How to enable and read the full trace file for IDENTIKEY Authentication Server 3.4, step by step.

Size: px

Start display at page:

Download "How to enable and read the full trace file for IDENTIKEY Authentication Server 3.4, step by step."

Arlene Page
6 years ago
Views:

1 KB How to enable and read the full trace file for IDENTIKEY Authentication Server 3.4, step by step. Creation date: 10/09/2013 Last Review: 10/09/2013 Revision number: 2 Document type: How To Security status: EXTERNAL Summary To be able to troubleshoot an IDENTIKEY Authentication Server installation you have to enable and examine the full trace file. This is a step by step guide how to enable full tracing and where you can find the file. This article also includes some basic information you can find in the trace file. details. How to enable the full tracing? There are two possibilities to enable Full tracing in IDENTIKEY: 1. Using the Web Administration tool. Select Server Configuration from the SYSTEM tab, and edit the General tab. Set the Tracing level to Full. It is recommended to enable Rotate Trace logs so the trace files do not grow too large. You can rotate based on days or size. After pressing the SAVE button the tracing starts, there is no need to restart the IDENTIKEY Service. Page 1 of 7

2 2. Using IDENTIKEY Authentication Server configuration. Open the IDENTIKEY Authentication Server Configuration GUI from the Windows Start menu All Programs IDENTIKEY Authentication Server IDENTIKEY Authentication Server Configuration. In the general settings, Select Full Tracing and specify and file rotation settings. The default file location for the trace file will be C:\Program Files\VASCO\Identikey 3.4\log\ikeyserver.trace. Page 2 of 7

$After restarting the service, or enabling the tracing via Webadmin, you can find the trace file in the log directory of IDENTIKEY Authentication Server (default location is C:\Program$ $Files\VASCO\Identikey 3.4\log) Below is the trace data generated when an authentication attempt is handled by IDENTIKEY Authentication Server 3.4: [2013/08/19 19:19:54.$

3 Click YES when you are asked to restart the service: Where can I find the trace file? After restarting the service, or enabling the tracing via Webadmin, you can find the trace file in the log directory of IDENTIKEY Authentication Server (default location is C:\Program Files\VASCO\Identikey 3.4\log) Below is the trace data generated when an authentication attempt is handled by IDENTIKEY Authentication Server 3.4: [2013/08/19 19:19: UTC][05068][DEBUG][SocketManager::getPendingSockets] > Waiting to acquire connection lock mutex. [2013/08/19 19:19: UTC][05068][DEBUG][SocketManager::getPendingSockets] > Acquired connection lock mutex. [2013/08/19 19:19: UTC][05068][DEBUG][SocketManager::getPendingSockets] > Releasing connection lock mutex. [2013/08/19 19:19: UTC][05776][DEBUG][ValidationTask::getSharedSecretStore] > Looking for RADIUS Client with Shared Secret Page 3 of 7

