File Share Encryption

  • 1.  Invisible silent enrollment fails with error 10970

    Posted Jul 30, 2015 01:30 PM

    Hello, 

    I am troubleshooting an Invisible silent enrollment problem.

     

    Error in PHPlog.txt is 

    *A 19:21:52 ----- Encryption Desktop started -----
    *A 19:21:52 Encryption Desktop 10.3.2 (Build 16620) (16620)
    *A 19:21:52 Today's date is Thursday, July 30, 2015
    IP 19:21:54 Setting logging level to: normal
    IP 19:21:58 Initiating daily maintenance procedures
    EP 19:21:58 Certificate Enrollment has failed with error: PGPError #-10970 (-10970)
    *A 19:22:14 ----- Encryption Desktop stopped -----

    PHPssoLog.txt is

     

    SSO Enrollment Log
    Passed PGP_INSTALL_DISABLESSOENROLL registry check
    Attempting to impersonate user...
    Username is *user01* on domain *domain*.
    DsGetDcName *\\dc.domain*.
    NetUserGetInfo *\\dc.domain* *user01*.
    LoadUserProfile *\\dc.domain* *user01* **.
    LoadUserProfile Succeeded
    Impersonate user OK!
    Passed impersonation
    Saving SSO password...
    Universal server: crypto.domain
    Created user app data folder: C:\Users\user01\AppData\Roaming\PGP Corporation\PGP\
    Common app data folder: C:\ProgramData\PGP Corporation\PGP\
    PGPtrustedcerts.asc path: C:\ProgramData\PGP Corporation\PGP\PGPtrustedcerts.asc
    orgkey.asc path: C:\ProgramData\PGP Corporation\PGP\orgkey.asc
    PGPsso.dat path: C:\Users\user01\AppData\Roaming\PGP Corporation\PGP\PGPsso.dat
    PGPprefs.xml path: C:\Users\user01\AppData\Roaming\PGP Corporation\PGP\PGPprefs.xml
    Deleting old PGPsso.dat file.
    Non-fatal error: Pref file doesn't exist
    Using orgkey.asc.
    PGPFilterKeySet found 1 keys that matched
    sFilterForEncryptKeys found 1 keys that matched
    Success: Writing out data!

    Encryption server client log is 

     client request <AuthenticateInternalPassphrase> returning fault -11976 (corrupt data)

     

    Everything is set up according to HOWTO77014.

     

    Any ideas?

  • 2.  RE: Invisible silent enrollment fails with error 10970
    Best Answer

    Posted Jul 30, 2015 04:12 PM

    Are you using Certificate enrollment?  It looks like it is trying to pass a certificate, and not recognizing the format.  Most customers don't enroll using certificates.

    If you are not actively using certificate enrollment, you should set the enrollment process to Deny Certificate Enrollment, which will force it to enroll using the username and password from AD.  It looks like the impersonation of the user is working, so my best guess based on the log outputs together would be that it is passing a certificate (error 10970 is an invalid certificate), the desktop client tries building out the folder structures needed for the program (this happens normally even on a failed enrollment), and the server sees the certificate as 'corrupt', because it is not the format it expected.

    Go to Consumers>Directory Synchronization, then click Settings... in the bottom left.  The box to enroll using directory authentication should be checked.  Change 'Allow' or 'Force' to 'Deny' for certificate enrollment.

    Let me know how that works for you.



  • 3.  RE: Invisible silent enrollment fails with error 10970

    Posted Aug 04, 2015 06:37 AM

    Progress.

    After disabling certificate enrollment, error 10970 has disappeared, but Encryption Desktop won't start.

    Desktop log shows:

    *A 11:26:49 ----- Encryption Desktop started -----
    *A 11:26:49 Encryption Desktop 10.3.2 (Build 16620) (16620)
    *A 11:26:49 Today's date is Tuesday, August 04, 2015
    IP 11:26:52 Setting logging level to: normal
    IP 11:26:55 Initiating daily maintenance procedures
    *A 11:27:07 ----- Encryption Desktop stopped -----

     

    Server log (client) shows 

    CLIENT-03171: client request <AuthenticateInternalPassphrase> returning fault -11976 (corrupt data)