KB 160053
How to enable and read the full trace file for IDENTIKEY Authentication Server (IAS) 3.6, step by step.
Creation date: 22/12/2014
Last Review: 22/12/2014
Document type: How To
Revision number: 2
Security status: EXTERNAL
Summary
To troubleshoot an IDENTIKEY Authentication Server installation, you have
to enable and examine the full trace file.
This is a step-by-step guide on how to enable full tracing and where to find the file.
This article also includes some basic information you can find in the trace file.
How to enable the full tracing?
There are two possibilities to enable Full tracing in IDENTIKEY:
1. Using the Web Administration tool.
Select Server Configuration from the SYSTEM tab, and edit the General tab.
Applies to: IDENTIKEY Authentication Server 3.6
KB 160053 – 22/12/2014
© 2014 VASCO Data Security. All rights reserved.
Page 1 of 7
Set the Tracing level to Full. It is recommended to enable Rotate Trace logs so the
trace files do not grow too large. You can rotate based on days or size. Tracing
starts as soon as you press the SAVE button; there is no need to restart the
IDENTIKEY Service.
2. Using IDENTIKEY Authentication Server configuration utility.
Open the IDENTIKEY Authentication Server Configuration GUI from the Windows
Start menu: All Programs > IDENTIKEY Authentication Server > IDENTIKEY
Authentication Server Configuration.
In the general settings, select Full Tracing and specify any file rotation settings.
The default file location for the trace file will be
C:\Program Files\VASCO\IDENTIKEY Authentication Server 3.6\log\ias.trace.
Click YES when you are asked to restart the service.
Where can I find the trace file?
After restarting the service, or enabling the tracing via Webadmin, you can find the
trace file in the log directory of IDENTIKEY Authentication Server (default location is
C:\Program Files\VASCO\IDENTIKEY Authentication Server 3.6\log\).
Below is the trace data generated when an authentication attempt is handled by
IDENTIKEY Authentication Server 3.6:
[2013/08/19|19:19:54.524125UTC][05068][DEBUG][SocketManager::getPendingSockets] > Waiting to acquire connection lock
mutex.
[2013/08/19|19:19:54.539750UTC][05068][DEBUG][SocketManager::getPendingSockets] > Acquired connection lock mutex.
[2013/08/19|19:19:54.539750UTC][05068][DEBUG][SocketManager::getPendingSockets] > Releasing connection lock mutex.
[2013/08/19|19:19:54.555375UTC][05776][DEBUG][ValidationTask::getSharedSecretStore] > Looking for RADIUS Client with
Shared Secret
[2013/08/19|19:19:54.555375UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [RADIUS Client:192.168.17.1] returned from Component Cache
[2013/08/19|19:19:54.555375UTC][05776][INFO ][ValidationTask::process] > Received request is from NAS location 10.1.1.101
[2013/08/19|19:19:54.555375UTC][05776][DEBUG][ValidationTask::processPossibleRequestRepeat] > Failed to find entry in
request cache. Must be a new request. Caching new request
[2013/08/19|19:19:54.555375UTC][05776][VINFO][Manager::getElementFromRequest] > Packet contains no state attribute,
assuming this is a new request
[2013/08/19|19:19:54.571000UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Component cache says there is no
Component record [RADIUS Client:10.1.1.101]
[2013/08/19|19:19:54.571000UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [RADIUS Client:192.168.17.1] returned from Component Cache
<-- IDENTIKEY found a client component with the IP address of the client location
[2013/08/19|19:19:54.571000UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client component check succeeded
[2013/08/19|19:19:54.586625UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client license check skipped
[2013/08/19|19:19:54.586625UTC][05776][VINFO][ValidationTask::routePacket] > Processing packet data
[2013/08/19|19:19:54.586625UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Retrieving handler for packet
[2013/08/19|19:19:54.586625UTC][05776][DEBUG][RADIUSHandlerFactory::getHandler] > Creating PAP handler
[2013/08/19|19:19:54.602250UTC][05776][INFO ][adt_record] > Audit: {Info} {RADIUS} {I-006001} {A RADIUS Access-Request has
been received.} {0xDA009133786EE52E41E8B256A5BA614D}
[2013/08/19|19:19:54.602250UTC][05776][INFO ][adt_record] > Audit: {Client Location:192.168.17.1:51943, Source Location:192.168.17.95, Request ID:8, Password Protocol:PAP, Input Details:RADIUS Code:1, RADIUS Id:8, , UserName:user@master, NAS-IP-Address:10.1.1.101, NAS-Port:1, NAS-Identifier:Vasco Radius Simulator, User-Password:********, Calling-Station-Id:13080, Action:Process}
[2013/08/19|19:19:54.602250UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated
[2013/08/19|19:19:54.649125UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released
[2013/08/19|19:19:54.664750UTC][05776][MAJOR][alert_record] > plugin not initialized
[2013/08/19|19:19:54.664750UTC][05776][DATA ][RADIUSLayer::dispatchCommandTask] > Retrieved from packet - Attributes : '
{Password : ********}', Params: '
{User ID : user@master}
{Password : ********}
{Raw User ID : 0x75736572406D6173746572}
{Password Format : 0}
{Protocol ID : RADIUS}
{Protocol Specific Data : 0xC0A81101E7CA0850172110214174142063541626427246}'
[2013/08/19|19:19:54.664750UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Authentication request received.
[2013/08/19|19:19:54.664750UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Executing authentication scenario command.
[2013/08/19|19:19:54.680375UTC][05776][DEBUG][CommandFactory::generateCommand] > Request for command: <20:1>
[2013/08/19|19:19:54.680375UTC][05776][DEBUG][CommandFactory::generateCommand] > Found factory - creating command
[2013/08/19|19:19:54.680375UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [Identikey Server:192.168.17.95] returned from Component Cache
<-- The IDENTIKEY Server that will authenticate the user
[2013/08/19|19:19:54.680375UTC][05776][DEBUG][ComponentCheckUtils::checkServerComponent] > Protocol field <RADIUS> was
successfully located in license.
[2013/08/19|19:19:54.680375UTC][05776][DEBUG][ComponentCheckUtils::checkServerComponent] > Scenario field <Authentication>
was successfully located in license.
[2013/08/19|19:19:54.696000UTC][05776][DEBUG][ComponentCheckUtils::checkServerComponent] > For scenario Authentication
protocol RADIUS was successfully located in license.
[2013/08/19|19:19:54.696000UTC][05776][VINFO][ComponentCheckUtils::checkServerComponent] > Server component and license
check succeeded
[2013/08/19|19:19:54.696000UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Component cache says there is no
Component record [RADIUS Client:10.1.1.101]
[2013/08/19|19:19:54.696000UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [RADIUS Client:192.168.17.1] returned from Component Cache
[2013/08/19|19:19:54.696000UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client component check succeeded
[2013/08/19|19:19:54.711625UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client license check skipped
[2013/08/19|19:19:54.711625UTC][05776][INFO ][AuthenticateRequest::execute] > Processing user authentication request...
[2013/08/19|19:19:54.711625UTC][05776][INFO ][AuthenticateRequest::execute] > Fast authentication is <false>
[2013/08/19|19:19:54.711625UTC][05776][VINFO][AuthenticateRequest::execute] > Password format is [Cleartext combined]
[2013/08/19|19:19:54.711625UTC][05776][DATA ][Policy::traceDetails] > *** Effective Policy Settings ***
[2013/08/19|19:19:54.727250UTC][05776][DATA ][Policy::traceDetails] > Policy ID : [Identikey Local Authentication]
<-- Policy Settings used for the client found
[2013/08/19|19:19:54.727250UTC][05776][DATA ][Policy::traceDetails] > Parent Policy ID : [Base Policy]
[2013/08/19|19:19:54.742875UTC][05776][DATA ][Policy::traceDetails] > DUR : [No]
[2013/08/19|19:19:54.742875UTC][05776][DATA ][Policy::traceDetails] > Autolearn : [No]
[2013/08/19|19:19:54.742875UTC][05776][DATA ][Policy::traceDetails] > Stored Pwd Proxy : [No]
[2013/08/19|19:19:54.758500UTC][05776][DATA ][Policy::traceDetails] > Assignment Mode : [Neither]
[2013/08/19|19:19:54.758500UTC][05776][DATA ][Policy::traceDetails] > Assign Search Up OU Path : [No]
[2013/08/19|19:19:54.774125UTC][05776][DATA ][Policy::traceDetails] > Grace Period : [0]
[2013/08/19|19:19:54.774125UTC][05776][DATA ][Policy::traceDetails] > Application Names : []
[2013/08/19|19:19:54.774125UTC][05776][DATA ][Policy::traceDetails] > Application Type : [No Restriction]
[2013/08/19|19:19:54.789750UTC][05776][DATA ][Policy::traceDetails] > Digipass Types : []
[2013/08/19|19:19:54.789750UTC][05776][DATA ][Policy::traceDetails] > Local Authentication : [Digipass/Password]
[2013/08/19|19:19:54.789750UTC][05776][DATA ][Policy::traceDetails] > BackEnd Authentication : [None]
[2013/08/19|19:19:54.789750UTC][05776][DATA ][Policy::traceDetails] > BackEnd Protocol ID : []
[2013/08/19|19:19:54.805375UTC][05776][DATA ][Policy::traceDetails] > Default Domain : []
[2013/08/19|19:19:54.805375UTC][05776][DATA ][Policy::traceDetails] > Group List : []
[2013/08/19|19:19:54.805375UTC][05776][DATA ][Policy::traceDetails] > Group Check Mode : [No Check]
[2013/08/19|19:19:54.805375UTC][05776][DATA ][Policy::traceDetails] > User Lock Threshold : [3]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > One-Step Chall/Response : [No]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > One-Step CR Chall Length : [0]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > One-Step CR Check Digit : [1]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Enabled : [No]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Maximum Days : [0]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Max Uses : [0]
[2013/08/19|19:19:54.821000UTC][05776][DATA ][Policy::traceDetails] > Pin Change Allowed : [Yes]
[2013/08/19|19:19:54.836625UTC][05776][DATA ][Policy::traceDetails] > Self-Assign Separator : []
[2013/08/19|19:19:54.836625UTC][05776][DATA ][Policy::traceDetails] > Challenge Request Method : [Keyword]
[2013/08/19|19:19:54.836625UTC][05776][DATA ][Policy::traceDetails] > Challenge Request Keyword : []
[2013/08/19|19:19:54.836625UTC][05776][DATA ][Policy::traceDetails] > Primary VDP Rqst Method : [Password]
[2013/08/19|19:19:54.836625UTC][05776][DATA ][Policy::traceDetails] > Primary VDP Rqst Keyword : []
[2013/08/19|19:19:54.852250UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Rqst Method : [KeywordPassword]
[2013/08/19|19:19:54.852250UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Rqst Keyword : [otp]
[2013/08/19|19:19:54.852250UTC][05776][DATA ][Policy::traceDetails] > ITimeWindow : [20]
[2013/08/19|19:19:54.852250UTC][05776][DATA ][Policy::traceDetails] > STimeWindow : [20]
[2013/08/19|19:19:54.867875UTC][05776][DATA ][Policy::traceDetails] > EventWindow : [20]
[2013/08/19|19:19:54.867875UTC][05776][DATA ][Policy::traceDetails] > SyncWindow : [6]
[2013/08/19|19:19:54.867875UTC][05776][DATA ][Policy::traceDetails] > IThreshold : [0]
[2013/08/19|19:19:54.867875UTC][05776][DATA ][Policy::traceDetails] > SThreshold : [0]
[2013/08/19|19:19:54.883500UTC][05776][DATA ][Policy::traceDetails] > Check Challenge : [1]
[2013/08/19|19:19:54.883500UTC][05776][DATA ][Policy::traceDetails] > OnlineSG : [0]
[2013/08/19|19:19:54.883500UTC][05776][DATA ][Policy::traceDetails] > Check Inactive Days : [0]
[2013/08/19|19:19:54.883500UTC][05776][DATA ][Policy::traceDetails] > Offline Auth Enabled : [No]
[2013/08/19|19:19:54.899125UTC][05776][DATA ][Policy::traceDetails] > Offline Time Interval : [21]
[2013/08/19|19:19:54.899125UTC][05776][DATA ][Policy::traceDetails] > Offline Max Events : [300]
[2013/08/19|19:19:54.899125UTC][05776][DATA ][Policy::traceDetails] > DCR : [No]
[2013/08/19|19:19:54.914750UTC][05776][DATA ][Policy::traceDetails] > Chg Win Pwd Enabled : [No]
[2013/08/19|19:19:54.914750UTC][05776][DATA ][Policy::traceDetails] > Chg Win Pwd Length : [16]
[2013/08/19|19:19:54.914750UTC][05776][DATA ][Policy::traceDetails] > Client Group List : []
[2013/08/19|19:19:54.930375UTC][05776][DATA ][Policy::traceDetails] > Client Group Mode : [No Check]
[2013/08/19|19:19:54.930375UTC][05776][DATA ][Policy::traceDetails] > 2OTP Sync Enabled : [No]
[2013/08/19|19:19:54.946000UTC][05776][DATA ][Policy::traceDetails] > VDP Delivery Method : [SMS]
[2013/08/19|19:19:54.946000UTC][05776][DATA ][Policy::traceDetails] > Reply Radius Attribute Enabled : [No]
[2013/08/19|19:19:54.946000UTC][05776][DATA ][Policy::traceDetails] > Radius Attribute Group List : []
[2013/08/19|19:19:54.961625UTC][05776][DATA ][Policy::traceDetails] > Radius Allowed Protocols : [Any]
[2013/08/19|19:19:54.961625UTC][05776][DATA ][Policy::traceDetails] > Radius Session Lifetime : [3600]
[2013/08/19|19:19:54.961625UTC][05776][DATA ][Policy::traceDetails] > Radius Session Ticket Lifetime : [86400]
[2013/08/19|19:19:54.977250UTC][05776][DATA ][Policy::traceDetails] > Radius Session Ticket Reuse : [48]
[2013/08/19|19:19:54.977250UTC][05776][DATA ][Policy::traceDetails] > Radius Session Group List : []
[2013/08/19|19:19:54.977250UTC][05776][DATA ][Policy::traceDetails] > Static Password Diff To Prev : [4]
[2013/08/19|19:19:54.977250UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Length : [7]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Lower Alpha : [1]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Upper Alpha : [1]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Number : [1]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Symbol : [0]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Static Password Not UserId Based : [Yes]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Multi Digipass Application Mode : [Multiple DIGIPASS Applications Allowed]
[2013/08/19|19:19:54.992875UTC][05776][DATA ][Policy::traceDetails] > Privileged Users : [Reject]
[2013/08/19|19:19:55.008500UTC][05776][DATA ][Policy::traceDetails] > *********************************
[2013/08/19|19:19:55.008500UTC][05776][DATA ][UserChecks::resolveUserAndGroupCheck] > userId is [user@master]
<-- user authenticating
[2013/08/19|19:19:55.008500UTC][05776][DATA ][UserChecks::resolveUserAndGroupCheck] > domain is []
[2013/08/19|19:19:55.008500UTC][05776][INFO ][ODBCStorageConnector::connect] > Trying to connect to the ODBC data source
[2013/08/19|19:19:55.024125UTC][05776][INFO ][ODBCSource::Connect] > Already connected
[2013/08/19|19:19:55.024125UTC][05776][INFO ][ODBCRequestContext::doUserNameTranslation] > Not doing Windows user name
translation
[2013/08/19|19:19:55.024125UTC][05776][DEBUG][ODBCRequestContext::doUserNameTranslation] > Found domain '<master>' in
cache and it exists - using
[2013/08/19|19:19:55.039750UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsDomain,
vdsUserId, vdsOrgUnit, vdsUserName, vdsMobile, vdsEmail, vdsStaticPwd, vdsLinkUserDomain, vdsLinkUserId, vdsLocalAuth,
vdsBackEndAuth, vdsLockCount, vdsLocked, vdsDisabled, vdsAdminPrivileges, vdsOfflineAuthEnabled, vdsStaticPwdHistory,
vdsCreateTime, vdsLastAuthTime, vdsExpirationTime FROM vdsUser WHERE (vdsDomain = ?) AND (vdsUserId = ?) ORDER BY
vdsDomain, vdsUserId, vdsOrgUnit"
[2013/08/19|19:19:55.055375UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master"
[2013/08/19|19:19:55.055375UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user"
[2013/08/19|19:19:55.071000UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1
[2013/08/19|19:19:55.086625UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsSerialNo FROM
vdsDigipass WHERE (vdsDomain = ?) AND (vdsUserId = ?)"
[2013/08/19|19:19:55.086625UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master"
[2013/08/19|19:19:55.086625UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user"
[2013/08/19|19:19:55.102250UTC][05776][DATA ][vasco::CryptoEngine::decryptWithEmbeddedProvider] > Decrypt the content
using embedded crypto provider.
[2013/08/19|19:19:55.102250UTC][05776][VINFO][SoftwareCryptoBase::preDecryptProcess] > First 2 byte of cipher text 0x[00]
0x[0A]
[2013/08/19|19:19:55.102250UTC][05776][DATA ][SoftwareCryptoBase::custom_aes128cbc_key_derive] > Block size for aes is
[16]
[2013/08/19|19:19:55.117875UTC][05776][DATA ][vasco::CryptoEngine::decryptWithEmbeddedProvider] > Data is decrypted using
embedded crypto provider.
[2013/08/19|19:19:55.117875UTC][05776][INFO ][UserChecks::userChecks] > Digipass User account found
[2013/08/19|19:19:55.117875UTC][05776][DEBUG][UserChecks::userChecks] > Checking User login inactivity: 'true'
[2013/08/19|19:19:55.117875UTC][05776][DEBUG][UserChecks::userChecks] > User login inactivity time: [90]
[2013/08/19|19:19:55.117875UTC][05776][DEBUG][UserChecks::userChecks] > Checking user activity
[2013/08/19|19:19:55.133500UTC][05776][INFO ][UserChecks::userChecks] > Setting m_userChecksState to [User Exists]
[2013/08/19|19:19:55.133500UTC][05776][DATA ][User::traceDetails] > *** User Details ***
[2013/08/19|19:19:55.133500UTC][05776][DATA ][User::traceDetails] > User ID : [user]
[2013/08/19|19:19:55.133500UTC][05776][DATA ][User::traceDetails] > Mobile no. : []
[2013/08/19|19:19:55.133500UTC][05776][DATA ][User::traceDetails] > Email. : []
[2013/08/19|19:19:55.133500UTC][05776][DATA ][User::traceDetails] > Domain : [master]
[2013/08/19|19:19:55.149125UTC][05776][DATA ][User::traceDetails] > Org Unit : []
[2013/08/19|19:19:55.149125UTC][05776][DATA ][User::traceDetails] > LDAP DN : []
[2013/08/19|19:19:55.149125UTC][05776][DATA ][User::traceDetails] > Local Auth : [Digipass/Password]
[2013/08/19|19:19:55.149125UTC][05776][DATA ][User::traceDetails] > Back End Auth : [None]
[2013/08/19|19:19:55.180375UTC][05776][DATA ][User::traceDetails] > Offline Auth Enabled : [No]
[2013/08/19|19:19:55.196000UTC][05776][DATA ][User::traceDetails] > Use DP from UserID : []
[2013/08/19|19:19:55.196000UTC][05776][DATA ][User::traceDetails] > Use DP from domain : []
[2013/08/19|19:19:55.196000UTC][05776][DATA ][User::traceDetails] > Use DP from LDAP DN: []
[2013/08/19|19:19:55.196000UTC][05776][DATA ][User::traceDetails] > ********************
[2013/08/19|19:19:55.196000UTC][05776][DEBUG][UserChecks::adminPrivilegeCheck] > 'Privileged Users' policy setting set to
'Reject' however this user does not have administrative privileges. The admin privilege check for this user has therefore
succeeded.
[2013/08/19|19:19:55.211625UTC][05776][VINFO][LocalAuthenticationChecks::localVerification] > Length of password entered
is [6] bytes
[2013/08/19|19:19:55.211625UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsDomain,
vdsSerialNo, vdsOrgUnit, vdsDPType, vdsGPExpires, vdsBVDPEnabled, vdsBVDPExpires, vdsBVDPUsesLeft, vdsUserId, vdsDPSoftParamsID, vdsActivLocs, vdsActivCount, vdsLastActivTime FROM vdsDigipass WHERE (vdsDomain = ?) AND vdsOrgUnit IS NULL AND (vdsUserId = ?) ORDER BY vdsDomain, vdsSerialNo, vdsDPDescription"
[2013/08/19|19:19:55.211625UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master"
[2013/08/19|19:19:55.211625UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user"
[2013/08/19|19:19:55.227250UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1
[2013/08/19|19:19:55.242875UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsDPApplication.vdsSerialNo, vdsDPApplication.vdsApplName, vdsDPApplication.vdsApplNo, vdsDPApplication.vdsApplType, vdsDPApplication.vdsActive, vdsDPApplication.vdsBlob, vdsDigipass.vdsDomain, vdsDigipass.vdsOrgUnit, vdsDigipass.vdsuserid, vdsDPApplication.vdsCreateTime, vdsDPApplication.vdsModifyTime, vdsDPApplication.vdsStorageKeyID, vdsDPApplication.vdsSensitiveKeyID FROM (vdsDPApplication INNER JOIN vdsDigipass ON (vdsDPApplication.vdsSerialNo = vdsDigipass.vdsSerialNo)) WHERE (vdsDPApplication.vdsSerialNo = ?) ORDER BY vdsDPApplication.vdsSerialNo, vdsDPApplication.vdsApplName"
[2013/08/19|19:19:55.242875UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "0091234582"
[2013/08/19|19:19:55.258500UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1
[2013/08/19|19:19:55.258500UTC][05776][INFO ][vasco::CryptoEngine::storageDecrypt] > Decrypting digipass Blob.
[2013/08/19|19:19:55.258500UTC][05776][INFO ][vasco::CryptoEngine::storageDecrypt] > Decrypting digipass Blob.
[2013/08/19|19:19:55.274125UTC][05776][DATA ][vasco::CryptoEngine::decryptWithEmbeddedProvider] > Decrypt the content
using embedded crypto provider.
[2013/08/19|19:19:55.274125UTC][05776][VINFO][SoftwareCryptoBase::preDecryptProcess] > First 2 byte of cipher text 0x[00]
0x[0A]
[2013/08/19|19:19:55.274125UTC][05776][DATA ][SoftwareCryptoBase::custom_aes128cbc_key_derive] > Block size for aes is
[16]
[2013/08/19|19:19:55.274125UTC][05776][DATA ][vasco::CryptoEngine::decryptWithEmbeddedProvider] > Data is decrypted using
embedded crypto provider.
[2013/08/19|19:19:55.289750UTC][05776][DATA ][Digipass::traceDetails] > *** Digipass Details ***
[2013/08/19|19:19:55.289750UTC][05776][DATA ][Digipass::traceDetails] > Serial No. : [0091234582]
[2013/08/19|19:19:55.289750UTC][05776][DATA ][Digipass::traceDetails] > Domin : [master]
[2013/08/19|19:19:55.289750UTC][05776][DATA ][Digipass::traceDetails] > Org Unit : []
[2013/08/19|19:19:55.289750UTC][05776][DATA ][Digipass::traceDetails] > LDAP DN : []
[2013/08/19|19:19:55.289750UTC][05776][DATA ][Digipass::traceDetails] > Backup VDP Enabled : [No]
[2013/08/19|19:19:55.305375UTC][05776][DATA ][Digipass::traceDetails] > Grace Period Expiry : [2013/08/19]
[2013/08/19|19:19:55.305375UTC][05776][DATA ][Digipass::traceDetails] > Backup VDP Expiry : []
[2013/08/19|19:19:55.305375UTC][05776][DATA ][Digipass::traceDetails] > Backup VDP Uses Left: []
[2013/08/19|19:19:55.305375UTC][05776][DATA ][Digipass::traceDetails] > ************************
[2013/08/19|19:19:55.305375UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache
[2013/08/19|19:19:55.305375UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data
object is created.
[2013/08/19|19:19:55.321000UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache
[2013/08/19|19:19:55.321000UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data
object is created.
[2013/08/19|19:19:55.321000UTC][05776][INFO ][DigipassAppl::verifyPlainTextOTPCombined] > Combined parameters.
[2013/08/19|19:19:55.336625UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache
[2013/08/19|19:19:55.336625UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data
object is created.
[2013/08/19|19:19:55.336625UTC][05776][MAJOR][DigipassAppl::verifyPlainTextOTPCombined] > Password length too short
[2013/08/19|19:19:55.336625UTC][05776][INFO ][Digipass::verifyResponse] > Serial 0091234582 Application APPLI 1 OTP Incorrect - Password length too short
<-- We get a response too small error because we did not give the PIN.
[2013/08/19|19:19:55.352250UTC][05776][INFO ][Digipass::verifyResponse] > Failed to verify response for serial number
0091234582 application APPLI 1
[2013/08/19|19:19:55.352250UTC][05776][INFO ][DigipassList::verifyResponse] > Response verification has failed for
digipass 0091234582
[2013/08/19|19:19:55.352250UTC][05776][DEBUG][LocalAuthenticationChecks::doResponseChecking] > There was no definite One
Time Password in the credentials
[2013/08/19|19:19:55.367875UTC][05776][DEBUG][LocalAuthenticationChecks::doResponseChecking] > One or more DIGIPASS are
outside of grace period
[2013/08/19|19:19:55.367875UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache
[2013/08/19|19:19:55.367875UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data
object is created.
[2013/08/19|19:19:55.367875UTC][05776][VINFO][LocalAuthenticationChecks::isAnyTriggerPassword] > A challenge request method is 'password', but no DIGIPASS of the correct type was found
[2013/08/19|19:19:55.399125UTC][05776][VINFO][LocalAuthenticationChecks::doResponseChecking] > Set localAuthState to [Definite Fail]
[2013/08/19|19:19:55.399125UTC][05776][ALERT][LocalAuthenticationChecks::verifyStaticPassword] > Incorrect static password
[2013/08/19|19:19:55.399125UTC][05776][INFO ][LocalAuthenticationChecks::verifyStaticPassword] > Password failed verification with stored password
[2013/08/19|19:19:55.399125UTC][05776][INFO ][AuthenticateRequest::dbUpdate] > Fast authentication is <false>
[2013/08/19|19:19:55.414750UTC][05776][INFO ][DigipassList::update] > Updating 1 digipasses.
[2013/08/19|19:19:55.414750UTC][05776][VINFO][AuthenticateRequest::dbUpdate] > User's lock count is now [3]
[2013/08/19|19:19:55.414750UTC][05776][ALERT][AuthenticateRequest::dbUpdate] > User's account is now locked!
<-- Account is now locked due to too many failed attempts
[2013/08/19|19:19:55.414750UTC][05776][DEBUG][ODBCConnection::TransactionStart] > Starting transaction
[2013/08/19|19:19:55.430375UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "UPDATE vdsUser SET
vdsLockCount = ?, vdsLocked = ?, vdsModifyTime = ? WHERE (vdsDomain = ?) AND (vdsUserId = ?)"
[2013/08/19|19:19:55.430375UTC][05776][DATA ][ODBCStatement::BindInteger] > Bound parameter 1 to integer 0
[2013/08/19|19:19:55.430375UTC][05776][DATA ][ODBCStatement::BindInteger] > Bound parameter 2 to integer 1
[2013/08/19|19:19:55.430375UTC][05776][DATA ][ODBCStatement::BindTimeStamp] > Bound parameter 3 to timestamp Mon Aug 19
19:19:55 2013
[2013/08/19|19:19:55.446000UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 4 to string "master"
[2013/08/19|19:19:55.446000UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 5 to string "user"
[2013/08/19|19:19:55.446000UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1
[2013/08/19|19:19:55.461625UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsDomain, vdsUserId, vdsOrgUnit, vdsUserName, vdsDescription, vdsPhone, vdsMobile, vdsEmail, vdsStaticPwd, vdsLinkUserDomain, vdsLinkUserId, vdsLocalAuth, vdsBackEndAuth, vdsLockCount, vdsLocked, vdsDisabled, vdsAdminPrivileges, vdsOfflineAuthEnabled, vdsLastPwdSetTime, vdsStaticPwdHistory, vdsKeyID, vdsCreateTime, vdsModifyTime, vdsLastAuthTime, vdsExpirationTime FROM vdsUser WHERE (vdsDomain = ?) AND (vdsUserId = ?) ORDER BY vdsDomain, vdsUserId, vdsOrgUnit"
[2013/08/19|19:19:55.461625UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master"
[2013/08/19|19:19:55.461625UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user"
[2013/08/19|19:19:55.508500UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1
[2013/08/19|19:19:55.555375UTC][05776][DEBUG][ODBCConnection::TransactionCommit] > Committed transaction
[2013/08/19|19:19:55.555375UTC][05776][INFO ][AuthenticateRequest::generateResponse] > Set status code [1012], message
[The One Time Password failed validation]
[2013/08/19|19:19:55.555375UTC][05776][INFO ][adt_record] > Audit: {Warning} {Authentication} {W-011003} {A DIGIPASS User
Account has become locked.} {0x2F34EFCA518DE78F1B1E629A2CB2C9F4}
[2013/08/19|19:19:55.571000UTC][05776][INFO ][adt_record] > Audit: {Source Location:192.168.17.95, User ID:user,
Domain:master, Client Location:10.1.1.101, Client Type:RADIUS Client}
[2013/08/19|19:19:55.571000UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated
[2013/08/19|19:19:55.586625UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released
[2013/08/19|19:19:55.602250UTC][05776][MAJOR][alert_record] > plugin not initialized
[2013/08/19|19:19:55.664750UTC][05776][INFO ][adt_record] > Audit: {Failure} {Authentication} {F-002001} {User authentication failed.} {0xA72E591E609AB4B0CF58987232D6618B}
[2013/08/19|19:19:55.680375UTC][05776][INFO ][adt_record] > Audit: {Source Location:192.168.17.95, Policy ID:Identikey
Local Authentication, User ID:user, Domain:master, Input Details:
{User ID : user@master}
{Password : ********}
{Raw User ID : 0x75736572406D6173746572}
{Password Format : 0}
{Protocol ID : RADIUS}
{Protocol Specific Data : 0xC0A81101E7CA0850172110214174142063541626427246}, Output Details:
{Status Message : The One Time Password failed validation}
{Auxiliary Message :
{Error Code: '(1012)' ; Error Message: 'Password length too short'}
{Error Code: '(1012)' ; Error Message: 'Serial 0091234582 Application APPLI 1 OTP Incorrect - Password length too short'}
{Error Code: '(1011)' ; Error Message: 'Incorrect static password'}}
{Notification that a user has a token assigned : ********}, Local Authentication:yes, Back-End Authentication:None,
Reason:The One Time Password failed validation, Client Location:10.1.1.101, Client Type:RADIUS Client}
[2013/08/19|19:19:55.696000UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated
[2013/08/19|19:19:55.742875UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released
[2013/08/19|19:19:55.742875UTC][05776][MAJOR][alert_record] > plugin not initialized
[2013/08/19|19:19:55.742875UTC][05776][INFO ][AuthenticateRequest::execute] > User authentication request - exit state
[Denied]
[2013/08/19|19:19:55.742875UTC][05776][MAJOR][AuthenticateUserCommand::execute] > === Error Stack =========================
[2013/08/19|19:19:55.758500UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1011> Error message:
<Incorrect static password>
[2013/08/19|19:19:55.774125UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1012> Error message:
<Serial 0091234582 Application APPLI 1 OTP Incorrect - Password length too short>
[2013/08/19|19:19:55.774125UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1012> Error message:
<Password length too short>
[2013/08/19|19:19:55.789750UTC][05776][MAJOR][AuthenticateUserCommand::execute] > === End of Error Stack ==================
[2013/08/19|19:19:55.789750UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > No response found in request cache,
generating response packet locally.
[2013/08/19|19:19:55.789750UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Auth action (based on command results)
is: 'ERROR'.
[2013/08/19|19:19:55.789750UTC][05776][INFO ][adt_record] > Audit: {Info} {RADIUS} {I-007003} {A RADIUS Access-Reject has
been issued.} {0xFE7CFBA7C9EB1E3BB4F55695C1E96FE0}
[2013/08/19|19:19:55.805375UTC][05776][INFO ][adt_record] > Audit: {Client Location:192.168.17.1:51943, Source Location:192.168.17.95, Request ID:8, Password Protocol:PAP, Output Details:RADIUS Code:1, RADIUS Id:8, , UserName:user@master, NAS-IP-Address:10.1.1.101, NAS-Port:1, NAS-Identifier:Vasco Radius Simulator, User-Password:********, Calling-Station-Id:13080, Reason:Authentication processing error}
[2013/08/19|19:19:55.805375UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated
[2013/08/19|19:19:55.899125UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released
[2013/08/19|19:19:55.899125UTC][05776][MAJOR][alert_record] > plugin not initialized
As you can see from the log file, the OTP verification did not succeed. The problem
here is that the response is too small (because we forgot to enter the PIN). We also see that
the user is now locked.
When you have error messages in your full trace file it is always advised to search the
KB articles. Problems that are recurrent are often addressed in a KB article.
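A small parser for the entry layout visible in the trace above ([date|time UTC][id][level][source] > message), added here as an example and not VASCO code. It folds wrapped lines back into their entry, groups entries by the second header field (assumed here to identify the worker handling one request) and extracts the audit codes, the error stack and the exit state; the function names are this example's own and the embedded sample is abridged from the trace above.

```python
import re
from collections import defaultdict

# Entry header as it appears in the trace: [date|timeUTC][id][LEVEL][source] > message
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2})\|(?P<time>\d{2}:\d{2}:\d{2}\.\d+)UTC\]"
    r"\[(?P<thread>\d+)\]\[(?P<level>[A-Z]+) *\]\[(?P<source>[^\]]+)\]\s*>\s?(?P<msg>.*)$"
)
# Audit headline: {severity} {area} {code} {text}; audit detail lines do not match
AUDIT_RE = re.compile(
    r"Audit: \{(?P<severity>\w+)\} \{(?P<area>[^}]+)\} \{(?P<code>[A-Z]-\d{6})\} \{(?P<text>[^}]*)\}"
)
ERROR_RE = re.compile(r"Error code: <(\d+)> Error message:\s*<(.*?)>")
EXIT_RE = re.compile(r"exit state\s*\[(\w+)\]")

# Sample input: abridged from the trace shown in this article, wraps included.
SAMPLE_TRACE = """
[2013/08/19|19:19:54.602250UTC][05776][INFO ][adt_record] > Audit: {Info} {RADIUS} {I-006001} {A RADIUS Access-Request has
been received.} {0xDA009133786EE52E41E8B256A5BA614D}
[2013/08/19|19:19:55.336625UTC][05776][MAJOR][DigipassAppl::verifyPlainTextOTPCombined] > Password length too short
[2013/08/19|19:19:55.399125UTC][05776][ALERT][LocalAuthenticationChecks::verifyStaticPassword] > Incorrect static password
[2013/08/19|19:19:55.414750UTC][05776][ALERT][AuthenticateRequest::dbUpdate] > User's account is now locked!
[2013/08/19|19:19:55.555375UTC][05776][INFO ][adt_record] > Audit: {Warning} {Authentication} {W-011003} {A DIGIPASS User
Account has become locked.} {0x2F34EFCA518DE78F1B1E629A2CB2C9F4}
[2013/08/19|19:19:55.742875UTC][05776][INFO ][AuthenticateRequest::execute] > User authentication request - exit state
[Denied]
[2013/08/19|19:19:55.758500UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1011> Error message:
<Incorrect static password>
[2013/08/19|19:19:55.774125UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1012> Error message:
<Password length too short>
[2013/08/19|19:19:54.524125UTC][05068][DEBUG][SocketManager::getPendingSockets] > Waiting to acquire connection lock
mutex.
"""


def parse_trace(text):
    """Return one dict per trace entry; lines without a header continue the previous entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            # Continuation such as "[Denied]" starts with '[' but has no date header.
            entries[-1]["msg"] += " " + line
    return entries


def summarize(entries):
    """Group entries by the second header field and collect what matters for triage."""
    out = defaultdict(lambda: {"audits": [], "errors": [], "alerts": [], "exit_state": None})
    for e in entries:
        s = out[e["thread"]]
        audit = AUDIT_RE.search(e["msg"])
        error = ERROR_RE.search(e["msg"])
        state = EXIT_RE.search(e["msg"])
        if audit:
            s["audits"].append((audit["code"], audit["severity"], audit["text"]))
        if error:
            s["errors"].append((int(error[1]), error[2]))
        elif e["level"] in ("MAJOR", "ALERT") and not e["msg"].startswith("==="):
            s["alerts"].append(e["msg"])
        if state:
            s["exit_state"] = state[1]
    return dict(out)


if __name__ == "__main__":
    for thread, s in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(f"[{thread}] exit state: {s['exit_state']}")
        for code, severity, text in s["audits"]:
            print(f"  audit {code} ({severity}): {text}")
        for code, message in s["errors"]:
            print(f"  error {code}: {message}")
        for message in s["alerts"]:
            print(f"  alert: {message}")
```

To run it against a real file, pass the contents of ias.trace to parse_trace() instead of SAMPLE_TRACE.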