Skip to content

Errors documentation

Intro

Excalibur utilizes a user’s smartphone to act as a secure hardware token for any and all authentication and authorization needs inside of an enterprise. It utilizes the user's smartphone to verify authentication factors such as Location, PIN, Fingerprint, Face scan, etc. according to a security policy of a company or given user / users group (the security policy). Thus, Excalibur enables seamless, multi-factor and passwordless authentication.

Info

For more information on how Excalibur works from a user perspective and how to use it, please refer to the Excalibur User Manual.

To discuss Excalibur errors, 3 basic aspects of Excalibur need to be briefly introduced: Components Excalibur consists of, User roles involved in interaction with these components and Actions users can take in Excalibur.

Excalibur Components

Server- Provides a persistent network and storage central point, and therefore must be accessible to all components. It also provides a web-based management interface - the Dashboard, as well as WebSDK, which takes care of communication and operations with integration components. The server is usually deployed on-premise.

Token- The Excalibur mobile application utilizes the user’s mobile phone as a hardware security token - therefore in Excalibur, we call the mobile phone the token. It is primarily used to interact with the user - input of authentication factors, viewing of sessions and their history as well as providing remote locking / logout of sessions. Token uses the biometric sensor if available and HW secure element if supported by the phone.

Client- In the context of Excalibur, the client is usually a PC. The client component provides the Excalibur login screen that is displayed on top of the default Operating System login screen / lock screen. This is achieved by utilizing the Excalibur Credential Provider (CP).

Facade- is the component that interacts with the Active Directory (AD) and thus must be installed on at least one AD server. It runs as a system service and interacts with the AD utilizing the Remote Protocol Directory Replication Service (DRS) resp. LDAP as a backup option.

CA- Excalibur Certificate Authority (CA) issues certificates to other Excalibur components. For security reasons, Excalibur provides cloud-based CA as-a-service - so that even if the customer infrastructure is fully compromised the attacker will not gain control over provisioning of new user tokens.

And lastly Company - referring to an organization, in which all the components (Server, Token, Client, Facade) are deployed.

User Roles

User- is a person, an end-user who uses Excalibur to Authenticate and Authorize against Company’s Client(s) and integrations, utilizing his/hers personal Token, and if available on a given Client, manage his/hers sessions. User might also Verify his/hers colleagues (if allowed and required), Reset his/hers own authentication factors, as well as expired password on a Client (if applicable). Every user can also log into the Dashboard, where a regular User only sees own account details, Actions and Sessions.  

Manager- additionally to User privileges, Manager can see additional data in the Dashboard related to his/hers account and data of Users he/she manages resp. supervises, and also has a right to remotely terminate their sessions. Manager cannot change security policies (only view them), and also doesn’t have an access to various parts of the Dashboard such as Groups, Roles, Security policies or Audit. Manager is the role which usually verifies more sensitive actions or actions with incidents of his/hers subordinates.

Administrator- additionally to Manager privileges, Administrator has an access to all data available in the Dashboard, as well as a right to change security policies, geofences, groups and other settings to anyone. Administrator is also a person within the Company designated to install and configure Excalibur, as well as responsible for configuration of Company’s environment in accordance with Excalibur requirements. This is the highest user role in Excalibur and the Dashboard.

There are also user roles with specific access privileges in the Dashboard such as the Service Desk operator or Auditor, but they won’t be discussed in the scope of this document.

And lastly Excalibur Support - while not a user role, nor an end-user within the Company, Support refers to a point of contact in Excalibur, which helps a personnel responsible for Excalibur within the Company to fix problems they cannot resolve.

It’s important to note that even the Administrator is unable to modify events history within Excalibur, which includes Actions log, Timeline, Sessions, Incidents, Verifications and Errors as they have been happening.

User Actions

From a user perspective, following are the most common actions divided into 2 categories:

Basic Actions

Registration

User needs to register first to perform any other action in Excalibur. Registration starts on a Client where user clicks “Register” on the Excalibur login screen and proceeds with self-registration following on-screen instructions. During registration, user sets all authentication factors required by the security policy on his/hers Token, which initializes it.

Authentication

Authentication or Login is an action based on a direct user intent and the only one in Excalibur which can operate in an online as well as offline mode. User performs his/hers intent by scanning a login QR code from a Client with his/hers Token. The login QR code is dynamically changing - by default Client generates a new one every 15 seconds with 90 seconds validity. Authentication factors are then verified based on the security policy and if it succeeds, in online mode the User is automatically logged into the Client, while in offline mode, the User is presented on his/hers Token with an OTP code, which he/she needs to manually enter on the Client’s Excalibur login screen to log in.

Authorization

Authorization or Confirmation action is a push notification based action for example, VPN Login (in which a username needs to be entered) will trigger a push notification for a Token of a User specified by the username. On the Token, the User is asked to confirm given action with the exact specification of what is being confirmed. Authentication factors are then verified based on the security policy and if it succeeds, User’s action is authorized. RADIUS is currently the primary use-case of Authorization.

