.

The administrator PIN must have at least three character groups and be at least 8 characters long. Character groups: Lowercase letters, uppercase letters, numbers, and special characters.

GPO

  1. Parameter: Enable Administrator Password Quality Check
  2. Computer Configuration/Administrative Templates/SafeNet Authentication Client Setting/Token Password Quality Settings/ Enable Administrator Password Quality Check
  3. Set policy: Disabled

Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\PQ\IndeedCM.Client.Server.exe]
"pqAdminPQ"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\PQ\IndeedCM.Agent.Client.exe]
"pqAdminPQ"=dword:00000000

Use default settings:
You need to set a suitable administrator PIN, edit the device type, or enter a token in Indeed CM with the desired PIN.

2. Restriction on weak key generation

The following algorithms and features are prohibited or not recommended for use in SAC 10.5: MD5, RC2, RC4, DES, 2DES, GenericSecret<112, RSA-RAW, RSA<2048, ECC<224, ECB, Sign-SHA1.

GPO:

  1. Parameter: Deprecated Cryptographic Algorithms and Features. 
  2. Computer Configuration/Administrative Templates/SafeNet Authentication Client Setting/Security Settings/Deprecated Cryptographic Algorithms and Features.
  3. Set Policy: None

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto\IndeedCM.Client.Server.exe]
"Disable-Crypto"="None"

[HKEY_LOCAL_MACHINE/SOFTWARE/SafeNet\Authentication\SAC\Crypto\IndeedCM.Agent.Client.exe]
"Disable-Crypto"="None"

Use default settings:
For RSA certificates, you must set the key length to at least 2048 bits.

3. Prohibit the generation of exportable keys.

By default in SAC 10.5, exportable keys are not allowed to be generated on the device.

GPO:

  1. Parameter: Key Management.
  2. Computer Configuration/Administrative Templates/SafeNet Authentication Client Setting/Security Settings/Key Management
  3. Set policy value: Compatible

Registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\SafeNet\Authentication\SAC\Crypto\IndeedCM.Client.Server.exe]
"Key-Management-Security"="Compatible"
[HKEY_LOCAL_MACHINE/SOFTWARE/SafeNet\Authentication\SAC\Crypto\IndeedCM.Agent.Client.exe]
"Key-Management-Security"="Compatible"

Use default settings:
Do not use exported keys.

All ADMX group policy files and registry file attached.

 

Problem:
The following errors occur when attempting to issue or add eToken card to Indeed CM:

The authenticated user type does not correspond to the operation

or

Incorrect user type defined

Solution:
The error is conditioned by that the administrator PIN code is not defined for the token. It is necessary to initialize the token in Indeed CM (see Configuration - Card types section, Initialize card upon adding option).

Problem:
After the Indeed CM Server is installed and configuration files are set up, Internet Explorer gives HTTP 403 - Forbidden error when trying to log in to any web service of the system.

Solution:
The error might be attributed to absence of Windows KB980368 update for Windows Server 2008, Windows Server 2008 Service Pack 2 and Windows Server 2008R2 at the Indeed CM server. This update provides for correct mapping of handler to URL addresses with no extensions. The update might require computer restart after installation.

Description: 
The user directory is in Active Directory.
The following error occurs when attempting log in to self-service:

Error:
HTTP 404 Not Found


Solution:
The error states that a user who tries to access the self-service is missing the Indeed CM user directory.

  1. Run Indeed CM Setup Wizard.
  2. Switch to User catalog -> Active Directory.
  3. Make sure that LDAP path to container or unit with users is specified correctly.
  4. If LDAP path is correct then verify the user location in Active Directory.

Description:
After the Indeed CM Server or Enterprise Management Console is installed and configuration files are set up, Internet Explorer gives HTTP 500 - Internal Server Error when trying to log in to any web service of the system:



Solution:
The error might be attributed to that the required application pools have not been correctly registered in the course of Internet Information Services (IIS) service installation.

