
HP Smartcard NIPRNet Solution for US Government - Troubleshooting error messages when using non-FutureSmart firmware

This document provides information on how to troubleshoot error messages when using the HP Smartcard NIPRNet Solution for US Government on supported HP products using the HP non-FutureSmart firmware.

General troubleshooting tips

Authentication Agent not in Authentication Manager
  • Enable PJL disk access and clear the PJL password.
  • Resend the Authentication Agent, and then restart the printer.
Networking issues
  • Use a ping utility to verify that all server IP addresses can be contacted.
  • Use a name server lookup utility (such as nslookup) to query the domain name system (DNS) to verify that all host names are resolvable to IP addresses.
    If the reverse DNS process is not enabled on the network, use the HP Embedded Web Server (EWS) to disable reverse lookup.
  • Verify the spelling and capitalization of all host and domain names.
    • Verify that the Kerberos realm names are in upper case.
  • Verify that all IP addresses, subnet masks, gateways, and DNS server host names are correct.
  • Use the fully qualified domain name (FQDN) for all settings.
  • Verify that the proper domain name and DNS suffixes are used in the network configuration.
HP Digital Sending Software (HP DSS) conflicts
  • Verify that the HP device is not on an HP DSS server during the initial configuration. If it is, remove it from the server and restart the HP device.
Send to Folder issues
  • During distributed file system (DFS) name resolution issues, a screen prompts for the user's credentials (user name and password).
  • If there is a common Internet file system (CIFS) or Windows server message block (SMB) failure, a screen prompts for the user's credentials (user name and password).
    If this occurs, check the file sharing permissions to verify that the user has rights to the folder share.
  • Do not use additional file naming options for initial configuration and testing.
  • Use fully qualified host names in all paths.
  • Troubleshooting tips:
    • If the FQDN of the share is not resolvable, use the IP address of the server hosting the share.
    • Verify that the path resolves from the command line.
    • If the path information does not auto-fill when sending to the home folder, verify that the home directory LDAP attribute is correctly set.
    • Using the EWS, configure Transport Priority to use DNS or to use DNS only.
    • Configure relevant TCP/IP DNS Suffixes using the EWS.
      Open the EWS, click the Networking tab, select TCP/IP Settings from the left pane, select the Network Identification tab, and then configure the DNS Suffixes.

Troubleshooting general error messages

49.4c error displays when restarting the device.
Cause
Solution
An unsupported firmware version is installed on the printer.
The Smartcard Authentication update was installed on the printer without the correct firmware.
Follow these steps to enable the printer to boot to the Ready state:
  1. Turn the printer off, and then on.
  2. Press the 9 key during the memory test.
  3. After all 3 LEDs are a solid color, release the 9 key and then press and release the 3 key.
  4. Press and release the Start key. The printer should now display “SKIP DISK LOAD”.
  5. Press and release the 6 key.
    The printer should then proceed to display the Ready state.
Smartcard authentication does not work after performing a Secure Storage Erase or Disk Init on the MFP.
Cause
Solution
Performing a Secure Storage Erase or Disk Init erases information that is critical for the Smartcard authentication to work.
The entire Smartcard installation and configuration must be completed again. This includes reinstalling the Smartcard authentication update and performing all of the necessary EWS configuration steps.
MFP authentication is working, but remote features such as Send to email and LDAP lookup are not.
Cause
Solution
The MFP clock is out of sync with the server clock.
Clients and servers must be synced to within 5 minutes of each other. Either configure both the MFP and the KDC server to use the same NTP server, or configure the MFP to use the KDC server as the clock drift correction server.
The DNS lookup zone is not properly configured.
Hostnames must be used for all Kerberos and SSL servers. Verify that the servers listed in the EWS for Kerberos, Send to Folder, and LDAP addressing configuration are listed as hostnames and not IP addresses.
Kerberos Realm names are not listed in upper case.
Check the Kerberos configuration in the EWS and verify that all Realm names specified are listed in upper case.
Error: “No card detected” when using a valid Smartcard.
Cause
Solution
If the Smartcard is valid then the HP Smartcard reader might have failed.
Contact the system administrator to ensure that the card is valid and configured correctly. If the card is valid and configured correctly, then contact HP Support to replace the HP Smartcard NIPRNet Solution.
Error: “Please insert a valid card” when using a valid Smartcard
Cause
Solution
If the Smartcard is valid then the HP Smartcard reader is unable to read the Smartcard.
Contact the system administrator to ensure that the card is valid and configured correctly. If the card is valid and configured correctly, then contact HP Support to replace the HP Smartcard NIPRNet Solution.
The configured device no longer recognizes the Smartcard.
Cause
Solution
An incorrect PIN for the Smartcard has been entered successively three or more times.
After entering an incorrect PIN successively three or more times, the Smartcard is disabled as a security measure. Once a Smartcard is disabled, it must be replaced.

Kerberos troubleshooting

Error: Authentication Failed: Kerberos Server Not Available. Please contact Administrator.
Cause
Solution
The Kerberos server host name was not entered correctly or is not a valid host name.
To determine if the host name is valid, open a Windows command shell and type: ping <kerberoshostname>.
If ping does not find the provided host name, then it is probably incorrect.
The DNS settings for the device are incorrect.
Open a Windows command shell and type: nslookup <kerberoshostname>.
The nslookup command should return the name of the DNS server that resolved the Kerberos host and the IP address of the host.
Type the Kerberos server IP address on the settings page and perform authentication again.
If this is successful, complete the following tasks using the printer’s EWS:
  1. Obtain the IP address of the printer to open the HP EWS.
  2. On the top navigation tabs, click the Networking tab.
  3. In the left navigation pane, click on TCP/IP Settings.
  4. On the TCP/IP Settings page, click the Network Identification tab.
  5. In the DNS Primary text box, type the IP address of the DNS server returned by the nslookup command.
The Kerberos server is powered off or not reachable.
If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.
The host is not a valid Kerberos server.
If the host is a valid Kerberos server, it should accept connections through port 88. Open a Windows command shell and type: telnet <kerberos hostname> 88.
If the telnet command returns “Connecting To <host>. Could not open connection to the host, or port 88: Connect failed”, then the host is not a valid Kerberos server.
If the window becomes blank, then it is accepting connections on port 88. Most likely the device network settings are not correct or the device is not operating correctly.
Error: Authentication Failed: Realm not recognized. Please contact administrator.
OR
Error: Authentication Failed: Kerberos server not available for provided domain. Please contact administrator.
Cause
Solution
The domain field is not correct for the server that is being contacted.
Verify that the domain field is correctly set.
For example, if the host name for the server is “ad1.technical.marketing”, then the realm name is likely “TECHNICAL.MARKETING”.
OR, to see the domain name, follow these steps:
  1. On the Windows desktop, click Start, right-click Computer, and then select Properties.
  2. In the computer name section, copy the value in the Domain field to the Kerberos Default Realm field on the printer.
    note:
    The domain name must be typed in upper case.
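The checks from the two Kerberos entries above (hostname instead of IP address, FQDN, upper-case realm, forward and reverse DNS, port 88) can be run together from an administrator workstation. This is an added example, not HP code; the function names `likely_realm`, `lint_settings` and `probe` are hypothetical, and the default host and realm are the page's own example values.

```python
import ipaddress
import socket
import sys


def likely_realm(kdc_fqdn):
    """DNS domain of the KDC host in upper case, the usual realm name."""
    _, _, domain = kdc_fqdn.partition(".")
    return domain.upper()


def lint_settings(kdc_host, realm):
    """Offline checks on the values typed into the EWS Kerberos page."""
    findings = []
    try:
        ipaddress.ip_address(kdc_host)
        findings.append("KDC is an IP address; use a hostname")
    except ValueError:
        if "." not in kdc_host:
            findings.append("KDC hostname is not fully qualified")
        elif realm.upper() != likely_realm(kdc_host):
            findings.append("realm differs from KDC DNS domain " + likely_realm(kdc_host))
    if realm != realm.upper():
        findings.append("realm is not upper case")
    return findings


def probe(host, port=88, timeout=3.0):
    """Live checks: forward DNS, reverse DNS, TCP connect (88 = Kerberos)."""
    result = {"forward": None, "reverse": None,
              "reverse_matches": False, "port_open": False}
    try:
        result["forward"] = socket.gethostbyname(host)
    except OSError:
        return result  # name does not resolve: nothing else can be tested
    try:
        result["reverse"] = socket.gethostbyaddr(result["forward"])[0]
        result["reverse_matches"] = result["reverse"].lower() == host.lower().rstrip(".")
    except OSError:
        pass  # no reverse (PTR) record for this address
    try:
        with socket.create_connection((result["forward"], port), timeout=timeout):
            result["port_open"] = True
    except OSError:
        pass  # refused, filtered or timed out
    return result


if __name__ == "__main__":
    # Defaults: the page's example host with a wrongly lower-case realm.
    host = sys.argv[1] if len(sys.argv) > 1 else "ad1.technical.marketing"
    realm = sys.argv[2] if len(sys.argv) > 2 else "technical.marketing"
    for finding in lint_settings(host, realm):
        print("CONFIG:", finding)
    if len(sys.argv) > 1:  # only touch the network for a host the operator named
        print("PROBE:", probe(host))
```

Passing `port=636` to `probe` repeats the same forward, reverse and connect checks for an LDAP server that requires SSL.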
Error: Authentication Failed: Device Time not synchronized with server. Set the correct time, then turn the device off and back on.
Cause
Solution
The printer’s clock is offset by more than five minutes from the Kerberos server or KDC.
The Kerberos protocol requires that the device performing authentication is nearly synchronized with the Kerberos server, in order to prevent replay attacks.
On the printer’s control panel use the arrow keys to scroll and touch the following menus, and then touch the control panel keys to change the time.
Administration
Time/Scheduling
Date/Time
After changing the time setting, turn the device off and back on for the change to take effect.
The printer’s Network Time Protocol (NTP) server is reporting a different time from the KDC time.
The printer uses the NTP server to determine if the printer is in a different time zone than the KDC and if the time stamp reported by the printer to the KDC should be adjusted by half hour increments.
Set the NTP server to the KDC. Make sure that the HP printer is configured to synchronize.
Follow these steps to set the NTP server to the hostname of the Kerberos server using the EWS:
  1. Obtain the IP address of the printer to open the HP EWS.
    note:
    For more information on accessing the EWS, refer to the Administrator guide.
  2. Select Date & Time from the left pane.
  3. On the Network Time Server section, make sure to enable the option Automatically synchronize with a Network Time Server, and then click NTS settings.
  4. On the Network Time Server Address section, make sure to type the Kerberos server value in the Network Time Server Address field.
  5. Turn off the printer, and then turn it on to enable the NTP changes.
note:
Most KDC servers host a Network Time Protocol (NTP) service. In order to prevent replay, the Kerberos protocol requires that the device performing authentication is nearly synchronized with the Kerberos server.
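To confirm the second cause above (the printer's NTP server and the KDC disagree), the two time sources can be compared directly against the five-minute tolerance. This is an added example, not HP code; the function names are hypothetical, and the demo uses constructed NTP replies so it runs offline.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01
MAX_SKEW_SECONDS = 5 * 60      # tolerance stated on this page


def parse_transmit_time(packet):
    """Return the transmit timestamp of an NTP server reply as Unix seconds."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    if packet[0] & 0x07 != 4:  # low three bits are the mode; 4 = server
        raise ValueError("not a server reply")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    if seconds == 0:
        raise ValueError("server clock is not set")
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32


def query_ntp(host, timeout=3.0):
    """Send one SNTP client request to host:123 and return its time."""
    request = b"\x23" + 47 * b"\x00"  # LI=0, VN=4, Mode=3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, 123))
        reply, _ = sock.recvfrom(512)
    return parse_transmit_time(reply)


def skew_report(kdc_time, other_time):
    """Compare two clocks (Unix seconds) against the Kerberos tolerance."""
    skew = other_time - kdc_time
    return {"skew_seconds": round(skew, 3),
            "within_tolerance": abs(skew) <= MAX_SKEW_SECONDS}


def build_sample_reply(unix_time):
    """Constructed NTP server reply carrying unix_time (demo and tests only)."""
    header = b"\x24" + 39 * b"\x00"  # LI=0, VN=4, Mode=4 (server)
    return header + struct.pack("!II", int(unix_time) + NTP_EPOCH_OFFSET, 0)


if __name__ == "__main__":
    # Constructed data: the printer's NTP source runs 412 s ahead of the KDC.
    kdc = parse_transmit_time(build_sample_reply(1700000000))
    ntp = parse_transmit_time(build_sample_reply(1700000412))
    print(skew_report(kdc, ntp))
    # Live use, run back to back from one workstation (hostnames are placeholders):
    #   skew_report(query_ntp("<kerberoshostname>"), query_ntp("<ntp hostname>"))
```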
Error: Login Failed, please try again.
Cause
Solution
Incorrect credentials, or the user is unknown on the server to which authentication is occurring.
Verify that the user is authorized and the credentials are correct. Contact your system administrator.

LDAP Troubleshooting

Error: LDAP Bind at Server X Failure: Server down.
Cause
Solution
The server hostname is incorrect or is not a valid hostname.
To determine if the host name is valid, open a command shell and type: ping <LDAP hostname>. If ping cannot find the host, then it is probably not the correct host name.
The DNS settings on the HP printer are incorrect.
Follow these steps to resolve the issue:
  1. Open a command shell and type: nslookup <LDAP hostname>.
    The nslookup command should return the name of the DNS server that resolved the LDAP host and the IP address of the host.
  2. Type the LDAP server IP address on the Settings page and perform authentication again.
    If the issue is resolved, complete the following tasks:
    1. Obtain the IP address of the printer to open the HP EWS.
    2. On the top navigation tabs, click the Networking tab.
    3. In the left navigation pane, click on TCP/IP Settings.
    4. On the TCP/IP Settings dialog, click the Network Identification tab.
    5. In the DNS Primary text box, type the IP address of the DNS server returned by the nslookup command.
The LDAP server is powered off or not reachable.
If the hostname is correct but the ping command fails, the server might be physically powered off or network problems might be preventing you from accessing the server.
Error: LDAP bind at server X failure: local error.
Cause
Solution
A DNS reverse lookup zone for your LDAP server’s IP address is not configured.
To confirm the DNS zone configuration, open a Windows command shell and type nslookup <IP address of host>, and then verify if it returns the correct host name.
  • If the nslookup command returns the correct host name, then the reverse DNS zone is configured correctly.
  • If the nslookup command does not return the correct host name, the DNS administrator must add a reverse lookup zone to resolve the issue.
  • Disable reverse DNS lookups.
Error: LDAP Bind at Server X Failure: SSL bind required.
Cause
Solution
The LDAP server requires an SSL connection.
Change the LDAP port to 636 or 3269, and then set Kerberos over SSL.
Error: LDAP failure retrieving display name.
Cause
Solution
The search root is incorrect.
Verify the search root in the LDAP directory.
For example, if the domain is Technical Marketing.com, then the search root will be one of the following:
DC=Technical,dc=com
or
OU=SiteName
Error: LDAP failure retrieving e-mail address.
Cause
Solution
The attribute used to retrieve the e-mail address is incorrect.
This attribute is often mail, but might be different depending on the LDAP schema. The LDAP database does not have an e-mail address populated for this user. Contact your LDAP administrator to verify this, or use the ldptool.

PKINIT troubleshooting

Error: HP smart card reader not detected. Please connect the HP reader (Part #) to the device, and turn the device off and back on.
Cause
Solution
The Smartcard detection algorithm might have failed.
The connection might be loose.
Perform the following tasks until the issue is resolved:
  1. Check if the Smartcard (HP Smartcard NIPRNet Solution) is firmly connected.
    If the issue is not resolved, go to the next step.
  2. Reboot the HP printer/MFP.
    1. Turn off the printer/MFP.
    2. Check if the Smartcard (HP Smartcard NIPRNet Solution) is connected firmly, and then turn on the printer/MFP.
    If the issue is not resolved, go to the next step.
  3. Check if the Smartcard (HP Smartcard NIPRNet Solution) is faulty.
    Replace the Smartcard with a different Smartcard.
    note:
    If the Smartcard reader (HP Smartcard NIPRNet Solution) is faulty, return the card reader to HP for replacement.
Error: Authentication Failed: CMS verify signed failed: Failed to find issuer with subject ‘X’ for certificate with subject ‘Y’. Please contact the administrator.
Cause
Solution
The issuer certificate of the KDC certificate is not installed on the printer.
Installing the issuer’s certificate on the printer enables the printer to verify that the response from the KDC is valid.
Follow these steps to view the certificates that are installed on the printer:
  • Obtain the IP address of the printer to open the HP EWS, and then select the Settings tab.
  • On the left menu bar, click Kerberos Authentication to display the page.
  • Scroll down to the Kerberos PKINIT Configuration section and click Certificates.
Error: Authentication Failed: KDC issuer certificate with subject 'X' is expired. Please contact the administrator.
Cause
Solution
The issuer certificate of the KDC certificate is installed on the device, but it is no longer valid. Digital certificates are only valid for a specific time period. Once that time period is expired the certificate is no longer valid.
If the certificate has expired, install a new certificate on the device.
Use the EWS to check whether the certificates are installed.
Error: Authentication Failed: User certificate has been revoked.
Cause
Solution
The user is trying to authenticate with an invalid Smartcard.
Try using a different Smartcard (HP Smartcard NIPRNet Solution) for authentication.
Error: Authentication Failed: User certificate is expired.
Cause
Solution
The user is trying to authenticate with an expired Smartcard.
Try using a different Smartcard (HP Smartcard NIPRNet Solution) for authentication.
Error: Authentication Failed: Kerberos Server unable to validate user certificate.
Cause
Solution
The Kerberos server may have an outdated CRL or might be unable to contact the OCSP server for validation.
Work with the IT system administrator who maintains the server to resolve the problem.

E-mail troubleshooting

E-mail Gateway rejected the job because of the addressing information. Job Failed.
Cause
Solution
The issue occurred due to the following cause:
The email address attribute under "Searching the LDAP Database" on the Kerberos settings page is incorrect.
  • The email address attribute is used to set the authenticated user’s from address.
  • The email gateway is trying to verify that the "from" address is valid.
Try changing the e-mail address attribute on the Kerberos page to reflect the correct LDAP attribute.
Error: There are problems with the signature. Click the signature button for details.
Cause
Solution
Using Microsoft Outlook, e-mail sent by the device has an invalid digital signature. Viewing details on the signature shows: "Error: The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid."
The recipient of the e-mail message does not have the intermediate and/or root certificate necessary to validate the client’s e-mail certificate installed on their PC. The device is not appending the intermediate and root certificates in the e-mail message because they have not been installed on the device.
Check the Kerberos page to see if the e-mail signing certificates are installed.
note:
Even if the HP printer/MFP shows the certificates are installed, this does not mean the correct certificates are installed.
To ensure that the correct certificates are installed, check the details for the digital signature in Microsoft Outlook to know which CA issued the user’s e-mail signing certificate:
  1. Click on the signer and then click View Details.
  2. Under Certificate Information check the certificate in Issued By.
    This certificate should be installed on the recipient’s PC.
    note:
    For more information on exporting the E-mail certificate chain to the HP printer/MFP, follow the steps under Configure Send to E-mail.
Error: Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority.
Cause
Solution
Using Microsoft Outlook, e-mail sent by the device has an invalid digital signature and a window with the following message is displayed when the user views details on the signature: "Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority. The signature is invalid because you have either distrusted or not yet chosen to trust the following Certificate Authority: Issued By: <CA Issuer Name>."
The correct E-mail signing certificates have been installed on the HP printer, however, the user has not yet chosen to trust the certificate chain which signed the user's E-mail certificate.
When the user decides to trust the signature, the CA certificate(s) are installed on their PC and future messages will display a valid signature. The recipient of the message needs to decide whether or not to trust the CA that issued your digital certificate.

Useful tools used for troubleshooting

  • LDAP (with username and password account)
    Useful for determining LDAP settings.
  • ADSIEdit
    Useful for determining LDAP settings, especially search roots.
  • ping (-a option)
    Useful for verifying server availability, reverse lookups.
  • Nslookup
    Useful for verifying proper DNS lookups, forward and reverse zones.
  • Telnet (port 25)
    Useful for verifying mail gateway availability.
  • Kerberos List or klist
    Useful for listing Windows client Kerberos tickets.
  • Kerberos Tray or kerbtray
    Useful for graphically displaying Windows client Kerberos tickets.
  • HP Clone Tool in Microsoft Excel
    Useful for cloning device Smart Card settings (not JDI).
  • Kerberos Information Script
    Useful VB Script for gathering Kerberos and network information.