Tokenless Authentication

If a user forgets his/hers Token, or there’s any other reason a user cannot use or doesn’t have his/hers Token at the moment, there’s a backup option to utilize a Tokenless Authentication. In this case, User begins the process on Client’s Excalibur Login screen, selects “Forgotten phone”, inserts his/hers name, PIN and a reason why his/hers Token isn’t available at the moment. If entered name and pin are verified successfully, this request triggers a usual Verification process in which any verifier designated to verify this user based on the security policy, verifies the action either in person or remotely. Based on user’s Security policy, verifiers have the option to select a time interval (once, hour, 8hours, day) on theirs tokens during which the user can login without further verification on a particular computer. For further tokenless login on this computer, User must type username, PIN and give the reason.

Factors Reset

Registered users have an option to reset his/hers authentication factors on his/hers Token. Firstly, authentication factors are verified based on the security policy and if it succeeds, User proceeds to set new factors.

Show Password

If Company’s security policies allows users to show their current password on token`s screen, than this action is available in account settings for selected Company. Firstly, authentication factors are verified based on the security policy and if it succeeds, User’s  currently active password stored in Active Directory is shown on his token’s screen.

Set Geofence

If Company’s security policies allows action Set Geofence on tokens, than users can store their home or temporary locations thru special interactive screen found in application settings. Firstly, user must define locations on screen’s map by manually touching on dedicated location and confirming popup dialog. Next authentication factors are verified based on the security policy and if it succeeds, User defined location is synchronized between all registered companies.

Special Actions

Verification

In case of verification a User with appropriate privileges, e.g. Manager (Verifier) using his/hers Token confirms another User's (Initiator) identity and action. Verification begins when User triggers an action or incident, which requires Verification based on the security policy. From verifiers perspective, Verification begins either directly by scanning a verification QR code from initiator’s Token, or by receiving a push notification, or via Dashboard. Verification can be configured in the security policy as a required action for any Basic Action or any policy violation - incident. Basic Action’s flow is then modified to accommodate the Verification after the usual authentication factors verification succeeds on the Initiator’s side. If successful, the Verifier is prompted to confirm the action using his/hers authentication factors on his/hers Token. Every security policy change also requires a verification of the change by Administrator.

Terminate Session

Some Client implementations enable a session status monitoring as well as a remote termination. When a User decides to terminate a session via Excalibur, he/she is offered two actions: Lock and Logout. User on his/hers Token is prompted to confirm either of the two and upon dialog confirmation, given session on a Client is locked / logged out. Locked session persists User’s environment state on a Client as it was left, and Token keeps it in the sessions list with status “Locked”. Logout terminates a user session, thus all unsaved changes are lost. After logout, given session is cleared from Token’s sessions list and moved to the sessions history. This action doesn’t involve the usual factors verification.

Expired Password Reset

If Company’s Active Directory policy requires users to change their password regularly or if Administrator sets that user must change his/hers password on the next login, User will be prompted to do so at the end of the next usual Authentication process on a Client, where User is automatically prompted to enter a current password as well as to set a new one on the Excalibur Login screen. This action alone doesn’t involve the usual factors verification.

TIP: For more information on Excalibur design, topology and technical explanation of its functionality, as well as its components interaction, please refer to the Excalibur Whitepaper.

Errors and Statuses

Errors

There are various characteristics of every error for consideration such as which User role(s) might be presented with an error and which might be able to resolve it, on which component(s) error originates (Source component) and on which it might be presented to the User (Destination component), as well as for which Action(s) given error occurs. Destination components on which the User can encounter an error are the Token and Client, while the main gateway for errors and logs for the Managers, Administrators and Service desk operator is the Dashboard, with a few exceptions when these errors might occur on their personal Tokens, because they were involved in an administrative action (such as the Verification) they were taking.

Based on how errors might be produced in Excalibur, they could be categorized as follows:

User Action Errors - are triggered by some user action, and usually begin on the Client (integration) or the Token. The Source Component of this error might be any Component involved in the action, and Destination Component is usually the one user had begun the action on.

Administrative Action Errors - are triggered by actions of administrative personnel, mostly performed in the Dashboard, but sometimes also on their Tokens, if their Tokens were involved in the given action (such as Verification) in the first place. The Source Component of this error might be any Component involved in the action, and Destination Component is usually the one administrative personnel used to perform the action on.

Excalibur System Errors - are mainly triggered by an internal functioning of Excalibur Components - their internal actions, interaction with each other as well as an interaction with platforms they run on, networking and other IO operations, also by installation / uninstallation and configuration of these components, and a few can be triggered by some user action. Generally, they are reported to the Server where they are processed and logged to be available for a review by the responsible personnel via Excalibur Dashboard. System Errors are usually non-resolvable by the User, so if they are triggered by some user action, an actual error is always logged on the Server, but might not be propagated in the same form to the User. Lastly, few System Errors might be encountered by Administrators when they install and configure Excalibur components, which are directly presented and explained in these components.

