To stay updated on your favorite discussions, please create an account or log in. Then, click the Bookmark icon to subscribe and receive notifications.

WAAPI_ERROR_INVALID_CREDENTIALS error on software deployment

Options
Eddiebzh
Eddiebzh W/ Member Posts: 3 Security Scout

Hi,

I work in a High school in France. We have WithSecure EEP on servers and Workstation in Windows 10/11, in a Windows Active Directory Domain.

We have many error in software deployment (not for microsoft updates) : WAAPI_ERROR_INVALID_CREDENTIALS

Users do no have administrator rights on their workstation.

What can we do for this ? Is there a solution or a way to indicate administrator credentials ?

Thanks in advance for your response.

Answers

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 243 Moderator
    Options

    Hi @Eddiebzh

    Thank you for reaching out the WithSecure Community,

    Based on the error you reported, we kindly request you to collect the debug fsdiag logs for further analysis. To generate these logs, please refer to the following article: How to Generate Debug Fsdiag Logs for Elements Endpoint Protection, Client Security, and Server Security.

    Once you have collected the logs, please contact WithSecure support. They will be able to assist you with a deeper analysis of the issue and provide appropriate guidance.

    In the meantime, you can also have an option to exclude the problematic software updates in your Elements portal. You can refer to this article: https://community.withsecure.com/en/kb/articles/29709-how-to-exclude-specific-software-updates-from-software-updater-in-withsecure-elements-endpoint-protection

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home

  • Hmmm
    Hmmm W/ Partner Posts: 2 Security Scout
    Options

    We have had the same problem with the error WAAPI_ERROR_INVALID_CREDENTIALS in Patch Management. Did you find a solution for this problem?

  • JamesC
    JamesC W/ Partner, W/ Staff, W/ Moderator Posts: 519 Moderator
    Options

    Hi @Hmmm

    Please submit a support ticket with debug logs so we can investigate with our Software Updater vendor

    When full debug logging is enabled, an Fsdiag will gather more in depth and additional log files, which help in some problem investigations. 

    Debug logging can be enabled directly from the WithSecure user interface in the following products: Elements EPP for Computers, Elements EPP for Servers and Client Security 15.10 and later. Debug loggin can also be enabled using the Elements Security Center from with Endpoint protectin portal.

    Steps how to enable advanced debug logging (full logging) on a Windows system for: 

    1. Open the WithSecure product user interface
    2. Select Settings (Cogwheel icon)
    3. Select Edit settings
    4. Click Yes on User Account Control prompt (provide admin credentials if requested)
    5. Select Support
    6. In the Tools section, enable debug logging by tapping the On/Off switch below Debug logging helps customer support to analyze issues.. -text
    7. Reproduce the steps that caused the original problem, take note of exact time of the problem
    8. Generate an FSDIAG diagnostic file by following the steps explained in this link: How to create or generate a WSDIAG diagnostics file on a Windows computer? - WithSecure Community
    9. Open the F-Secure product user interface
    10. Select Settings (Cogwheel icon)
    11. Select Edit settings
    12. Click Yes on User Account Control prompt (provide admin credentials if requested)
    13. Select Support
    14. In the Tools section, disable debug logging by tapping the On/Off switch below Debug logging helps customer support to analyze issues.. -text

    Steps how to enable advanced debug logging (full logging) operation from the Elements Endpoint Protection Portal

    1. Login to the Elements Security Center at https://elements.withsecure.com
    2. Select End Point Protection using the Navigation bar.
    3. Select Devices using the Navigation bar.
    4. Select one or more devices by checking the checkbox in front of the device.
    5. From the Diagnostic operations button, select the option Turn on debug logging
    6. Select an option for how long to enable debug logging. The default option is 2 hours. 
    7. Click the Turn on button.
    8. Reproduce the problematic operation.