4 [2013/08/19 19:19: UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [RADIUS Client: ] returned from Component Cache [2013/08/19 19:19: UTC][05776][INFO ][ValidationTask::process] > Received request is from NAS location [2013/08/19 19:19: UTC][05776][DEBUG][ValidationTask::processPossibleRequestRepeat] > Failed to find entry in request cache. Must be a new request. Caching new request [2013/08/19 19:19: UTC][05776][VINFO][Manager::getElementFromRequest] > Packet contains no state attribute, assuming this is a new request [2013/08/19 19:19: UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Component cache says there is no Component record [RADIUS Client: ] [2013/08/19 19:19: UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [RADIUS Client: ] returned from Component Cache IDENTIKEY found a client component with the IP address of the client location [2013/08/19 19:19: UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client component check succeeded [2013/08/19 19:19: UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client license check skipped [2013/08/19 19:19: UTC][05776][VINFO][ValidationTask::routePacket] > Processing packet data [2013/08/19 19:19: UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Retrieving handler for packet [2013/08/19 19:19: UTC][05776][DEBUG][RADIUSHandlerFactory::getHandler] > Creating PAP handler [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Info} {RADIUS} {I } {A RADIUS Access-Request has been received.} {0xDA EE52E41E8B256A5BA614D} [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Client Location: :51943, Source Location: , Request ID:8, Password Protocol:PAP, Input Details:RADIUS Code:1, RADIUS Id:8,, User- Name:user@master, NAS-IP-Address: , NAS-Port:1, NAS-Identifier:Vasco Radius Simulator, User-Password:********, Calling-Station-Id:13080, Action:Process} [2013/08/19 19:19: UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated [2013/08/19 19:19: UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released [2013/08/19 19:19: UTC][05776][MAJOR][alert_record] > plugin not initialized [2013/08/19 19:19: UTC][05776][DATA ][RADIUSLayer::dispatchCommandTask] > Retrieved from packet - Attributes : ' {Password : ********}', Params: ' {User ID : user@master} {Password : ********} {Raw User ID : 0x D } {Password Format : 0} {Protocol ID : RADIUS} {Protocol Specific Data : 0xC0A81101E7CA }' [2013/08/19 19:19: UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Authentication request received. [2013/08/19 19:19: UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Executing authentication scenario command. [2013/08/19 19:19: UTC][05776][DEBUG][CommandFactory::generateCommand] > Request for command: <20:1> [2013/08/19 19:19: UTC][05776][DEBUG][CommandFactory::generateCommand] > Found factory - creating command [2013/08/19 19:19: UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [Identikey Server: ] returned from Component Cache The IDENTIKEY Server that will authenticate the user [2013/08/19 19:19: UTC][05776][DEBUG][ComponentCheckUtils::checkServerComponent] > Protocol field <RADIUS> was successfully located in license. [2013/08/19 19:19: UTC][05776][DEBUG][ComponentCheckUtils::checkServerComponent] > Scenario field <Authentication> was successfully located in license. [2013/08/19 19:19: UTC][05776][DEBUG][ComponentCheckUtils::checkServerComponent] > For scenario Authentication protocol RADIUS was successfully located in license. [2013/08/19 19:19: UTC][05776][VINFO][ComponentCheckUtils::checkServerComponent] > Server component and license check succeeded [2013/08/19 19:19: UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Component cache says there is no Component record [RADIUS Client: ] [2013/08/19 19:19: UTC][05776][DEBUG][ComponentLoader::fetchComponent] > Existing Component record [RADIUS Client: ] returned from Component Cache [2013/08/19 19:19: UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client component check succeeded [2013/08/19 19:19: UTC][05776][VINFO][ComponentCheckUtils::checkClientComponent] > Client license check skipped [2013/08/19 19:19: UTC][05776][INFO ][AuthenticateRequest::execute] > Processing user authentication request... [2013/08/19 19:19: UTC][05776][INFO ][AuthenticateRequest::execute] > Fast authentication is <false> [2013/08/19 19:19: UTC][05776][VINFO][AuthenticateRequest::execute] > Password format is [Cleartext combined] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > *** Effective Policy Settings *** [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Policy ID : [Identikey Local Authentication] Policy Settings used for the client found [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Parent Policy ID : [Base Policy] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > DUR : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Autolearn : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Stored Pwd Proxy : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Assignment Mode : [Neither] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Assign Search Up OU Path : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Grace Period : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Application Names : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Application Type : [No Restriction] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Digipass Types : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Local Authentication : [Digipass/Password] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > BackEnd Authentication : [None] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > BackEnd Protocol ID : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Default Domain : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Group List : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Group Check Mode : [No Check] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > User Lock Threshold : [3] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > One-Step Chall/Response : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > One-Step CR Chall Length : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > One-Step CR Check Digit : [1] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Maximum Days : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Max Uses : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Pin Change Allowed : [Yes] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Self-Assign Separator : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Challenge Request Method : [Keyword] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Challenge Request Keyword : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Primary VDP Rqst Method : [Password] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Primary VDP Rqst Keyword : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Rqst Method : [KeywordPassword] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Backup VDP Rqst Keyword : [otp] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > ITimeWindow : [20] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > STimeWindow : [20] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > EventWindow : [20] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > SyncWindow : [6] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > IThreshold : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > SThreshold : [0] Page 4 of 7

