6 Replies Latest reply on Aug 30, 2018 6:11 AM by deylo

    Entrust PKI popup because of Ivanti scan?

    deylo Rookie

      Hello!

      For E-Mail encryption we use Entrust PKI Software and since Windows 10, every round about 15 minutes the Login Window from this Entrust PKI Software popups for credentials.

       

      When i refresh the ivanti Portal Manager manually, the Entrust PKI Login Windows popup reproducible.

       

      Does anyone know about this special behavior and maybe which Ivanti component activate this login windows from this software?

       

      I deactivate some Ivanti agent features like inventory scan, without success.

       

      Thanks

        • 1. Re: Entrust PKI popup because of Ivanti scan?
          phoffmann SupportEmployee

          We don't have anything specifically that'd integrate (/be aware of) Entrust PKI.

           

          At a *GUESS* (since you're saying that calling up portal manager brings it up) it could be the running of either POLICYSYNC.EXE, and/or of "LDAPWHOAMI.EXE" (to resolve "who is this user and what AD-groups do they belong to".

           

          I'm highlighting those two binaries as it'll help you hopefully figure out which one it is that's directly responsible (You can run either of those "as is" without additional parameters).

           

          PolicySync just pokes the Core's policy service in a "Hey - I am machine XYZ and user ABC - what do you have for me?" kind of way (and LDAPIWHOAMI is usually part of an inventory scan but can be used by policy as well to resolve AD-groups for the "User ABC is part of AD-groups X, Y and Z therefor should / should not be targeted with Policy ZZZ" logic).

           

          ===========

           

          None of our stuff "runs every 15 minutes" normally (that comes to mind). You can check what's scheduled though via our local scheduler in inventory (check the local scheduled tasks HERE) in regular inventory (click on the picture for full size version):

           

           

          I've worked with a customed before who used Entrust too, and we didn't get cred-prompts there (but that's a few years ago) ... could be a config issue perhaps?

           

          ... I'd suggest perhaps running a PROCMON trace on the system, and see / wait for figuring out what process(es) kick off just before Entrust goes & pops you for creds for whatever reason (if it doesn't have logging of its own that'd explain "Here's why I'm presenting you with a popup")? It's a bit awkward, but seems the best approach in a "I've no idea what could cause this" type of scenario.

           

          Hope that helps?

          • 2. Re: Entrust PKI popup because of Ivanti scan?
            deylo Rookie

            Thanks for the quick answer, i will check some settings.

             

            and we didn't get cred-prompts there (but that's a few years ago) ... could be a config issue perhaps?

            Correct! We don't have these popups on our Windows 7 Clients (same config), only the 'new' Windows 10.

             

            Thanks!

            • 3. Re: Entrust PKI popup because of Ivanti scan?
              phoffmann SupportEmployee

              Huh - OK ... so could be "something new" that Win 10 does, rather than Entrust necessarily.

               

              Well - that's a lot of fun ... (And yeah, the customer at the time was on Win 7, so that'd match with your experiences).

               

              Hmm - you may want to poke the Entrust folks to see what their debug-logging options are, as this is a bit of a multi-tiered mystery.

               

              For "our stuff", most binaries adhere to this -- How to enable Xtrace Diagnostic Logging -- (there's a handful of exceptions).

               

              Hoping that between the two (their & our logging) you'll get a more precise idea as to "which binary / binaries" kick it off precisley, and potentially - "what actions" ... from that, hopefully, possibilities will become clear(er).

              • 4. Re: Entrust PKI popup because of Ivanti scan?
                deylo Rookie

                I have new results.

                 

                The Entrust Client installs a Entrust Certifacte Explorer with a personal certificate vor e-mail encryption.

                When you delete your personal certifcate, there is NO popup when policysync.exe starts or inventory scan!

                 

                When you open an e-mail to encrypt with Entrust, your personal certifcate is available again and with policysync, the login window from Entrust appear again.

                 

                I really don't know the connection and context between Ivanti scans an these certs in Entrust, but it is a new hint...

                • 5. Re: Entrust PKI popup because of Ivanti scan?
                  phoffmann SupportEmployee

                  Hrmm...

                   

                  OK - so I suspect this is going to be a case of "open a case with Entrust support & Ivanti support" ... chances are that our devs will need to talk to their devs, so that we can figure out what's happening on whose side, and what can/needs to be fixed as it were.

                   

                  You'll need to open these support cases "on both sides" since you're the customer (software vendors don't usually overly respond to "other software vendor"-s making a request/inquest unless one of their own support-paying customers is involved in my experience).

                   

                  I don't think this is something that the community will be able to help with, unfortunately. This is definitely going to be a dev-backend thing.

                   

                  Hope that helps / gives you a way forward.

                  • 6. Re: Entrust PKI popup because of Ivanti scan?
                    deylo Rookie

                    Problem solved!

                     

                     

                    The two mentioned certs are default set to 'Alle Zwecke für dieses Zertifikat aktivieren'. (Enable all purposes for this certificate)

                     

                    I changed it to 'Enable only the following purposes' and disabled 'Client Authentication'.

                     

                    So, no popup anymore and (seemingly) no other limitations.

                     

                    Thanks for your help!