This document provides information on how to troubleshoot error messages when using the HP Smartcard NIPRNet Solution for US Government on supported HP products using the HP non-FutureSmart firmware.

Cause: An unsupported firmware version is installed on the printer.
The Smartcard Authentication update was installed on the printer without the correct firmware.
Solution: Follow these steps to enable the printer to boot to the Ready state:

Cause: Performing a Secure Storage Erase or Disk Init erases information that is critical for the Smartcard authentication to work.
Solution: The entire Smartcard installation and configuration must be completed again. This includes reinstalling the Smartcard authentication update and performing all of the necessary EWS configuration steps.

Cause: The MFP clock is out of sync with the server clock.
Solution: Clients and servers must be synced to within 5 minutes of each other. Either configure both the MFP and the KDC server to use the same NTP server, or configure the MFP to use the KDC server as the clock drift correction server.

Cause: The DNS lookup zone is not properly configured.
Solution: Hostnames must be used for all Kerberos and SSL servers. Verify that the servers listed in the EWS for Kerberos, Send to Folder, and LDAP addressing configuration are listed as hostnames and not IP addresses.

Cause: Kerberos Realm names are not listed in upper case.
Solution: Check the Kerberos configuration in the EWS and verify that all Realm names specified are listed in upper case.

Cause: If the Smartcard is valid, then the HP Smartcard reader might have failed.
Solution: Contact the system administrator to ensure that the card is valid and configured correctly. If the card is valid and configured correctly, then contact HP Support to replace the HP Smartcard NIPRNet Solution.

Cause: If the Smartcard is valid, then the HP Smartcard reader is unable to read the Smartcard.
Solution: Contact the system administrator to ensure that the card is valid and configured correctly. If the card is valid and configured correctly, then contact HP Support to replace the HP Smartcard NIPRNet Solution.

Cause: An incorrect PIN for the Smartcard has been entered successively three or more times.
Solution: After an incorrect PIN is entered successively three or more times, the Smartcard is disabled as a security measure. Once a Smartcard is disabled, it must be replaced.

Cause: The Kerberos server host name was not entered correctly or is not a valid host name.
Solution: To determine if the host name is valid, open a Windows command shell and type: ping <kerberoshostname>.
If ping does not find the provided host name, then it is probably incorrect.

Cause: The DNS settings for the device are incorrect.
Solution: Open a Windows command shell and type: nslookup <kerberoshostname>.
The nslookup command should return the name of the DNS server that resolved the Kerberos host and the IP address of the host.
Type the Kerberos server IP address on the settings page and perform authentication again.
If this is successful, complete the following tasks using the printer's EWS:

Cause: The Kerberos server is powered off or not reachable.
Solution: If the hostname is correct but the ping command fails, the server may be physically powered off or network problems may be preventing you from accessing this server.

Cause: The host is not a valid Kerberos server.
Solution: If the host is a valid Kerberos server, it should accept connections through port 88. Open a Windows command shell and type: telnet <kerberos hostname> 88.
If the telnet command returns "Connecting To <host>. Could not open connection to the host, or port 88: Connect failed", then the host is not a valid Kerberos server.
If the window becomes blank, then the host is accepting connections on port 88. Most likely the device network settings are not correct or the device is not operating correctly.

Cause: The domain field is not correct for the server that is being contacted.
Solution: Verify that the domain field is correctly set.
For example, if the host name for the server is "ad1.technical.marketing", then the realm name is likely "TECHNICAL.MARKETING".
Alternatively, to see the domain name, follow these steps:

Cause: The printer's clock is offset by more than five minutes from the Kerberos server or KDC.
Solution: The Kerberos protocol requires that the device performing authentication is closely synchronized with the Kerberos server, in order to prevent replay attacks.
On the printer's control panel, use the arrow keys to scroll to and touch the following menus, and then touch the control panel keys to change the time:
Administration
Time/Scheduling
Date/Time
After changing the time setting, turn the device off and back on for the change to take effect.

Cause: The printer's Network Time Protocol (NTP) server is reporting a different time from the KDC time.
Solution: The printer uses the NTP server to determine if the printer is in a different time zone than the KDC and if the time stamp reported by the printer to the KDC should be adjusted by half-hour increments.
Set the NTP server to the KDC. Make sure that the HP printer is configured to synchronize.
Follow these steps to set the NTP server to the hostname in the Kerberos server using the EWS:
Note:

Cause: Incorrect credentials, or the user is unknown on the server to which authentication is occurring.
Solution: Verify that the user is authorized and the credentials are correct, or contact your system administrator.

Cause: The server hostname is incorrect or is not a valid hostname.
Solution: To determine if the host name is valid, open a command shell and type: ping <LDAP hostname>. If ping cannot find the host, then it is probably not the correct host name.

Cause: The DNS settings on the HP printer are incorrect.
Solution: Follow these steps to resolve the issue:

Cause: The LDAP server is powered off or not reachable.
Solution: If the hostname is correct but the ping command fails, the server might be physically powered off or network problems might be preventing you from accessing the server.

Cause: A DNS reverse lookup zone for your LDAP server's IP address is not configured.
Solution: To confirm the DNS zone configuration, open a Windows command shell and type nslookup <IP address of host>, and then verify that it returns the correct host name.

Cause: The LDAP server requires an SSL connection.
Solution: Change the LDAP port to 636 or 3269, and then set Kerberos over SSL.

Cause: The search root is incorrect.
Solution: Verify the search root in the LDAP directory.
For example, if the domain is Technical Marketing.com, then the search root will be one of the following:
DC=Technical,dc=com
or
OU=SiteName
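The Kerberos and LDAP checks above (hostnames rather than IP addresses, upper-case realm matching the server's domain, clock within 5 minutes of the KDC, LDAP over SSL on 636 or 3269, a search root built from the domain, and a KDC issuer certificate that is installed and still within its validity period) can be pre-checked offline before walking through the EWS. The following is an added example, not HP firmware code or an HP tool: the settings dictionary and its field names are an assumption standing in for the EWS Kerberos and LDAP pages, and the two sample configurations are constructed for illustration.

```python
"""Offline pre-check of the Kerberos/LDAP settings this troubleshooting page tells you to verify.
Added example; the 'settings' field names are an assumption, not the EWS's own names."""
import ipaddress
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)   # Kerberos tolerance the page states
LDAP_SSL_PORTS = {636, 3269}            # LDAPS and Global Catalog over SSL


def is_ip_address(value):
    """True if the value is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def expected_realm(kerberos_host):
    """Realm implied by the page's rule of thumb: the host's domain part, upper-cased.
    ad1.technical.marketing -> TECHNICAL.MARKETING"""
    labels = kerberos_host.strip(".").split(".")
    return ".".join(labels[1:]).upper()


def search_root_for_domain(domain):
    """LDAP search root for a DNS domain: technical.marketing.com -> DC=technical,DC=marketing,DC=com"""
    return ",".join(f"DC={label}" for label in domain.strip(".").split("."))


def clock_skew_ok(device_time, kdc_time):
    """Kerberos clients and the KDC must agree to within MAX_CLOCK_SKEW."""
    return abs(device_time - kdc_time) <= MAX_CLOCK_SKEW


def check_settings(settings, now):
    """Return a list of findings; an empty list means none of the page's causes was detected."""
    findings = []
    # Hostnames, not IP addresses, for every Kerberos/SSL server (DNS lookup zone row)
    for key in ("kerberos_server", "ldap_server", "send_to_folder_server"):
        host = settings.get(key)
        if host and is_ip_address(host):
            findings.append(f"{key}: '{host}' is an IP address; use a hostname")
    # Realm must be upper case and should match the Kerberos host's domain
    realm = settings.get("realm", "")
    if realm != realm.upper():
        findings.append(f"realm: '{realm}' is not upper case")
    kerb = settings.get("kerberos_server", "")
    if kerb and not is_ip_address(kerb) and realm.upper() != expected_realm(kerb):
        findings.append(f"realm: '{realm}' does not match host domain '{expected_realm(kerb)}'")
    # Clock offset between device and KDC
    if not clock_skew_ok(settings["device_time"], settings["kdc_time"]):
        findings.append("clock: device time differs from KDC by more than 5 minutes")
    # LDAP server that requires SSL must be reached on an SSL port
    if settings.get("ldap_requires_ssl") and settings.get("ldap_port") not in LDAP_SSL_PORTS:
        findings.append(f"ldap_port: {settings.get('ldap_port')} is not an SSL port (636 or 3269)")
    # Issuer certificate of the KDC certificate: installed, and inside its validity period
    nb = settings.get("kdc_issuer_cert_not_before")
    na = settings.get("kdc_issuer_cert_not_after")
    if nb is None or na is None:
        findings.append("kdc_issuer_cert: issuer certificate not installed")
    elif not (nb <= now <= na):
        findings.append("kdc_issuer_cert: issuer certificate is outside its validity period")
    return findings


# Constructed "current time" used by the samples below
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample: several of the page's causes present at once
BAD_SETTINGS = {
    "kerberos_server": "10.0.0.5",              # IP literal instead of hostname
    "realm": "technical.marketing",             # not upper case
    "ldap_server": "ldap1.technical.marketing",
    "ldap_requires_ssl": True,
    "ldap_port": 389,                           # plain LDAP port on an SSL-only server
    "device_time": NOW - timedelta(minutes=7),  # 7 minutes behind the KDC
    "kdc_time": NOW,
    "kdc_issuer_cert_not_before": datetime(2022, 1, 1, tzinfo=timezone.utc),
    "kdc_issuer_cert_not_after": datetime(2023, 12, 31, tzinfo=timezone.utc),  # expired
}

# Constructed sample: the same configuration with each cause corrected
GOOD_SETTINGS = {
    "kerberos_server": "ad1.technical.marketing",
    "realm": "TECHNICAL.MARKETING",
    "ldap_server": "ldap1.technical.marketing",
    "ldap_requires_ssl": True,
    "ldap_port": 636,
    "device_time": NOW - timedelta(minutes=2),
    "kdc_time": NOW,
    "kdc_issuer_cert_not_before": datetime(2022, 1, 1, tzinfo=timezone.utc),
    "kdc_issuer_cert_not_after": datetime(2025, 12, 31, tzinfo=timezone.utc),
}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_SETTINGS), ("good", GOOD_SETTINGS)):
        print(name, check_settings(cfg, NOW) or "no findings")
    print("search root:", search_root_for_domain("technical.marketing.com"))
```

The realm check only applies when the Kerberos server is given as a hostname, because the rule of thumb on this page derives the realm from the host's domain part; when the server is entered as an IP address the hostname finding already covers it.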

Cause: The attribute used to retrieve the e-mail address is incorrect.
Solution: This attribute is often mail, but might be different depending on the LDAP schema. The LDAP database does not have an e-mail address populated for this user. Contact your LDAP administrator to verify this, or use the ldptool.

Cause: The Smartcard detection algorithm might have failed.
The connection might be loose.
Solution: Perform the following tasks until the issue is resolved:

Cause: The issuer certificate of the KDC certificate is not installed on the printer.
Solution: Installing the issuer's certificate on the printer enables the printer to verify that the response from the KDC is valid.
Follow these steps to view the certificates that are installed on the printer:

Cause: The issuer certificate of the KDC certificate is installed on the device, but it is no longer valid. Digital certificates are only valid for a specific time period. Once that time period has expired, the certificate is no longer valid.
Solution: If the certificate has expired, install a new certificate on the device.
Use the EWS to view whether the certificates are installed.

Cause: The user is trying to authenticate with an invalid Smartcard.
Solution: Try using a different Smartcard (HP Smartcard NIPRNet Solution) for authentication.

Cause: The user is trying to authenticate with an expired Smartcard.
Solution: Try using a different Smartcard (HP Smartcard NIPRNet Solution) for authentication.

Cause: The Kerberos server may have an outdated CRL or might be unable to contact the OCSP server for validation.
Solution: Work with the IT system administrator who maintains the server to resolve the problem.

Cause: The e-mail address attribute under "Searching the LDAP Database" on the Kerberos settings page is incorrect.
Solution: Try changing the e-mail address attribute on the Kerberos page to reflect the correct LDAP attribute.

Cause: Using Microsoft Outlook, e-mail sent by the device has an invalid digital signature. Viewing details on the signature shows: "Error: The system cannot validate the certificate used to create this signature because the issuer's certificate is either unavailable or invalid."
The recipient of the e-mail message does not have the intermediate and/or root certificate necessary to validate the client's e-mail certificate installed on their PC. The device is not appending the intermediate and root certificates in the e-mail message because they have not been installed on the device.
Solution: Check the Kerberos page to see if the e-mail signing certificates are installed.
Note: To ensure that the correct certificates are installed, check the details for the digital signature in Microsoft Outlook to find out which CA issued the user's e-mail signing certificate:

Cause: Using Microsoft Outlook, e-mail sent by the device has an invalid digital signature, and a window with the following message is displayed when the user views details on the signature: "Digital Signature: Invalid. Your message was digitally signed by a certificate issued by a Certificate Authority. The signature is invalid because you have either distrusted or not yet chosen to trust the following Certificate Authority: Issued By: <CA Issuer Name>."
Solution: The correct e-mail signing certificates have been installed on the HP printer; however, the user has not yet chosen to trust the certificate chain which signed the user's e-mail certificate. When the user decides to trust the signature, the CA certificate(s) are installed on their PC and future messages will display a valid signature. The recipient of the message needs to decide whether or not to trust the CA that issued your digital certificate.