Unable to get token with USER creds

Problem

The "Unable to get token with USER creds" error message appears in the WGSS (Nymi) log file when a user performs an NFC tap with their Nymi Band, for example, to log into Evidian SSO.

The "Object not found" error message appears on screen.

Upon inspection of the WGSS (Nymi) log file, the following error messages appear after the "Unable to get token with USER creds" error:

WearableExtension.cpp :0440: Ext::GetListOfVisibleDevices returns: 0x8101201c
WearableExtension.cpp :0441: 0 visible devices
AutoChrono.cpp :0029: [TIME] Wearable::FreeListOfDevices() : 0 ms
WearableExtension.cpp :0495: <- CWearableExtension::ValidateProvisions returned: 0x81010009
AutoLock.cpp :0178: CS Unlock(WEProtectDll)
WearableContext.cpp :0460: <- CWearableContext::ConnectUserWearableDevice returned: 0x81010009

The Evidian Errors and Events application provides the following error message for the 0x8101201c error code: FMK_E_SECURITY_CERTIFICATECHAINNOTTRUSTED

Inspection of the C:\Windows\System32\config\systemprofile\AppData\Roaming\Nymi\NSL\<string>\ksp directory shows that there are only the 8 locally-generated certificate files. 

The nymi_api.log file displays the following errors:

WARN - Verifying NEA certs without an NES connection. Some checks will be skipped.
ERROR - NSL: nsl_verify_nea_cert_chain, 2227, 5
ERROR - Error: ErrorWithMessage { error: MissingCerts, specifics: "Missing NES connection parameters. Please call `init` with additional fields \'nes_url\' and \'token\'" }
INFO - sending update to nea {"operation":"init","exchange":"30809","status":8000,"payload":{},"error":{"error_description":"NEA missing certificates.","error_specifics":"Missing NES connection parameters. Please call `init` with additional fields 'nes_url' and 'token'"}}
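
The two log excerpts above can be checked together. The following is an added example, not Nymi or Evidian code: a small triage function that looks for the 0x8101201c return code in the WGSS log and the MissingCerts / "NEA missing certificates." status in nymi_api.log. The function name and result keys are hypothetical; the sample lines are copied from the excerpts in this article.

```python
import json
import re

CHAIN_NOT_TRUSTED = 0x8101201C  # FMK_E_SECURITY_CERTIFICATECHAINNOTTRUSTED (per this article)
RETURN_RE = re.compile(r"(?P<func>[\w:]+)\s+return(?:s|ed):\s+(?P<code>0x[0-9a-fA-F]+)")
NEA_UPDATE_RE = re.compile(r"sending update to nea (?P<json>\{.*\})\s*$")

def triage(wgss_lines, api_lines):
    """Report whether the two logs show the failure described in this article."""
    finding = {"chain_not_trusted_call": None, "missing_certs": False, "nea_error": None}
    for line in wgss_lines:
        m = RETURN_RE.search(line)
        # Other return codes (for example 0x81010009) are not decoded by the article.
        if m and int(m["code"], 16) == CHAIN_NOT_TRUSTED:
            finding["chain_not_trusted_call"] = m["func"]
    for line in api_lines:
        if "error: MissingCerts" in line:
            finding["missing_certs"] = True
        m = NEA_UPDATE_RE.search(line)
        if m:
            try:
                err = json.loads(m["json"]).get("error") or {}
            except json.JSONDecodeError:
                continue  # truncated line, skip it
            finding["nea_error"] = err.get("error_description")
    finding["matches_article"] = finding["chain_not_trusted_call"] is not None and (
        finding["missing_certs"] or finding["nea_error"] == "NEA missing certificates.")
    return finding

# Sample lines copied from the log excerpts in this article.
SAMPLE_WGSS = """
WearableExtension.cpp :0440: Ext::GetListOfVisibleDevices returns: 0x8101201c
WearableExtension.cpp :0495: <- CWearableExtension::ValidateProvisions returned: 0x81010009
""".strip().splitlines()
SAMPLE_API = r"""
ERROR - Error: ErrorWithMessage { error: MissingCerts, specifics: "Missing NES connection parameters. Please call `init` with additional fields \'nes_url\' and \'token\'" }
INFO - sending update to nea {"operation":"init","exchange":"30809","status":8000,"payload":{},"error":{"error_description":"NEA missing certificates.","error_specifics":"Missing NES connection parameters. Please call `init` with additional fields 'nes_url' and 'token'"}}
""".strip().splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_WGSS, SAMPLE_API))
```

A result with matches_article set to True points to the certificate retrieval problem described under Cause, not to a fault in the Nymi Band itself.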

Cause

The user terminal cannot retrieve the NEA certificates from the NES server over port 443 (by default). NEA certificates are used to secure communications between the Nymi Band and the BLE adapter. The NEA certificates are a combination of 8 locally-generated certificate files and 12 NES-generated certificate files.

By default, the NEA certificates on a user terminal expire every 14 days. When the certificates expire, the user terminal initiates a request to retrieve certificates from the NES server when the EAM Security Service restarts or when an action occurs that requires certificates.

Resolution

Perform the following sequence of actions to determine the cause of the communication issue.

1. Review the IIS log file in the C:\inetpub\logs directory on the IIS server that hosts the NES instance to confirm that communication between the user terminal and NES server occurs over http/https.  

2. Confirm that the user terminal can successfully request authentication by token with the NES server.

3. Review Troubleshooting Basic Connectivity Issues to confirm that the client can communicate with the NES server.

4. Inspect firewall logs to confirm that bi-directional communication occurs between the client and server over http/https.

5. Review Troubleshooting Advanced Connectivity issues.