Statuses

Besides Errors, there are also Statuses which have an informative character of the application / Action state and are usually triggered by some user action or external circumstances such as networking issues. Because these statuses are fairly common and there are only a few of them, they will be categorized together with errors they might result into in their own section in the beginning.

Document Structure and Denotation

In this document, errors will be examined by Actions and their flow in which they can occur, categorized under Excalibur components on which they are presented to a respective user (Destination Components). An emphasis will be given to the most common errors, and errors that can occur in case of multiple actions will be grouped together and generalized in the beginning and subsequently referenced in the document.

All the errors in this document are clearly denoted by the prefix err, while statuses are denoted by the prefix stat. Errors’ and Statuses’ origins - Source components are denoted in a postfix of each error / status title by the name of respective Component in parentheses, specifically: (Server), (Token), (Client), (Facade), (WebSDK).

Example:

err: sample_error (Token)

This example denotes an error named “sample_error” originated from component Token.

For dynamic values, which are inserted by Excalibur based on current Action and its context, placeholders are used in the document. Placeholders are denoted with “{ACTION}” and they are used for generalized errors / statuses that occur with multiple Actions, and later replaced in a context of each Action.

Token Perspective

This perspective discusses errors which Destination Component is the User’s Token. Every category / Action further examined under this perspective is denoted by the prefix Token.

Token: General Errors

This category groups all the errors that might occur for various Actions but have the same meaning for all of them. Thus, a description of these errors is generalized.

More frequent:

err: request_timeout (Token)

Actionsauthenticate, register, reset, verify, authorize, terminate (lock, logout), show password, set geofence
ResolverUser - retry
Desc{ACTION} was unsuccessful due to network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the {ACTION} again.

err: cancelled (Token)

Actionsregister, reset, verify, authorize
ResolverUser - retry
Desc{ACTION} was cancelled.
FixIf you wish so, try the {ACTION} again.

err: company_not_initialized (Token)

Actionsauthenticate, reset, verify, authorize, terminate (lock,logout), show password, set geofence
ResolverUser - register and retry
Desc{ACTION} isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: invalid_credentials (Facade)

Actionsauthenticate, register, expired pass reset
ResolverUser - retry with correct credentials
Desc{ACTION} was unsuccessful because entered username or password isn't correct.
FixPlease provide correct credentials and try again.

err: policy_failed (Server)

Actionsauthenticate, register, reset, verify, authorize, show password, set geofence
Resolver User - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this {ACTION} attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this {ACTION} attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this {ACTION} attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain {ACTION} such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the {ACTION} again once available, or contact your Administrator if the current security policy isn’t suitable for you.

err: invalid_qr (Token)

Actionsauthenticate, register
ResolverUser and Admin - report a bug, Support - debug and bugfix
DescScanned QR code for {ACTION} is invalid.
FixThe QR code was scanned properly, yet its content is invalid, which is an unexpected behaviour. It is likely that the user scans the code that is not generated by Excalibur. Please report this issue to your Administrator.
Admin FixPlease report a bug to our Support. A photo of invalid QR code might be helpful.

Less frequent:

err: outdated_version (Token)

Actionsauthenticate, register
ResolverAdmin - assist with compatibility issues / report a bug
DescYou try to interact with an old (incompatible) version of Excalibur.
FixPlease address compatibility issues with your Administrator.
Admin FixPlease verify user’s token and server versions in the Dashboard. Most likely user has an outdated version of Excalibur app on a smartphone. If the Server is outdated, then it should be updated. If there is no new server / token version available, or the error persists after the update, please contact our Support.

err: unknown_user (Token, Server)

Actionsauthenticate, verify
ResolverUser - re-register, Admin - assist with re-register / report a bug
Desc{ACTION} was unsuccessful because your User data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: system_error (Server)

Actionsauthenticate, register, reset, verify, authorize
ResolverUser - report, Admin and Support - debug and bugfix
Desc{ACTION} was unsuccessful due to Excalibur system error.
FixPlease try the {ACTION} again and if it repeatedly fails, contact your Administrator.

err: factor_initialization_failed (Server)

Actionsregister, reset
ResolverUser - retry / report, Admin and Support - debug and bugfix
Desc{ACTION} was unsuccessful because factors initialization failed.
FixPlease try the {ACTION} again and if it repeatedly fails, contact your Administrator.

err: signature_verification_failed (Server)

Actionsauthenticate, register, reset, verify, authorize
ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc{ACTION} was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: missing_signature (Server)

Actionsauthenticate, register, reset, verify, authorize
ResolverAdmin + Support - debug and bugfix
DescUnexpected error.  {ACTION} was unsuccessful because {ACTION} intent data were missing digital signature.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: unknown_intent (Server)

Actionsauthenticate, register, reset, verify, authorize
ResolverAdmin + Support - debug and bugfix
DescUnexpected error. {ACTION} was unsuccessful because {ACTION} intent data are missing.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: bad_message (Client)

