
The key store is not initialized. Please re-login!

Hi Guys,

I have a problem with a user account that will not work. The user ID is logging in to the new PC for the 1st time.

Although the user is synchronizing with SafeGuard, it does not receive a new key or certificate. Policy, contact with server is ok.

I've tried several times to log the same user ID, logout and log in with the user account, I get into Windows, and it says its s

User logged on after first logging in and out with Domain account:

Error message when trying to display key ring: "The key store is not initialized. Please re-login!"

Sophos

SafeGuard version 6 with DX & CP, with "Enable registration of SGN Windows users" enabled.

This is a user that has been using SafeGuard before and the user is connected to other PC, and synchronized in Management Center

I hope someone could assist on solution or troubleshooting guide. Thanks



This thread was automatically locked due to age.
  • Hi Azwan,

    hard to tell from the provided information... Just an idea:

    I would assume that you are using SafeGuard Enterprise 6.10 for the SafeGuard Server / Management Center because you are referring to "SafeGuard Windows Users" which is a new feature and only available as of version 6.10.
    I also assume that for the affected SafeGuard Client machine, the version is 6.00.1 as you refer to DX and CP installed (CP is no longer part of SafeGuard Enterprise as of version 6.10).

    If you take the affected user and logon to a machine where the account is working properly, go to the SafeGuard Enterprise Tray Icon and select "Display" -> "User Certificate". Go to the details tab and check which "Signature" Algorithm is listed there.

    If the Signature algorithm is "sha256WithRSAEncryption" (and not "sha1WithRSAEncryption"), the SafeGuard 6.00.1 Client cannot work with the User's certificates as it was created with the SHA-256 hash algorithm (only available as of 6.10).

    Side note: As of 6.10, you can choose the default hash algorithm (SHA-1 / SHA-256) in the Management Center (Tools | Options | Hash algorithm for generated certificates)


    Regards,
    Chris

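The signature-algorithm check described in the reply above can also be done from PowerShell. This is an added example, not Sophos code and not part of the original posts: the function name `Get-CertSignatureVerdict` is hypothetical, it assumes the user's certificate is available as an `X509Certificate2` object, and the sample certificates are constructed in memory (this part needs .NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
# Added example, not Sophos code. Maps a certificate's signature algorithm OID
# to the name shown on the certificate's details tab and applies the rule from
# the reply above: a SHA-256-signed user certificate needs a 6.10 client.
$SigAlgNames = @{
    '1.2.840.113549.1.1.5'  = 'sha1WithRSAEncryption'
    '1.2.840.113549.1.1.11' = 'sha256WithRSAEncryption'
}

function Get-CertSignatureVerdict {   # hypothetical helper name
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $oid  = $Certificate.SignatureAlgorithm.Value
        $name = if ($SigAlgNames.ContainsKey($oid)) { $SigAlgNames[$oid] } else { $oid }
        $verdict = switch ($name) {
            'sha1WithRSAEncryption'   { 'no SHA-256 conflict with a 6.00.1 client' }
            'sha256WithRSAEncryption' { 'needs a 6.10 client' }
            default                   { 'algorithm not covered by the thread' }
        }
        [pscustomobject]@{
            Subject            = $Certificate.Subject
            SignatureAlgorithm = $name
            Verdict            = $verdict
        }
    }
}

# Constructed sample input: two throwaway self-signed certificates built in
# memory (nothing is written to a certificate store).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$now = [DateTimeOffset]::UtcNow
foreach ($hash in 'SHA1', 'SHA256') {
    $request = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        "CN=constructed-$hash", $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::$hash,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $request.CreateSelfSigned($now, $now.AddDays(1)) | Get-CertSignatureVerdict
}
```

To check a certificate saved to a file, pass `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new('<path to .cer file>')` to the function; the path is a placeholder.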
  • Hello ChrisD, et al,

    I have just started a Tech Refresh Project (hence the "-TRP") and am tasked with supporting Sophos SafeGuard Easy 6.00.1.31.  Everything appears to be going GREAT with this software, except for not being able to get the "Key Ring..." on the User's side of the installation on a pair of desktop PCs (HP 6300 models running Windows 7 64-bit).  All of the Certificates are present (Synchronized) and the local Administrator account also DOES have its "Key Ring...", but the remote User's account is not getting it even after multiple restarts and an entire weekend sitting logged-out but connected on the corporate network.

    By "Remote User" I mean an End User who the desktop computer will be shipped to after all the imaging and configuration steps are completed and verified here in our work center.  Users could be ANYWHERE in the U.S. including destinations as far away as Hawaii and Puerto Rico.

    I have searched the Knowledgebase articles, downloaded, printed and read the version "RELEASE NOTES" and done just about everything I can think of to identify the "official procedure" for forcing these Key Rings to populate -OR- to confirm the role they play and why they are needed.

    At this point, some instructions as well as a "Glossary" page on any Sophos specific terminology would be most helpful!

    Also, I am happy to access any White Paper documents explaining essential things we might need to know about supporting Sophos SafeGuard Easy (again, version 6.00.1.31) or watch some videos on it if a Sophos channel exists somewhere online.

    The issue has not, to the best of my knowledge, occurred on several HP 9470m laptops that I worked on (imaged and installed software afterwards).  I may have the ability to share any information provided to me with two (2) other work centers pursuing the same projects for a major U.S. corporate client.

    Thanks very much in advance!  If this is the sort of issue requiring an official Support request under a Support contract, please advise.  I am probably the lowest man in the organization, so any guidance you provide will be greatly appreciated.

    ~ Dennis C. (a.k.a. "ABCR-TRP")

    Virginia Beach, Virginia

  • ** Additional information **

    In addition to the above details, I viewed Windows' "Event Viewer" > "Applications" log and found the following entry at 4:14 p.m. and this was coincidentally (I believe) after a 13 minute timed Hold that I had done; waiting to log-on to Windows to see if the additional (missing) "Key Ring..." settings would be picked up.  They were not, but I thought the following CAUTION Event might be worth sharing:

    (I am missing the most informative, top line of the below Event..  I can add it in tomorrow.  Something about, 'a possible file tampering attempt was detected', but I do not believe this is accurate because it is a newly imaged, contaminate-free desktop computer.)

    Source: SGConfProtect, ... Logged: 6/2/2014 4:14:54 PM

    Event ID: 3407, ... Task Category: Client

    Level: Error, ... Keyword: Classic

    User: (local_machine_name)\Admin, ... Computer: (local_machine_name).corp.(client).com

    If there are any other tell-tale signs that could identify the root cause of the issue, I would very much appreciate learning of them.

    ~ Dennis

  • Hi Dennis,

    hard to troubleshoot without having any logging information available, esp. since the administrative user works fine. You could check the following information and reply, we could then check if we can sort it out:

    - When your remote users that are affected by the issue login to Windows, do they use the SafeGuard Credential Provider?  

    ((If they use something else than the SafeGuard Credential Provider, User initialization might not complete correctly.))

    - When the users are on the desktop, what does the SafeGuard Client Status say in regards to the User status? (SafeGuard Tray Icon -> Status -> SGN User Status?)

    - and how did you specify the SafeGuard Policy setting "Specific Machine Settings | Allow registration of new SGN users for" ?

    We have a Youtube channel (http://www.youtube.com/user/SophosGlobalSupport) available where a couple of videos explain the essentials for the SafeGuard products (SafeGuard Playlist)

    Regards,

    ChrisD

  • The first line of the Event Viewer error I did not have with me last night is:

    "Configuration Protection client detected a possible tampering event. Description [File not verified]."

    The answers to your other questions are:

    • - When your remote users that are affected by the issue login to Windows, do they use the SafeGuard Credential Provider?  ((If they use something else than the SafeGuard Credential Provider, User initialization might not complete correctly.))
    • - When the users are on the desktop, what does the SafeGuard Client Status say in regards to the User status? (SafeGuard Tray Icon -> Status -> SGN User Status?)
    •  - and how did you specify the SafeGuard Policy setting "Specific Machine Settings | Allow registration of new SGN users for" ?

    1).  Do they use the SafeGuard Credential Provider? - - Yes, as far as I know.  Please remember this is brand new software for me and even the other Technicians working in our center are not Sophos "experts" by any means.  The start-up appears to be normal and I am seeing the prompt for an Old Password to be entered, but we do not believe the remote End User has changed their password in any way during the past week (the time we have been preparing this replacement computer using their Domain credentials here in our work center).  Log-on occurs, and shows, the POA as expected...

    2).  What does the "Status" show? - - I know it shows Synchronized and that no new data is available to download.  I do not know the "SGN user state:" of the local Admin profile because I am not logged in to it at the moment.  Since these PCs now appear to be working, we will likely be shipping them out today without any further delay. - - It would be fantastic to know if there is something we can do to avoid this (what amounts to..) tremendous delay for our team and we are supposed to have a turn-around time of 3 business days, not 6!!

    3).  What are the Policy settings? - - I do not know the answer to this third question.  I have no involvement in the setup of Policies for these machines.  Our team is tasked with installing the software and verifying everything happened correctly.  If you believe I should escalate this issue "internally" to the Sophos Administrators or Leads, I can bring that point to my team leader, but beyond this I am not sure what else I can do.  Each machine typically has only one single End User, so there are no multiple Users in 95%+ of the cases.  We act as both the End User (..with temporarily elevated local Admin privileges) and the local Admin during install of the software and all "extra" privileges are removed from the End User's Domain account before the PCs ship to the User's physical location. - - Ideally, when we encounter an "issue" the best, fastest, easiest solution is the one we want.  Internal escalation(s) and questions are MORE likely to cause people to question the choice of this software solution in my opinion (as a 19 year support Tech veteran).

    I hope these answers help you understand our situation.

    Suddenly, I am told that last night a FINAL reboot attempt caused the missing local Admin "Key Ring"(s) to appear!  This is quite surprising to me and I have to wonder if it was simply a matter of time (timing) for the Sophos server to see the clients and push the Key Rings to them.  If this is the case, I still wonder why it took more than 72 hours and 8 to 10 reboots (warm, cold) to get things to happen.

    Respectfully,

    ~ Dennis C., Refresh Project Contractor

  • Hi Dennis,

    just for clarification, SafeGuard Easy and SafeGuard Enterprise are different products and work differently:

    • For SafeGuard Enterprise, the SafeGuard Clients report to a centralized SafeGuard Server component and have their encryption keys and certificates etc created from the SafeGuard Enterprise Server as soon as they report in for the first time

    • For SafeGuard Easy, there is no SafeGuard Server component and certificates and encryption keys are created locally on the SafeGuard Client w/o the need of contacting a SafeGuard Server first

    I'd assume you're running SafeGuard Enterprise since you've mentioned Configuration Protection, a module that is only available for the SafeGuard Enterprise Clients.

    For SafeGuard Enterprise, when using the SafeGuard Credential Provider for logging on to the SafeGuard Client and the SafeGuard Client can establish a connection to the SafeGuard Enterprise Server, the user initialization should be completed immediately - not after x hours or days.

    You might want to discuss the policy setup for your clients internally with your SafeGuard Security Officer and have him inform you about the general User Machine Assignment process.

    If you cannot figure out what is causing the delay before users get active in SafeGuard, it might be good to create a Support Request with Sophos Support and verify what the reason for that could be.

    A hint regarding the Configuration Protection Event you've posted: Make sure to check if you're running 6.00.1 Configuration Protection R2 Patch (available at http://www.sophos.com/en-us/support/downloads/data-protection/safeguard-enterprise.aspx -> Patches) on the affected machines. The error should no longer occur with R2 patch installed.

    A hint regarding 1) / "The old password" prompt: I'd recommend to have a look at: SafeGuard Enterprise: User is asked to provide their 'old password' during logon to Windows

    Hope that helps.

    Regards,
    ChrisD

  • Good morning ChrisD,

    I have posed the question regarding the versions of Sophos SafeGuard products being used by this client on this project.  I specifically asked him whether it is possible the client might be using SafeGuard Easy on its Laptops (due to their being used for travel and 'on the road') and SafeGuard Enterprise on the Desktops.  It seems the answer to this question *might* make a difference to the way we install, use, training and document these products for ourselves and the End User audience on the deployed workstations.  Agree?

    Thanks very much for your assistance and additional information; still digesting it all.  As I said before, the outcome of this may greatly support the efforts of numerous Technicians working at three work centers on a project anticipated to last AT LEAST 3 months (at this point).

    ~ Dennis C.

    Refresh Deployment Project Technician

    http://hiredguntech.tumblr.com/
