Troubleshooting

The following sections address common questions or issues relating to DigitalPersona software, and how to troubleshoot and resolve them.

‘Internal Server Error’ on the HID DigitalPersona Administration Console

Follow the steps below to resolve a possible Internal Server Error after authenticating with the DigitalPersona Identity Server for access to the Administration Console:

  1. On the machine where the Web Administration component is installed, use Regedit to locate the LDS Port:

    1. Navigate to SOFTWARE\DigitalPersona\LDAP.

    2. Under the ADAM Port, make a note the decimal value.

  2. Open the web.config file, located in:

    C:\Program Files\DigitalPersona\Web Management Components\DP Web Admin\DPAdminAPI\web.config

  3. Make the following changes in the file:

    1. Change the value of ActiveDirectoryContext from 127.0.0.1 to the domain controller Hostname (DNS name) or IP Address.

      Important: Do NOT change the port # in this section.
    2. Locate the node that contains “name = AltusContext” and uncomment the param name and value elements, replacing the value string with the following:

      LDAP://serverHost:port/CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US

      Where port is the port number from step 1 above.

      For example:

      Copy
      <register type="IDirectoryContext" name="AltusContext" mapTo="DirectoryContext">
          <constructor>
              <param name="nameOrConnectionString">
                  <value value="LDAP://127.0.0.1:50000/CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US"/>
              </param>
          </constructor>
      </register>
    3. Locate the node that contains “name = ActiveDirectoryDal” and uncomment the param name and value elements, replacing the value string with the following:

      LDAP://serverHost:port/CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US.

      Where port is the port number from step 1 above.

      For example:

      Copy
      <register type="IUserManagerFactory" mapTo="DigitalPersona.Altus.Administration.Manager.Interop.AltusUserManagerFactory,DigitalPersona.Altus.Administration.Manager.Interop">
          <constructor>
              <param name="connectionString">
                  <value value="LDAP://127.0.0.1:50000/CN={893B81EE-7764-44FF-8561-8377580B9B03},O=DigitalPersona,C=US"/>
              </param>
          </constructor>
      </register>

Resolving Configuration Error during DigitalPersona LDS Installation

Issue

Running the DigitalPersona LDS Configuration Wizard (DPADLDSConfig.exe) results in the following error:

Loading entries: Add error on entry starting on line 11: Operations Error

The server side error is:

0x20d6 No superior reference has been configured for the directory service. The directory service is therefore unable to issue referrals to objects outside this forest.

The extended server error is:

000020D6: SvcErr: DSID-0310081B, problem 5012 (DIR_ERROR), data 0

Resolution

This is an occasional issue whose exact cause has not yet been determined. The following procedure is effective in resolving the issue.

  1. Copy the following folder to the desktop on the server machine.

    ..\DigitalPersona LDS Server\Configuration Wizard

  2. Right-click on the DigitalPersona LDS Configuration Wizard (DPADLDSConfig.exe) from the folder you just created on the desktop and select Run as administrator.

Configure the Ports used by DigitalPersona for Firewall

Issue

The DigitalPersona client console fails to open. This may be due to interrupted communication between the DigitalPersona Server and the client through the firewall due to dynamically assigned ports.

Resolution

DigitalPersona uses Microsoft’s DCOM for calls between our server and clients. By default, DCOM assigns ports dynamically from the TCP port range of 1024 through 65535. You can open all the specified ports, or you can configure the range by using Component Services.

Before following the steps below, you should familiarize yourself with the following topics:

To configure the range of ports used by DigitalPersona:

  1. In the registry on each DigitalPersona Server, navigate to the following key.

    HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\Internet

  2. Under the Internet key, add the values:

    • "Ports" (MULTI_SZ)

    • "PortsInternetAvailable" (REG_SZ)

    • "UseInternetPorts" (REG_SZ)

  3. Set the value of Ports to the range that you want to open for DCOM communication.

  4. Set PortsInternetAvailable to Y.

  5. Set UseInternetPorts to Y.

    For example, the new registry key appears as follows:

    Ports: REG_MULTI_SZ: 5000-6000

    PortsInternetAvailable: REG_SZ: Y

    UseInternetPorts: REG_SZ: Y

  6. Restart the server.

Troubleshoot a Fingerprint Reader Operation

Issue

An officially supported fingerprint reader is not working with a properly installed DigitalPersona client.

Resolution

Troubleshooting steps will vary depending on several factors, as outlined below.

Fingerprint reader Comment

HID DigitalPersona 4500

(previously U.are.U 4500)

Drivers for this fingerprint reader are automatically installed as part of the DigitalPersona Workstation or Kiosk installation.

Once the driver is installed, the device appears in the Device Manager under "Authentication Devices".

If the device is not shown in the Device Manager, re-install the DigitalPersona client package.

