HP SmartCard SIPRNet and NIPRNet Solutions for U.S Government - Troubleshooting error messages when using HP FutureSmart firmware

Error:

Javascript is disabled in this browser. This page requires Javascript. Modify your browser's settings to allow Javascript to execute. See your browser's documentation for specific instructions.

hp-support-head-portlet

Actions

Welcome to HP Customer Support

hp-contact-secondary-navigation-portlet

Actions

hp-hero-support-search

Actions

Examples: "LaserJet Pro P1102 paper jam", "EliteBook 840 G3 bios update"

hp-share-print-widget-portlet

Actions

Information

Information regarding recent vulnerabilities
HP is aware of the recent vulnerabilities commonly referred to as "Spectre" and "Meltdown". HP has published a security bulletin with patches for these issues and a list of impacted systems. We will continue to update the bulletin as more information becomes available and encourage customers to check the bulletin frequently.

hp-concentra-wrapper-portlet

Actions

HP SmartCard SIPRNet and NIPRNet Solutions for U.S Government - Troubleshooting error messages when using HP FutureSmart firmware

This document provides solutions to issues when using the HP SmartCard SIPRNet or NIPRNet Solutions for U.S Government on HP products using FutureSmart firmware version.

General troubleshooting tips

Networking issues

Use a ping utility to verify that all server IP addresses can be contacted.
Use a name server lookup utility (such as nslookup) to query the domain name system (DNS) to verify that all host names are resolvable to IP addresses.

If the reverse DNS process is not enabled on the network, use the HP Embedded Web Server (EWS) to disable reverse lookup.
Verify the spelling and capitalization of all host and domain names.
Verify that all IP addresses, subnet masks, gateways, and DNS server host names are correct.
Use the fully qualified domain name (FQDN) for all settings.
Verify that the proper domain name and DNS suffixes are used in the network configuration.

HP Digital Sending Software (HP DSS) conflicts

Verify that the HP printer/ MFP is not on an HP DSS server during the initial configuration. If it is, remove it from the server and restart the HP printer/ MFP.

Send to Folder issues

During distributed file system (DFS) name resolution issues, a screen prompts for the user's credentials (user name and password).
If there is a common Internet file system (CIFS) or Windows server message block (SMB) failure, a screen prompts for the user's credentials (user name and password).

If this occurs, check the file sharing permissions to verify that the user has rights to the folder share.
Do not use additional file naming options for initial configuration and testing.
Use fully qualified host names in all paths.
Troubleshooting tips:
- If the FQDN of the share is not resolvable, use the IP address of the server hosting the share.
- Verify that the path resolves from the command line.
- If the path information does not auto-fill when sending to the home folder, verify that the home directory LDAP attribute is correctly set.

Kerberos troubleshooting

Error: Authentication Failed: Kerberos Server Not Available. Please Contact Administrator.

Cause	Solution
The DNS settings for the HP printer/ MFP are incorrect.	Open a Windows command shell and type: nslookup <kerberoshostname>. The nslookup command should return the name of the DNS server that resolved the kerberos host and the IP address of the host. If the issue is resolved, complete the following tasks: Obtain the IP address of the printer to open the HP EWS. On the top navigation tabs, click the Networking tab. In the left navigation pane, click on TCP/IP Settings. On the TCP/IP Settings dialog, click the Network Identification tab. In the DNS Primary text box, type the IP address of the DNS server returned by the nslookup command.

Cause

Solution

The DNS settings for the HP printer/ MFP are incorrect.

Open a Windows command shell and type: nslookup <kerberoshostname>.

The nslookup command should return the name of the DNS server that resolved the kerberos host and the IP address of the host.

If the issue is resolved, complete the following tasks:

Obtain the IP address of the printer to open the HP EWS.
On the top navigation tabs, click the Networking tab.
In the left navigation pane, click on TCP/IP Settings.
On the TCP/IP Settings dialog, click the Network Identification tab.
In the DNS Primary text box, type the IP address of the DNS server returned by the nslookup command.

Error: Authentication Failed: Realm not recognized. Please contact administrator.