5 [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Check Challenge : [1] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > OnlineSG : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Check Inactive Days : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Offline Auth Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Offline Time Interval : [21] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Offline Max Events : [300] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > DCR : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Chg Win Pwd Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Chg Win Pwd Length : [16] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Client Group List : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Client Group Mode : [No Check] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > 2OTP Sync Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > VDP Delivery Method : [SMS] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Reply Radius Attribute Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Radius Attribute Group List : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Radius Allowed Protocols : [Any] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Radius Session Lifetime : [3600] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Radius Session Ticket Lifetime : [86400] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Radius Session Ticket Reuse : [48] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Radius Session Group List : [] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Diff To Prev : [4] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Length : [7] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Lower Alpha : [1] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Upper Alpha : [1] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Number : [1] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Min Symbol : [0] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Static Password Not UserId Based : [Yes] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Multi Digipass Application Mode : [Multiple DIGIPASS Applications Allowed] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > Privileged Users : [Reject] [2013/08/19 19:19: UTC][05776][DATA ][Policy::traceDetails] > ********************************* [2013/08/19 19:19: UTC][05776][DATA ][UserChecks::resolveUserAndGroupCheck] > userid is [user@master] user authenticating [2013/08/19 19:19: UTC][05776][DATA ][UserChecks::resolveUserAndGroupCheck] > domain is [] [2013/08/19 19:19: UTC][05776][INFO ][ODBCStorageConnector::connect] > Trying to connect to the ODBC data source [2013/08/19 19:19: UTC][05776][INFO ][ODBCSource::Connect] > Already connected [2013/08/19 19:19: UTC][05776][INFO ][ODBCRequestContext::doUserNameTranslation] > Not doing Windows user name translation [2013/08/19 19:19: UTC][05776][DEBUG][ODBCRequestContext::doUserNameTranslation] > Found domain '<master>' in cache and it exists - using [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsdomain, vdsuserid, vdsorgunit, vdsusername, vdsmobile, vds , vdsstaticpwd, vdslinkuserdomain, vdslinkuserid, vdslocalauth, vdsbackendauth, vdslockcount, vdslocked, vdsdisabled, vdsadminprivileges, vdsofflineauthenabled, vdsstaticpwdhistory, vdscreatetime, vdslastauthtime, vdsexpirationtime FROM vdsuser WHERE (vdsdomain =?) AND (vdsuserid =?) ORDER BY vdsdomain, vdsuserid, vdsorgunit" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user" [2013/08/19 19:19: UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1 [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsserialno FROM vdsdigipass WHERE (vdsdomain =?) AND (vdsuserid =?)" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user" [2013/08/19 19:19: UTC][05776][DATA ][vasco::cryptoengine::decryptwithembeddedprovider] > Decrypt the content using embedded crypto provider. [2013/08/19 19:19: UTC][05776][VINFO][SoftwareCryptoBase::preDecryptProcess] > First 2 byte of cipher text 0x[00] 0x[0A] [2013/08/19 19:19: UTC][05776][DATA ][SoftwareCryptoBase::custom_aes128cbc_key_derive] > Block size for aes is [16] [2013/08/19 19:19: UTC][05776][DATA ][vasco::cryptoengine::decryptwithembeddedprovider] > Data is decrypted using embedded crypto provider. [2013/08/19 19:19: UTC][05776][INFO ][UserChecks::userChecks] > Digipass User account found [2013/08/19 19:19: UTC][05776][DEBUG][UserChecks::userChecks] > Checking User login inactivity: 'true' [2013/08/19 19:19: UTC][05776][DEBUG][UserChecks::userChecks] > User login inactivity time: [90] [2013/08/19 19:19: UTC][05776][DEBUG][UserChecks::userChecks] > Checking user activity [2013/08/19 19:19: UTC][05776][INFO ][UserChecks::userChecks] > Setting m_userchecksstate to [User Exists] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > *** User Details *** [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > User ID : [user] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Mobile no. : [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > . : [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Domain : [master] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Org Unit : [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > LDAP DN : [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Local Auth : [Digipass/Password] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Back End Auth : [None] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Offline Auth Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Use DP from UserID : [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Use DP from domain : [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > Use DP from LDAP DN: [] [2013/08/19 19:19: UTC][05776][DATA ][User::traceDetails] > ******************** [2013/08/19 19:19: UTC][05776][DEBUG][UserChecks::adminPrivilegeCheck] > 'Privileged Users' policy setting set to 'Reject' however this user does not have administrative privileges. The admin privilege check for this user has therefore succeeded. [2013/08/19 19:19: UTC][05776][VINFO][LocalAuthenticationChecks::localVerification] > Length of password entered is [6] bytes [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsdomain, vdsserialno, vdsorgunit, vdsdptype, vdsgpexpires, vdsbvdpenabled, vdsbvdpexpires, vdsbvdpusesleft, vdsuserid, vdsdpsoftparamsid, vdsactivlocs, vdsactivcount, vdslastactivtime FROM vdsdigipass WHERE (vdsdomain =?) AND vdsorgunit IS NULL AND (vdsuserid =?) ORDER BY vdsdomain, vdsserialno, vdsdpdescription" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user" [2013/08/19 19:19: UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1 [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsdpapplication.vdsserialno, vdsdpapplication.vdsapplname, vdsdpapplication.vdsapplno, vdsdpapplication.vdsappltype, vdsdpapplication.vdsactive, vdsdpapplication.vdsblob, vdsdigipass.vdsdomain, vdsdigipass.vdsorgunit, vdsdigipass.vdsuserid, vdsdpapplication.vdscreatetime, vdsdpapplication.vdsmodifytime, vdsdpapplication.vdsstoragekeyid, vdsdpapplication.vdssensitivekeyid FROM (vdsdpapplication INNER JOIN vdsdigipass ON (vdsdpapplication.vdsserialno = vdsdigipass.vdsserialno)) WHERE (vdsdpapplication.vdsserialno =?) ORDER BY vdsdpapplication.vdsserialno, vdsdpapplication.vdsapplname" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string " " [2013/08/19 19:19: UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1 [2013/08/19 19:19: UTC][05776][INFO ][vasco::cryptoengine::storagedecrypt] > Decrypting digipass Blob. Page 5 of 7

