SafeGuard LAN Crypt: Loading Profile Troubleshooting Guide

Transcription

1 1 Troubleshooting Guide SafeGuard LAN Crypt: Loading Profile Troubleshooting Guide Document date: 26/11/2014

2 Contents 1 Introduction SafeGuard LAN Crypt User application Loading the user profile (%username%.xml and %username%.pol) Problems loading the profile Red Key with error message Cannot copy user profile Red Key with error User certificate cannot be found Red Key with error User certificate expired or is not valid yet Red Key with error LAN Crypt Security officer s certificate not found Certificates Useful logs for troubleshooting SafeGuard LAN Crypt SGMTrace Errlfile Event log Additional information Appendix Legal notices

3 Troubleshooting Guide This document applies to the following Sophos products: SafeGuard LAN Crypt Client 3

4 1 Introduction This article describes how to troubleshoot the SafeGuard LAN Crypt client when the LAN Crypt profile fails to load i.e. the tray icon does not show a green Key. 2 SafeGuard LAN Crypt User application SafeGuard LAN Crypt is designed to be used with almost no user interaction. Logon to SafeGuard LAN Crypt Logon to SafeGuard LAN Crypt is a process where the encryption profile, which is stored in policy files, is loaded on the client machine after a user has logged into Windows. The encryption profile can only be loaded when the user owns the corresponding certificates. SafeGuard LAN Crypt encryption profiles are created by a security officer according to the security policy of the company and then stored in policy files. When the client machine logs into AD it will receive a GPO setting where the policy files can be found. Such settings are done by the system administrator. The path to the policy files are written to the registry of the client machines. SafeGuard LAN Crypt loads the policy files from this directory (or even a web server) and checks whether the user is allowed to load it by verifying the user s certificates. Certificates To have access to their encryption profile, the corresponding certificates have to be available on the user s machine. This means that the user must be in possession of both their certificate (private key p12) and the security officer certificate (public key cer-file) too. The security officer has to distribute the certificates to the user and the user has to import the certificate to their machine. If the certificates are available at first logon, the process runs completely without user interaction. SafeGuard LAN Crypt also offers the possibility to import certificates automatically after the encryption profile is loaded for the first time. In this case, the system is configured by the security officer in a way that allows SafeGuard LAN Crypt to find a certificate file (at logon) and starts to import the certificate automatically. The user is prompted to enter the PIN (password) for this certificate. The certificate (filename) must be the same as the username. For instance, if the username is Peter then the certificate name must be peter*.p12. NOTE: The PIN (password) for importing the certificate has to be distributed to the user by the security officer. 4

5 Troubleshooting Guide The certificate is checked each time the encryption profile is loaded. If a valid certificate is found, the user is logged on to SafeGuard LAN Crypt. If no valid certificate is found, the user is not able to work with encrypted data. Special encryption rules included in the SafeGuard LAN Crypt encryption profiles gives the user access to encrypted data. They define exactly which files in particular directories have to be encrypted by each key. The encryption profile of a user needs to be loaded for encryption and decryption to takes place in the background (transparently). The user will not be aware of the encryption/decryption tasks being performed. User Application A key icon in the Windows task bar shows the state of SafeGuard LAN Green key: Encryption rules loaded, transparent encryption activated. Yellow key: Encryption rules loaded, transparent encryption deactivated. Red key: No profile loaded. The application provides (via right mouse button) the following functions to the user: Load encryption rules Clear encryption rules Deactivate/Activate encryption Show profile Client Status Initial encryption Close About 5

6 3 Loading the user profile (%username%.xml and %username%.pol) Starting with the version 3.90, the client works only with policies of file type xml. Older clients do not support this file format. In case your client cannot read the received policies, a corresponding message is displayed. How does the SafeGuard LAN Crypt client workstation know where to find the correct user profile and which one to load? When creating the profile, it will always be named after the corresponding username (e.g. user Peter has a profile peter.xml or peter.pol ). The path to the profile can either be defined in Group Policy Object or directly in the registry. We recommend always using the group policy settings. Note: Only SafeGuard LAN Crypt Client 3.71 and above can load the profile from network drives or web servers via http/https (https only with versions 3.90 and above). 6

7 Troubleshooting Guide 4 Problems loading the profile 4.1 Red Key with error message Cannot copy user profile... This behaviour indicates that the profile (%username%.xml or %username%.pol) was not found by the client workstation. Reasons for this behaviour 1. The profile for this user does not exist! To be checked at SafeGuard LAN Crypt Administration console: If the security officer has created the profile but the error message above is shown, the path to the profile in SafeGuard LAN Crypt Administration and the registry of the client is different. It can be checked in the SafeGuard LAN Crypt Administration console. To do so, right-click on Central Setting and click on the Directories tab. 7