    In case the option described above are not available, follow the steps below:

    1. Download the debug tool from download.f-secure.com/support/tools/CCF-logging-tool/fsloglevel.exe
    2. Double click fsloglevel.exe
    3. Select Full Logging
    4. Click OK
    5. Restart the computer
    6. Reproduce the steps that caused the original problem, take note of exact time of the problem
    7. Generate an FSDIAG diagnostic file by following the steps explained in this link: How to create or generate a WSDIAG diagnostics file on a Windows computer? - WithSecure Community
    8. Run the fsloglevel.exe tool a second time after submitting the logs
    9. Click on Normal Logging to turn off the debug mode (debug mode slows down the machine slightly)

  • Eddiebzh
    Eddiebzh W/ Member Posts: 3 Security Scout
    Options

    Hi @Hmmm

    No solution found so far. We use another software for deploying upgrade to non microsoft software.

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 243 Moderator
    Options

    Hi @Eddiebzh

    I'm sorry to hear that you used another software application to deploy upgrades for non-Microsoft software. If you reconsider and decide to utilize our Software Updater feature for deploying non-Microsoft software, please feel free to contact our WithSecure support team.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™  https://community.withsecure.com/home/leaving?allowTrusted=1&target=https%3A%2F%2Fwww.withsecure.com%2Fen%2Fhome

  • Eddiebzh
    Eddiebzh W/ Member Posts: 3 Security Scout
    Options

    Hello,

    Since 2 month, There is much less error signed WAAPI_ERROR_INVALID_CREDENTIALS, but a new error appeared instead: WAAPI_ERROR_INVALID_SIGNATURE for the Audacity, PDF24, and GIMP package.

  • Sethu Laks
    Sethu Laks W/ Partner, W/ Staff, W/ Moderator Posts: 243 Moderator
    Options

    Hi @Eddiebzh

    In the past, we encountered a similar case, and the following steps proved effective in resolving the customer's issue. It's likely that fssua.exe isn't trusted on the system.

    Firstly, ensure that fssua.exe in the directory ...\F-Secure\PSB is trusted by following these steps:

    1. Right-click on the binary, fssua.exe.
    2. Select Properties.
    3. Under the Properties window, switch to "Digital Signatures."
    4. Select the signature and click on the "Details" button.
    5. Click on the "View Certificate" button.
    6. Under the Certificate window, switch to "Certification Path."

    You should be able to determine whether the certificate(s) are trusted on the device at this point.

    If necessary, investigate the counter signature for the certificate as well:

    1. Right-click on the binary, fssua.exe.
    2. Select Properties.
    3. Under the Properties window, switch to "Digital Signatures."
    4. Select the signature and click on the "Details" button.
    5. Select the counter signature under the "Countersignatures" box.
    6. Click on the "Details" button.
    7. Under the Digital Signature Details window, click on the "View Certificate" button.
    8. Under the Certificate window, switch to "Certification Path."

    Check whether the certificates in the counter signature are trusted on this device.

    If the certificate(s) are not trusted, ensure they are trusted.

    Additionally, check the certificates for other binaries in the same directory, ...\F-Secure\PSB:

    • libwa*.dll
    • wa_3rd_party_host_*.exe

    Ensure that the GPO is configured correctly to allow the device to receive the root CA update automatically:

    • Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn off Automatic Root Certificate Update (Set as "Not Configured" or "Disabled")

    Also, ensure that the CA, DigiCert Trusted Root G4, is trusted on the system. You can export the CA from a working system or download it from:

    [Link: https://knowledge.digicert.com/generalinformation/INFO4231.html]

    Next, import the CA into the certificate store.

    If the issue persists, run the following in an elevated PowerShell window to update the root CA manually:

    1. Download the root CA into roots.sst:certutil.exe -generateSSTFromWU .\roots.sst
    2. Import the root CA into the certificate store:$sstStore = ( Get-ChildItem -Path .\roots.sst )$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root

    After this, run the following command:

    certutil -f –urlfetch -verify <file path to the certificate that is used to digitally sign the binary, fssua.exe>

    If the issue still remains, please contact our WithSecure support and provide us with the debug WSdiag logs so that we can further investigate with our backend team.

    Best regards,
    Sethu
    Community Moderator | Technical Support Engineer
    WithSecure™ https://www.withsecure.com/en/home