Troubleshooting Steps: Online Client & Reader End Users

weepingwaterpickSecurity

Feb 23, 2014


The purpose of this guide is to provide DigitalPersona Online providers and partners with sufficient technical information to quickly address some of the most common issues encountered by DigitalPersona Online Client end users.

Below is a high level overview of the DigitalPersona Online Client and its communication path with the authentication server. It is important to understand how the software works in order to troubleshoot.

[Diagram: client machine running the Biometric Authentication Service / DigitalPersona Authentication Service, communicating through the Firewall with the authentication server.]

How It Works (non RDP or Citrix)

Assuming the Online Client is installed and the browser has ActiveX enabled, the behavior is as follows:

1.) A reader is plugged into the client machine (this can be a built-in reader or an external reader).

2.) A driver is loaded by Windows.

3.) The Biometric Authentication Service is notified of the device connection.

4.) The Online Client control waits for a fingerprint event.

5.) The user presses his/her finger.

6.) A finger event is passed from the Biometric Authentication Service to the Online Client control.

7.) The Online Client control fires a JavaScript notification to relay to the browser that a finger was captured.

8.) The web page submits information to the Authentication Service for enrollment, verification, or update purposes (adding/removing a registered print).


How It Works for RDP

Assuming the Online Client software is installed on both the client machine and the terminal server or remote desktop:

1.) A reader is plugged into the client machine.

2.) A driver is loaded by Windows.

3.) The Biometric Authentication Service is notified of the device connection.

4.) The Biometric Authentication Service notifies DPTSClnt.dll (the plugin loaded by mstsc.exe) of the device connection and any other fingerprint related events, such as a capture.

5.) DPTSClnt.dll sends device connection and capture information to the Biometric Authentication Service (BAS) residing on the terminal server (over a virtual channel).

6.) The server side BAS sends the connection and capture related data to the Online Client control in the browser.

7.) The Online Client control fires a JavaScript notification to relay to the browser that a finger was captured.

8.) The web page submits information to the Authentication Service for enrollment, verification, or update purposes (adding/removing a registered print).






How It Works for Citrix

Virtually the same as for RDP, except the fingerprint data is passed to DPICACnt.dll instead of DPTSClnt.dll. DPICACnt.dll is the DP Citrix plugin and should be located under the “%programfiles%\Citrix\ICA Client\” folder. WARNING: If Citrix is updated, the admin must re-register the component: “regsvr32 DPICACnt.dll”.


Initial Troubleshooting Steps:

1.) Confirm the biometric device and software are configured correctly.

a. The fingerprint reader light should be glowing and respond to finger touches (flash).

b. Online Client 4.x or 5.x should be listed in the Programs & Features list in the Control Panel or in Add/Remove Programs.

c. Biometric Authentication Service (client 4.x) or DigitalPersona Authentication Service (client 5.x) should be running and set to “automatic”. Confirm this by going to Control Panel->Administrative Tools->Services.

d. Visit https://onlinedemo.digitalpersona.com and click the checkbox to register a print. Typically, if the ActiveX component of the Online Client software is blocked, this demo site will relay such information.

2.) Confirm IE settings are configured correctly:

a. Usually the default IE settings are sufficient. Revert all settings back to default in the IE->Options->Advanced Options window. The user should get a pop-up when visiting the site (either at the top or the bottom of the browser) asking if they want to allow the ActiveX to run. Make sure they click “Allow”. If no pop-up appears, make sure the ActiveX filtering option is unchecked under IE->Safety->ActiveX filter.

b. Rule out any issue with a proxy server. Verify that IE->Options->Internet Options->LAN Configuration->Proxy Server is unchecked.

c. For Online Client 4.4 with IE 10 and later, verify the login page is not running under Protected Mode. You can do this by simply clicking File->Properties in the browser. Online Client 5.5 will work with Protected Mode enabled.

3.) Confirm incompatible software is not loaded on the system.

a. For HP laptops check for software called “HP Protect Tools”. If found, remove it and any of its dependent software packages, typically: HP Protect Tools, HP Password Manager, Privacy Manager for Protect Tools, Face Recognition for HP ProtectTools, File Sanitizer for HP ProtectTools, Drive Encryption for HP ProtectTools, Theft Recovery. Re-install the Online Client software after the system is appropriately cleaned of HP Protect Tools.

b. For Dell laptops check for other “DigitalPersona” named software (other than “DigitalPersona Pro”) in your Programs and Features listing or Add/Remove Programs listing. Remove it before installing the Online Client.

c. If installing the Online Client alongside Pro Workstation or Pro Enterprise Workstation, they must share the same major version number. E.g. Pro Workstation 4.x is compatible with Online Client 4.x.

d. If Pro Workstation or Pro Enterprise Workstation is installed alongside the Online Client, be sure the below registry entries and corresponding policies are set via GPO:

1. AllowFPRedirect=1

2. ForceAuthOnServer=1

3. ForbidFPCompression=1

These are found in the registry under HKLM\Software\DigitalPersona\Policies or HKLM\Software\Wow6432Node\DigitalPersona\Policies.
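As an added example (not part of the original guide), the following read-only PowerShell script checks steps 1c and 3d above on the client machine: the authentication service state and startup type, and the three policy values in both registry locations. It assumes the service name is “dphost” (the name used by the “net stop dphost” instruction in the tracing section) for both client 4.x and 5.x.

```powershell
# Added example, not DigitalPersona's code. Run in an elevated PowerShell prompt.
$serviceName = 'dphost'   # assumption: service name behind "net stop dphost"
$policyPaths = @(
    'HKLM:\SOFTWARE\DigitalPersona\Policies',
    'HKLM:\SOFTWARE\Wow6432Node\DigitalPersona\Policies'
)
# Step 3d: required values when Pro Workstation is installed alongside Online Client.
$requiredPolicies = @{
    AllowFPRedirect     = 1
    ForceAuthOnServer   = 1
    ForbidFPCompression = 1
}

# Step 1c: the authentication service must be running and set to Automatic.
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "FAIL service '$serviceName' not found (is the Online Client installed?)"
} else {
    # Get-Service does not expose the startup type on older PowerShell; WMI does.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$serviceName'").StartMode
    $state = if ($svc.Status -eq 'Running' -and $startMode -eq 'Auto') { 'OK  ' } else { 'FAIL' }
    Write-Output "$state service '$serviceName': Status=$($svc.Status) StartMode=$startMode"
}

# Step 3d: each policy value must equal 1 under at least one of the two keys.
foreach ($name in $requiredPolicies.Keys) {
    $found = $false
    foreach ($path in $policyPaths) {
        if (-not (Test-Path $path)) { continue }
        $value = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        if ($value -eq $requiredPolicies[$name]) {
            $found = $true
            Write-Output "OK   $path\$name = $value"
        }
    }
    if (-not $found) {
        Write-Output "FAIL $name is not set to $($requiredPolicies[$name]) under either Policies key"
    }
}
```

Every FAIL line maps to one of the numbered steps above, so the output can be pasted into a support ticket as the result of the initial checks.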


Specific Troubleshooting Steps:

For “Service Unavailable”

Possible causes (ranked by prevalence):

1.) Server Certificate Revocation check is failing. Try unchecking this option in the IE->Tools->Advanced Settings dialog, just as a test, and restart IE. If the login site starts working, then there is an issue in the client computer’s configuration in accessing the Certificate Authority’s revocation server.

2.) Incorrect setting inside IE 8/9/10/11. Try restoring settings to default for Internet and Trusted Sites. If that doesn’t work, also reset the advanced options back to default, which resets all IE settings back to the default configuration (this is important, as some users could have ActiveX filtering enabled in the browser). This typically resolves issues with the ActiveX loading (the user should be prompted to Allow to Run for All Sites) after settings are restored.

3.) HP Protect Tools or a Dell security suite resides on the laptop. (This must be uninstalled and then the Online Client re-installed.) See the “Confirm incompatible software” section above.

4.) Certificate warning or error message in the URL bar. The certificate trust chain for the LendingTools authentication server or your application server is broken on the client machine. Keep in mind that while a user can dismiss or “continue” to use unvalidated sites over HTTPS, a service cannot. So if there is any indication that the certificates cannot be validated by Windows (sometimes there will be a notification in the URL bar of Internet Explorer), this must be resolved before the Online Client can communicate with the servers. This can also be related to issue number one if “Server Certificate Revocation Check” is enabled.

5.) IE is set to use a proxy server. Disable “use proxy” in the LAN settings of IE.

6.) IE is running in Protected Mode (for IE 10 or later) or in 64-bit mode, which is a no-no. Customers can run Task Manager and verify they see “iexplore.exe*32” to confirm the process is running as x86. IT can launch iexplore.exe from Program Files (x86) to ensure tests are done with a supported browser. For Windows 8 the user must click File->Properties to see if the page is opened under Protected Mode. This should not be an issue for the Online Client 5.x, which now contains an x64 ActiveX plugin.

7.) Firewall is blocking traffic to biometric.lendingtools.com:443.

8.) Anti-virus (temporarily disable if the above checks did not help).

9.) No Online Client installed.

10.) If all the above fails, try the demo site at https://onlinedemo.digitalpersona.com/ to see whether you get the “Service Unavailable” message when selecting the checkbox to register a print. This helps to confirm the Online Client is installed and the device is functioning correctly. If the demo site doesn’t show any error messages when clicking the “Click to enroll” checkbox, then you have confirmed the issue is related to the network configuration or IE security settings. Please review and ensure all above steps were checked.

11.) If https://onlinedemo.digitalpersona.com yields error 0, then try to re-register the ActiveX dll by running the command “regsvr32 C:\program files(x86)\DigitalPersona\bin\dponlineclient.dll” as Admin. For Online Client 5.5 be sure to run the command for both the 32-bit and 64-bit files:

“regsvr32 C:\program files(x86)\DigitalPersona\bin\dponlineclient.dll”

“regsvr32 C:\program files\DigitalPersona\bin\dponlineclient.dll”
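As an added example (not part of the original guide), this PowerShell script tests causes 1, 4 and 7 from the client machine in the way a service would see them: a TCP connection to biometric.lendingtools.com:443 (the host named in cause 7), then a TLS handshake, then a certificate chain build with online revocation checking so that a broken trust chain or an unreachable CRL/OCSP server shows up as a named chain status. It reports only and changes nothing.

```powershell
# Added example, not DigitalPersona's code. Host and port come from cause 7 above.
$server = 'biometric.lendingtools.com'
$port   = 443

# Cause 7: can the client even reach the server through the firewall/proxy?
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($server, $port)
    Write-Output "OK   TCP connection to ${server}:$port"
} catch {
    Write-Output "FAIL cannot reach ${server}:$port ($($_.Exception.Message)) - check firewall/proxy"
    return
}

# The validation callback records the server certificate and the policy errors
# instead of aborting the handshake, so we can explain the failure afterwards.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($src, $cert, $certChain, $errors)
    $script:remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
    $script:sslErrors  = $errors
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($server)
    Write-Output "OK   TLS handshake completed, SslPolicyErrors=$script:sslErrors"
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Causes 4 and 1: build the chain with revocation checking forced on, the strict
# mode a background service uses (a user clicking "continue" is not available to it).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
if ($chain.Build($remoteCert)) {
    Write-Output "OK   certificate chain valid for $($remoteCert.Subject)"
} else {
    foreach ($s in $chain.ChainStatus) {
        # e.g. RevocationStatusUnknown / OfflineRevocation points at cause 1,
        # UntrustedRoot / PartialChain points at cause 4.
        Write-Output "FAIL chain: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```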

No Error Message But Not Working

1.) Review the above “Initial Troubleshooting Steps”.

2.) Confirm the Biometric Authentication Service is running.
RDP Is Not Working

1.) Reinstall the Online Client on both the client machine and the server machine.

2.) If using Online Client 4.x, verify the client machine is x86. If the machine is x64, then you will have to take the below steps:

a. Change ownership of the mstsc.exe file in System32 (the 64-bit version).

b. Rename the file to something else.

c. Update the user’s RDP shortcut to point to \Windows\SysWow64\mstsc.exe.

d. Launch the RDP client and confirm it is running as x86: look for “mstsc.exe*32” in the Task Manager.

3.) Confirm the policies are correct, see “How It Works for RDP”.

Citrix Is Not Working

1.) Read the sections “How It Works for RDP” and “How It Works for Citrix”.

2.) Confirm end users do not have USB redirection enabled in their Citrix configuration.

3.) Confirm the end user has not selected the biometric device for redirection in the Citrix UI. This sounds counter-intuitive but is absolutely necessary. The fingerprint reader(s) have to be redirected through the DigitalPersona Citrix plugin and not through the standard Citrix brute-force USB redirection.


If the issue remains unapparent, then grab trace files from the client machine and send them to DigitalPersona. DigitalPersona can quickly review these and point the support technician in the right direction. To enable traces, simply do the following:

For x86 machines:

1.) Create the registry key: HKLM\Software\DigitalPersona\Tracing

2.) Create a DWORD value under the above key:

Name: “DPTrace”
Value: “1”

3.) Create a String value:

Name: “TracePath”
Value: “C:\dptrace”

At this point the registry should look similar to the below:

4.) Restart the Biometric Authentication Service (run “net stop dphost” and “net start dphost” at a cmd prompt).

5.) Have the user close all browsers, then launch the browser and immediately reproduce the problem (this may be as simple as going to the login page and pressing the scanner just once).

6.) Zip up the C:\dptrace folder and send it to techsupport@digitalpersona.com

For x64 machines:

Do exactly the same as specified for x86, but additionally create the registry values under HKLM\Software\Wow6432Node\DigitalPersona
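As an added example (not part of the original guide), this PowerShell script performs tracing steps 1 to 4 for both the x86 and the x64 case. It assumes that on x64 the second set of values lives under HKLM\Software\Wow6432Node\DigitalPersona\Tracing (the guide names the parent key only), that the service behind “net stop dphost” is named dphost, and that the C:\dptrace folder must exist before the service can write into it.

```powershell
# Added example, not DigitalPersona's code. Run from an elevated PowerShell prompt.
$tracePath = 'C:\dptrace'                                  # step 3: TracePath value
$keys = @('HKLM:\SOFTWARE\DigitalPersona\Tracing')        # step 1: x86 key
if ([Environment]::Is64BitOperatingSystem) {
    # x64: the guide says to create the same values under the Wow6432Node hive too.
    # Assumption: the subkey is again named "Tracing".
    $keys += 'HKLM:\SOFTWARE\Wow6432Node\DigitalPersona\Tracing'
}

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Step 2: DWORD DPTrace = 1 switches tracing on.
    New-ItemProperty -Path $key -Name 'DPTrace' -PropertyType DWord -Value 1 -Force | Out-Null
    # Step 3: REG_SZ TracePath = folder that receives the trace files.
    New-ItemProperty -Path $key -Name 'TracePath' -PropertyType String -Value $tracePath -Force | Out-Null
    Write-Output "configured $key (DPTrace=1, TracePath=$tracePath)"
}

# Assumption: the service does not create the folder itself, so create it up front.
if (-not (Test-Path $tracePath)) { New-Item -ItemType Directory -Path $tracePath | Out-Null }

# Step 4: restart the Biometric Authentication Service so it picks up the new values
# (equivalent of "net stop dphost" followed by "net start dphost").
Restart-Service -Name 'dphost'
Write-Output "tracing enabled; now reproduce the problem (step 5) and zip $tracePath (step 6)"

# Not in the guide: once support has the files, set DPTrace back to 0 on every key
# above and restart the service again, so the trace folder does not keep growing.
```

Step 6 can then be done with Compress-Archive -Path "$tracePath\*" -DestinationPath "$env:USERPROFILE\Desktop\dptrace.zip" before the archive is sent to techsupport@digitalpersona.com.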