
Normal use of the HP Access Control Smartcard Solution


After the firmware and hardware are installed and the MFP/digital sender is configured for HP Access Control Smartcard Solution authentication, the MFP/digital sender restricts access according to the specified options.

When a user attempts to use a Smartcard-restricted function, the following actions occur:

1. The MFP/digital sender prompts for a valid card to be placed in the Smartcard reader. The user places the card into the reader and leaves it there while using the MFP/digital sender.

2. The MFP/digital sender prompts for a personal identification number (PIN) before continuing. The user types the PIN on the number pad on the MFP/digital sender control panel, and then touches OK on the touchscreen.

3. The MFP/digital sender authenticates the user against Active Directory using the public-key (PKINIT) form of the Kerberos authentication protocol, in which the certificate and private key on the card (unlocked by the PIN) take the place of a password, and then retrieves the user’s Active Directory attributes. When authentication is complete, the MFP/digital sender provides access to the selected function.

If the user types an incorrect PIN, the MFP/digital sender prompts for the number again. If the user enters the wrong PIN three times, the Smartcard is disabled and no longer usable.

ENWW 29

4 Troubleshooting

NOTE: For the most current troubleshooting information regarding this product, go to: www.hp.com/support/usdodsmartcard.

NOTE: For additional information on configuring Kerberos authentication, see the Configuring Embedded Kerberos Authentication guide. It comes bundled on the product CD and is available for download from HP at h20000.www2.hp.com/bc/docs/support/SupportManual/c00646187/c00646187.pdf

If you are experiencing an issue that is not documented here or the steps here do not resolve the issue, contact HP support.


General troubleshooting

49.4c18 error displays when restarting device

Cause: An unsupported firmware version is installed on the device, or the authentication upgrade was installed on the device without the correct firmware.

Solution: To enable the device to boot to Ready after this message has appeared, use the following procedure.

CAUTION: The following procedure is for resolving the 49.4c18 error only and is not recommended for any other operation of the device. It is a bootloader key sequence entered at the control panel during startup, so anyone with physical access to the device can use it; see the note on protecting the device from unauthorized bootloader access under “Authentication Method Not Found” in PKINIT troubleshooting.

1. Turn the device off and back on.

2. Hold down the 9 key during the memory test.

3. After all three LEDs are a solid color, release the 9 key, and then press and release the 3 key.

4. Press and release the Start key. The device should now display “SKIP DISK LOAD”.

5. Press and release the 6 key.

6. The device should then proceed to boot to Ready.

Smartcard authentication does not work after performing a Secure Storage Erase or Disk Init on the MFP/digital sender.

Cause: Performing a Secure Storage Erase or Disk Init erases information that is critical for Smartcard authentication to work.

Solution: The entire HP Access Control Smartcard Solution installation and configuration must be completed again. This includes reinstalling the authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps.

Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions.

MFP/digital sender authentication is working, but remote features such as Send to email and LDAP lookup are not.

Cause: The MFP/digital sender clock is out of sync with the server clock.

Solution: Clients and servers must be synced to within 5 minutes of each other (the Kerberos clock-skew limit). Either configure both the MFP/digital sender and the KDC server to use the same NTP server, or configure the MFP/digital sender to use the KDC server as the clock drift correction server.

Cause: The DNS lookup zone is not properly configured. Hostnames must be used for all Kerberos and SSL servers.

Solution: Verify that the servers listed in the HP Embedded Web Server for Kerberos, Send to Folder, and LDAP addressing configuration are listed as hostnames and not IP addresses.

Cause: Kerberos Realm names are not listed in upper case.

Solution: Check the Kerberos configuration in the HP Embedded Web Server and verify that all Realm names specified are listed in upper case.
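All three causes above can be caught by reviewing the configuration before anyone touches a card reader. The following Python script is an added example, not HP code, that checks an exported configuration for them: server fields that hold IP literals instead of hostnames, a realm that is not upper case, and a device clock more than five minutes away from the KDC. The dictionary keys (kerberos_server, send_to_folder_server, ldap_server, realm) and the sample values are assumptions made for the example and are not the HP Embedded Web Server field names; the device and KDC times are passed in as values rather than read from the network.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Kerberos rejects requests whose timestamp differs from the KDC clock by more
# than this much (the manual's "within 5 minutes of each other").
MAX_CLOCK_SKEW = timedelta(minutes=5)

# Fields whose values must be DNS hostnames, not IP addresses. These key names
# are assumptions for this example, not the HP Embedded Web Server field names.
HOSTNAME_FIELDS = ("kerberos_server", "send_to_folder_server", "ldap_server")


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address rather than a hostname."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False


def lint_config(cfg, device_time, kdc_time):
    """Check a device configuration against the three causes in the table above.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    for field in HOSTNAME_FIELDS:
        value = cfg.get(field, "")
        if value and is_ip_literal(value):
            findings.append(f"{field}: '{value}' is an IP address; Kerberos and SSL "
                            f"servers must be entered as hostnames")
    realm = cfg.get("realm", "")
    if not realm:
        findings.append("realm: not set")
    elif realm != realm.upper():
        findings.append(f"realm: '{realm}' is not upper case; use '{realm.upper()}'")
    skew = abs(device_time - kdc_time)
    if skew > MAX_CLOCK_SKEW:
        findings.append(f"clock: device and KDC differ by {skew}; the limit is {MAX_CLOCK_SKEW}")
    return findings


if __name__ == "__main__":
    # Constructed sample configuration with all three problems present.
    sample = {
        "kerberos_server": "10.1.2.3",                      # IP literal: wrong
        "send_to_folder_server": "files.technical.marketing",
        "ldap_server": "ad1.technical.marketing",
        "realm": "technical.marketing",                     # lower case: wrong
    }
    device = datetime(2024, 3, 1, 12, 7, 30, tzinfo=timezone.utc)
    kdc = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)  # 7.5 min apart: wrong
    for finding in lint_config(sample, device, kdc):
        print(finding)
```

The hostname check uses the ipaddress module rather than a regular expression so that bracketed IPv6 literals are caught as well; the clock check compares two timestamps you obtain yourself (for example from the device status page and from the KDC), since the point is the difference, not the absolute time.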

Error: “No card detected” when using a valid Smartcard

Cause: If the Smartcard is valid, the mechanical card-present switch on the card reader may have failed.

Solution: Replace the card reader.

Error: “Please insert a valid card” when using a valid Smartcard

Cause: If the Smartcard is valid, the card contacts on the reader may have failed.

Solution: Replace the card reader.

The configured device no longer recognizes the Smartcard.

Cause: An incorrect PIN for the Smartcard has been entered three or more times in succession.

Solution: After three successive incorrect PIN entries, the Smartcard is disabled as a security measure. Once a Smartcard is disabled, it must be replaced.


Kerberos troubleshooting

Error message: “Authentication Failed: Kerberos server not available. Please contact the administrator.”

Cause: The Kerberos server hostname was not entered correctly or is not a valid hostname.

Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <kerberos hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.

Cause: The DNS settings on the device are not correct.

Solution: To determine if the device’s DNS settings are not correct, try using the IP address of the Kerberos server instead of a hostname. Open a Windows command shell and type: nslookup <kerberos hostname>. The nslookup command should return the name of the DNS server that resolved the Kerberos host and the IP address of the host. Try entering the Kerberos server IP address on the settings page and performing authentication again. If this works, then open the HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command, then change the Kerberos server entry back to the hostname (Kerberos and SSL servers must be configured as hostnames; see General troubleshooting).

Cause: The Kerberos server is powered off or not reachable.

Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server. A firewall may also be dropping ICMP echo requests, so a failed ping on its own does not prove that the server is down.

Cause: The host is not a valid Kerberos server.

Solution: If the host is a valid Kerberos server, it should accept connections on port 88. Open a Windows command shell and type: telnet <kerberos hostname> 88. (On current Windows versions the Telnet client is an optional feature; in PowerShell, Test-NetConnection <kerberos hostname> -Port 88 performs the same check.) If the telnet command returns “Connecting To <host>…Could not open connection to the host, on port 88: Connect failed”, then nothing on that host is accepting Kerberos connections, or a firewall is blocking them. If the window becomes blank, then the host is accepting connections on port 88, and most likely the device network settings are not correct or the device is not operating correctly.

Error message: “Authentication Failed: Realm not recognized. Please contact the administrator.” or “Authentication Failed: Kerberos server not available for provided domain. Please contact the administrator.”

Cause: The domain field is not correct for the server that is being contacted. If the hostname for the server were “ad1.technical.marketing”, then the realm name is probably “TECHNICAL.MARKETING”.

Solution: If you have followed the procedure for finding the default realm from the Configuring Embedded Kerberos Authentication guide and it does not work, try this alternative method for discovering the domain:

1. On the Windows desktop, click Start, then right-click on My Computer and select Properties.

2. Select the Computer Name tab.

3. Copy the value in the Domain field to the Kerberos Default Realm field on the device, entering it in upper case.

Error message: “Authentication Failed: Device time not synchronized with server. Set correct time, then turn device off and back on.”

Cause: The device clock is offset more than five minutes from the Kerberos server. The Kerberos protocol requires that the clock of the device performing authentication be within this limit of the Kerberos server’s clock, in order to prevent replay attacks.

Solution: On the device control panel press Administration, then press Time/Scheduling, then press Date/Time. Use the control panel keys to change the time. After changing the time setting, turn the device off and back on for the change to take effect.

Cause: The device’s Network Time Protocol (NTP) server is reporting a different time from the KDC time. The device uses the NTP server to determine if the device is in a different time zone than the KDC and if the time stamp reported by the device to the KDC should be adjusted by half-hour increments.

Solution: Most KDC servers also host an NTP service (an Active Directory domain controller does), so try setting your NTP server to the same hostname as your Kerberos server:

1. Start the HP Embedded Web Server and select the Settings tab.

2. On the left menu bar, click Date & Time, then click Clock Drift Correction.

3. Copy the value from the Kerberos Server text box on the Kerberos Settings page into the Network Time Server Address text field.

After changing your NTP setting, turn the device off and back on for the change to take effect.

NOTE: Because of the NTP adjustment, the time zone and daylight savings settings on the device do not affect the time reported by the device.

Error message: “Login failed. Please try again”

Cause: Incorrect credentials were entered, or the user is unknown on the server to which you are authenticating.

Solution: Verify that the user is authorized and using valid credentials.

Error message: “Authentication Failed: Kerberos LDAP server not configured. Please contact the administrator.” or any other LDAP related error

Cause: The settings under “Accessing the LDAP Server” are not correct.

Solution: See the Configuring Embedded Kerberos Authentication guide for help in determining your organization’s LDAP configuration. See LDAP server troubleshooting on page 37 for other possible issues.


Error message: “Authentication Failed: Error code XXXXX”

Cause: Unknown.

Solution: Record the error code shown and contact HP support.

LDAP server troubleshooting

Error message: “LDAP bind at server ‘X’ failure: Server down”

Cause: The LDAP server hostname was not entered correctly or is not a valid hostname.

Solution: To determine if the hostname is valid, open a Windows command shell and type: ping <LDAP hostname>. If ping cannot find the host you are typing, then it is probably not the correct hostname.

Cause: The DNS settings on the device are not correct.

Solution: To determine if the device’s DNS settings are not correct, try using the IP address of the LDAP server instead of a hostname. Open a Windows command shell and type: nslookup <LDAP hostname>. The nslookup command should return the name of the DNS server that resolved the LDAP host and the IP address of the host. Try entering the LDAP server IP address on the settings page and performing authentication again. If this works, then open the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command, then change the LDAP server entry back to the hostname.

Cause: The LDAP server is powered off or not reachable.

Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.

Cause: The host is not a valid LDAP server.

Solution: If the host is a valid LDAP server, it should accept connections on port 389 (or 3268 for an Active Directory global catalog). Open a Windows command shell and type: telnet <LDAP hostname> 389. If the telnet command returns “Connecting To <host>…Could not open connection to the host, on port 389: Connect failed”, then nothing on that host is accepting LDAP connections, or a firewall is blocking them. If the window becomes blank, then the host is accepting connections on port 389, and most likely the device network settings are not correct or the device is not operating correctly.

Error message: “LDAP bind at server ‘X’ failure: Local error”

Cause: A DNS reverse lookup zone for your LDAP server’s IP address is not configured.

Solution: To confirm this, open a Windows command shell and type: nslookup <IP address of host>. If the nslookup command returns the correct hostname, then the reverse DNS zone is configured correctly. If the nslookup command does not come back with the correct hostname, the DNS administrator needs to add a reverse lookup zone (a PTR record for the server’s address) to resolve the issue.

Cause: An unhandled error has occurred on the device and is preventing it from operating correctly.

Solution: Try rebooting the device.
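The ping, nslookup and telnet steps in the Kerberos and LDAP “server not available” tables and the reverse-lookup check for “Local error” are the same three questions asked in order: does the name resolve, does the address resolve back to the name, and does the service port answer. The Python script below is an added example, not HP code, that runs those checks from an administrator’s workstation and maps the outcome to the symptom the device would show. The hostname ad1.technical.marketing and the address 10.1.2.3 are placeholders; the resolver and port-probe functions are parameters so the decision logic can be exercised with constructed lookups, as the usage in the test does, without touching a real network.

```python
import socket

# Ports the manual's telnet tests probe: Kerberos on TCP 88, LDAP on 389 or the
# Active Directory global catalog on 3268.
SERVICE_PORTS = {"kerberos": (88,), "ldap": (389, 3268)}


def probe_tcp(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes. This is what the
    'telnet <host> 88' test shows when the window goes blank: it proves that
    something is listening, not that the listener is a KDC or an LDAP server."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dns(hostname, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve hostname, then reverse-resolve the address and confirm the
    PTR name points back at hostname. The resolver functions are parameters so
    the logic can be exercised with fake lookups offline."""
    report = {"hostname": hostname, "ip": None, "ptr": None, "ptr_ok": False, "error": None}
    try:
        report["ip"] = forward(hostname)
    except OSError as exc:
        report["error"] = f"forward lookup failed: {exc}"
        return report
    try:
        ptr_name, aliases, _ = reverse(report["ip"])
    except OSError as exc:
        report["error"] = f"no reverse lookup zone for {report['ip']}: {exc}"
        return report
    report["ptr"] = ptr_name
    names = {ptr_name.lower()} | {a.lower() for a in aliases}
    report["ptr_ok"] = hostname.lower() in names
    if not report["ptr_ok"]:
        report["error"] = f"PTR for {report['ip']} is '{ptr_name}', expected '{hostname}'"
    return report


def diagnose(hostname, role, forward=socket.gethostbyname,
             reverse=socket.gethostbyaddr, probe=probe_tcp):
    """Run the manual's checks in order and state which symptom the result
    explains. role is 'kerberos' or 'ldap'."""
    report = check_dns(hostname, forward, reverse)
    if report["ip"] is None:
        report["verdict"] = ("hostname does not resolve: fix the server hostname "
                             "or the device's Primary DNS setting")
        return report
    report["open_ports"] = [p for p in SERVICE_PORTS[role] if probe(report["ip"], p)]
    if not report["open_ports"]:
        report["verdict"] = (f"{hostname} resolves to {report['ip']} but no {role} port "
                             f"answered: server down, unreachable, firewalled, or not a {role} server")
    elif not report["ptr_ok"]:
        report["verdict"] = ("service answers but reverse DNS is missing or wrong; for LDAP "
                             "this appears as 'LDAP bind ... Local error' until the PTR zone is fixed")
    else:
        report["verdict"] = "DNS and network path look correct; check the device's own settings next"
    return report


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "ad1.technical.marketing"  # placeholder
    role = sys.argv[2] if len(sys.argv) > 2 else "ldap"
    for key, value in diagnose(host, role).items():
        print(f"{key:11}: {value}")
```

Run it as python diagnose.py ad1.technical.marketing kerberos from a workstation that uses the same DNS servers as the device, otherwise a clean result here says nothing about what the device sees. Note that an open port 389 or 88 only shows that a listener exists; a host answering on 389 could be any LDAP server, so the search root and bind settings still need checking.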


Error message: “LDAP bind at server ‘X’ failure: SSL bind required”

Cause: The LDAP server requires that the connection be made using Secure Sockets Layer (SSL), in current deployments TLS.

Solution: See Configuring LDAP over SSL on page 23.

Error message: “LDAP failure retrieving display name. Result code: Fail”

Cause: The search root is incorrect. Typically, if your domain is TECHNICAL.MARKETING.COM, then your search root would be DC=TECHNICAL,DC=MARKETING,DC=COM. It may also have CN=Users in front of it (CN=Users,DC=TECHNICAL,DC=MARKETING,DC=COM); a search root that does not contain the user’s object produces this error.

Cause: The attribute used to retrieve the username is incorrect. This attribute is often “displayName”, but it may be different depending on the LDAP schema.

Solution: Contact your LDAP administrator to obtain the correct LDAP settings, or use the ldp tool as described in the Configuring Embedded Kerberos Authentication guide to discover them.
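The realm and search-root rules of thumb on this page (“ad1.technical.marketing” gives realm TECHNICAL.MARKETING; domain TECHNICAL.MARKETING.COM gives search root DC=TECHNICAL,DC=MARKETING,DC=COM, possibly under CN=Users) are mechanical enough to script. The following Python code is an added example, not HP code: it derives both values from a hostname or domain and checks whether a user’s distinguished name actually lies under the search root configured on the device, which is the case the “retrieving display name” error describes. It assumes the host’s DNS suffix equals the Active Directory domain, which is the common case but not guaranteed, and the hostnames and DNs used are constructed for the example.

```python
def realm_from_hostname(fqdn):
    """'ad1.technical.marketing' -> 'TECHNICAL.MARKETING'. Assumes the host's
    DNS suffix is the AD domain name (usually true for a domain controller)."""
    labels = fqdn.strip(".").split(".")
    if len(labels) < 2:
        raise ValueError("a fully qualified hostname is required")
    return ".".join(labels[1:]).upper()


def search_root_from_domain(domain, container=None):
    """'TECHNICAL.MARKETING.COM' -> 'DC=TECHNICAL,DC=MARKETING,DC=COM';
    with container='CN=Users' the container is prepended."""
    dcs = ",".join(f"DC={label}" for label in domain.strip(".").split("."))
    return f"{container},{dcs}" if container else dcs


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, most specific first. Commas
    escaped as '\\,' inside a value (e.g. 'CN=Doe\\, Jane') are kept intact."""
    parts, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped character: copy both bytes
            current += dn[i:i + 2]
            i += 2
            continue
        if ch == ",":
            parts.append(current)
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current)
    rdns = []
    for part in parts:
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def dn_under_search_root(user_dn, search_root):
    """True if user_dn sits at or below search_root. LDAP DNs are compared
    case-insensitively here, which matches Active Directory's behaviour."""
    user = [(a, v.lower()) for a, v in parse_dn(user_dn)]
    root = [(a, v.lower()) for a, v in parse_dn(search_root)]
    return len(user) >= len(root) and user[-len(root):] == root


if __name__ == "__main__":
    # Constructed values for the example.
    print(realm_from_hostname("ad1.technical.marketing"))
    root = search_root_from_domain("TECHNICAL.MARKETING.COM", "CN=Users")
    print(root)
    jane = "CN=Jane Doe,OU=Staff,DC=TECHNICAL,DC=MARKETING,DC=COM"
    print(jane, "under", root, "->", dn_under_search_root(jane, root))
```

The last line of the sample run prints False: a user created in an organizational unit (OU=Staff) is not under CN=Users, so a device configured with the CN=Users search root never finds that user. Setting the search root to the bare DC=… string searches the whole domain at the cost of a larger subtree search.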

Error message: “LDAP failure retrieving E-mail address. Result code: Fail”

Cause: The attribute used to retrieve the E-mail address is incorrect. This attribute is often “email”, but it may be different depending on the LDAP schema; in Active Directory the standard attribute is “mail”.

Cause: The LDAP database does not have an E-mail address populated for this user.

Solution: Contact your LDAP administrator to verify this, or use the ldp tool as described in the Configuring Embedded Kerberos Authentication guide.

PKINIT troubleshooting

Error message: “HP smart card reader not detected. Please connect the HP reader #nnnnn to the device, and turn the device off and back on.”

Cause: The reader detection algorithm may have failed.

Solution: Reboot the device and try again.

Cause: The connection may be loose.

Solution: If the device reboots and the same problem persists, power the device off and check that the reader is connected firmly. After ensuring the connection is secure, power the device back on.

Cause: The reader may be faulty.

Solution: Try replacing the card reader with a different reader. Return the faulty reader to HP for replacement.

Error message: “Authentication Failed: CMS verify signed failed: Failed to find issuer with subject ‘X’ for certificate with subject ‘Y’. Please contact the administrator.”

Cause: The issuer certificate of the KDC certificate is not installed on the device.

Solution: Installing the issuer’s certificate on the device enables the device to verify that the response from the KDC is valid. Install the CA certificate whose subject is the ‘X’ named in the error; if that CA is itself an intermediate, install its issuer as well, so that the device can build a complete chain to a root. To see the certificates that have been installed on the device:

1. Start the device HP Embedded Web Server and select the Settings tab.

2. On the left menu bar, click Kerberos Authentication. Select the domain name and click Edit, or enter a new domain name. The Kerberos Authentication page displays.

3. Scroll down to the Kerberos PKINIT Configuration section and click Certificates.

Error: “Authentication Failed: KDC issuer certificate with subject 'X' is expired. Please contact the administrator.”

Cause: The issuer certificate of the KDC certificate is installed on the device, but it is no longer valid. Every digital certificate is only valid for a specific time period; once that period has expired the certificate is no longer considered valid.

Solution: Before replacing anything, confirm that the device clock is correct, because a device clock set far into the future or past makes a still-valid issuer certificate appear expired. If the certificate really has expired, install the current issuer certificate on the device. To see certificates that have been installed on the device, go to the Kerberos Authentication page, and click Edit under the appropriate certificate type heading in the Using PKINIT Authentication (Smart Card Authentication Only) section.

You do not see a prompt to enter your PIN or insert your card when you try to access the device.

Cause: The device is not configured properly for Smartcard authentication.

Solution: See Configure authentication using the Smartcard accessory on page 19 for additional information.


Error: “Authentication Failed: Authentication Method Not Found. Please contact the administrator”

Cause: Smartcard authentication was previously installed on the device, but the device configuration has been changed because the hard disk was re-initialized.

Solution: The entire HP Access Control Smartcard Solution installation and configuration must be completed again. This includes reinstalling the HP Access Control Smartcard Solution authentication upgrade and performing all of the necessary HP Embedded Web Server configuration steps. Refer to Installation on page 1 and Configuring the MFP/digital sender on page 7 for instructions.

If the hard disk was not intentionally reinitialized, treat the event as possible tampering: review who has physical access to the device, and consider securing the device so that only an administrator can re-initialize the hard disk. Please contact HP for more information on protecting the device from unauthorized bootloader access.

Error: “Authentication Failed: User certificate has been revoked”

Cause: The user is trying to authenticate with a Smartcard whose certificate has been revoked.

Solution: Try using a different Smartcard for authentication.

Error: “Authentication Failed: User certificate is expired”

Cause: The user is trying to authenticate with a Smartcard whose certificate has expired.

Solution: Try using a different Smartcard for authentication.

Error: “Authentication Failed: Kerberos Server unable to validate user certificate”

Cause: The Kerberos server may have an outdated CRL or may be unable to contact the OCSP server for validation.

Solution: Work with the IT personnel maintaining the server to resolve the problem.

OCSP/CRL troubleshooting

Error message: “Authentication Failed: KDC certificate with subject ‘X’ has been revoked.”

Cause: The OCSP responder returned a revoked status for the KDC certificate with subject ‘X’.

Solution: Contact your PKI administrator.

Error message: “Authentication Failed: KDC certificate status with subject ‘X’ is unknown.”

Cause: The OCSP responder returned an unknown status for the KDC certificate with subject ‘X’.

Solution: Contact your PKI administrator.

Error message: “Authentication Failed: Unable to contact OCSP responder.”

Cause: The OCSP responder URL was not entered correctly or is not a valid URL.

Solution: To determine if the URL is valid, open a Web browser and copy the Web URL into the address bar. If the Web browser is unable to connect to the host or it returns a “page not found” error, then the URL is not the address of a valid OCSP responder.

Cause: DNS settings on the device are not correct.

Solution: To determine if the device DNS settings are incorrect, use the IP address of the OCSP responder instead of a hostname as the URL. To determine the IP address, open a Windows command shell and type: nslookup <OCSP responder hostname>. The nslookup command should return the name of the DNS server that resolved the host and the IP address of the host. Try entering the OCSP responder IP address on the settings page and performing authentication again. If this works, start the device's HP Embedded Web Server and click on the Networking tab, then click on TCP/IP settings on the left menu bar. Select the Network Identification tab. In the Primary DNS text box, enter the IP address of the DNS server returned by the nslookup command.

Related documents