Actionsauthenticate, terminate(lock, logout)
ResolverAdmin + Support - debug and bugfix
DescUnexpected error. {ACTION} was unsuccessful because Server sent a message with a bad format, corrupted or no data.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

Token: Statuses

Statuses describe application state rather than show an error to the User. Statuses might result in errors based on current circumstances. This category groups all the statuses which Destination Component is the User’s Token. They might occur for various Actions but have the same meaning for all of them, thus their description is generalized.

stat: verify

Actionsauthenticate, register, reset, verify, authorize
ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your {ACTION}.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

stat: otp

Actionauthenticate
ResolverUser - wait / use OTP / check connection and retry

err: token_offline (Token)

Actionauthentication
ResolverUser - wait / use OTP / check connection and retry
DescLogin is taking longer than usual due to phone connection issues. Meanwhile, you can also log in with this OTP code.
FixEven though your phone’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your phone’s connection after this action.

err: client_offline (Server)

Actionauthentication
ResolverUser - wait / use OTP / check connection and retry
DescLogin is taking longer than usual because of computer connection issues. You can log in with this OTP code.
FixEven though your computer’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your computer’s connection after this action.

stat: networking

Actionsauthenticate, register, reset, verify, transfer identity, terminate(lock, logout)

err: connectivity (Token)

Actionauthenticate, register, reset, verify, authorize
ResolverUser - wait / check connection and retry
Desc{ACTION} is taking longer than usual due to phone connection issues. Retrying…
FixPlease wait until your {ACTION} attempt finishes and if it fails, check your phone’s connection and try again.

Token: Authentication

Authentication is one of the Basic Actions which is based on a User intent of scanning a dynamically changing login QR code from the Client of choice. Its aim is to log in User into any of Company’s supported Clients (integrations), into which the User should have an access after successful multifactor verification.

The same as applicable for all the Basic Actions, Authentication might involve an additional Verification step based on Company security policy. Basic Authentication process could be divided into five phases:

  1. Preparation on Token (online, offline)
  2. Processing on Server (online)
  3. Factors verification (online, offline)
  4. Verification against Active Directory (online)
  5. Processing on Client / WebSDK (online)

Next section consists of errors which may occur during some phase of authentication process (flow).

Phase 1 - Preparation on Token

This phase is initiated by User after scanning Excalibur login QR with his token from the computer's screen or WebSDK component’s login page. QR code is then decoded and it’s content is validated locally on token. Based on data from QR, authentication intent is constructed and send over the network to the server for processing. Immediately after scanning the status screen is displayed on User’s token to show current authentication status, status of factors verification or to show following errors.

err: invalid_qr (Token)

ResolverUser and Admin - report a bug, Support - debug and bugfix
DescScanned QR code for login is invalid.
FixThe QR code was scanned properly, but its content is invalid, which is an unexpected behaviour. It is likely that the user scans the code that is not generated by Excalibur. Please report this issue to your Administrator.
Admin FixPlease report a bug to our Support. A photo of invalid QR code might be helpful.

err: company_not_initialized (Token)

ResolverUser - register and retry
DescLogin isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout] (Token)

ResolverUser - retry
DescLogin was unsuccessful due to the network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the login again.

err: outdated_version (Token)

ResolverAdmin - assist with compatibility issues / report a bug
DescYou try to interact with an old (incompatible) version of Excalibur.
FixPlease address compatibility issues with your Administrator.
Admin FixPlease verify user’s token and server versions in the Dashboard. Most likely user has an outdated version of Excalibur app on a smartphone. If the Server is outdated, then it should be updated. If there is no new server / token version available, or the error persists after the update, please contact our Support.

stat: networking > err: connectivity (Token)

ResolverUser - wait / check connection and retry
DescLogin is taking longer than usual due to phone connection issues. Retrying …
FixPlease wait until your login attempt finishes and if it fails, check your phone’s connection and try again.

stat: OTP > err: token_offline (Token)

ResolverUser - wait / use OTP / check connection and retry
DescLogin is taking longer than usual due to phone connection issues. Meanwhile, you can also log in with this OTP code.
FixEven though your phone’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your phone’s connection after this action.