8 In case that you are using an older version e.g 3.71, please make sure that you have enabled the option Create legacy policy files (.pol.bz2) via Options. If you use different SafeGuard Client versions, you have to make sure that all SafeGuard Clients can read the generated policy files. SafeGuard LAN Crypt supports different policy file formats: 8

9 Troubleshooting Guide Create legacy policy files (.pol) for older version than Create legacy policy files (.pol.bz2) for SafeGuard LAN Crypt versions older than 3.90 e.g 3.71 Create new policy files (.xml.bz2) for SafeGuard LAN Crypt versions 3.90 and higher 2. Make sure that the user has sufficient read access to the path where the profiles are stored. 3. To be checked at AD GPO: Examine the path where the profiles are located with the path you defined in Group Policy Object (GPO). 9

10 4. Check at client: Make sure that the GPO has been applied to the workstation. This can be done by checking the registry and ensuring that the registry key PolicyFileLocation has the same value as defined in the GPO. 10

11 Troubleshooting Guide 5. If the policies have not been applied then you would normally experience an Active Directory issue. This is indicated in the Windows Application Event log with a userenv entry. You may receive many different userenv entries but basically they all indicate problems with the Active Directory. If this is the case then please fix the Active Directory issue first before proceeding. 6. Please check the connection to the web server if the policies are located on the web. Check out by trying to connect to the webserver by calling it with a web browser check for error messages there. 11

12 4.2 Red Key with error User certificate cannot be found. If this error message is displayed, it indicates that the client workstation has located the profile file but the private Key (certificates - *.p12) for this user is not available in order to decrypt the profile. The profile file must be decrypted by the private key of the user in order to get access it. If you are using certificates from a PKI or a 3rd Party Software then the certificates (private key) must already be distributed to the user. SafeGuard LAN Crypt (Loadprof.exe) imports certificates automatically when the encryption profile is loaded for the first time. 1. If you are distributing the certificates via SafeGuard LAN Crypt (loadprof.exe), you have to make sure that the path where the certificates (%username%.p12) are located on the file system is identical to the path you defined in the GPO. Note: Starting with version 3.90, p12 files can also be downloaded from a web server. If you experience an issue here then please check the connection to the web server. 12

13 Troubleshooting Guide 2. Make sure that group policies have been applied to the workstation, check the registry key P12SearchLocation to ensure that the value is the same one as defined in the GPO. 13

14 3. If group policies are not applied then you will experience AD issues and userenv errors in Windows Application Event log. Ensure AD issues are fixed before proceeding with LAN Crypt. 4. Is the certificate (private key) available for the user? To check this, open Internet Explorer properties Content Certificates. 14

15 Troubleshooting Guide 5. If all these settings are correct and the user certificate (%username%.p12) is also installed correctly, there may be a possibility that more than one certificate exists for the user. Check to ensure that the user profile is not encrypted with a different user certificate i.e. make sure to install the same certificate with which the profile was encrypted. 6. When more than one certificate exists for a user, Safeguard LAN Crypt Client (Loadprof) will always try to install the certificate with %username%.p12 first. There are successively all of the user s p12 files imported as 15

16 long as the password is correct. At http(s), up to a maximum number of 10 <Username>.p12 files can be imported (f.e. <Username>10.p12 ). 7. To make sure that you are using the correct certificate, you can manually install the *.p12 file for the user and try loading the profile again by right-clicking on the red key in the Windows Taskbar and then select Load encryption rule. 4.3 Red Key with error User certificate expired or is not valid yet This indicates that the User certificate has expired. When using PKI, this certificate should be renewed or a new user certificate for the user must be issued. When the user receives a new certificate, also the profile for that user must be generated again too. The new certificate must then be distributed to the user so the policy file can be decrypted. SafeGuard LAN Crypt can be configured so that the time invalidity will be ignored, but for security reasons we do not recommend activating this switch! This can be activated in GPO Computer configuration. This can also be checked in the SafeGuard LAN Crypt Administration console. All users that have a valid certificate will be shown with a green symbol and users with invalid certificates with a red symbol. 16

17 Troubleshooting Guide 4.4 Red Key with error LAN Crypt Security officer s certificate not found. 1. If you are distributing the public LAN Crypt Administrator (Security officer SO) certificates with the SafeGuard LAN Crypt (Loadprof.exe) then you have to make sure that the path where the certificates (*.cer) are located (network drive or web server via http/https) on the file system is the same path you defined in the GPO. All public certificates that are located in the defined path will be imported automatically. 17