6 [2013/08/19 19:19: UTC][05776][INFO ][vasco::cryptoengine::storagedecrypt] > Decrypting digipass Blob. [2013/08/19 19:19: UTC][05776][DATA ][vasco::cryptoengine::decryptwithembeddedprovider] > Decrypt the content using embedded crypto provider. [2013/08/19 19:19: UTC][05776][VINFO][SoftwareCryptoBase::preDecryptProcess] > First 2 byte of cipher text 0x[00] 0x[0A] [2013/08/19 19:19: UTC][05776][DATA ][SoftwareCryptoBase::custom_aes128cbc_key_derive] > Block size for aes is [16] [2013/08/19 19:19: UTC][05776][DATA ][vasco::cryptoengine::decryptwithembeddedprovider] > Data is decrypted using embedded crypto provider. [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > *** Digipass Details *** [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Serial No. : [ ] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Domin : [master] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Org Unit : [] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > LDAP DN : [] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Backup VDP Enabled : [No] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Grace Period Expiry : [2013/08/19] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Backup VDP Expiry : [] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > Backup VDP Uses Left: [] [2013/08/19 19:19: UTC][05776][DATA ][Digipass::traceDetails] > ************************ [2013/08/19 19:19: UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache [2013/08/19 19:19: UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data [2013/08/19 19:19: UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache [2013/08/19 19:19: UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data [2013/08/19 19:19: UTC][05776][INFO ][DigipassAppl::verifyPlainTextOTPCombined] > Combined parameters. [2013/08/19 19:19: UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache [2013/08/19 19:19: UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data [2013/08/19 19:19: UTC][05776][MAJOR][DigipassAppl::verifyPlainTextOTPCombined] > Password length too short [2013/08/19 19:19: UTC][05776][INFO ][Digipass::verifyResponse] > Serial Application APPLI 1 OTP Incorrect - Password length too short We get a respose too small error because we did not give the PIN. [2013/08/19 19:19: UTC][05776][INFO ][Digipass::verifyResponse] > Failed to verify response for serial number application APPLI 1 [2013/08/19 19:19: UTC][05776][INFO ][DigipassList::verifyResponse] > Response verification has failed for digipass [2013/08/19 19:19: UTC][05776][DEBUG][LocalAuthenticationChecks::doResponseChecking] > There was no definite One Time Password in the credentials [2013/08/19 19:19: UTC][05776][DEBUG][LocalAuthenticationChecks::doResponseChecking] > One or more DIGIPASS are outside of grace period [2013/08/19 19:19: UTC][05776][DATA ][CryptoKeyLoader::getKeyData] > key [SSMINSTALLSTORAGEKEY] found in the cache [2013/08/19 19:19: UTC][05776][INFO ][CryptoKeyDataFactory::createSSMStorageDataKey] > SSM Storage Crypto Key Data [2013/08/19 19:19: UTC][05776][VINFO][LocalAuthenticationChecks::isAnyTriggerPassword] > A challenge request method is 'password', but no DIGIPASS of the correct type was found [2013/08/19 19:19: UTC][05776][VINFO][LocalAuthenticationChecks::doResponseChecking] > Set localauthstate to [Definite Fail] [2013/08/19 19:19: UTC][05776][ALERT][LocalAuthenticationChecks::verifyStaticPassword] > Incorrect static password [2013/08/19 19:19: UTC][05776][INFO ][LocalAuthenticationChecks::verifyStaticPassword] > Password failed verification with stored password [2013/08/19 19:19: UTC][05776][INFO ][AuthenticateRequest::dbUpdate] > Fast authentication is <false> [2013/08/19 19:19: UTC][05776][INFO ][DigipassList::update] > Updating 1 digipasses. [2013/08/19 19:19: UTC][05776][VINFO][AuthenticateRequest::dbUpdate] > User's lock count is now [3] [2013/08/19 19:19: UTC][05776][ALERT][AuthenticateRequest::dbUpdate] > User's account is now locked! Account is now locked due to too maily failed attempts [2013/08/19 19:19: UTC][05776][DEBUG][ODBCConnection::TransactionStart] > Starting transaction [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "UPDATE vdsuser SET vdslockcount =?, vdslocked =?, vdsmodifytime =? WHERE (vdsdomain =?) AND (vdsuserid =?)" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindInteger] > Bound parameter 1 to integer 0 [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindInteger] > Bound parameter 2 to integer 1 [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindTimeStamp] > Bound parameter 3 to timestamp Mon Aug 19 19:19: [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 4 to string "master" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 5 to string "user" [2013/08/19 19:19: UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1 [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::PrepareSQL] > Prepared SQL statement "SELECT vdsdomain, vdsuserid, vdsorgunit, vdsusername, vdsdescription, vdsphone, vdsmobile, vds , vdsstaticpwd, vdslinkuserdomain, vdslinkuserid, vdslocalauth, vdsbackendauth, vdslockcount, vdslocked, vdsdisabled, vdsadminprivileges, vdsofflineauthenabled, vdslastpwdsettime, vdsstaticpwdhistory, vdskeyid, vdscreatetime, vdsmodifytime, vdslastauthtime, vdsexpirationtime FROM vdsuser WHERE (vdsdomain =?) AND (vdsuserid =?) ORDER BY vdsdomain, vdsuserid, vdsorgunit" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 1 to string "master" [2013/08/19 19:19: UTC][05776][DATA ][ODBCStatement::BindString] > Bound parameter 2 to string "user" [2013/08/19 19:19: UTC][05776][DATA ][ODBCResultSet::GetRowCount] > Returned row-count 1 [2013/08/19 19:19: UTC][05776][DEBUG][ODBCConnection::TransactionCommit] > Committed transaction [2013/08/19 19:19: UTC][05776][INFO ][AuthenticateRequest::generateResponse] > Set status code [1012], message [The One Time Password failed validation] [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Warning} {Authentication} {W } {A DIGIPASS User Account has become locked.} {0x2F34EFCA518DE78F1B1E629A2CB2C9F4} [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Source Location: , User ID:user, Domain:master, Client Location: , Client Type:RADIUS Client} [2013/08/19 19:19: UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated [2013/08/19 19:19: UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released [2013/08/19 19:19: UTC][05776][MAJOR][alert_record] > plugin not initialized [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Failure} {Authentication} {F } {User authentication failed.} {0xA72E591E609AB4B0CF D6618B} [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Source Location: , Policy ID:Identikey Local Authentication, User ID:user, Domain:master, Input Details: {User ID : user@master} {Password : ********} {Raw User ID : 0x D } {Password Format : 0} {Protocol ID : RADIUS} {Protocol Specific Data : 0xC0A81101E7CA }, Output Details: {Status Message : The One Time Password failed validation} {Auxiliary Message : {Error Code: '(1012)' ; Error Message: 'Password length too short'} {Error Code: '(1012)' ; Error Message: 'Serial Application APPLI 1 OTP Incorrect - Password length too short'} {Error Code: '(1011)' ; Error Message: 'Incorrect static password'}} {Notification that a user has a token assigned : ********}, Local Authentication:yes, Back-End Authentication:None, Reason:The One Time Password failed validation, Client Location: , Client Type:RADIUS Client} [2013/08/19 19:19: UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated Page 6 of 7