Phase 2 - Processing on Server

If authentication flow comes into this phase, we can call it from now online login or online authentication, because communication channel between token and server is established and active. All accounts matching and policy verifications are done on the server against online security policies. Most of errors in this section comes from account’s data incosistency or policy verification failures during authentication.

err: unknown_account (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescLogin was unsuccessful because your User data on the Server are corrupted or missing, which might be due to a registration that didn’t finish successfully.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: unknown_user (Token)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescLogin was unsuccessful because your User data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: unknown_company_key (Token)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescLogin was unsuccessful because your Company data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: signature_verification_failed (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
DescLogin was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this login attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this login attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this login attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain login such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the login again once available, or contact your Administrator if the current security policy isn’t suitable for you.

err: system_error (Server)

ResolverAdmin - debug, Support - bugfix
DescLogin was unsuccessful due to Excalibur system error.
FixPlease try the login again and if it repeatedly fails, contact your Administrator.

err: unknown_intent (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Authentication was unsuccessful because authentication intent data are missing.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: missing_signature (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Authentication was unsuccessful because authentication intent data were missing digital signature.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

Phase 3 - Factors verification

During authentication user must verify his identity by providing security factors based on Company security policy. Some factors as PIN or biometry requires some user interaction. In that case, token should show appropriate screen to gather those factors. All factors that needs to be verified are displayed as an icons on indicator at the top of the token’s status screen.   Different icon colours are used to indicate status of that factor (red - failure, green - success). Every failure during this phase causes into error policy_failed besides of state for additional verification.

err: policy_failed (Server, Token)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this login attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this login attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this login attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain login such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the login again once available, or contact your Administrator if the current security policy isn’t suitable for you.

stat: verify

DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your authentication.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

Phase 4 - Verification against Active Directory

Errors in this section comes from credentials verification on Active Directory component - Facade. Presence of these errors indicates troubles with the user's AD account.

err: invalid_credentials (Facade)

ResolverUser - retry with correct credentials
DescLogin was unsuccessful because entered username or password isn't correct.
FixPlease provide correct credentials and try again.

err: no_such_user (Facade)

ResolverUser - retry with correct credentials / contact Admin, Admin - Enroll user into AD
DescLogin was unsuccessful because the provided username doesn't exist in the company's Active Directory.
FixPlease provide an existing AD user or contact your Administrator to enrol a user into the AD.

err: signature_verification_failed (Facade)

ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
Desc{ACTION} was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

Phase 5 - Processing on Client

Final phase of authentication is to log in User into their operating system or webservice. Before signing in, status of the client is controlled to check if there is nothing that will block login. In cases of offline authentication, OTP code generated on token is verified and used to login User.

stat: OTP > err: client_offline (Server)

ResolverUser - wait / use OTP / check connection and retry
DescLogin is taking longer than usual because of computer connection issues. You can log in with this OTP code.
FixEven though your computer’s internet connection seems to be unstable at the moment, your authentication attempt still continues in the background until it expires. You can either wait until your online login attempt finishes or use this OTP code for offline login meanwhile. Please check your computer’s connection after this action.

err: bad_message (Client)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Authentication was unsuccessful because the Server sent a message with the bad format, corrupted or no data.
Admin FixThis is an unexpected behaviour that might be caused by corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: cp_not_found (Client)

ResolverUser - re-connect to RDP and retry
DescLogin was unsuccessful because Excalibur Login screen is no longer active on your computer. Your RDP connection dropped or ended.
FixPlease, re-connect to the desired RDP and try to login again.

err: bad_login_token (Client)

ResolverUser - retry
DescLogin was unsuccessful because the login QR you used had expired.
FixPlease scan a new login QR code and try to log in again.

err: bad_token_id (Client)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescLogin was unsuccessful because an invalid phone was used for the login attempt.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: pair_error (Client)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescLogin was unsuccessful because the pairing of Excalibur on your phone and computer failed.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: pair_timeout (Client)

ResolverUser - re-register, Admin - assist with re-register
DescLogin was unsuccessful because the pairing of Excalibur on your phone and computer has timeout.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in self-registration. If the problem persists or you cannot self-register, please contact your Administrator.

err: password_decrypt_error (Client)-

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescLogin was unsuccessful because Excalibur was unable to decrypt the login password.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in self-registration. If the problem persists or you cannot self-register, please contact your Administrator.

err: no_cp_response (Client)

ResolverUser - restart and retry, Admin - report a bug
DescLogin was unsuccessful because Excalibur login screen on your computer doesn't respond at the moment.
FixPlease try to restart your computer and try to login again. If the new attempt fails again, please contact your Administrator.

err: system_locked (Client)

ResolverUser - wait for log off and retry
DescLogin was unsuccessful because the computer is locked by another user.
FixPlease wait until another user logs off from the computer and try to login again.

err: decrypt_failed (Client)

ResolverUser - try another login
DescLogin was unsuccessful because the computer has corrupted configuration.
FixPlease try to login again and if it is not succeed, then contact your administrator.

err: already_logged (Client)

DescUser - user sees successful authentication on his/hers phone screen. Admin - admin sees error generated for debug purposes.
FixNo action must be done.

err: login_failed (Client)

ResolverUser - check Excalibur Login screen than retry login.
DescProbably something on system inhibits to show Excalibur logon screen, or login to the computer
FixIf a problem is shown on the client, solve the problem. Retry login

err: account_disabled (Client)

ResolverUser - contact administrator, Administrator - debug and resolve
DescYour account has been disabled in Active Directory or Excalibur Dashboard . Please contact your administrator.
FixEnable account in Active Directory / Excalibur Dashboard for current user.