Error: Authentication Failed: Kerberos server not available for provided domain. Please contact administrator.

Cause	Solution
The domain field is not correct for the server that is being contacted.	Verify that the domain controller is valid and that the server fully qualified domain name is correct.

Error: Authentication Failed: Device Time not synchronized with server. Set the correct time, then turn the device off and back on.

Cause	Solution
The HP printer/ MFP clock is offset by more than 5 minutes from the Kerberos server.	Set the NTP server to the same hostname as the Kerberos server, and make sure that the HP printer/ MFP is configured to synchronize. note: Most Key Distribution Centers (KDC) servers host a Network Time Protocol (NTP) service. In order to prevent replay, the Kerberos protocol requires that the device performing authentication is nearly synchronized with the Kerberos server.

Error: Login Failed, please try again.

Cause	Solution
Incorrect credentials, or the user is unknown on the server to which authentication is occurring	Verify that the user credentials are correct.

LDAP Troubleshooting

Error: LDAP Bind at Server X Failure: Server down.

Cause	Solution
The server hostname is incorrect or is not a valid hostname.	To determine if the host name is valid, open a command shell and type: ping <LDAP hostname>. If ping cannot find the host, then it is probably not the correct host name.
The DNS settings on the HP printer/ MFP are incorrect.	Open a Windows command shell and type: nslookup <kerberoshostname>. The nslookup command should return the name of the DNS server that resolved the kerberos host and the IP address of the host. If the issue is resolved, complete the following tasks: Obtain the IP address of the printer to open the HP EWS. On the top navigation tabs, click the Networking tab. In the left navigation pane, click on TCP/IP Settings. On the TCP/IP Settings dialog, click the Network Identification tab. In the DNS Primary text box, type the IP address of the DNS server returned by the nslookup command.

Error: LDAP bind at server X failure: local error.

Cause	Solution
A DNS reverse lookup zone for your LDAP server’s IP address is not configured.	To confirm the DNS zone configuration, open a Windows command shell and type nslookup <IP address of host>, and then verify if it returns the correct host name. If the nslookup command returns the correct host name, then the reverse DNS zone is configured correctly. If the nslookup command does not return the correct host name, the DNS administrator must add a reverse lookup zone to resolve the issue.

Cause

Solution

A DNS reverse lookup zone for your LDAP server’s IP address is not configured.

To confirm the DNS zone configuration, open a Windows command shell and type nslookup <IP address of host>, and then verify if it returns the correct host name.

If the nslookup command returns the correct host name, then the reverse DNS zone is configured correctly.
If the nslookup command does not return the correct host name, the DNS administrator must add a reverse lookup zone to resolve the issue.

Error: LDAP Bind at Server X Failure: SSL bind required.

Cause	Solution
The LDAP server requires an SSL connection.	Change the LDAP port to 636, and set Kerberbos over SSL Verify that the Enable SSL check box is selected under the Smart Card configuration.

Error: LDAP failure retrieving display name. Result code: “Fail”

Cause	Solution
The search root is incorrect.	Verify the search root in the LDAP directory. For example if the domain is Technical Marketing.com, then the search root will be one of the following: DC=Technical,dc=com or OU=SiteName

Error: LDAP failure retrieving e-mail address.

Cause	Solution
The attribute used to retrieve the e-mail address is incorrect.	This attribute is often mail, but might be different depending on the LDAP schema. The LDAP database does not have an e-mail address populated for this user. Contact your LDAP administrator to verify this, or use the ldp tool.

PKINIT troubleshooting

Error: HP Smartcard reader not detected. Please connect the HP <<Smartcard reader name>> to the device, and turn the device off and back on.

Cause	Solution
The HP SmartCard NIPRNet or SIPRNet Solution detection algorithim might have failed.	Perform the following tasks until the issue is resolved: Check if the HP SmartCard NIPRNet or SIPRNet Solution is firmly connected. If the issue is not resolved, go to the next step. Reboot the HP printer/ MFP. Turn off the printer/ MFP. Check if the HP SmartCard NIPRNet or SIPRNet Solution is connected firmly, and then turn on the printer/ MFP. If the issue is not resolved, go to the next step. Check if the HP SmartCard NIPRNet or SIPRNet Solution is faulty. Replace the HP SmartCard NIPRNet or SIPRNet Solution with a different Smart Card reader. note: If the HP SmartCard NIPRNet or SIPRNet Solution is faulty, return the reader to HP for replacement.

