FFE doesn't encrypt for smart card users, Part 2

Question

Hello all, In Part 1 (https://www.dell.com/community/Dell-Data-Security/FFE-doesn-t-encrypt-for-smart-card-users/td-p/7270094?ref=lithium_acptsoln), I had issues with smart card users authenticating to the security server.  We fixed it by importing our CA certs into /opt/dell/server/security-server/conf/cacerts.  Since then, we've renewed our intermediate CA's certificate, which we also uploaded into the cacerts file (and triple checked that it was there).  However, we are having issues with some users authenticating via smart card again.  I noticed a patch not for client v10.3 about smart card auth and activation, so I upgrade the server to v10.2.6.8 and a few clients to v10.3.  They are still having the issue. The logs below are for a user that got v10.3 yesterday and has rebooted since then. (listed as spoiler to prevent really long post) CMGShield.log Spoiler [07.26.19 08:25:04:902 XmlRpcActivate.: 207 E] Activation - Activation request failed [device server fault:0x13ec]: Auth failure: Error authenticating user user@domain.com [07.26.19 08:25:04:902 Activator.cpp: 848 E] Activation - Unable to activate new user domain\user [MS error = 5100] [07.26.19 08:25:04:902 Activator.cpp: 861 E] Activation - Verify network connectivity to the Dell Security Server at 'server.domain.com' and Dell Device Server at ' https://server.domain.com:8443/xapi/' [07.26.19 08:25:04:902 GinalessEEObjec: 1221 I] Event Engine - Performing user logon END [07.26.19 08:25:04:902 XmlRpcActivate.: 207 E] Activation - Activation request failed [device server fault:0x13ec]: Auth failure: Error authenticating user user@domain.com[07.26.19 08:25:04:902 Activator.cpp: 848 E] Activation - Unable to activate new user domain\user [MS error = 5100][07.26.19 08:25:04:902 Activator.cpp: 861 E] Activation - Verify network connectivity to the Dell Security Server at 'server.domain.com' and Dell Device Server at 'https://server.domain.com:8443/xapi/'[07.26.19 08:25:04:902 GinalessEEObjec: 1221 I] Event Engine - Performing user logon END /opt/dell/server/security-server/logs/output.log Spoiler 2019-07-26 08:25:04,614 INFO XSERVER [qtp309115525-4673] - Activate request user='user@domain.com' deviceUniqueId='computer.domain.com' device.os.version='6.1.7601' shield.mode='0' user.account.type='0' device.serial='REMOVED' ad.membership='{ 'Device':'CN=REMOVED,OU=REMOVED,DC=domain,DC=com','Domain':'domain.com','Member Of': ['REMOVED']}' shield.opt.in='false' device.processor='Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz' shield.category='WINDOWS' device.asset.tag='REMOVED' device.os.name='Microsoft Windows 7 Enterprise ' device.hwid='0D814CA3-F6B91C1C-4B9BEC3F-AEC4B738-7F0BD86E-7E113C89-273D9943-BFF03768' device.hwid.spec='{'version':2,'pcProduct':{'identifyingnumber':'REMOVED','uuid':'4C4C4544-0053-5A10-8032-B2C04F524632'},'pc':{'manufacturer':'Dell Inc.','model':'Latitude E5470'},'bios':{'serialnumber':'REMOVED'},'baseBoard':{'manufacturer':'Dell Inc.','product':'0P88J9','serialnumber':'/REMOVED/CN129636CM0706/'},'tpm':{'specversion':'1.2, 2, 3','manufacturerversion':'5.81','manufacturerversioninfo':'0000','manufacturerid':'1464156928'},'misc':{'gpu-sn0':'11583659','bootdiskserialnumber':'REMOVED'}}' device.locale='en-US' shield.version='10.3.0.2' param.shield.bundle.type='NOSHIELD'2019-07-26 08:25:04,614 INFO com.credant.shield.ShieldRepository [qtp309115525-4673] - located 1 shields with category WINDOWS2019-07-26 08:25:04,614 INFO com.credant.shield.ShieldRepository [qtp309115525-4673] - shield repository returning shield: shieldCategory=WINDOWS, version=9.1.0.0, date=null, guid=52a3c1672efa89c25f7ab9417794876fd2c131-d84e49519ad95ea4cbc471ed7c25d72bd49bd8-2e3195e28a56c4fe6e725b187b2fd4fefe4871-26d9c28d789c254f71ea99a3463b99a7ccc2f4fa, certificateId=null, keyMaterialVersion=6 Supported OS=[WINDOWS XP SERVICE PACK 1,WINDOWS 2000,WINDOWS XP SERVICE PACK 2,WINDOWS XP PROFESSIONAL,] Unsupported OS=[WINDOWS NT 4.0,WINDOWS SERVER 2003,] Supported Processor=[] Unsupported Processor=[]2019-07-26 08:25:04,640 INFO RIGHTS [org.springframework.jms.listener.DefaultMessageListenerContainer#9-1] - Received message to query DEEP for entitlement(s). AssetTag=REMOVED2019-07-26 08:25:04,912 INFO RIGHTS [org.springframework.jms.listener.DefaultMessageListenerContainer#9-1] - No entitlements found for AssetTag=REMOVED2019-07-26 08:25:04,929 ERROR XSERVER [qtp309115525-4673] - Activation errorError authenticating user user@domain.comat com.credant.guardian.server.device.DeviceManagerService.verifyUserCredentials(DeviceManagerService.java:1881)at com.credant.guardian.server.device.DeviceManagerService.doActivate(DeviceManagerService.java:1258)at com.credant.guardian.server.device.DeviceManagerService.activate(DeviceManagerService.java:204)at sun.reflect.GeneratedMethodAccessor175.