To avoid this, it is recommended to install IIS role first, according to the Indeed CM system requirements, and then install Microsoft .NET 4.5 or later version.
If the system is already deployed, then it is necessary to re-register ASP.NET applications in the IIS service.  To do so, use Aspnet_regiis.exe from Microsoft .NET Framework (usually resides in C:\Windows\Microsoft.NET\Framework\v4.0.xxxxx folder) and execute the following command in the command line run as administrator:

Aspnet_regiis.exe -i  - for Windows Server 2008R2

dism /online /enable-feature /featurename:IIS-ASPNET45 - for Windows Server 2012R2

Problem:
After the Indeed CM Server or Enterprise Management Console is installed and configuration files are set up, Internet Explorer gives HTTP 503 - Service unavailable when trying to log in to any web service of the system:

Operating system used: Windows Server 2008 SP2 x64 or Windows Server 2008 R2 SP1.



IndeedCM (IndeedEMC) application pool is stopped:



Starting the IndeedCM (IndeedEMC) application pool does not solve the problem - attempt to log in to any web service again results in HTTP 503 Service unavailable error, and the IndeedCM(IndeedEMC)  application pool is forced to stop.

The System log records the following error event:
“Application pool 'IndeedCM' is being automatically disabled due to a series of failures in the process(es) serving that application pool."

The Application log contains a number of events with the following text:
“The Module DLL '<path to dll file>' could not be loaded due to a configuration problem. The current configuration only supports loading images built for a x86 processor architecture. The data field contains the error number."

Cause 1:
It is well-known Microsoft problem. The problem itself is that x64 versions of Microsoft component DLLs (say, MS Exchange or RPC via HTTP Proxy) are attempted to load to x86 processes in application pool. The problem can be solved in two ways:

Solution 1:
Disable "Enable 32-bit Applications” parameter in IndeedCM (IndeedEMC) application pool settings. To access the settings, select Advanced Settings item in the IndeedCM (IndeedEMC) application pool menu.





Solution 2:
Explicitly set bitness for the DLL in question and make it loadable for x64 applications only. To do so, edit the applicationHost.config configuration file. As a rule, it can be found in С:\Windows\System32\inetsrv\config folder.

Open the applicationHost.config file and define preCondition="bitness64" parameter in the configuration line for the required DLL. Use the path to the dll file to search for the necessary fragment.

The line format is:
<add name="<имя модуля>" image="<path to dll file>" preCondition="bitness64" />



If the problem appears for several DLLs (that is, after preCondition="bitness64" parameter is defined for one of DLLs, the HTTP Error 503 Service unavailable still appears, and event log records error messages for another DLL), then it is necessary to define the said parameter for all the DLLs affected.

Cause 2:
The account used for IndeedCM application pool is not valid (password is incorrect or has expired).

Solution:
If default ApplicationPoolIdentity account is used, then check if standard IIS application pool (DefaultAppPool) is working correctly with this account. If not, then the problem is conditioned by IIS operation or configuration errors.
To restore Indeed CM operability promptly, you can specify another built-in account to use with IndeedCM pool (say, NetworkService).
If you prefer using special (Custom account), then make sure that it is valid (i.e. not blocked, the password is correct and its validity period has not expired yet) or create another one according to Microsoft recommendations.

Description:
Indeed CM server is installed and configured correctly. The required Indeed CM Middleware type is specified to use with the smart card or token in question. The device is connected to PC and all the required drivers (PKI client) are installed. Internet Explorer is used as a browser. The following error occurs when using the connected device in web services (icm, icmservice):

Error:
Please install appropriate Indeed CM Middleware to use the system.

Solution:

  1. Open Internet Properties.
  2. Switch to Advanced.
  3. Make sure that the following checkboxes are set: TLS 1.0; TLS 1.1; TLS 1.2.
  4. Make sure that the following checkboxes are disabled: SSL 2.0; SSL 3.0.