Summary
At times you may see some users getting a Device Trust Verification Error without a message explaining the details of the error. These are often caused by certificate-related issues on the client's device and can range from 3rd party apps intercepting TLS to the user's certificate no longer existing in the device's certificate store.
Problem Description
The device is unable to send the Managed-Device certificate to the Banyan Trustprovider endpoint while accessing the Banyan App or a Banyan-protected SaaS App. When the Banyan Trustprovider is not able to get the device certificate, it has no identifying information of the user or device and thus authentication with Banyan fails. You can identify the TrustProvider as the domain of <YourORG>.trust.banyanops.com. An example of the certificate in question is shown below:
Troubleshooting Steps
MacOS
Keychain prompts during the first-time login.
When users first register and sign in on MacOS they will get a Keychain Prompt when the browser wants to access the Managed-Device-<SERIALNUMBER> certificate stored in the login keychain.
If the user clicks "Deny" at this step, the browser will not send the device certificate to the TrustProvider endpoint, thus causing a Device Trust Verification Error. If the user has already clicked Deny, have them clear their browser data, restart the browser, and try again.
The Browser Policy Does Not Exist in the Keychain or is Not in Effect
When users register with the Banyan Desktop App on MacOS we create an "Identity Preference" in the Login Keychain which matches up to a browser policy as shown below:
This Identity Preference is used to tell the browser what certificate to use on the TrustProvider endpoint with Banyan. You can find this identity Preference inside the "Keychain Access" app under the Login keychain. The name will be <YourORG>.trust.banyanops.com. If the identity preference does not exist, you will need to re-register the Banyan App in order to have it generated again. You can do so by going to Settings > My Organization > Unregister Device as shown below:
Then the user will be prompted to re-register. If the identity preference does exist or you just re-registered and are seeing the Device Trust Verification Error. Ensure the policy is active with the browser. These policies can often take a browser restart to take effect after they are created. As a reminder, many browsers like Google Chrome run in the background, and closing the active browser windows is not sufficient. Please be sure the process is restarted.
Windows
The Browser Policy Does Not Exist in the Registry or is Not in Effect
When a user registers the Banyan Desktop App on a Windows device we create a registry key to add a browser policy that uses the Managed-Device certificate created during registration for authentication against the TrustProvider endpoint. The policy will start with "pattern":"<YOURORG>.trust.banyanops.com". As an example, see the location and registry key created below:
If this browser policy for AutoSelectCertificateForUrls does not exist you will need to unregister from the Banyan app. Do so by navigating to Settings > My Organization > Unregister Device.
If the browser policy does exist or you re-registered, be sure to fully restart your browser for the changes to take into effect. Please note many browsers do not fully close when you close the active windows. Please ensure the running background process(es) for the browser gets restarted.
All Operating Systems
The Device Certificate is Expired
When you register your device with Banyan that registration is valid for one which will auto-renew a month before expiration. This is tracked on the device in the form of a certificate named Managed-Device-<SerialNumber> stored in the Login Keychain on MacOS or the Personal Certificate Store on Windows. You may inspect the certificate at the location to determine if the certificate has expired.
In versions of the app prior to 3.3.0, this renewal may be interrupted by third-party proxies or VPNs which may cause renewal to fail. If your certificate does enter an expired state you will want to re-register to get a new certificate generated for your device registration. To do so successfully, go to the App Settings > My Organizations > Unregister Device. Once finished the user will be prompted to re-register.
Once done the user will get a new certificate issued to the device!
Third-Party Applications Interrupting the Certificate Transfer During Authentication
A common cause of the Managed-Device certificate not being sent to the Trustprovider endpoint is a third-party security application or proxy which performs TLS introspection. This can cause the Device Certificate to be stripped out of the request to the Banyan endpoints. Ensure the device is clear or Banya is whitelisted in any tools such as Fiddler, Avast, NetSkope or other traffic inspection services when authenticating to Banyan.
It is possible for wider issues that affect multiple users that there is a network-level introspection into web traffic which may be stripping the Device certificate out of the request. To solve this, please ensure no such services are configured during authentication with Banyan.
Outcome
There may be other scenarios covered here which are not covered here which may prevent the certificate from being sent. If you encounter this issue and this article did not solve the problem. Please open a ticket with Banyan Support and our support team will be happy to assist in investigating the cause!
Further reading
Comments
0 comments
Please sign in to leave a comment.