WAAPI_ERROR_INVALID_CREDENTIALS error on software deployment
Hi,
I work in a high school in France. We have WithSecure EEP on servers and workstations running Windows 10/11, in a Windows Active Directory domain.
We have many errors in software deployment (not for Microsoft updates): WAAPI_ERROR_INVALID_CREDENTIALS
Users do not have administrator rights on their workstation.
What can we do about this? Is there a solution or a way to indicate administrator credentials?
Thanks in advance for your response.
Answers
-
Hi @Eddiebzh
Thank you for reaching out to the WithSecure Community.
Based on the error you reported, we kindly request you to collect the debug fsdiag logs for further analysis. To generate these logs, please refer to the following article: How to Generate Debug Fsdiag Logs for Elements Endpoint Protection, Client Security, and Server Security.
Once you have collected the logs, please contact WithSecure support. They will be able to assist you with a deeper analysis of the issue and provide appropriate guidance.
In the meantime, you also have the option to exclude the problematic software updates in your Elements portal. You can refer to this article:
Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™
1 -
We have had the same problem with the error WAAPI_ERROR_INVALID_CREDENTIALS in Patch Management. Did you find a solution for this problem?
0 -
Hi @Hmmm
Please submit a support ticket with debug logs so we can investigate with our Software Updater vendor.
When full debug logging is enabled, an Fsdiag will gather more in-depth and additional log files, which help in some problem investigations.
Debug logging can be enabled directly from the WithSecure user interface in the following products: Elements EPP for Computers, Elements EPP for Servers and Client Security 15.10 and later. Debug logging can also be enabled using the Elements Security Center from within the Endpoint Protection portal.
Steps how to enable advanced debug logging (full logging) on a Windows system for:
- Open the WithSecure product user interface
- Select Settings (Cogwheel icon)
- Select Edit settings
- Click Yes on User Account Control prompt (provide admin credentials if requested)
- Select Support
- In the Tools section, enable debug logging by tapping the On/Off switch below the "Debug logging helps customer support to analyze issues." text
- Reproduce the steps that caused the original problem, take note of exact time of the problem
- Generate an FSDIAG diagnostic file by following the steps explained in this link: How to create or generate a WSDIAG diagnostics file on a Windows computer? - WithSecure Community
- Open the F-Secure product user interface
- Select Settings (Cogwheel icon)
- Select Edit settings
- Click Yes on User Account Control prompt (provide admin credentials if requested)
- Select Support
- In the Tools section, disable debug logging by tapping the On/Off switch below the "Debug logging helps customer support to analyze issues." text
Steps how to enable advanced debug logging (full logging) operation from the Elements Endpoint Protection Portal
- Login to the Elements Security Center at https://elements.withsecure.com
- Select End Point Protection using the Navigation bar.
- Select Devices using the Navigation bar.
- Select one or more devices by checking the checkbox in front of the device.
- From the Diagnostic operations button, select the option Turn on debug logging.
- Select an option for how long to enable debug logging. The default option is 2 hours.
- Click the Turn on button.
- Reproduce the problematic operation.
In case the options described above are not available, follow the steps below:
- Download the debug tool from download.f-secure.com/support/tools/CCF-logging-tool/fsloglevel.exe
- Double click fsloglevel.exe
- Select Full Logging
- Click OK
- Restart the computer
- Reproduce the steps that caused the original problem, take note of exact time of the problem
- Generate an FSDIAG diagnostic file by following the steps explained in this link: How to create or generate a WSDIAG diagnostics file on a Windows computer? - WithSecure Community
- Run the fsloglevel.exe tool a second time after submitting the logs
- Click on Normal Logging to turn off the debug mode (debug mode slows down the machine slightly)
0 -
Hi @Eddiebzh
I'm sorry to hear that you used another software application to deploy upgrades for non-Microsoft software. If you reconsider and decide to utilize our Software Updater feature for deploying non-Microsoft software, please feel free to contact our WithSecure support team.
Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™
0 -
Hello,
For the past 2 months, there have been far fewer WAAPI_ERROR_INVALID_CREDENTIALS errors, but a new error has appeared instead: WAAPI_ERROR_INVALID_SIGNATURE for the Audacity, PDF24, and GIMP packages.
0 -
Hi @Eddiebzh
In the past, we encountered a similar case, and the following steps proved effective in resolving the customer's issue. It's likely that fssua.exe isn't trusted on the system.
Firstly, ensure that fssua.exe in the directory ...\F-Secure\PSB is trusted by following these steps:
- Right-click on the binary, fssua.exe.
- Select Properties.
- Under the Properties window, switch to "Digital Signatures."
- Select the signature and click on the "Details" button.
- Click on the "View Certificate" button.
- Under the Certificate window, switch to "Certification Path."
You should be able to determine whether the certificate(s) are trusted on the device at this point.
If necessary, investigate the counter signature for the certificate as well:
- Right-click on the binary, fssua.exe.
- Select Properties.
- Under the Properties window, switch to "Digital Signatures."
- Select the signature and click on the "Details" button.
- Select the counter signature under the "Countersignatures" box.
- Click on the "Details" button.
- Under the Digital Signature Details window, click on the "View Certificate" button.
- Under the Certificate window, switch to "Certification Path."
Check whether the certificates in the counter signature are trusted on this device.
If the certificate(s) are not trusted, ensure they are trusted.
Additionally, check the certificates for other binaries in the same directory, ...\F-Secure\PSB:
- libwa*.dll
- wa_3rd_party_host_*.exe
Ensure that the GPO is configured correctly to allow the device to receive the root CA update automatically:
- Computer Configuration / Administrative Templates / System / Internet Communication Management / Internet Communication settings / Turn off Automatic Root Certificate Update (Set as "Not Configured" or "Disabled")
Also, ensure that the CA, DigiCert Trusted Root G4, is trusted on the system. You can export the CA from a working system or download it from:
https://knowledge.digicert.com/generalinformation/INFO4231.html
Next, import the CA into the certificate store.
If the issue persists, run the following in an elevated PowerShell window to update the root CA manually:
- Download the root CA into roots.sst:
certutil.exe -generateSSTFromWU .\roots.sst
- Import the root CA into the certificate store:
$sstStore = ( Get-ChildItem -Path .\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
After this, run the following command:
certutil -f -urlfetch -verify <file path to the certificate that is used to digitally sign the binary, fssua.exe>
If the issue still remains, please contact our WithSecure support and provide us with the debug WSdiag logs so that we can further investigate with our backend team.
Best regards,
Sethu
Community Moderator | Technical Support Engineer
WithSecure™
0
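The checks from the post above (signer and countersignature chains for fssua.exe and its companion binaries, the DigiCert Trusted Root G4 entry, and the root auto-update policy), gathered into one PowerShell script as an added example; this is not WithSecure's code. `$PsbDir` is an assumed parameter standing in for the elided ...\F-Secure\PSB path, and the registry value read at the end is the one the named GPO setting writes.

```powershell
# Added example: audits the trust checks from the post above on one machine.
param(
    # Assumption: full path of the ...\F-Secure\PSB directory; the post elides
    # the prefix, so the caller supplies it.
    [Parameter(Mandatory)] [string] $PsbDir
)

function Get-ChainSummary {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    if (-not $Cert) { return 'none present' }
    # $true = machine context, i.e. the stores a service running on the device sees.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Judge trust against the local stores only; revocation is not fetched here.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Cert)
    # Chain elements come leaf first, root last.
    $path = ($chain.ChainElements |
        ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' -> '
    $why = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    if ($trusted) { "trusted: $path" } else { "NOT trusted ($why): $path" }
}

# Binaries named in the post.
$files = 'fssua.exe', 'libwa*.dll', 'wa_3rd_party_host_*.exe' | ForEach-Object {
    Get-ChildItem -Path (Join-Path $PsbDir $_) -File -ErrorAction SilentlyContinue
}

$files | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        File             = $_.Name
        Status           = $sig.Status   # Valid, NotTrusted, HashMismatch, NotSigned, ...
        SignerChain      = Get-ChainSummary $sig.SignerCertificate
        CountersignChain = Get-ChainSummary $sig.TimeStamperCertificate
    }
} | Format-List

# Root named in the post; matched by subject because the page gives no thumbprint.
$g4 = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like 'CN=DigiCert Trusted Root G4,*' }

# Registry value behind "Turn off Automatic Root Certificate Update" (1 = turned off).
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' `
    -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue

[pscustomobject]@{
    DigiCertTrustedRootG4InStore = [bool]$g4
    RootAutoUpdateTurnedOffByGpo = ($pol.DisableRootAutoUpdate -eq 1)
}
```

A chain reported as NOT trusted whose last element is a root missing from the machine store points back to the root-update steps in the post.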