NSD1234 General Troubleshooting of Nordic Edge Pledge Enrollment
1 Overview of the Pledge Enrollment Process
Pledge Enrollment allows users to create a unique Profile ID (session ID) through the Pledge Enrollment web server installed at the customer site. Pledge Enrollment can also be configured to let administrators enroll a Profile ID on behalf of end-users.
The Pledge application must be installed on the user's device first.
When an end-user or administrator enrolls for a Pledge Profile ID, the Pledge Enrollment web application sends a web service request to the Nordic Edge Pledge Factory, asking for a user Profile ID.
Nordic Edge Pledge Factory will perform the following steps:
1. Generate a unique symmetric key and a corresponding counter.
2. Pack the customer's images (logotype, icon, background, etc.) into a zip file called branding data, together with contact information and the PIN code policy.
3. Generate a unique profile number.
4. Combine all of the above into an XML message and associate it with the unique profile number.
5. Send the unique symmetric key, the corresponding counter and, optionally, the unique profile number.
The end-user or administrator, depending on the enrollment mode (Self-enrollment or Admin-enrollment), receives a unique Profile ID via the Pledge Enrollment web page.
The Pledge Client must then be launched; select the key symbol in the left corner and enter the Profile ID. The Pledge Client sends a request to the Pledge Factory and receives the profile for that user.
The device is then ready to generate OTPs.
Correct Enrollment
Correct Enrollment looks like this:
2 Common problems
1. User cannot enroll. Error: "Failed to update the OATH key attribute. Error code: 0"

The log is reporting:
2010-05-07 09:23:04,609: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 09:23:04,609: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:23:04,609: DEBUG: OTPConnection [Enrollment client] "CN=John Doe,CN=Users,DC=nordicedge,DC=local" has the following attributes: carLicense
2010-05-07 09:23:08,234: DEBUG: OTPConnection [Enrollment client] -> "Update OATH key" Request
2010-05-07 09:23:08,234: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 09:23:08,234: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:23:08,234: INFO: DBHandler [saveOATHKey] ERROR Saving OATH Key for user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:23:08,234: ERROR: PrefetchHandler [127.0.0.1] [InsertOATHKey] ERROR OATH Key could not be saved to user "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
Cause:
This error may occur when:
1. The admin user account configured for the Pledge Enrollment database in OTP-Configurator does not have write access to the OATH key attribute of the user object.
Solution: grant the admin user account rights to manage the content of the OATH key attribute.
2. The HOTP-LDAP database for Pledge Enrollment does not point to the right database.
Solution:
Resolve the mismatch and select the correct database for Enrollment.
3. The user object attribute chosen to store the OATH key when configuring the OTPServer database is not of the right type, or the maximum length of its value is too short, for example:
2. Problem with Admin-enrollment, cannot enroll end-user. Error: "This account is not an administrator account. Login with an administrator account (1)"

OTPServer log is reporting:
2010-05-07 09:51:13,484: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=gpedersen)(objectclass=user))
2010-05-07 09:51:13,500: INFO: DBHandler [getDNSingle] Found user: "CN=Gabriel Pedersen,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:51:13,500: INFO: OTPConnection [Enrollment client] -> "GET-ATTRIB-VALUE:gpedersen:memberOf"
2010-05-07 09:51:13,500: DEBUG: OTPConnection [Enrollment client] Database for "127.0.0.1" is "Enrollment Database"
2010-05-07 09:51:13,500: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=gpedersen)(objectclass=user))
2010-05-07 09:51:13,500: INFO: DBHandler [getDNSingle] Found user: "CN=Gabriel Pedersen,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:51:13,500: DEBUG: OTPConnection [Enrollment client] "CN=Gabriel Pedersen,CN=Users,DC=nordicedge,DC=local" memberOf=
Whereas it should report:
2010-05-07 09:58:35,921: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=gpedersen)(objectclass=user))
2010-05-07 09:58:35,921: INFO: DBHandler [getDNSingle] Found user: "CN=Gabriel Pedersen,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:58:35,937: DEBUG: OTPConnection [Enrollment client] "CN=Gabriel Pedersen,CN=Users,DC=nordicedge,DC=local" memberOf=CN=Domain Admins,CN=Users,DC=nordicedge,DC=local
2010-05-07 09:58:35,937: DEBUG: OTPConnection [Enrollment client] -> "AVAILABLE ATTRIBUTES" Request
2010-05-07 09:58:35,937: DEBUG: OTPConnection [Enrollment client] Database for "127.0.0.1" is "Enrollment Database"
2010-05-07 09:58:35,937: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 09:58:35,937: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:58:35,937: DEBUG: OTPConnection [Enrollment client] "CN=John Doe,CN=Users,DC=nordicedge,DC=local" has the following attributes: carLicense
2010-05-07 09:58:36,265: DEBUG: OTPConnection [Enrollment client] -> "Update OATH key" Request
2010-05-07 09:58:36,265: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 09:58:36,265: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:58:36,390: INFO: DBHandler [saveOATHKey] OATH Key has been updated for user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 09:58:36,390: INFO: PrefetchHandler [127.0.0.1] [InsertOATHKey] OATH Key has been updated for user "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
Cause:
The admin account used to enroll the end-user is not a member of the support enrollment group and is therefore not allowed to enroll end-users.
Solutions:
Step 1.
Open <Install folder>\NordicEdge\OTPServer3\im4otp\webapps\PledgeEnrollment\constants.jsp and verify the group name configured for Admin Enrollment:
//For admin enrollment
String groupAttributeName = "memberOf"; //The name of the LDAP attribute that contains the group or role values, memberOf for AD
String supportGroupName = "Domain Admins"; //The value that contains the support group, must be the CN value
Step 2.
Add the admin user account to this group.
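The group check behind this error, as an added Python example (not the product's own code): it splits the memberOf value as the OTPServer log prints it, with group DNs joined by "^", and accepts the account only when one group's CN equals supportGroupName. An exact, case-insensitive CN comparison is an assumption; the page states only that the value must be the CN.

```python
# Added example, not part of the Pledge Enrollment code base. Models the Admin-enrollment
# group check described by constants.jsp against the memberOf value as logged by OTPServer.

SUPPORT_GROUP_NAME = "Domain Admins"  # value of supportGroupName in constants.jsp

def group_cns_from_log(member_of_value):
    """Return the CN of every group DN in a logged memberOf value.
    OTPServer prints the multi-valued attribute as DNs joined with '^'; an empty value
    (the failing log line 'memberOf=') yields an empty list. Escaped commas inside an
    RDN are not handled, since none of the group names on the page contain one."""
    cns = []
    for dn in member_of_value.split("^"):
        dn = dn.strip()
        if not dn:
            continue
        first_rdn = dn.split(",", 1)[0]            # e.g. "CN=Domain Admins"
        attr, sep, value = first_rdn.partition("=")
        if sep and attr.strip().lower() == "cn":
            cns.append(value.strip())
    return cns

def is_enrollment_admin(member_of_value, support_group_name=SUPPORT_GROUP_NAME):
    """True if one of the account's groups has the configured CN.
    Assumption: exact, case-insensitive match (the page says only 'must be the CN value')."""
    wanted = support_group_name.casefold()
    return any(cn.casefold() == wanted for cn in group_cns_from_log(member_of_value))

if __name__ == "__main__":
    # Constructed from the two log excerpts above: the failing case, then the working one.
    failing = ""
    working = "CN=Domain Admins,CN=Users,DC=nordicedge,DC=local"
    for label, value in (("failing", failing), ("working", working)):
        print(label, group_cns_from_log(value), is_enrollment_admin(value))
```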
3. Cannot perform Admin-enrollment or Self-enrollment. Error: "Failed to create a Pledge Profile!"

OTPServer log is reporting:
DBHandler [getDNSingle] Found user: "CN=Administrator,CN=Users,DC=nordicedge,DC=local"
2010-05-07 10:14:28,031: DEBUG: OTPConnection [Enrollment client] "CN=Administrator,CN=Users,DC=nordicedge,DC=local" memberOf=CN=NordicEdge_IMAdmin_Role,OU=Roles,OU=NordicEdge,DC=nordicedge,DC=local^CN=NordicEdge_RoleAdmin_Role,OU=Roles,OU=NordicEdge,DC=nordicedge,DC=local^CN=Group Policy Creator Owners,CN=Users,DC=nordicedge,DC=local^CN=Domain Admins,CN=Users,DC=nordicedge,DC=local^CN=Enterprise Admins,CN=Users,DC=nordicedge,DC=local^CN=Schema Admins,CN=Users,DC=nordicedge,DC=local^CN=Administrators,CN=Builtin,DC=nordicedge,DC=local
2010-05-07 10:14:28,031: DEBUG: OTPConnection [Enrollment client] -> "AVAILABLE ATTRIBUTES" Request
2010-05-07 10:14:28,031: DEBUG: OTPConnection [Enrollment client] Database for "127.0.0.1" is "Enrollment Database"
2010-05-07 10:14:28,046: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 10:14:28,046: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 10:14:28,046: DEBUG: OTPConnection [Enrollment client] "CN=John Doe,CN=Users,DC=nordicedge,DC=local" has the following attributes: carLicense
Whereas it should report:
DBHandler [getDNSingle] Found user: "CN=Administrator,CN=Users,DC=nordicedge,DC=local"
2010-05-07 10:30:20,718: DEBUG: OTPConnection [Enrollment client] "CN=Administrator,CN=Users,DC=nordicedge,DC=local" memberOf=CN=NordicEdge_IMAdmin_Role,OU=Roles,OU=NordicEdge,DC=nordicedge,DC=local^CN=NordicEdge_RoleAdmin_Role,OU=Roles,OU=NordicEdge,DC=nordicedge,DC=local^CN=Group Policy Creator Owners,CN=Users,DC=nordicedge,DC=local^CN=Domain Admins,CN=Users,DC=nordicedge,DC=local^CN=Enterprise Admins,CN=Users,DC=nordicedge,DC=local^CN=Schema Admins,CN=Users,DC=nordicedge,DC=local^CN=Administrators,CN=Builtin,DC=nordicedge,DC=local
2010-05-07 10:30:20,718: DEBUG: OTPConnection [Enrollment client] -> "AVAILABLE ATTRIBUTES" Request
2010-05-07 10:30:20,718: DEBUG: OTPConnection [Enrollment client] Database for "127.0.0.1" is "Enrollment Database"
2010-05-07 10:30:20,718: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 10:30:20,718: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 10:30:20,718: DEBUG: OTPConnection [Enrollment client] "CN=John Doe,CN=Users,DC=nordicedge,DC=local" has the following attributes: carLicense
2010-05-07 10:30:22,640: DEBUG: OTPConnection [Enrollment client] -> "Update OATH key" Request
2010-05-07 10:30:22,640: DEBUG: DBHandler [getDNSingle] Executing Searchfilter: (&(samAccountName=jdoe)(objectclass=user))
2010-05-07 10:30:22,656: INFO: DBHandler [getDNSingle] Found user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 10:30:22,703: INFO: DBHandler [saveOATHKey] OATH Key has been updated for user: "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
2010-05-07 10:30:22,703: INFO: PrefetchHandler [127.0.0.1] [InsertOATHKey] OATH Key has been updated for user "CN=John Doe,CN=Users,DC=nordicedge,DC=local"
Cause:
This error occurs when:
1. A wrong username or password is used for the Pledge web service account.
Solution:
Verify the credentials of the Pledge Factory web service account.
2. Pledge Enrollment Services cannot communicate with the Nordic Edge Pledge Factory.
Solution:
Step 1. Verify that traffic between these web services is possible and, if not, restore the network connection.
Step 2. Check whether there is a proxy between the services. If there is, open <Install folder>\NordicEdge\OTPServer3\im4otp\webapps\PledgeEnrollment\constants.jsp and change the proxy settings to match your proxy system:
// Proxy settings (to be configured if proxy is used)
String proxySet = ""; //proxySet = "true" to enable proxy configuration
String http_proxyHost = "proxy.name.com"; // http proxy host
String http_proxyPort = "80"; // http proxy port
String https_proxyHost = "proxy.name.com"; // https proxy host
String https_proxyPort = "80"; // https proxy port
/*---------------------- Settings section end ----------------------*/
4. Invalid username or password
If the error message is received directly after entering the username and password, verify the username and password.
If, however, the user is prompted for an OTP and Pledge then reports an invalid username or password on login, see the situations described below:
Situation 1
Log says:
2010-06-02 16:06:23,695: DEBUG: RadiusDebug: UserDatabase for "Pledge Auth" is "Pledge AD"
2010-06-02 16:06:23,695: DEBUG: RadiusDebug: Response to Challenge. Client "Pledge Auth". MagicNr=Lk1d78 OTPLenght=6
2010-06-02 16:06:23,695: DEBUG: MobileHandler [verifyOATH] Will use OTPLength: 6 for user: "CN=John Doe,OU=MBUsers,DC=mb,DC=local"
2010-06-02 16:06:23,695: INFO: MobileHandler [verifyOATH] FAILED for user: "CN=John Doe,OU=MBUsers,DC=mb,DC=local"
2010-06-02 16:06:23,695: INFO: Radius: "jdoe" failed on PF/OATH
2010-06-02 16:06:23,695: DEBUG: >> BEGIN Radius reply from port: 1645:
2010-06-02 16:06:23,695: DEBUG: Radius Packet:
Type: 3 (Access-Reject)
Id: 37
Length: 20
IPAddress: /192.168.0.224
Port: 12013
Authenticator:
0x0a 0x56 0x11 0xb9 0xfe 0x9e 0x49 0xf3 0xc3 0xc2 0xfe 0x56 0x71 0x21 0x48 0x88
2010-06-02 16:06:23,695: DEBUG: >> END Radius reply
Reason 1:
The user entered a wrong OTP in the OTP field.
Reason 2:
There is a problem with the "encryption key" in the user's OATH key attribute.
Solution:
Download Nordic Edge HOTP Counter Check, see
Open the end-user object and copy the OATH key from the OATH key attribute.
Remove 0x (indicates hex format) at the beginning and the :# at the end (the counter).
In this example the whole value of the OATH key attribute is
0x350572FC57A0D5838A9E66881B28A3181E4C023C:1
Remove 0x from the beginning and :1 from the end.
Start the Nordic Edge HOTP Counter Check.
Copy 350572FC57A0D5838A9E66881B28A3181E4C023C into the "Encryption key" field.
Generate an OTP with the Pledge Client and enter it in "Current OTP:".
Click "Check".
The error message "Unable to get the counter for this OTP/key" means something is wrong with the end-user's encryption key.
Enroll a new end-user Profile ID and ask the user to download the Profile ID again.
Situation 2
OTPServer log file is reporting:
2010-06-02 15:58:18,103: DEBUG: RadiusDebug: Response to Challenge. Client "Pledge Auth". MagicNr=EJ156h OTPLenght=6
2010-06-02 15:58:18,118: INFO: MobileHandler [verifyOATH] FAILED for user: "CN=John Doe,OU=MBUsers,DC=mb,DC=local"
2010-06-02 15:58:18,118: INFO: Radius: "jdoe" failed on PF/OATH
2010-06-02 15:58:18,118: DEBUG: >> BEGIN Radius reply from port: 1645:
2010-06-02 15:58:18,118: DEBUG: Radius Packet:
Type: 3 (Access-Reject)
Id: 118
Length: 20
IPAddress: /192.168.0.224
Port: 12013
Authenticator:
0xbf 0x55 0xa9 0xe0 0x40 0x75 0x2c 0x72 0x33 0x9f 0xd5 0xeb 0xb3 0x80 0x5b 0xf7
2010-06-02 15:58:18,118: DEBUG: >> END Radius reply
The log does not show the source of the issue, but it reports that it will use OTPLength: 6 for this user.
Reason:
There is a mismatch in the configured OTP length.
Solution:
Use the OTP Configurator, select the OATH Configuration tab, and verify that "Use variable OTP length" is set and that the Variable Length value is set to 6,8.
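The counter check of Situation 1 and the OTP-length mismatch of Situation 2, as one added Python example (not the Nordic Edge HOTP Counter Check tool itself): it parses the OATH key attribute in the 0x<hex key>:<counter> form shown above, computes RFC 4226 HOTP values from the stored counter forward, and reports whether the OTP matches, whether its length falls outside the configured variable lengths 6,8, or whether the key material is malformed. The 10-counter look-ahead window is an assumption (the server's resync window is not given on the page), and the sample key is the RFC 4226 test key, not a real one.

```python
# Added example, not the Nordic Edge HOTP Counter Check tool. Re-implements the check the
# article walks through: parse the OATH key attribute, then search for the counter that
# produces the OTP the Pledge Client generated (RFC 4226 HOTP, HMAC-SHA1).
import hashlib
import hmac
import struct

def parse_oath_key_attribute(value):
    """Split '0x<hex key>:<counter>' (the format shown in the article) into
    (key bytes, counter). Returns None if the value is malformed."""
    hex_key, sep, counter = value.rpartition(":")
    if not sep or not hex_key.lower().startswith("0x"):
        return None
    try:
        return bytes.fromhex(hex_key[2:]), int(counter)
    except ValueError:          # non-hex key material or non-numeric counter
        return None

def hotp(key, counter, digits):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation,
    then the last `digits` decimal digits, zero-padded."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def check_otp(attribute_value, otp, lengths=(6, 8), window=10):
    """Return ("ok", counter) when the OTP matches a counter in [stored, stored+window),
    ("bad_length", None) when the OTP length is not one of the configured variable
    lengths (Situation 2), ("bad_key", None) when the attribute cannot be parsed, and
    ("no_match", None) otherwise (wrong OTP, or a key that differs from the client's).
    The window size is an assumption; the server's real resync window is not on the page."""
    parsed = parse_oath_key_attribute(attribute_value)
    if parsed is None:
        return "bad_key", None
    key, stored = parsed
    if len(otp) not in lengths:
        return "bad_length", None
    for counter in range(stored, stored + window):
        if hmac.compare_digest(hotp(key, counter, len(otp)), otp):
            return "ok", counter
    return "no_match", None

if __name__ == "__main__":
    # Constructed sample: the RFC 4226 test key "12345678901234567890" written the way the
    # OATH key attribute appears in the article, with the server-side counter at 0.
    sample = "0x3132333435363738393031323334353637383930:0"
    for otp in ("287082", "84755224", "000000", "12345"):
        print(otp, check_otp(sample, otp))
    # Without the 0x prefix the value is rejected: this parser expects the raw attribute.
    print(check_otp("3132333435363738393031323334353637383930:0", "287082"))
```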