
Administrator manual

Description

Excalibur uses the user's smartphone as a secure hardware token for all authentication and authorization needs. The goal is to move every form of authentication and authorization away from passwords and replace them, seamlessly, with smartphone-based multi-factor authentication that is strong yet user friendly.

One of the core innovations of Excalibur is that it can change the password on every login, which neutralizes attacks that rely on stolen or reused credentials. In the Excalibur user flow the password is no longer typed by the user; the user never even knows it. It is a random string handled in the background and injected into the login process by Excalibur. The user instead interacts only with the smartphone, using it to provide the authentication factors required by the configured security policy.

Excalibur supports the main platforms and authentication protocols. A company may nevertheless still run legacy applications that require their own integration. For such situations Excalibur supports an operating mode in which the password does not change automatically (Static mode).

This allows a heterogeneous deployment, e.g. logging in to Windows with Excalibur while logging in with the password to legacy applications that are not part of the Excalibur SSO system.

Static or Dynamic mode can be configured for selected users or for all users, according to the company's needs.

Static password mode makes deployments easy to roll out and low-risk for the organization, because the password can always be used as a fallback. The trade-off is that the password remains a long-lived credential, so the protection against credential theft provided by per-login password changes applies only in Dynamic mode.

Architecture

Client part

Excalibur Token - Excalibur uses the smartphone as a security token, which is why the smartphone running the Excalibur application is called the Excalibur Token. It is used for all interaction with the user: entering authentication factors, showing session history and remotely locking / terminating active sessions. The Excalibur Token uses phone-based biometrics and the hardware-backed secure element whenever the device provides them.

Excalibur Client - in the Excalibur context, a Client is any endpoint that requires login or authorization of the user via their Token. The Client also provides the Excalibur login screen, the Excalibur Credential Provider (CP), which for OS login is launched on the main logon screen. Clients also include integrations into endpoint software, such as VPNs or websites.

Server part

Excalibur Server (application) - provides the persistent network and storage central point and must be reachable by all components. It also hosts the Management Interface (Dashboard) and the WebSDK, which handles communication and operations with the integration components.

Excalibur Facade - the Active Directory integration component. It must be installed on at least one Active Directory domain controller, runs as a system service and integrates with AD via the Directory Replication Service (DRS) Remote Protocol, with fallback to LDAP. Users do not communicate with this component directly.

Excalibur CA (cloud) - The Excalibur Certificate Authority manages the intermediate (company) certificates of companies that use the Excalibur Enterprise system and, on request (certificate signing request), issues user certificates for the Excalibur Enterprise components in those companies. The Excalibur CA is part of the architecture for two reasons:

  • licensing control - the company certificate is issued only for the contractual / agreed period, so its validity period enforces the license.
  • elimination of a single point of failure (and compromise) - keeping the company certificate in the cloud, outside the company's own administration, improves security if the company's environment is compromised: an attacker who controls the company infrastructure still cannot issue valid user certificates.

User management

User roles in the Excalibur Enterprise system (Dashboard).

User - the end user who uses Excalibur to authenticate, authorize or verify against a company Client with their own Token, and who can manage their sessions if the Client allows it. A user can also authenticate their colleagues (if allowed and required), change their own authentication factors and change an expired password on the Client (if necessary). Every user can log in to the Excalibur Dashboard, where a regular user sees only their own account details, actions and sessions.

Manager - in addition to User privileges, a Manager has access in the Dashboard to further data about their own account and about the accounts of the users they manage, and can remotely terminate those users' sessions. A Manager cannot change security rules (only view them) and has no access to several parts of the Dashboard, such as groups, roles, security policies or auditing. The Manager is the role that routinely verifies sensitive actions, or actions with incidents, of their subordinates.

Administrator - in addition to Manager privileges, the Administrator has access to all data in the Dashboard and may change security policies, geofences, groups and other settings for anyone. The Administrator is also the person designated in the company to install and configure Excalibur and to configure the company's environment in line with Excalibur's requirements. It is the highest user role in Excalibur and in the Dashboard.

There are also user roles with specific permissions in the Dashboard, such as Service Desk or Auditor.

Warning

Note that not even the Administrator can edit the history of Excalibur events (event log, timeline, sessions, incidents, verifications and errors): they are recorded as they occur in the event sequence.

Activities and procedures

List and description of administrator activities

Excalibur Facade

  • Installation and update of the service.
  • Restart / stop of the service in case of a crash.
  • Obtaining and sending logs / dumps for debugging purposes.

Excalibur Server

  • Installation and update of the application server.
  • Changing the configuration parameters of the application server (certificates, ports, log levels, ...).
  • Obtaining and sending logs from clients and facades for debugging purposes.
  • Monitoring the operation of the Excalibur system via application monitoring.
  • Adding (WebSDK) components, changing security policies, group administration, ...

Excalibur Client

  • Installation and update of the service.
  • Restart / stop of the service in case of a crash.
  • Obtaining and sending logs / dumps for debugging purposes.

List of parameters and configuration files

Excalibur Server

Directory structure - /opt/excalibur

  • 📁 3.2.1* - folder with the Excalibur Server application files (* = number of the currently installed Excalibur Server version).
  • 📁 config - configuration files for the server and the individual subsystems.
  • 📁 excalibur.sh - script that starts the server.
  • 📁 gorush.sh - script that starts the gorush server (push messaging).

/opt/excalibur/config/excalibur.json - main server configuration.

  • version - currently installed version.
  • hostname - hostname of the Excalibur server.
  • port - port settings for the individual system components.
  • tls - certificate settings for HTTPS (Dashboard).
  • database - settings for the database connector:
      • mysql - host, user, password, database, port.
      • oracle - host, password, connectString.

Warning

Changes in the main configuration will not take effect until the server is restarted!
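Because excalibur.json carries the database credentials and the TLS settings for the Dashboard, it is worth checking after every change and before the restart. The script below is an added example, not part of the Excalibur distribution: it parses a file laid out with the keys listed above and reports missing sections, an empty tls section, a connector without a password, and a file mode that lets other local users read the credentials. The nesting of mysql / oracle under database, the sub-keys of port and tls, and the sample configuration embedded in the script are assumptions constructed for the demonstration.

```python
"""Sanity checks for /opt/excalibur/config/excalibur.json.

Added example, not Excalibur's own code. Assumptions (not documented on this
page): the file is plain JSON, the mysql / oracle connectors are nested under
"database", and the content of "tls" and "port" is only checked for presence.
"""
from __future__ import annotations

import json
import os
import stat
import tempfile

# Constructed sample configuration; it deliberately contains two problems
# (empty tls section, empty MySQL password) so the checks below fire.
SAMPLE_CONFIG = {
    "version": "3.2.1",
    "hostname": "excalibur.example.internal",      # assumed hostname
    "port": {"dashboard": 443, "websdk": 8443},     # assumed port layout
    "tls": {},
    "database": {
        "mysql": {
            "host": "db.example.internal",
            "user": "excalibur",
            "password": "",
            "database": "excalibur",
            "port": 3306,
        }
    },
}

REQUIRED_TOP_LEVEL = ("version", "hostname", "port", "tls", "database")
# Fields per connector, as listed in this manual.
CONNECTOR_FIELDS = {
    "mysql": ("host", "user", "password", "database", "port"),
    "oracle": ("host", "password", "connectString"),
}


def check_config(cfg: dict) -> list[str]:
    """Return a list of findings for a parsed excalibur.json; [] means clean."""
    findings = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in cfg:
            findings.append(f"missing top-level key: {key}")
    if not cfg.get("tls"):
        findings.append("tls: section empty, the Dashboard would not be served over HTTPS")
    db = cfg.get("database") or {}
    connectors = [name for name in CONNECTOR_FIELDS if name in db]
    if not connectors:
        findings.append("database: neither mysql nor oracle connector configured")
    for name in connectors:
        section = db[name]
        for field in CONNECTOR_FIELDS[name]:
            if field not in section:
                findings.append(f"database.{name}: missing field {field}")
        if not section.get("password"):
            findings.append(f"database.{name}: empty password")
    return findings


def check_permissions(path: str) -> list[str]:
    """excalibur.json holds database credentials: only its owner should read it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path}: mode {oct(mode)} is readable by group/others, expected 0600"]
    return []


def audit_file(path: str) -> list[str]:
    """Combine the permission check and the content checks for one file."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    return check_permissions(path) + check_config(cfg)


def audit_sample() -> list[str]:
    """Write the constructed sample with loose permissions and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as tmp:
        json.dump(SAMPLE_CONFIG, tmp)
    try:
        os.chmod(tmp.name, 0o644)
        return audit_file(tmp.name)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    # On a real server: audit_file("/opt/excalibur/config/excalibur.json")
    for finding in audit_sample():
        print("FINDING:", finding)
```

Run it against the real path after each configuration change; an empty result means the file can be restarted into. The permission check is the one most often forgotten: the file is read only by the server process, so 0600 owned by the account that runs excalibur.sh is sufficient.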

/opt/excalibur/config/logger.json - logging configuration (e.g. levels).

/etc/logrotate.d/excalibur - rotation of the log files.

/etc/cron.d/excalibur - crontab entry that archives the application log folder.

Note

The server is restarted periodically, every 8 hours, so that allocated system resources are released. Night mode allows manual and zombie sessions to be processed.

Excalibur Client

Clients (currently) do not have any editable configuration and are delivered preconfigured for a specific company as part of the installation delivery.

Directory structure - C:\Program Files\Excalibur Enterprise

  • 📁 cache - unsent, temporarily stored application (flow) action logs.
  • 📁 data - static data of the application.
  • 📁 dumps - memory dumps in case of application crash.
  • 📁 logs - logs from the running application.
  • 📁 ExcaliburClient.exe - executable file (service) of the client.
  • 📁 ExcaliburCredentialProvider.dll - library for Credential Provider.
  • 📁 ExcaliburCredentialProviderUI.exe - executable file for Credential Provider.

Note

Excalibur Client keeps its own entries in the system registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Excalibur Enterprise\Excalibur. They must not be edited or deleted; doing so directly breaks the client's functionality.

Excalibur Facade

The facade (currently) does not have any editable configuration and is delivered preconfigured for a specific company as part of the installation delivery.

Directory structure - C:\Program Files\Excalibur Enterprise AD Facade

  • 📁 data - static data of the application.
  • 📁 dumps - memory dumps in case of application crash.
  • 📁 logs - logs from the running application.
  • 📁 ExcaliburADFacade.exe - executable file (service) of facade.

Note

Excalibur Facade keeps its own entries in the system registry under the key HKEY_LOCAL_MACHINE\SOFTWARE\Excalibur Enterprise\Excalibur AD Facade. They must not be edited or erased; doing so directly breaks the functionality of the entire system.

Start and stop of the whole application

In the case of the Excalibur Enterprise system it is not possible to speak of starting / stopping the application as a whole, because several components take part in its operation. Shutting down the Excalibur Server component can, however, be regarded as a proper shutdown of the system, and a correct start is the start of the Excalibur Server and Excalibur Facade components.

Start and stop of individual modules

Excalibur Server

From the operating system's point of view, Excalibur Server is a classic daemon running in the background, controlled primarily with the init.d script (/etc/init.d/excalibur) directly on the server where it is installed. It is started automatically at boot and stopped cleanly when the operating system shuts down or restarts.

Start: $ sudo /etc/init.d/excalibur start

Stop: $ sudo /etc/init.d/excalibur stop

In the administration console (Dashboard) the server can be restarted from the Overview section, Server tab.

Excalibur Facade

From the operating system's point of view, Excalibur Facade is a standard system service; it can be started / stopped either from the system Task Manager or through the Service Control Manager (sc.exe). The commands below must be run with administrator privileges.

Start via SCM: > sc start ExcaliburADFacade

Stop via SCM: > sc stop ExcaliburADFacade

Excalibur Client

From the operating system's point of view, Excalibur Client is a standard system service; it can be started / stopped either from the system Task Manager or through the Service Control Manager (sc.exe). The commands below must be run with administrator privileges.

Start via SCM:
> sc start ExcaliburClient

Stop via SCM:
> sc stop ExcaliburClient

Procedures for determining the status of the application

Excalibur Server

The current status of the Excalibur Server can be obtained in several ways. The most reliable is to read it directly on the server where it is installed. Status information is also propagated to other system components, but may be distorted, e.g. by a loss of connection to the server.

Server - with direct access to the server, the status of the application server is determined using the following command, which summarizes and prints status information:

$ sudo /etc/init.d/excalibur status

Excalibur is running 6 processes
Excalibur is listening on 4 sockets
Disk usage is 46 percent
Excalibur cumulative CPU usage is 0 percent
Excalibur cumulative memory usage is 11.6 percent

Dashboard - information about the server status, current version, and utilization of associated processes (workers / threads) can be found in the Overview section on the Admin Console and on the Server tab.

Token and Client - the status of the application server and its functionality from the end user's point of view can be seen both in the mobile application (settings section Companies) and on the computer login screen, based on the color of the connection indicator.

Excalibur Facade

The current status of Excalibur Facade can be obtained in several ways. The most reliable is to read it directly on the Active Directory Domain Controller (ADDC) where it is installed. Status information is also propagated to other system components, but may be distorted, e.g. by a loss of connection to the server.

ADDC - the current status can be obtained either from the system Task Manager or by querying the Service Control Manager:

> sc query ExcaliburADFacade

SERVICE_NAME: ExcaliburADFacade
TYPE               : 10  WIN32_OWN_PROCESS
STATE              : 4  RUNNING
                        (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

Dashboard - information on the status of facades, their IP addresses, versions and load can be found in the Overview section of the Admin Console, Server tab. These states are distinguished:

  • connected (active) - the facade is connected and is processing all requests at the moment.
  • connected (passive) - the facade is connected, but the server is not communicating with it. If the active facade fails, all communication is automatically redirected to the passive one.
  • disconnected - the facade was connected but is currently unavailable.

Excalibur Client

From the operating system's point of view, Excalibur Client is a standard system service; its current status can be obtained either from the system Task Manager or by querying the Service Control Manager:

> sc query ExcaliburClient

SERVICE_NAME: ExcaliburClient
TYPE               : 10  WIN32_OWN_PROCESS
STATE              : 4  RUNNING
                        (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE    : 0  (0x0)
SERVICE_EXIT_CODE  : 0  (0x0)
CHECKPOINT         : 0x0
WAIT_HINT          : 0x0

The status of individual clients can also be monitored in the Dashboard administration console in the Computers section. However, these statuses are updated continuously, and in the event of a connection failure, the information may be temporarily out of date.
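The status outputs above are meant to be read by a person, but the same checks are easy to automate from a monitoring host. The script below is an added example, not Excalibur tooling: it parses the init.d status listing and `sc query` output into dictionaries and turns them into findings (no processes or sockets, disk or memory above a threshold, a service that is not RUNNING or exited with an error). The two healthy samples are the listings reproduced in this manual, with the indentation sc.exe prints; the stopped-service sample and the thresholds are constructed for the demonstration.

```python
"""Turn the status output shown above into a machine-checkable health record.

Added example, not Excalibur's own tooling. The two healthy sample outputs are
the init.d status and `sc query` listings reproduced in this manual; the third
(a stopped service) and the alert thresholds are constructed for the demo.
"""
from __future__ import annotations

import re

INITD_STATUS = """\
Excalibur is running 6 processes
Excalibur is listening on 4 sockets
Disk usage is 46 percent
Excalibur cumulative CPU usage is 0 percent
Excalibur cumulative memory usage is 11.6 percent
"""

SC_QUERY_RUNNING = """\
SERVICE_NAME: ExcaliburADFacade
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed: what sc query prints for a client service whose process died.
SC_QUERY_STOPPED = """\
SERVICE_NAME: ExcaliburClient
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1067  (0x42b)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

DISK_WARN_PERCENT = 80.0   # assumed; the manual warns that verbose logging fills the disk
MEM_WARN_PERCENT = 85.0    # assumed

_INITD_FIELDS = {
    "processes": r"running (\d+) processes",
    "sockets": r"listening on (\d+) sockets",
    "disk_percent": r"Disk usage is ([\d.]+) percent",
    "cpu_percent": r"CPU usage is ([\d.]+) percent",
    "mem_percent": r"memory usage is ([\d.]+) percent",
}


def parse_initd_status(text: str) -> dict:
    """Extract the numbers from `/etc/init.d/excalibur status`; missing lines become None."""
    status = {}
    for key, pattern in _INITD_FIELDS.items():
        match = re.search(pattern, text)
        status[key] = float(match.group(1)) if match else None
    return status


def parse_sc_query(text: str) -> dict:
    """Extract name, STATE word and WIN32_EXIT_CODE from `sc query <service>` output."""
    name = re.search(r"SERVICE_NAME:\s*(\S+)", text)
    state = re.search(r"STATE\s*:\s*\d+\s+([A-Z_]+)", text)
    exit_code = re.search(r"WIN32_EXIT_CODE\s*:\s*(\d+)", text)
    return {
        "name": name.group(1) if name else None,
        "state": state.group(1) if state else None,
        "exit_code": int(exit_code.group(1)) if exit_code else None,
    }


def server_findings(status: dict) -> list[str]:
    """Findings for the Excalibur Server; [] means healthy."""
    findings = []
    if not status["processes"]:
        findings.append("server: no Excalibur processes running")
    if not status["sockets"]:
        findings.append("server: not listening on any socket")
    if status["disk_percent"] is not None and status["disk_percent"] >= DISK_WARN_PERCENT:
        findings.append(f"server: disk usage {status['disk_percent']:.0f}% (check /var/log/excalibur)")
    if status["mem_percent"] is not None and status["mem_percent"] >= MEM_WARN_PERCENT:
        findings.append(f"server: memory usage {status['mem_percent']:.1f}%")
    return findings


def service_findings(svc: dict) -> list[str]:
    """Findings for a Windows service (Facade or Client); [] means healthy."""
    findings = []
    if svc["state"] != "RUNNING":
        findings.append(f"{svc['name']}: state {svc['state']}, expected RUNNING")
    if svc["exit_code"] not in (0, None):
        findings.append(f"{svc['name']}: WIN32_EXIT_CODE {svc['exit_code']}")
    return findings


if __name__ == "__main__":
    # In production, feed the real command output, e.g. the stdout of
    # subprocess.run(["sudo", "/etc/init.d/excalibur", "status"], capture_output=True, text=True)
    for text, parse, check in ((INITD_STATUS, parse_initd_status, server_findings),
                               (SC_QUERY_RUNNING, parse_sc_query, service_findings),
                               (SC_QUERY_STOPPED, parse_sc_query, service_findings)):
        print(check(parse(text)) or ["ok"])
```

The parsers are deliberately tolerant: a status line that is missing (for example because the init.d script printed an error instead) yields None, and None counts as a finding for processes and sockets, so a broken status command is reported rather than silently passing.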

Logging

In addition to standard application logging, the Excalibur Enterprise system offers detailed anonymized logging of specific actions (flows). These logs can be viewed in the Dashboard console in the Logger section. Logs from the Token can be sent to the vendor to analyze the causes of previously undetected bugs and deficiencies.

Application logs

Excalibur Server - by default writes its log records to two files. Their configuration is in /opt/excalibur/config/logger.json under the filter -> level attribute.

  • 📁 /var/log/excalibur/notice.log - high-level logs of all actions.
  • 📁 /var/log/excalibur/error.log - error logs, levels 0 to 4.

Description of log levels:

0 emergency   // system is unusable
1 alert       // action must be taken immediately
2 critical    // critical conditions
3 error       // error conditions
4 warning     // warning conditions
5 notice      // normal but significant condition
6 info        // informational messages
7 debug       // debug-level messages
8 devel       // development messages

Warning

A high logging level (5 and more) generates a large number of logs, which can cause disk space on the server to become full!

Excalibur Facade - application logs from the facade are written continuously to C:\Program Files\Excalibur Enterprise AD Facade\logs. If the facade is active and connected to the Excalibur Server, these logs can be downloaded from the Overview section, Server tab.

Excalibur Client - application logs from the client are written continuously to C:\Program Files\Excalibur Enterprise\logs. If a given client is active and connected to the Excalibur Server, these logs can be downloaded from the Computers section, in the detail view of that client.

The client code also includes the Excalibur Logger client, which collects flow logs for the individual actions performed while the application runs and then sends them.

Excalibur Token - the token code also includes the Excalibur Logger client, which collects and sends flow logs for the individual actions performed while the mobile application runs. Sending of logs is disabled by default; the user can enable it in the application settings.

System logs

None of the Excalibur Enterprise components write to the standard system logs. If a component crashes, a record of the event can be found in syslog (Excalibur Server) or in the Windows Event Viewer (Excalibur Client / Facade).

Audit logs

Audit logs are written directly to the database server and are available through the Dashboard administration interface in the Audit section to the Administrator and Auditor roles.

Instructions on how to test the functionality of the application

The basic test for verifying the functionality of the entire Excalibur Enterprise system is an online login to the Excalibur Client using the Excalibur Token:

  1. Scan the login QR code with the Excalibur mobile application.
  2. Enter the authentication factors (PIN, fingerprint or Face ID).
  3. The computer should log you in automatically.

For more information on using the mobile application, see the User Manual.

Monitoring

The Excalibur Enterprise system also includes its own application monitoring, available in the Dashboard administration console in the Overview section. Currently monitored parameters are:

  • users - number
  • sessions - type, number
  • incidents - type, number
  • actions - type, status, number
  • clients - version, status, operating system, number
  • tokens - version, status, operating system, number
  • server - process load
  • facades - status, occupancy
  • PAM - disk space usage for records
  • TRESK - status

Typical problems and their solutions

Errors and problems while using Excalibur Enterprise can occur at any stage of the application. From the user's point of view they first appear directly on the mobile phone screen as an error message. The specific error is then propagated to the Dashboard administration console, where it can be traced by action, time and client in the User: Actions section of the detail screen. For more information, see the Administrator Dashboard Manual.

A list of errors that occurred with instructions to resolve them

This chapter describes the most common errors. A list of all errors and their detailed description together with their solutions is described in the error condition documentation.

More frequent errors

err: request_timeout
  Area: Excalibur Token - authentication, registration, change of factors, verification, authorization, termination (lock, logout), password display, location setting.
  Symptoms, defect / incident number: err: request_timeout (origin: Excalibur Token).
  Cause: {ACTION} failed due to a connection problem.
  Solution: User - try again.
  Measure: Check the phone's connection (e.g. by visiting a new website) and make sure the phone does not indicate a limited connection. To verify that the Token can reach the corporate Excalibur Server, open the application settings, which should show a green dot next to the registered company. If the connection looks OK, try {ACTION} again.

err: company_not_initialized
  Area: Excalibur Token - authentication, change of factors, authorization, termination (lock, logout), password display, position setting.
  Symptoms, defect / incident number: err: company_not_initialized (origin: Excalibur Token).
  Cause: {ACTION} is not possible until you register first - Excalibur is not initialized on this phone.
  Solution: User - register and try again.
  Measure: To register (initialize) Excalibur on this phone, start by scanning the registration QR code obtained during self-registration.

err: invalid_credentials
  Area: Excalibur Token - authentication, registration, change of expired password.
  Symptoms, defect / incident number: err: invalid_credentials (origin: Excalibur Facade).
  Cause: {ACTION} failed because the username or password entered is incorrect.
  Solution: User - try again with the correct login information.
  Measure: Provide the correct user information and try again.

err: policy_failed
  Area: Excalibur Token - authentication, registration, change of factors, verification, authorization, password display, location setting.
  Symptoms, defect / incident number: err: policy_failed (origin: Excalibur Server).
  Cause (by variant):
    default - The security policy blocked this attempt on {ACTION} due to a failed factor verification.
    pin_timeout - The security policy blocked this attempt on {ACTION} due to a failed PIN verification. You can retry in {TIMEOUT} seconds.
    failed_factors - The security policy blocked this attempt on {ACTION} due to the failure to verify the following factors: {FACTORS}.
  Solution: User - try again. Admin - assist with the policy.
  Measure: Several security policies in the company may restrict {ACTION}, such as geographic location, date and time, IP address (e.g. the corporate network), or the PIN / fingerprint may simply have been entered incorrectly. Try {ACTION} again as soon as it is available, or contact the Administrator if the current security policy is not suitable.

err: invalid_qr
  Area: Excalibur Token - authentication, registration.
  Symptoms, defect / incident number: err: invalid_qr (origin: Excalibur Token).
  Cause: The scanned QR code for {ACTION} is incorrect.
  Solution: User and Admin - report the error. Support - debug and fix the bug.
  Measure: The QR code was scanned correctly, but its content is invalid. Most likely the user scanned a code that was not generated by Excalibur. Report this error to the Administrator.

err: decrypt_failed
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: decrypt_failed (origin: Excalibur Client).
  Cause: Login failed because the computer has corrupted settings.
  Solution: User - perform another login.
  Measure: Try logging in again. If the login is still unsuccessful, contact the Administrator.

err: static_credentials
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: static_credentials (origin: Excalibur Client).
  Cause: Login failed because the user's password was changed in Active Directory or locally on Windows and must be provided.
  Solution: User - provide the current password.
  Measure: Enter the new password when Excalibur Client prompts for it; if login with the new password is unsuccessful, contact the Administrator.

Less frequent errors

err: no_ldap_for_domain
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: no_ldap_for_domain (origin: Excalibur Client).
  Cause: The user cannot reach the domain.
  Solution: User - contact the Administrator. Administrator - find out what is displayed to the user, check the domain configuration and the account.
  Measure: Problem with the domain configuration; configure the domain.

err: bad_signature
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: bad_signature (origin: Excalibur Client).
  Cause: Cryptographic inconsistency.
  Solution: User - try again and contact the Administrator. Administrator - report a bug.
  Measure: Try logging in again. If the retry fails, contact the Administrator.

err: invalid_data
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: invalid_data (origin: Excalibur WebSDK).
  Cause: Login failed because the data used to log in is invalid or the targeted Client (integration) is not available.
  Solution: User - report a bug. Administrator - debugging.
  Measure: This error requires a new registration. Start by scanning the registration QR code obtained during self-registration. If the problem persists or you are unable to self-register, contact the Administrator.

err: ldap_error
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: ldap_error (origin: Excalibur Token).
  Cause: Unexpected error from the directory service server.
  Solution: User - report a bug. Administrator - 1. make sure the LDAP / AD server is running and the client can connect to it directly; 2. verify the LDAP / AD server configuration.
  Measure: Correct configuration of the LDAP / AD server and of the endpoint clients.

err: unknown_account
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: unknown_account (origin: Excalibur Server).
  Cause: User data on the server is corrupted or missing.
  Solution: User - re-register, report the error. Administrator - assist with re-registration / report a bug.
  Measure: This error requires a new registration. Start by scanning the registration QR code obtained during self-registration. If the problem persists or you are unable to self-register, contact the Administrator.

err: no_such_user (Client)
  Area: Excalibur Token - registration.
  Symptoms, defect / incident number: err: no_such_user (origin: Excalibur Token).
  Cause: The user may have misspelled their login name, the account may not have been created in AD, or it may have been deleted.
  Solution: User - retry with the correct login details / contact the Administrator. Administrator - create the user in AD.
  Measure: This error requires checking the account in AD and re-registering afterwards. If the problem persists or you are unable to self-register, contact the Administrator.

err: no_such_user (Facade)
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: no_such_user (origin: Excalibur Facade).
  Cause: Login failed because the username provided does not exist in the company's Active Directory.
  Solution: User - retry with the correct login details / contact the Administrator. Administrator - create the user in AD.
  Measure: This error requires checking the account in AD and re-registering afterwards. If the problem persists or you are unable to self-register, contact the Administrator.

err: account_disabled
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: account_disabled (origin: Excalibur Token).
  Cause: The account has been disabled in Active Directory or in the Excalibur Dashboard.
  Solution: User - contact the Administrator. Administrator - enable the Active Directory / Excalibur Dashboard account for the user.
  Measure: This error requires checking the account in AD.

err: no_cp_response
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: no_cp_response (origin: Excalibur Token).
  Cause: Login failed because the Excalibur login screen is currently unresponsive.
  Solution: User - restart the PC, try again, contact the Administrator. Administrator - report a bug.
  Measure: This error requires a process load check. Some processes may block Excalibur from working properly.

err: bad_token_id
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: bad_token_id (origin: Excalibur Token).
  Cause: Login failed because an invalid phone (a Token other than the one registered for the user) was used to attempt the login.
  Solution: User - re-register, contact the Administrator. Administrator - assist with re-registration / report a bug.
  Measure: This error requires a new registration. Because it means the attempt did not come from the registered Token, confirm with the user that it was their own phone before re-registering. Then start by scanning the registration QR code obtained during self-registration. If the problem persists or you are unable to self-register, contact the Administrator.

err: password_decrypt_error
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: password_decrypt_error (origin: Excalibur Token).
  Cause: Login failed because Excalibur was unable to decrypt the login password.
  Solution: User - re-register, contact the Administrator. Administrator - assist with re-registration / report a bug.
  Measure: This error requires a new registration. Start by scanning the registration QR code obtained during self-registration. If the problem persists or you are unable to self-register, contact the Administrator.

err: no_such_domain
  Area: Excalibur Token - authentication.
  Symptoms, defect / incident number: err: no_such_domain (origin: Excalibur Token, Client).
  Cause: The user does not have access to the requested domain.
  Solution: User - contact the Administrator. Administrator - find out what is displayed to the user, debug and resolve.
  Measure: Administrator - domain configuration problem; configure the domain.

err: unknown_user
  Area: Excalibur Token - authentication, verification.
  Symptoms, defect / incident number: err: unknown_user (origin: Excalibur Token).
  Cause: {ACTION} failed because the user data on the phone is corrupted or missing, which may be due to a registration that was not completed successfully.
  Solution: User - re-register, contact the Administrator. Administrator - assist with re-registration / report a bug.
  Measure: This error requires a new registration. Start by scanning the registration QR code obtained during self-registration. If the problem persists or you are unable to self-register, contact the Administrator.
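The error tables above tell an administrator who has to act on each code, and a few of them (bad_token_id, bad_signature, the decrypt errors, bursts of invalid_credentials) are worth treating as security signals rather than support tickets. The script below is an added example, not Excalibur's own code, of triaging failed actions exported from the Dashboard: it maps each err code to its owner per the Solution rows above, flags users who hit invalid_credentials repeatedly inside a short window, and separates device-mismatch and cryptographic failures for review. The Dashboard export format is not documented on this page, so the records are constructed tuples of (timestamp, user, client, action, err, origin); the threshold and window are assumptions.

```python
"""Triage of failed Excalibur actions exported from the Dashboard (User: Actions).

Added example, not Excalibur's own code. The export format is not documented on
this page, so each record below is a constructed tuple
(timestamp, user, client, action, err, origin) carrying the err / origin pair
the error tables above use. The owner mapping follows the Solution rows of
those tables; the brute-force threshold and window are assumptions.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Who has to act first, per the error tables in this manual.
USER_RETRY = {"request_timeout", "company_not_initialized", "invalid_credentials",
              "policy_failed", "static_credentials", "decrypt_failed"}
ADMIN = {"invalid_qr", "bad_signature", "no_ldap_for_domain", "ldap_error",
         "no_such_user", "account_disabled", "no_cp_response", "no_such_domain"}
REREGISTER = {"invalid_data", "unknown_account", "bad_token_id",
              "password_decrypt_error", "unknown_user"}

GUESS_THRESHOLD = 5                    # assumed
GUESS_WINDOW = timedelta(minutes=10)   # assumed

# Constructed records: bob produces five password failures in four minutes,
# carol's login was attempted from a phone that is not her registered Token.
CONSTRUCTED_ACTIONS = [
    ("2024-05-06T08:00:01", "alice", "PC-0117", "authentication", "request_timeout", "Excalibur Token"),
    ("2024-05-06T08:01:10", "bob", "PC-0042", "registration", "invalid_credentials", "Excalibur Facade"),
    ("2024-05-06T08:02:05", "bob", "PC-0042", "registration", "invalid_credentials", "Excalibur Facade"),
    ("2024-05-06T08:02:58", "bob", "PC-0042", "registration", "invalid_credentials", "Excalibur Facade"),
    ("2024-05-06T08:03:40", "bob", "PC-0042", "registration", "invalid_credentials", "Excalibur Facade"),
    ("2024-05-06T08:05:12", "bob", "PC-0042", "registration", "invalid_credentials", "Excalibur Facade"),
    ("2024-05-06T08:15:00", "carol", "PC-0099", "authentication", "bad_token_id", "Excalibur Token"),
    ("2024-05-06T08:16:30", "dave", "PC-0100", "authentication", "bad_signature", "Excalibur Client"),
    ("2024-05-06T09:40:00", "erin", "PC-0007", "authentication", "invalid_credentials", "Excalibur Facade"),
]


def owner(err: str) -> str:
    """Return who must act on an err code: user, admin, re-register or unknown."""
    if err in REREGISTER:
        return "re-register"
    if err in ADMIN:
        return "admin"
    if err in USER_RETRY:
        return "user"
    return "unknown"


def credential_guessing(records, threshold=GUESS_THRESHOLD, window=GUESS_WINDOW) -> list[str]:
    """Users with >= threshold invalid_credentials results inside any sliding window.

    Only flows where a password is actually typed (registration, expired-password
    change, Static mode) can produce this error; in Dynamic mode the user never
    sees the password, so a burst of these deserves a look.
    """
    stamps_by_user = defaultdict(list)
    for ts, user, _client, _action, err, _origin in records:
        if err == "invalid_credentials":
            stamps_by_user[user].append(datetime.fromisoformat(ts))
    flagged = []
    for user, stamps in stamps_by_user.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return sorted(flagged)


def triage(records) -> dict:
    """Group failures by who must act and pull out the security-relevant ones."""
    by_owner = defaultdict(list)
    device_mismatch = []
    crypto_failures = []
    for ts, user, client, _action, err, _origin in records:
        by_owner[owner(err)].append((user, err))
        if err == "bad_token_id":
            device_mismatch.append((user, client))
        elif err in ("bad_signature", "decrypt_failed", "password_decrypt_error"):
            crypto_failures.append((user, client, err))
    return {
        "by_owner": dict(by_owner),
        "guessing": credential_guessing(records),
        "device_mismatch": device_mismatch,
        "crypto_failures": crypto_failures,
    }


if __name__ == "__main__":
    report = triage(CONSTRUCTED_ACTIONS)
    for key in ("guessing", "device_mismatch", "crypto_failures"):
        print(f"{key}: {report[key]}")
    for who, items in report["by_owner"].items():
        print(f"{who}: {items}")
```

The guessing check uses a sliding window over sorted timestamps, so one user spread over a day is not flagged while five failures in a few minutes are. A bad_token_id hit is listed under device_mismatch before anyone re-registers the user, which matches the check added to that error's Measure above.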

Further materials

Excalibur User Manual

Excalibur Administrator Dashboard Manual

Excalibur Client Installation Manual

Excalibur AD Facade manual

Excalibur Whitepaper

Excalibur Errors Documentation