The driver can be reinstalled from this directory: C:\Windows\DPDrv.

HID DigitalPersona 5300

(previously U.are.U 5300)

Support for the HID DigitalPersona 5300 external fingerprint reader is technically not from a driver, but rather from a code library enabling DigitalPersona support for this reader.

The library dpfpdd5000.dll is automatically installed as part of the DigitalPersona Workstation or Kiosk installation.

The reader device will be listed in the Device Manager as PC camera with Microsoft shown as the provider.

WBF

Windows Biometric Framework

Any WBF-compatible reader should work with DigitalPersona when running on a Microsoft Windows 8 or later machine.

In some cases, you may have to use Windows Update to download the correct WBF driver for the specific reader, or download it from the vendor’s website.

HID Lumidigm V- and M-series

V521, V371, M321, V311

To support Lumidigm fingerprint readers V- and M-series, the Lumidigm SDK package should be installed on a DigitalPersona client machine running DigitalPersona Workstation or Kiosk.

This SDK package is not a part of the DigitalPersona installation package, and needs to be obtained and installed separately.

Starting with the DigitalPersona 4.1 release, the Lumidigm SDK version 9.5 is being used to communicate with Lumidigm devices.

Older Lumidigm SDK versions 6.x and 7.x are not compatible with DigitalPersona 4.1.

Note: You may have to find and remove conflicting drivers or application software to allow the fingerprint reader to communicate with DigitalPersona. Possible sources of conflict that should be removed include - HP Protect Tools, HP Personal, Dell Personal, DigitalPersona Personal and the Wave Embassy Trust suite.

Resolving Unavailable Server or Domain Issues

Issue

The following two errors may indicate that either DNS cannot resolve the _srv_dpproent records which the client is looking for to resolve and start the process, or the client is unable to contact the DigitalPersona LDS Server.

  • There are currently no logon servers to process the request (0x8007501)

  • An error occurred. We can't sign you in with this credential because your domain isn't available

Resolution

Follow these steps to troubleshoot unavailable server or domain issues.

  1. Ensure that you have a network connection. If not, connect your computer to the network.

  2. Check whether or not DCOM is enabled. If not, enable DCOM on your computer.

    1. Run DCOMCNFG.EXE.

    2. Open the Computers folder and right click the computer where you wish to enable DCOM. Select Properties then Default Properties (third tab on the second row).

    3. Select Enable Distributed COM on this computer. Then click OK.

  3. Ping your DPCA Server. If ping fails, troubleshoot and resolve the network problem.

  4. Temporarily disable the firewall on both the DigitalPersona client and Server. Check whether this solves the connection issue. If it does, configure the firewall, referring to Configure the Ports used by DigitalPersona for Firewall.

  5. Check that the Active Directory Global Catalog (GC) is accessible from your computer. If not resolve the issue. using DCDIAG (Domain Controller Diagnosis) to ensure that the GC is up and available.

  6. Open ADUC and check that the computer object where DPCA Server is installed has a child SCP object for our service. If not, re-install the DPCA Server.

  7. Check that the SCP object has serviceBindingInformation set. If not, restart the DPCA Server computer.

  8. If the above steps do not resolve the issue, call DigitalPersona customer support.

Changing Password Manager Data Storage Limits

Issue

  • For DigitalPersona version 2.1 and later - If you receive the following error message, Cannot save logon due to attribute size limitation. Contact your administrator, then the storage space allotted in Active Directory for storing Password Manager data may have been exceeded.

  • For older versions - When it appears that logon data is not being saved (for instance, if changes are reverting to previously entered information), this may indicate that the Password Manager storage space allotment has been exceeded.

Resolution 1 - Clear dp-Password-Manager-Data rangeUpper value by script

Requirements

  • PowerShell with Active Directory module installed on a domain controller

  • User with Schema Master role assigned

Procedure

  1. Copy 'dpPasswordManagerData_rangeUppe.ps1' to a local directory.

  2. Sign the provided script, or temporarily allow running unsigned scripts using Set-ExecutionPolicy Unrestricted in the PowerShell console.

  3. Right-click the file and select Run in PowerShell.

  4. When prompted to confirm the action, enter Y.

  5. You may run the script again to verify that the value was cleared, or check the value through ADSI Edit.

Note: This script changes only the dp-Password-Manager-Data rangeUpper value. You may also want to change the dp-Password-Manager-Data rangeUpper value using the procedure below.

Resolution 2 - Change Password Manager Data values manually

Requirements

  • User with Schema Master role assigned

  • ADSI Edit (part of the Windows Server Support Tools)

Procedure

  1. Make the following change on the domain controller where your DigitalPersona Server is installed.

  2. Navigate to %Program Files%\Support Tools, and then double-click adsiedit.msc.

  3. Expand the Schema, and then click CN=Schema,CN=Configuration,DC=domain_name,DC=com

  4. In the Details pane, right-click CN=dp-Password-Manager-Data, and then click Properties.

  5. Double-click rangeUpper.

  6. Type a new appropriate upper range for the attribute. If a significant number of logons are being created or modified on a regular basis, you may want to consider doubling the current value.