18 2. Make sure that the group policies have been applied to the workstation. This can be done by checking that the registry key Security Officer Certificate Client Location has the same value as defined in the GPO. 3. If group policies are not applied then you will experience AD issues and userenv errors in Windows Application Event log. Please fix these issues first before proceeding. 4. Is the LAN Crypt Administrator Certificate installed? To check this, open Internet Explorer properties Content Certificates. Note: The public certificate of the security officer who created the user profile must be installed in order to gain access to the rules in the profile. 5. To make sure that you are using the correct public security officer certificate, you can manually install the *.cer file for the security officer who generated the user profile. Once done, try loading the profile again by right-clicking on the red key in the Windows Taskbar and select Load encryption rule. 6. It is not allowed to rename Security officer certificate when they are located on a web server. If you rename the certificate then it cannot be loaded on to the client because the client searches for the file name and will not be able to find it. If it is on a share then the client will search all files till it finds the certificate that matches. 18

19 Troubleshooting Guide 7. This error will also appear if the SO certificates does not contain the correct key usage. The Key Usage for SO certificates should contain: Digital Signature, Non-Repudiation, Key Encipherment, and Data Encipherment. 19

20 5 Certificates Important information about how to use certificates: The Key Usage value of the user certificate must be KeyEncryption and/or DataEncryption. The Certificate may not contain any unknown critical extensions. Following critical extensions are allowed, if any other critical extension is set then the certificate cannot be used: OID: (key usage) OID: (enhanced key usage) OID: (Utimaco critical extension) OID: (basic constraints) OID: (certificate policies) To check the key extension of a certificate, double-click on the certificate and go to the Details tab. Now you can set a filter to show Extensions Only as per image below. 20

21 Troubleshooting Guide The Key Usage for any SO certificate, that can generate the profiles, should contain Digital Signature, Non-Repudiation, Key Encipherment, and Data Encipherment. SafeGuard LAN Crypt only uses the Microsoft Crypto API for certificate functionality. Most certificates that use this function are supported. Certificates using the Cryptographic Next Generation (CNG) CSP are not supported. SafeGuard LAN Crypt supports all Cryptographic Service Providers (CSPs) that comply with certain standards (e.g. RSA key length at least 1024 bits). They include, among others, the Microsoft Enhanced CSP. In the case that a CRL-Distribution point is set in a certificate and it is out of reach, it could take a while (depending on the CSP) until a timeout appears Note: The Microsoft Base CSP cannot be used! Ignore rules during Certificate Verification In SafeGuard LAN Crypt, you can specify whether any errors found when checking user certificates are to be ignored. Note: Ignoring errors that occur during certificate checks always means a reduction in security and we recommend using a certificate that has the required properties instead of ignoring the error. Even if the setting is configured, the certificate may still be rejected by CSP or Middleware (especially when tokens are used). These settings can be defined under Client Settings Ignore during Certificate Verification in the GPO. You can select which status shall be ignored during the certificate verification. 21

22 Ignore Certificate revoked If a certificate is on a Certificate Revocations List (CRL), which is evaluated during logon, it may not actually be used for accessing his profile. But with this option activated a user can continue to gain access to his encryption profile - because in this case LAN Crypt will not check for any CRL. Ignore time invalidity Even if the validity period of a certificate has expired, the user can continue to access their encryption profile, if this option is selected. Ignore bad certificate chain 22

23 Troubleshooting Guide If this option is activated, the user can continue to access their encryption profile even if the public part of the issuer s certificate is not available on the client machine or is kept in the wrong certificate store. Ignore unknown revocation When PKIs from some vendors write reasons for the revocation of a certificate to a CRL, they do not comply with common standards. You cannot usually use a certificate if the reason for revocation is not known. However, if this option is selected, the user can continue to access their encryption profile. Note: A network connection may be necessary to evaluate the certificate chain and CRL. If a connection cannot be established, access will be denied, although the certificate may actually be valid. 23

24 6 Useful logs for troubleshooting SafeGuard LAN Crypt 6.1 SGMTrace If you experience an issue with loading profiles, it would be very helpful to create a log file called SGMTrace. KBA SafeGuard LAN Crypt: How to enable extended tracing for SafeGuard LAN Crypt explains how to do this. 6.2 Errlfile On the desktop, right-click on My Computer Properties Advanced Environment Variables System Variables. Add a new variable ERRLFILE : Restart the machine. 24

25 Troubleshooting Guide After the reboot, you will be able to access the log file (path is defined when creating the variable). Note: Errlfile can be only created for the earlier versions i.e and below. 6.3 Event log Check Windows Event log for any errors 25

26 7 Additional information Relevant KBAs KBA SafeGuard LAN Crypt: User certificate cannot be found KBA SafeGuard LAN Crypt Administration 3.80 and above: How to add a Critical Extension for a newly generated certificate 26

27 Troubleshooting Guide 8 Appendix [actually no information for future references] 27

28 Legal notices Copyright 2014 Sophos Group. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner. Sophos, Sophos Anti-Virus, and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. 28