err: no_ldap_for_domain (Client)

ResolverUser - contact administrator, Administrator - debug and resolve
DescDetermine what is shown to user; client doesn't access on requested domain
FixProblem with domain configuration. Configure your domain

err: bad_signature (Client)

ResolverUser - retry and contact administrator, Admin - report a bug
DescLogin was unsuccessful because ? cryptography inconsistency ?. Please try again and contact your administrator.
FixTry to login again. If the new attempt also fails, please contact your Administrator.

err: not_supported (Client)

ResolverUser - retry online
DescLogin was unsuccessful because offline Excalibur authentication with OTP isn’t supported on this device.
FixFor some use-cases like RDP, Storefront and such, offline authentication might not be needed or desired, thus some devices might not support it. Please make sure your smartphone has an internet connection and try again.

err: invalid_data (WebSDK)

ResolverAdmin and Support - debug and bugfix
DescLogin was unsuccessful because data used for login was invalid or targeted Client (integration) isn’t available.
FixPlease report this issue to your Administrator

Err: expired_credentials (Client)

Resolver User - Type a new password into form shown on Excalibur logon screen
DescLogin was unsuccessful because user’s current credentials has expired and need to be changed
FixType old and new password when you are asked by Excalibur Client, if it is not succeed, then contact your administrator.

Err: static_credentials (Client)

ResolverUser - type new password
DescLogin was unsuccessful because User’s password has been changed in Active Directory or locally in Windows and needs to be provided.
FixType the new password when you are asked by Excalibur Client, if it is not successful contact your administrator.

Err: ldap_error (Client)

ResolverUser - contact administrator, Administrator - debug and bugfix
DescUnexpected error with directory service server happened. Please contact your administrator.
FixCheck if LDAP/AD server is running and client has direct connection to it and verify LDAP/AD server configuration.

Other errors

err: no_such_domain

ResolverUser - contact administrator, Administrator - debug and bugfix
DescFind out what is displayed to the user, User does not have access to the required domain
FixDomain configuration problem. Please configure the domain

err: secret_decrypt_failed (Client)

ResolverUser - re register account, Administrator - assistance with re-registration / report an error
DescLogin has been unsuccessful. Excalibur can’t decrypt the login password.
FixTo resolve this error, the new registration is needed. Please, start with scanning of registration QR code given by selfregistration. If the problem persists or you are unable to self-register, please contact your Administrator

err: unknown_client (Client)

ResolverUser - report to Service Desk, Service Desk- report error, Administrator - reinstall client
DescLogin failed because the Excalibur client has a corrupted certificate.
FixUninstall client from PC and install new client again.

Token: Registration

Registration is one of the Basic Actions which needs to be done before any other action in Excalibur is available the User. It’s based on a User intent of scanning a registration QR code obtained in a self-registration process. Its aim is to register the User into Excalibur, during which authentication factors required by a security policy are set and User’s Token is initialized.

The same as applicable for all the Basic Actions, Registration might involve an additional Verification step based on Company security policy. Basic Registration process could be divided into three phases:

  1. Confirmation and preparation on Token
  2. Processing on Server
  3. Factors initialization

Phase 1 - Confirmation and preparation on Token

err: invalid_qr (Token)

ResolverUser and Admin - report a bug, Support - debug and bugfix
DescScanned QR code for registration is invalid.
FixThe QR code was scanned properly, but its content is invalid, which is an unexpected behaviour. It is likely that the user scans the code that is not generated by Excalibur. Please report this issue to your Administrator.
Admin FixPlease report a bug to our Support. A photo of invalid QR code might be helpful.

err: request_timeout (Token)

ResolverUser - retry
DescRegistration was unsuccessful due to a network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the registration again.

err: cancelled (Token)

ResolverUser - retry
DescRegistration was cancelled.
FixIf you wish so, try the registration again.

err: outdated_version (Token)

ResolverAdmin - assist with compatibility issues / report a bug
DescYou try to interact with an old (incompatible) version of Excalibur.
FixPlease address compatibility issues with your Administrator.
Admin FixPlease verify user’s token and server versions in the Dashboard. Most likely user has an outdated version of Excalibur app on a smartphone. If the Server is outdated, then it should be updated. If there is no new server / token version available, or the error persists after the update, please contact our Support.

stat: networking > err: connectivity (Token)

ResolverUser - wait / check connection and retry
DescRegistration is taking longer than usual due to phone connection issues. Retrying…
FixPlease wait until your registration attempt finishes and if it fails, check your phone’s connection and try again.