Cause

Solution

The HP SmartCard NIPRNet or SIPRNet Solution detection algorithim might have failed.

Perform the following tasks until the issue is resolved:

Check if the HP SmartCard NIPRNet or SIPRNet Solution is firmly connected.

If the issue is not resolved, go to the next step.
Reboot the HP printer/ MFP.
1. Turn off the printer/ MFP.
2. Check if the HP SmartCard NIPRNet or SIPRNet Solution is connected firmly, and then turn on the printer/ MFP.
If the issue is not resolved, go to the next step.
Check if the HP SmartCard NIPRNet or SIPRNet Solution is faulty.

Replace the HP SmartCard NIPRNet or SIPRNet Solution with a different Smart Card reader.

note:

If the HP SmartCard NIPRNet or SIPRNet Solution is faulty, return the reader to HP for replacement.

Error: Authentication Failed: CMS verify signed failed: Failed to find issuer with subject ‘X’ for certificate with subject ‘Y’. Please contact the administrator.

Cause	Solution
The issuer certificate of the KDC certificate is not installed on the HP printer/ MFP.	Installing the issuer’s certificate on the HP printer/ MFP enables the HP printer/ MFP to verify that the response from the KDC is valid. Complete the following tasks to view the certificates that are installed on the HP printer/ MFP: Obtain the IP address of the printer to open the HP EWS. On the top navigation tabs, click the Security tab. In the left navigation pane, click on Certificate Management. Scroll down to the CA Certificates section and select the correct file.

Cause

Solution

The issuer certificate of the KDC certificate is not installed on the HP printer/ MFP.

Installing the issuer’s certificate on the HP printer/ MFP enables the HP printer/ MFP to verify that the response from the KDC is valid.

Complete the following tasks to view the certificates that are installed on the HP printer/ MFP:

Obtain the IP address of the printer to open the HP EWS.
On the top navigation tabs, click the Security tab.
In the left navigation pane, click on Certificate Management.
Scroll down to the CA Certificates section and select the correct file.

Error: Authentication Failed: KDC issuer certificate with subject 'X' is expired. Please contact the administrator.

Cause	Solution
The issuer certificate of the KDC certificate is installed on the HP printer/ MFP, but it is no longer valid. Digital certificates are only valid for a specific time period. Once that time period is expired the certificate is no longer valid.	If the certificate has expired, install a new certificate on the HP printer/ MFP.

Error: Authentication Failed: User certificate has been revoked.

Cause	Solution
The user is trying to authenticate with an invalid Smartcard.	Try using a different Smartcard for authentication.

Error: Authentication Failed: User certificate is expired.

Cause	Solution
The user is trying to authenticate with an expired Smartcard.	Try using a different Smartcard for authentication.

Error: Authentication Failed: Kerberos Server unable to validate user certificate.

Cause	Solution
The Kerberos server may have an outdated CRL or might be unable to contact the OCSP server for validation.	Work with IT personnel maintaining the server to resolve the problem.

E-mail troubleshooting

E-mail Gateway rejected the job because of the addressing information. Job Failed.

Cause	Solution
The issue occurred due to one of the following causes: The email address attribute under "Searching the LDAP Database" on the Kerberos settings page is incorrect. The email address attribute is used to set the authenticated user’s from address. The email gateway is trying to verify that the "from“ address is a valid.	Correct the e-mail address attribute. Try changing the e-mail address attribute on the Kerberos page to reflect the correct LDAP attribute

Error: There are problems with the signature. Click the signature button for details.