  7. Click OK.

  8. Repeat steps 4 through 6 with dp-User-Private-Data.

  9. Click OK again.

FIDO2 Token AppIDs

When a FIDO2 Key credential is enrolled through the User Console of the DigitalPersona Workstation, no FIDO2 Token AppID is saved on the DigitalPersona Server.

FIDO2 tokens register their keys (AppIDs) for a specific application, which is usually a URL. FIDO2 clients must verify that the AppID belongs to the requesting application ,and that the keys are issued for the claimed AppID, which is added to the set of the signed data the token creates.

However, it is possible that an application may be represented by a real app on an Android or iOS gadget, in which case the URL does not apply. Also, it may be possible that a Web app uses multiple URLs, or one Relying Part uses multiple apps on different systems, etc. All the above cases are supported by FIDO2 by using the concept of TrustedFacets.

The official description of Trusted Facets can be found here:

https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fido-appid-and-facets-v1.2-ps-20170411.html

In short, AppID can represent a URL from which a JSON – encoded list of trusted URL origins and Android/iOS applications (“FacetIDs”) can be downloaded and used by the client application to verify that the AppID is indeed trusted before passing AppID to the Fido2 Token.

There are quite strict rules as what can be placed in the list of the URLs in the “trustedFacets” which are documented in the link above.

For Android and iOS apps, the “FacetID” is basically constructed by obtaining the signature of the application package. This is out of scope for this documentation, but it seems it can be easily added when we have Android and iOS applications using the same AppID as the web applications.

For other OS’s (i.e. Windows) the document does not specify any scheme, but it mentions that something similar can be used.

Restrictions on the Web FacetIDs within TrustedFacets are the following:

  • Only URLs with matching public DNS suffixes plus one extra label are trusted.

  • A public DNS suffix can be received from the official list at https://publicsuffix.org/list/public_suffix_list.dat.

  • For practical reasons, any subdomain of the company domain may be trusted if we host the AppID JSON file one level below the company domain, such as https://fido.mydomain.com/AppID or https://www.mydomain.com/fido/AppID.

  • HTTPS is mandatory, the path beyond the server address is irrelevant.

The following are examples from the Trusted facets document mentioned above.

Copy

AppID Example 1 - ".com" is a public suffix. "https://www.example.com/appID" is provided as an AppID. The body of the resource at this location contains:

{
  "trustedFacets" : [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
       "https://register.example.com", // VALID, shares "example.com" label
       "https://fido.example.com",     // VALID, shares "example.com" label
       "http://www.example.com",       // DISCARD, scheme is not https:
       "http://www.example-test.com",  // DISCARD, "example-test.com" does not match
       "https://www.example.com:444"   // VALID, port is not significant
    ]
  }]
}

For this policy, "https://www.example.com" and "https://register.example.com" would have access to the keys registered for this AppID, and "https://user1.example.com" would not.

Copy

AppID Example 2 - "hosting.example.com" is a public suffix, operated under "example.com" and used to provide hosted cloud services for many companies. "https://companyA.hosting.example.com/appID" is provided as an AppID. The body of the resource at this location contain:

{
  "trustedFacets" : [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
        "https://register.example.com",              // DISCARD, does not share  "companyA.hosting.example.com" label
        "https://fido.companyA.hosting.example.com", // VALID, shares "companyA.hosting.example.com" label
        "https://xyz.companyA.hosting.example.com",  // VALID, shares "companyA.hosting.example.com" label
        "https://companyB.hosting.example.com"       // DISCARD, "companyB.hosting.example.com" does not match
     ]
  }]
}

For this policy, "https://fido.companyA.hosting.example.com" would have access to the keys registered for this AppID, and "https://register.example.com" and "https://companyB.hosting.example.com" would not as a public-suffix exists between these DNS names and the AppID's.

Note: Be aware that each FIDO2 token may need to be re-enrolled every time the FIDO2 AppId changes. For instance, if you deploy app-id.json into https:\\win-erepv5i4qub.ldsdemo.com\Fido\app-id.json and later decide to move it to another server, you would have two options:
  1. Re-enroll all registered FIDO2 devices.

  2. Create an HTTP redirect:

    From https:\\win-erepv5i4qub.ldsdemo.com\Fido to https:\\newhost.virgo.com\Fido.

    More information on redirects can be found at https://docs.microsoft.com/en-us/iis/configuration/system.webserver/httpredirect/

    Check the FIDO2 specification for guidance on implementing the redirect.