Phase 2 - Processing on Server

err: invitation_invalid (Server)

ResolverUser - retry / report a bug, Admin, Support - debug and bugfix
DescScanned registration QR code isn’t valid.
FixPlease try to scan the registration QR code again and if the problem persists, please report this issue to your Administrator.
Admin FixPlease report a bug to our Support. A photo of an invalid QR code might be helpful.

err: unknown_cert (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescRegistration was unsuccessful because your company certificate is corrupted.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: signature_verification_failed (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
DescRegistration was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this registration attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this registration attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this registration attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain registration such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the registration again once available, or contact your Administrator if current security policy isn’t suitable for you.

err: system_error (Server)

ResolverAdmin - debug, Support - bugfix
DescRegistration was unsuccessful due to Excalibur system error.
FixPlease try the registration again and if it repeatedly fails, contact your Administrator.

err: unknown_intent (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Registration was unsuccessful because registration intent data are missing.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: missing_signature (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Registration was unsuccessful because registration intent data were missing digital signature.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

Phase 3 - Factors initialization

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this registration attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this registration attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this registration attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain registration such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the registration again once available, or contact your Administrator if current security policy isn’t suitable for you.

err: factor_initialization_failed (Server)

ResolverUser - retry, Admin - debug(DB error), Support - bugfix
DescRegistration was unsuccessful because factors initialization failed.
FixPlease try the registration again and if it repeatedly fails, contact your Administrator.

stat: verify

ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your registration.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

Other errors

err: unknown_registration (Token)

ResolverUser - retry registration
DescToken reports an error after registration
FixProbably corrupted certificate during registration

err: invalid_registration (Token)

ResolverUser - retry registration, check network connection
DescToken reports an error after registration
FixRegistration unsuccesfull due problems with network

Error: bad_certificate

ResolverUser - retry registration, report to admin
DescToken reports an error during registration
FixRegistration unsuccesfull, Control certificate

Error: PrivateEncrypt failed!

ResolverUser - retry registration, report to admin
DescToken reports an error during registration
FixRegistration unsuccesfull, try again

Token: Factors Reset

Factors reset is one of the Basic Actions available to Users on their initialized Tokens. This action involves verifying authentication factors and setting the new ones, both based on the security policy. The same as applicable for all the Basic Actions, Factors Reset might involve an additional Verification step based on Company security policy. Basic Factors Reset process could be divided into four phases:

  1. Confirmation and preparation on Token
  2. Processing on Server
  3. Factors verification
  4. Factors initialization

Phase 1 - Confirmation and preparation on Token

err: company_not_initialized (Token)

ResolverUser - register and retry
DescFactors reset isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout (Token)

ResolverUser - retry
DescFactors reset was unsuccessful due to network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the factors reset again.

err: cancelled (Token)

ResolverUser - retry
DescFactors reset was cancelled.
FixIf you wish so, try the factors reset again.

stat: networking > err: connectivity) (Token)

ResolverUser - wait / check connection and retry
DescFactors reset is taking longer than usual due to phone connection issues. Retrying …
FixPlease wait until your factors reset attempt finishes and if it fails, check your phone’s connection and try again.

Phase 2 - Processing on Server

err: signature_verification_failed (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
DescFactors reset was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this factors reset attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this factors reset attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this factors reset attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain factors reset such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the factors reset again once available, or contact your Administrator if the current security policy isn’t suitable for you.

err: system_error (Server)

ResolverAdmin - debug, Support - bugfix
DescFactors reset was unsuccessful due to Excalibur system error.
FixPlease try the factors reset again and if it repeatedly fails, contact your Administrator.

err: unknown_intent (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Factors reset was unsuccessful because factors reset intent data are missing.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: missing_signature (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error.  Factors reset was unsuccessful because factors reset intent data were missing digital signature.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

Phase 3 - Factors verification

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this factors reset attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this factors reset attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this factors reset attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain factors reset such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the factors reset again once available, or contact your Administrator if the current security policy isn’t suitable for you.

stat: verify

ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your factor’s reset.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively,your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

Phase 4 - Factors initialization

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this factors reset attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this factors reset attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this factors reset attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain factors reset such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the factors reset again once available, or contact your Administrator if the current security policy isn’t suitable for you.

err: factor_initialization_failed (Server)

ResolverUser - retry, Admin - debug(DB error), Support - bugfix
DescFactors reset was unsuccessful because factors initialization failed.
FixPlease try the factors reset again and if it repeatedly fails, contact your Administrator.

Token: Show password

Show password is one of the Basic Actions available to Users on their initialized Tokens. This action involves verifying authentication factors to show their current password, based on the security policy. The same as applicable for all the Basic Actions, Show password might involve an additional Verification step based on Company security policy. Show password process could be divided into three phases:

  1. Preparation on Token
  2. Processing on Server
  3. Factors verification

Phase 1 - Preparation on Token

err: company_not_initialized (Token)

ResolverUser - register and retry
DescShow password isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout (Token)

ResolverUser - retry
DescShow password was unsuccessful due to network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the factors reset again.

err: cancelled (Token)

ResolverUser - retry
DescShow password was cancelled.
FixIf you wish so, try the Show password again.

Phase 2 - Processing on Server

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this show password attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this show password attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this show password attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain show password such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the show password again once available, or contact your Administrator if the current security policy isn’t suitable for you.