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:498)...TRUNCATED... 2019-07-26 08:25:04,931 ERROR XSERVER [qtp309115525-4673] - Auth failure: Error authenticating user user@domain.comorg.apache.xmlrpc.XmlRpcException: Auth failure: Error authenticating user user@domain.comat com.credant.xserver.handler.helpers.ActivationHelper.generateActivateException(ActivationHelper.java:371)at com.credant.xserver.handler.helpers.ActivationHelper.activate(ActivationHelper.java:209)at com.credant.xserver.handler.ActivationHandler.activateDeviceWithPassword(ActivationHandler.java:99)at sun.reflect.GeneratedMethodAccessor906.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:498)...TRUNCATED... 2019-07-26 08:25:04,614 INFO XSERVER [qtp309115525-4673] - Activate request user='user@domain.com' deviceUniqueId='computer.domain.com' device.os.version='6.1.7601' shield.mode='0' user.account.type='0' device.serial='REMOVED' ad.membership='{'Device':'CN=REMOVED,OU=REMOVED,DC=domain,DC=com','Domain':'domain.com','Member Of': ['REMOVED']}' shield.opt.in='false' device.processor='Intel(R) Core(TM) i5-6200U CPU @ 2.30GHz' shield.category='WINDOWS' device.asset.tag='REMOVED' device.os.name='Microsoft Windows 7 Enterprise ' device.hwid='0D814CA3-F6B91C1C-4B9BEC3F-AEC4B738-7F0BD86E-7E113C89-273D9943-BFF03768' device.hwid.spec='{'version':2,'pcProduct':{'identifyingnumber':'REMOVED','uuid':'4C4C4544-0053-5A10-8032-B2C04F524632'},'pc':{'manufacturer':'Dell Inc.','model':'Latitude E5470'},'bios':{'serialnumber':'REMOVED'},'baseBoard':{'manufacturer':'Dell Inc.','product':'0P88J9','serialnumber':'/REMOVED/CN129636CM0706/'},'tpm':{'specversion':'1.2, 2, 3','manufacturerversion':'5.81','manufacturerversioninfo':'0000','manufacturerid':'1464156928'},'misc':{'gpu-sn0':'11583659','bootdiskserialnumber':'REMOVED'}}' device.locale='en-US' shield.version='10.3.0.2' param.shield.bundle.type='NOSHIELD'2019-07-26 08:25:04,614 INFO com.credant.shield.ShieldRepository [qtp309115525-4673] - located 1 shields with category WINDOWS2019-07-26 08:25:04,614 INFO com.credant.shield.ShieldRepository [qtp309115525-4673] - shield repository returning shield: shieldCategory=WINDOWS, version=9.1.0.0, date=null, guid=52a3c1672efa89c25f7ab9417794876fd2c131-d84e49519ad95ea4cbc471ed7c25d72bd49bd8-2e3195e28a56c4fe6e725b187b2fd4fefe4871-26d9c28d789c254f71ea99a3463b99a7ccc2f4fa, certificateId=null, keyMaterialVersion=6 Supported OS=[WINDOWS XP SERVICE PACK 1,WINDOWS 2000,WINDOWS XP SERVICE PACK 2,WINDOWS XP PROFESSIONAL,] Unsupported OS=[WINDOWS NT 4.0,WINDOWS SERVER 2003,] Supported Processor=[] Unsupported Processor=[]2019-07-26 08:25:04,640 INFO RIGHTS [org.springframework.jms.listener.DefaultMessageListenerContainer#9-1] - Received message to query DEEP for entitlement(s). AssetTag=REMOVED2019-07-26 08:25:04,912 INFO RIGHTS [org.springframework.jms.listener.DefaultMessageListenerContainer#9-1] - No entitlements found for AssetTag=REMOVED2019-07-26 08:25:04,929 ERROR XSERVER [qtp309115525-4673] - Activation errorError authenticating user user@domain.comat com.credant.guardian.server.device.DeviceManagerService.verifyUserCredentials(DeviceManagerService.java:1881)at com.credant.guardian.server.device.DeviceManagerService.doActivate(DeviceManagerService.java:1258)at com.credant.guardian.server.device.DeviceManagerService.activate(DeviceManagerService.java:204)at sun.reflect.GeneratedMethodAccessor175.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:498)...TRUNCATED...2019-07-26 08:25:04,931 ERROR XSERVER [qtp309115525-4673] - Auth failure: Error authenticating user user@domain.comorg.apache.xmlrpc.XmlRpcException: Auth failure: Error authenticating user user@domain.comat com.credant.xserver.handler.helpers.ActivationHelper.generateActivateException(ActivationHelper.java:371)at com.credant.xserver.handler.helpers.ActivationHelper.activate(ActivationHelper.java:209)at com.credant.xserver.handler.ActivationHandler.activateDeviceWithPassword(ActivationHandler.java:99)at sun.reflect.GeneratedMethodAccessor906.invoke(Unknown Source)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:498)...TRUNCATED... Anyone have an insights? Thanks, RMills1

