ERROR: Could not get security token
-
Hello to all,
I also have the Token.dat problem on my clients in my recently deployed FOG server.
I am on the dev-branch in version 1.5.9.239.
I have done all the tests on the forum and nothing works.
When I try to regenerate the certificates by rerunning ./install.sh -K and reinstalling the agent, this is what comes up:

------------------------------------------------------------------------------
--------------------------------Authentication--------------------------------
------------------------------------------------------------------------------
20/02/2023 09:59:14 Client-Info Version: 0.12.2
20/02/2023 09:59:14 Client-Info OS: Windows
20/02/2023 09:59:14 Middleware::Authentication Waiting for authentication timeout to pass
20/02/2023 10:00:13 Log Unhandled exception caught
20/02/2023 10:00:14 Log Terminating: True
20/02/2023 10:00:14 Log Hash code: System.UnauthorizedAccessException: Access to the registry key '230' is denied.
   at Microsoft.Win32.RegistryKey.Win32Error(Int32 errorCode, String str)
   at Microsoft.Win32.RegistryKey.InternalGetValue(String name, Object defaultValue, Boolean doNotExpand, Boolean checkSecurity)
   at Microsoft.Win32.RegistryKey.GetValue(String name)
   at System.Diagnostics.PerformanceMonitor.GetData(String item)
   at System.Diagnostics.PerformanceCounterLib.GetPerformanceData(String item)
   at System.Diagnostics.PerformanceCounterLib.GetCategorySample(String category)
   at System.Diagnostics.PerformanceCounterLib.GetCategorySample(String machine, String category)
   at System.Diagnostics.PerformanceCounter.NextSample()
   at System.Diagnostics.PerformanceCounter.NextValue()
   at SuperSocket.SocketEngine.ProcessPerformanceCounterHelper.Collect(StatusInfoCollection statusCollection)
   at SuperSocket.SocketEngine.PerformanceMonitor.OnPerformanceTimerCallback(Object state)
   at System.Threading.TimerQueueTimer.CallCallbackInContext(Object state)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.TimerQueueTimer.CallCallback()
   at System.Threading.TimerQueueTimer.Fire()
   at System.Threading.TimerQueue.FireNextTimers()
   at System.Threading.TimerQueue.AppDomainTimerCallback(Int32 id)
Then after a few syncs, still the same problem…
20/02/2023 10:19:49 Middleware::Response ERROR: Object reference not set to an instance of an object.
20/02/2023 10:19:49 Service Sleeping for 119 seconds
20/02/2023 10:21:48 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/management/index.php?sub=requestClientInfo&configure&newService&json
20/02/2023 10:21:48 Middleware::Response Success
20/02/2023 10:21:49 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/management/index.php?sub=requestClientInfo&mac=88:A4:C2:B9:BF:35|F4:A8:0D:08:C6:CA|70:1A:B8:5A:C4:68|70:1A:B8:5A:C4:69|72:1A:B8:5A:C4:68|00:09:0F:FE:00:01|70:1A:B8:5A:C4:6C||00:15:5D:70:C8:86|00:15:5D:8C:97:59|00:15:5D:EA:D4:A5|00:15:5D:0D:2D:C5&newService&json
20/02/2023 10:21:49 Data::AES ERROR: Could not decrypt AES
20/02/2023 10:21:49 Data::AES ERROR: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
20/02/2023 10:21:49 Middleware::Communication ERROR: No response received
20/02/2023 10:21:49 Middleware::Response Success
20/02/2023 10:21:49 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/service/getversion.php?clientver&newService&json
20/02/2023 10:21:49 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/service/getversion.php?newService&json
20/02/2023 10:21:49 Service Creating user agent cache
20/02/2023 10:21:49 Middleware::Response ERROR: Unable to get subsection
20/02/2023 10:21:49 Middleware::Response ERROR: Object reference not set to an instance of an object.
20/02/2023 10:21:49 Middleware::Response ERROR: Unable to get subsection
20/02/2023 10:21:49 Middleware::Response ERROR: Object reference not set to an instance of an object.
20/02/2023 10:21:49 Middleware::Response ERROR: Unable to get subsection
20/02/2023 10:21:49 Middleware::Response ERROR: Object reference not set to an instance of an object.
------------------------------------------------------------------------------
----------------------------------UserTracker---------------------------------
------------------------------------------------------------------------------
20/02/2023 11:18:44 Client-Info Client Version: 0.12.2
20/02/2023 11:18:44 Client-Info Client OS: Windows
20/02/2023 11:18:44 Client-Info Server Version: 1.5.9.239
20/02/2023 11:18:44 Middleware::Response ERROR: Unable to get subsection
20/02/2023 11:18:44 Middleware::Response ERROR: Object reference not set to an instance of an object.
20/02/2023 11:18:44 Service Sleeping for 108 seconds
20/02/2023 11:20:32 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/management/index.php?sub=requestClientInfo&configure&newService&json
20/02/2023 11:20:32 Middleware::Response Success
20/02/2023 11:20:32 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/management/index.php?sub=requestClientInfo&mac=88:A4:C2:B9:BF:35|F4:A8:0D:08:C6:CA|70:1A:B8:5A:C4:68|70:1A:B8:5A:C4:69|72:1A:B8:5A:C4:68|00:09:0F:FE:00:01|70:1A:B8:5A:C4:6C&newService&json
20/02/2023 11:20:32 Middleware::Authentication Waiting for authentication timeout to pass
20/02/2023 11:20:44 Middleware::Communication Download: http://a42svcoufog.cougnaud.fr/fog/management/other/ssl/srvpublic.crt
20/02/2023 11:20:44 Middleware::Authentication Cert OK
20/02/2023 11:20:44 Middleware::Authentication No token found at C:\Program Files (x86)\FOG\token.dat, this is expected if the client has not authenticated before
20/02/2023 11:20:44 Middleware::Authentication ERROR: Could not get security token
20/02/2023 11:20:44 Middleware::Authentication ERROR: Could not find file 'C:\Program Files (x86)\FOG\token.dat'.
20/02/2023 11:20:44 Middleware::Communication POST URL: http://a42svcoufog.cougnaud.fr/fog/management/index.php?sub=requestClientInfo&authorize&newService
20/02/2023 11:20:44 Middleware::Response Invalid security token
20/02/2023 11:20:44 Middleware::Response Success
20/02/2023 11:20:44 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/service/getversion.php?clientver&newService&json
20/02/2023 11:20:44 Middleware::Communication URL: http://a42svcoufog.cougnaud.fr/fog/service/getversion.php?newService&json
20/02/2023 11:20:44 Service Creating user agent cache
20/02/2023 11:20:44 Middleware::Response ERROR: Unable to get subsection
20/02/2023 11:20:44 Middleware::Response ERROR: Object reference not set to an instance of an object.
20/02/2023 11:20:44 Middleware::Response ERROR: Unable to get subsection
20/02/2023 11:20:44 Middleware::Response ERROR: Object reference not set to an instance of an object.
20/02/2023 11:20:44 Middleware::Response ERROR: Unable to get subsection
20/02/2023 11:20:44 Middleware::Response ERROR: Object reference not set to an instance of an object.
It’s been several days now that I’ve been working through all the topics on the forum to unblock myself, but I’m starting to need help…
Thanks to you in advance -
@Jordane Looks like the fog-client doesn’t use FIPS compliant crypto but your system enforces this security standard: https://learn.microsoft.com/en-us/troubleshoot/system-center/orchestrator/exception-error-install-sma-web-service
Though it might also just be a question of libraries being FIPS certified or not: https://learn.microsoft.com/en-us/dotnet/framework/migration-guide/retargeting/4.7.2-4.8#managed-cryptography-classes-do-not-throw-a-cryptographyexception-in-fips-mode
The fog-client currently uses Rijndael(Managed class) and I guess we would need to switch to AES:
https://learn.microsoft.com/en-us/archive/blogs/shawnfa/the-differences-between-rijndael-and-aes
https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.rijndaelmanaged?view=net-7.0
Possibly we cannot give you a quick solution or workaround on this. Maybe it’s a minor step to switch to an Aes class but I am not sure yet.
And then there might be a second issue as well. The error mentioned in the first code block (System.UnauthorizedAccessException: Access to the registry key '230' is denied.) points to registry access being blocked. Maybe this is caused by some kind of anti-virus software? -
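Before the next reply, an added diagnostic (not fog-client code, not posted by anyone in this thread) that a practitioner can run on one of the affected Windows clients to see which of the two policies discussed above actually bites. It reads the system FIPS policy flag and the Kerberos encryption-type policy from the registry, then tries to instantiate the managed Rijndael/AES classes next to the CAPI-backed AesCryptoServiceProvider, and finally checks for token.dat. The registry paths and the PowerShell 5.1 (.NET Framework) host are assumptions; whether the managed classes throw in a given process depends on the target framework of that process (see the .NET 4.8 retargeting link above), so the third check shows the behaviour of the PowerShell host, which may differ from the fog-client’s.

```powershell
# Added example (not fog-client code). Run in an elevated Windows PowerShell 5.1
# session on a client that logs "This implementation is not part of the Windows
# Platform FIPS validated cryptographic algorithms".

# 1. System-wide FIPS policy ("System cryptography: Use FIPS compliant algorithms
#    for encryption, hashing, and signing"). Enabled = 1 means enforced.
$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$fipsEnabled = (Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
"FIPS policy Enabled value      : $fipsEnabled"
"CryptoConfig.AllowOnlyFipsAlgorithms: $([System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms)"

# 2. "Network security: Configure encryption types allowed for Kerberos".
#    Bitmask: DES_CBC_CRC=0x1, DES_CBC_MD5=0x2, RC4=0x4, AES128=0x8, AES256=0x10,
#    Future=0x7FFFFFE0. "AES256 and future" is therefore 0x7FFFFFF0.
#    This policy only governs Kerberos tickets; it does not affect .NET cipher classes.
$kerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$kerbTypes = (Get-ItemProperty -Path $kerbKey -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
if ($null -ne $kerbTypes) {
    'Kerberos SupportedEncryptionTypes: 0x{0:X}' -f $kerbTypes
} else {
    'Kerberos SupportedEncryptionTypes: not set by policy'
}

# 3. Which .NET symmetric cipher classes the FIPS policy blocks in this process.
#    RijndaelManaged and AesManaged are pure managed code and are not FIPS validated;
#    AesCryptoServiceProvider wraps the validated Windows crypto provider.
foreach ($type in 'RijndaelManaged', 'AesManaged', 'AesCryptoServiceProvider') {
    try {
        $cipher = New-Object "System.Security.Cryptography.$type"
        $cipher.Dispose()
        "$type : OK"
    } catch {
        "$type : BLOCKED - $($_.Exception.GetBaseException().Message)"
    }
}

# 4. The token the fog-client writes after its first successful authentication
#    (path taken from the log above; assumed 32-bit install location).
$tokenPath = Join-Path ${env:ProgramFiles(x86)} 'FOG\token.dat'
"token.dat present at $tokenPath : $(Test-Path $tokenPath)"
```

On a machine with the FIPS policy enforced and a pre-4.8-targeted host, the third section reports RijndaelManaged and AesManaged as BLOCKED with the same message the fog-client logs, while AesCryptoServiceProvider instantiates normally; that is the class split Sebastian’s proposed switch relies on. A missing token.dat on its own is expected until the first authorize call succeeds, so it is a symptom here rather than the cause.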
Hello @Sebastian-Roth, Thank you for your quick response.
Indeed, in the local security policy of our clients, FIPS encryption is enabled.
But also the option, Configure the types of encryption allowed for Kerberos “AES256 and future”.
Are these the options that would block me?
AES is not compatible with FOG services?
Is it possible to disable encryption from fog and the TOKEN function?
Ideally, it should communicate with clients without encryption. -
@Jordane said in ERROR: Could not get security token:
Indeed, in the local security policy of our clients, FIPS encryption is enabled.
But also the option, Configure the types of encryption allowed for Kerberos “AES256 and future”.
Are these the options that would block me?
Probably yes. And I really do understand your organization is forcing FIPS compliance.
AES is not compatible with FOG services?
Well, AES is actually a subset of the Rijndael implementation used in the fog-client. So it’s pretty close. I guess we can switch to using AES as I said before but not in a quick move! Needs code changes and testing.
I was going to open an issue report on github to keep track of this but turns out this has been around for a long time already, as well as another forum topic (sounds like the fix isn’t that easy…)
Is it possible to disable encryption from fog and the TOKEN function?
No, not right now. One of my future plans was to remove the self-made encryption from the fog-client/fogproject code and switch to using HTTPS (enforced). This way we’d rely on state-of-the-art crypto done by webservers and system crypto libraries. But that is even further away than switching to AES.
Ideally, it should communicate with clients without encryption.
I don’t get this. Why would you enforce FIPS compliance but then let the communication go unencrypted?!?!? Just doesn’t make sense to me.
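An added example (not fog-client code and not written by anyone in this thread) illustrating the point made above that AES is Rijndael restricted to a 128-bit block: with the same key, IV, mode and padding, RijndaelManaged and the FIPS-validated AesCryptoServiceProvider produce byte-identical ciphertext, so swapping the class keeps existing ciphertext decryptable. Key, IV and plaintext are constructed for the example; CBC with PKCS7 padding is an assumption, not a statement about the fog-client’s actual settings.

```powershell
# Added example (not fog-client code). Shows that a 128-bit-block Rijndael cipher
# and the CAPI-backed AES class are interchangeable for the same parameters.

function Protect-Bytes {
    param(
        [System.Security.Cryptography.SymmetricAlgorithm]$Cipher,
        [byte[]]$Key,
        [byte[]]$IV,
        [byte[]]$Plain
    )
    # Mode and padding are assumptions for the demonstration.
    $Cipher.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $Cipher.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $Cipher.Key     = $Key
    $Cipher.IV      = $IV
    $encryptor = $Cipher.CreateEncryptor()
    try {
        # Leading comma keeps the byte[] from being unrolled by the pipeline.
        return ,$encryptor.TransformFinalBlock($Plain, 0, $Plain.Length)
    } finally {
        $encryptor.Dispose()
        $Cipher.Dispose()
    }
}

# Constructed sample inputs: 256-bit key, 128-bit IV, a dummy payload.
$key   = [byte[]](1..32)
$iv    = [byte[]](101..116)
$plain = [System.Text.Encoding]::UTF8.GetBytes('{"token":"example-not-a-real-fog-token"}')

$results = @{}
foreach ($name in 'RijndaelManaged', 'AesCryptoServiceProvider') {
    try {
        $cipher = New-Object "System.Security.Cryptography.$name"
        if ($name -eq 'RijndaelManaged') {
            $cipher.BlockSize = 128   # AES is Rijndael with a fixed 128-bit block
        }
        $results[$name] = [System.BitConverter]::ToString((Protect-Bytes $cipher $key $iv $plain))
        "$name : $($results[$name])"
    } catch {
        # Under an enforced FIPS policy this branch is taken for RijndaelManaged.
        "$name : unavailable - $($_.Exception.GetBaseException().Message)"
    }
}

if ($results.Count -eq 2) {
    "Ciphertext identical: $($results.RijndaelManaged -eq $results.AesCryptoServiceProvider)"
}
```

On a client without the FIPS policy both lines print the same hex string and the final line reports True; on a client with the policy enforced RijndaelManaged reports unavailable while AesCryptoServiceProvider still encrypts, which is the behaviour the switch proposed in this thread would give the fog-client. A server-side decryptor using plain AES-256-CBC is unaffected either way, because the bytes on the wire do not change.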