Cause	Solution
The e-mail sent by the HP printer/ MFP have an invalid digital signature using Microsoft Outlook. Viewing details on the signature shows: "Error: The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid.“ The recipient of the e-mail message does not have the intermediate and/or root certificate necessary to validate the client’s e-mail certificate installed on their PC. The HP printer/ MFP is not appending the intermediate and root certificates in the e-mail message because they have not been installed on the HP printer/ MFP.	Check the Kerberos page to see if the e-mail signing certificates are installed. note: Even if the HP printer/ MFP shows the certificates are installed, this does not mean the correct certificates are installed. To ensure that the correct certificates are installed, check the details for the digital signature in Microsoft Outlook to know which CA issued the user’s e-mail signing certificate: Click on the signer and then click View Details. Under Certificate Information check the certificate in Issued By. This certificate should be installed on the recipient’s PC. note: For more information on exporting the E-mail certificate chain to the HP printer/ MFP, follow the steps under Configure Send to E-mail.

Cause

Solution

The e-mail sent by the HP printer/ MFP have an invalid digital signature using Microsoft Outlook. Viewing details on the signature shows: "Error: The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid.“

The recipient of the e-mail message does not have the intermediate and/or root certificate necessary to validate the client’s e-mail certificate installed on their PC. The HP printer/ MFP is not appending the intermediate and root certificates in the e-mail message because they have not been installed on the HP printer/ MFP.

Check the Kerberos page to see if the e-mail signing certificates are installed.

note:

Even if the HP printer/ MFP shows the certificates are installed, this does not mean the correct certificates are installed.

To ensure that the correct certificates are installed, check the details for the digital signature in Microsoft Outlook to know which CA issued the user’s e-mail signing certificate:

Click on the signer and then click View Details.
Under Certificate Information check the certificate in Issued By.

This certificate should be installed on the recipient’s PC.

note:

For more information on exporting the E-mail certificate chain to the HP printer/ MFP, follow the steps under Configure Send to E-mail.

Error: Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority.

Cause	Solution
The e-mail sent by the HP printer/ MFP have an invalid digital signature using Microsoft Outlook and a window with the following message is displayed when the user views details on the signature: Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority. The signature is invalid because you have either distrusted or not yet chosen to trust the following Certificate Authority: Issued By: <CA Issuer Name>.The correct E-mail signing certificates have been installed on the HP printer/ MFP, however, the user has not yet chosen to trust the certificate chain which signed the user's E-mail certificate.	The recipient of the message needs to decide whether or not to trust the CA that issued your digital certificate. When the user decides to trust the signature, the CA certificate(s) are installed on their PC and future messages appear to have valid signatures.

Cause

Solution

The e-mail sent by the HP printer/ MFP have an invalid digital signature using Microsoft Outlook and a window with the following message is displayed when the user views details on the signature: Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority.

The signature is invalid because you have either distrusted or not yet chosen to trust the following Certificate Authority: Issued By: <CA Issuer Name>.The correct E-mail signing certificates have been installed on the HP printer/ MFP, however, the user has not yet chosen to trust the certificate chain which signed the user's E-mail certificate.

The recipient of the message needs to decide whether or not to trust the CA that issued your digital certificate.

When the user decides to trust the signature, the CA certificate(s) are installed on their PC and future messages appear to have valid signatures.

Tools used for troubleshooting

The tools used for troubleshooting are the following:

LDAP (with username and password account)

Useful for determining LDAP settings
ADSIEdit

Useful for determining LDAP settings, especially search roots.
ping (-a option)

Useful for verifying server availability, reverse lookups.
Nslookup

Useful for verifying proper DNS lookups, forward and reverse zones
Telnet (port 25)

Useful for verifying mail gateway availability.
KerberosInfoCert2.vbs or exe

Useful VB Script for gathering Kerberos and network info
CertificateChainBuilder.exe or ps1

Useful power shell script that will pull down the certificates needed to be installed in the MFP.

hp-feedback-input-portlet

Actions

hp-online-communities-portlet

Actions

Ask the community!

Support Forum

Join the conversation! Find Solutions, ask questions, and share advice with other HP product owners. Visit now

hp-feedback-banner-portlet

Actions

hp-country-locator-portlet

Actions

Country/Region: Flag

Latvia

hp-detect-load-my-device-portlet

Actions