Brian Piatt · Answer

@RMills1 ,

I'm sorry to hear that you are having issues post CA renewal. When you looked in the cacert file (in the security server service), did you remove the old CA thumbprint? Did you also renew the other cacert locations on the back-end?

Do you have a front-end server? If so, have you renewed the certs on the the front-end server as well?

-Brian

L4 | Dell Data Security #IWork4Dell

RMills1 · Answer

Hey Brian,

I didn't remove the old CA thumbprint. I wasn't sure if I needed to leave it for old certificates or not, as not all our users have re-enrolled their smart cards.

I wasn't aware there are other cacert locations. Could you send me the locations on the virtual appliance?

I don't have a front-end server, but I've been planning to add one since I've gone from ~110 clients to ~1300 clients. I'll keep in mind I'm going to need to add the CAs into cacerts.

Thanks,

RMills1

RMills1 · Answer

Hey Brian,

I found the following locations for cacerts:

/opt/dell/server/core-server-proxy/conf/cacerts
/opt/dell/server/forensic-server/conf/cacerts
/opt/dell/server/local-server/conf/cacerts
/opt/dell/server/reporter/conf/cacerts
/opt/dell/server/security-server/conf/cacerts

Can you confirm I need to add my CA certs to all of these?

Thanks,

Rmills1

RMills1 · Answer

So I went ahead and removed the old CA certs from the cacerts file. One of my users on client v10.3 worked! However, another client on 10.2 still didn't work, so I'll update them to 10.3 and see what happens.

Also, it appears the software automatically updates the other cacerts file when you update the /opt/dell/server/security-server/conf/cacerts file.

Thanks!

Brian Piatt · Answer

@RMills1, My apologies about the delay as I was on PTO. You were correct on the location for the other cacerts. I'm glad to hear 10.3.0 client seems to be working for you. I would suggest we get a case opened up with our support folks if the issue persists by collecting logs for Client: https://www.dell.com/support/article/us/en/19/sln294330/how-to-collect-logs-for-dell-data-security-dell-data-protection-using-diagnosticinfo?lang=en Server: https://www.dell.com/support/article/us/en/04/sln301253/how-to-collect-logs-for-dell-security-management-server-virtual-dell-data-protection-virtual-edition?lang=en Contact info for our phone support https://www.dell.com/support/article/us/en/04/sln297692/dell-data-security-international-support-phone-numbers?lang=en

RMills1 · Answer

Hey Brian,

While it seemed to work for some users, most still aren't working. I reproduced it on a test account and captured the logs. I should have time this afternoon, so I'll call support then. Thanks for the help!

RMills

Brian Piatt · Answer

@RMills1 ,

Sorry to hear that you are having inconsistent results. Inconsistency is always when it comes to troubleshooting an issue.

When the agent gets the logs he should be troubleshooting the communication from CMGAgent.log > Security Server Output.log. (which is located in the opt/var folder for the Server logs).

If you end up running into any snags, shoot me a PM with the SR (service request number) and I will see what I can do to help you get your issues resolved quickly.

Have a good one.

-Brian

L4 | Dell Data Security #IWork4Dell

Dell Data Security

Was this post helpful?