7 [2013/08/19 19:19: UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released [2013/08/19 19:19: UTC][05776][MAJOR][alert_record] > plugin not initialized [2013/08/19 19:19: UTC][05776][INFO ][AuthenticateRequest::execute] > User authentication request - exit state [Denied] [2013/08/19 19:19: UTC][05776][MAJOR][AuthenticateUserCommand::execute] > === Error Stack ========================= [2013/08/19 19:19: UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1011> Error message: <Incorrect static password> [2013/08/19 19:19: UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1012> Error message: <Serial Application APPLI 1 OTP Incorrect - Password length too short> [2013/08/19 19:19: UTC][05776][MAJOR][AuthenticateUserCommand::execute] > Error code: <1012> Error message: <Password length too short> [2013/08/19 19:19: UTC][05776][MAJOR][AuthenticateUserCommand::execute] > === End of Error Stack ================== [2013/08/19 19:19: UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > No response found in request cache, generating response packet locally. [2013/08/19 19:19: UTC][05776][VINFO][RADIUSLayer::dispatchCommandTask] > Auth action (based on command results) is: 'ERROR'. [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Info} {RADIUS} {I } {A RADIUS Access-Reject has been issued.} {0xFE7CFBA7C9EB1E3BB4F55695C1E96FE0} [2013/08/19 19:19: UTC][05776][INFO ][adt_record] > Audit: {Client Location: :51943, Source Location: , Request ID:8, Password Protocol:PAP, Output Details:RADIUS Code:1, RADIUS Id:8,, User- Name:user@master, NAS-IP-Address: , NAS-Port:1, NAS-Identifier:Vasco Radius Simulator, User-Password:********, Calling-Station-Id:13080, Reason:Authentication processing error} [2013/08/19 19:19: UTC][05776][VINFO][Distributor::acquireConnection] > Node.Connector allocated [2013/08/19 19:19: UTC][05776][VINFO][Distributor::releaseConnection] > Node.Connector released [2013/08/19 19:19: UTC][05776][MAJOR][alert_record] > plugin not initialized As you can see from the log file, the OTP verification did not succeed. The problem here is the response too small (because we forgot to enter the pin). We also see that the user is not locked. When you have error messages in your full trace file it is always advised to search the KB articles. Problems that are recurrent are often addressed in a KB article. Page 7 of 7

How to enable and read the full trace file for IDENTIKEY Authentication Server 3.1, step by step.

KB 150021 How to enable and read the full trace file for IDENTIKEY Authentication Server 3.1, step by step. Creation date: 27/11/2009 Last Review: 10/12/2012 Revision number: 3 Document type: How To Security