    Excerpt - If the server returns an HTTP redirect (status code 3xx) the server must also send the HTTP header FIDO-AppID-Redirect-Authorized: true and........"

  3. Depending on the installation sequence (that is, a DigitalPersona desktop client and/or the DP Web Management Components), follow the steps in one of the following procedures.

When Web Management Components are installed first or along with a DigitalPersona client

At the end of the Web Management Components Configuration Wizard, a file named app-id.json is created at a location similar to this: https://fido.company-domain-name.com/fido/app-id.json.

The URL is recorded in the DigitalPersona Server store under the name "FidoAppID", and this AppID is used by each web server and desktop client during FIDO2 enrollment and authentication.

The default content of this file is similar to the following, where company-domain-name.com will be replaced with the actual company domain name.

Copy
{
  "trustedFacets" : [{
    "version": { "major": 1, "minor" : 0 },
    "ids": [
        "https://sts.company-domain-name.com",
        "https://webenrollment.company-domain-name.com",
        "dpca:<?AD/LDS domain/installation guid?>"
    ]
  }]
}
Note: Part of the URL "company-domain-name.com" must be the same in all facets within the JSON file and in the URL of the JSON file.

The URL of the JSON file (https://fido.company-domain-name.com/fido/app-id.json) will be used as the AppID. It will be saved on the DigitalPersona Server using the interface WebGetSettingsEx under the name "U2F\AppId", from which any interested party can read it to use with the Fido tokens.

HTTPS call to get the JSON file

Protocol HTTPS
Method GET
URL https://fido.company-domain-name.com/fido/app-id.json
Headers Content-Type: application/fido.trusted-apps+json
Response In case of success, the response code is 200. Otherwise the appropriate code must be returned. If the file is not found, the code is 404. The response body is the content of the file.

When only a DigitalPersona desktop client is installed

If a DigitalPersona desktop client is installed without the Web Management Components, no FIDO2 Token AppID is saved in the DigitalPersona Server store and a default hard-coded AppID is used for all FIDO2 token enrollments. Re-enrollment will be needed if the DigitalPersona Web Management Components are later installed.

Manually adding an AppID value to the server store

You can add an AppID (URL of a future app-id.json file) in the DigitalPersona Server store, and it should work fine even if the actual file is not found at that URL.

  1. Modify Web Management Components Configuration Wizard to do the following:

    1. Update the file "C:\Program Files\DigitalPersona\Web Management Components\DP Web SDK\app-id.json" with the list of configured host names.

      Copy

      Configuration sample - app-id.json in Advanced Configuration

      {
        "trustedFacets": [
          {
            "version": {
              "major": 1,
              "minor": 0
            },
            "ids": [
              "https://webenroll.virgo.com",
              "https://sts.virgo.com"
            ]
          }
        ]
      }
    2. Ensure in the Configuration Wizard that all URLs used for STS and HID DigitalPersona Enrollment share "public DNS suffixes plus one extra label."

    3. Add a FIDO2 application under the Default Web Site and point it to c:\Program Files\DigitalPersona\Web Management Components\DP Web SDK\app-id.json

      Note: The FIDO2 AppId will be <Web Management Components Host>\Fido\app-id.json - (that is, if the Web Components were installed on win-erepv5i4qub.ldsdemo.com) then AppId for both Basic and Advanced configuration will be https:\\win-erepv5i4qub.ldsdemo.com\Fido\app-id.json
    4. Store the FIDO2 AppId into the DigitalPersona server Web*Settings interface under name the name "U2F\AppId".

      You may pass null in the jwt parameter of WebSetSettingsEx if you want DPCA to use the Windows Interactive user token for authentication.

      Copy
      HRESULT WebSetSettingsEx(
          [in] BSTR JWT,            // Caller credentials
          [in] int Type,            // Settings type
          [in] BSTR Settings);    // List of settings to be set
    5. Store the FIDO2 AppId under the U2F\AppId name in the <appSettings> section of the following files:

      c:\Program Files\DigitalPersona\Web Management Components\DP STS\DPPassiveSTS\web.config

      c:\Program Files\DigitalPersona\Web Management Components\DP STS\DPActiveSTS\web.config

      c:\Program Files\DigitalPersona\Web Management Components\DP Web Enroll\DPEnrollment\Web.config

  2. Modify the Enrollment page of the HID DigitalPersona Enrollment app to get the FIDO2 AppId from its U2F\AppId setting on the server.

  3. Modify the Authentication page in the STS web server to get the FIDO2 AppId from the base64url encoded handshake data returned by the Continues authentication call.

  4. Modify the Authentication page in Enrollment to get the FIDO2 AppId from the base64url encoded handshake data returned by Continues authentication call.

  5. Modify the desktop FIDO authentication token to get the Fido2 AppID from the WebGetSettings interface and use it in enrollment and authentication.