Phase 3 - Factors verification

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this show password attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this show password attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this show password attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain show password such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the show password again once available, or contact your Administrator if the current security policy isn’t suitable for you.

stat: verify

ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your action show password.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively,your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

Other errors

err: expired_credentials (token)

Resolver User - Type a new password into form shown on Excalibur logon screen
DescShow password was unsuccessful because user’s current credentials has expired and need to be changed
FixType old and new password when you are asked by Excalibur Client, if it is not succeed, then contact your administrator.

err: invalid_credentials (token)

Resolver  User - retry with correct credentials
DescShow password was unsuccessful because User’s password has been changed in Active Directory or locally in Windows and needs to be provided.
FixType the new password when you are asked by Excalibur Client, if it is not successful contact your administrator.

err: no_such_domain

ResolverUser - contact administrator, Administrator - debug and bugfix
DescFind out what is displayed to the user, User does not have access to the required domain
FixDomain configuration problem. Please configure the domain

Token: Set geofence

Set geofence is one of the Basic Actions available to Users on their initialized Tokens. This action involves verifying authentication factors to set geofence, based on the security policy. The same as applicable for all the Basic Actions, setting geofence might involve an additional Verification step based on Company security policy. Set geofence process could be divided into three phases:

  1. Preparation on Token
  2. Processing on Server
  3. Factors verification

Phase 1 - Preparation on Token

err: company_not_initialized (Token)

ResolverUser - register and retry
DescSet geofence isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout (Token)

ResolverUser - retry
DescSet geofence was unsuccessful due to a network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the factors reset again.

err: cancelled (Token)

ResolverUser - retry
DescSet geofence was cancelled.
FixIf you wish so, try the set geofence again.

Phase 2 - Processing on Server

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this set geofence attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this set geofence attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this set geofence attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain set geofence such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the set geofence again once available, or contact your Administrator if the current security policy isn’t suitable for you.

Phase 3 - Factors verification

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this show password attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this show password attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this show password attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain show password such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the show password again once available, or contact your Administrator if the current security policy isn’t suitable for you.

stat: verify

ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your action show password.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively,your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

Other errors

err: reached_max_locations (Token)

ResolverUser - delete unnecessary location and try again
DescSet geofence was unsuccessful due to reaching maximum number of positions.
FixIf you want to set a new position, delete unnecessary ones and try to set again

err: insert_failed (Token)

ResolverUser - report error
DescSynchronization of Set geofence  was unsuccessful due to Excalibur system error.
FixPlease try the set geofence again and if it repeatedly fails, contact your Administrator

err: system_error (Server)

ResolverUser - report error, Admin a Service Desk- debug and bugfix
DescSet geofence  was unsuccessful due to Excalibur system error.
FixPlease try the set geofence again and if it repeatedly fails, contact your Administrator

Token: Authorization

Authorization is one of the Basic Actions in which contrary to the Authentication, User triggers his / hers intent on an Excalibur integration component (e.g. Radius), triggering a push notification for the Token, where after action confirmation, process continues similarly to the Authentication. The same as applicable for all the Basic Actions, Authorization might involve an additional Verification step based on Company security policy. Basic Authorization process could be divided into four phases:

  1. Initiation on integration component (e.g. Radius)
  2. Confirmation and preparation on Token
  3. Processing on Server
  4. Factors verification

Phase 1 - Initiation on integration component (e.g. Radius)

Phase 2 - Confirmation and preparation on Token

err: company_not_initialized (Token)

ResolverUser - register and retry
DescAuthorization isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout (Token)

ResolverUser - retry
DescAuthorization was unsuccessful due to network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the authorization again.

err: cancelled (Token)

ResolverUser - retry
DescAuthorization was cancelled.
FixIf you wish so, try the authorization again.

stat: networking > err: connectivity (Token)

ResolverUser - wait / check connection and retry
DescAuthorization is taking longer than usual due to phone connection issues. Retrying …
FixPlease wait until your authorization attempt finishes and if it fails, check your phone’s connection and try again.

Phase 3 - Processing on Server

err: timeout (Server)

ResolverUser - retry
DescAuthorization was unsuccessful because a time to perform it has elapsed.
FixPlease try the action again and authorize it before it times out.

err: signature_verification_failed (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
DescAuthorization was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this authorization attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this authorization attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this authorization attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain authorization such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the authorization again once available, or contact your Administrator if the current security policy isn’t suitable for you.

err: system_error (Server)

ResolverAdmin - debug, Support - bugfix
DescAuthorization was unsuccessful due to Excalibur system error.
FixPlease try the authorization again and if it repeatedly fails, contact your Administrator.

err: unknown_intent (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Authorization was unsuccessful because authorization intent data are missing.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: missing_signature (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Authorization was unsuccessful because authorization intent data were missing digital signature.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

Phase 4 - Factors verification

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this authorization attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this authorization attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this authorization attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain authorization such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the authorization again once available, or contact your Administrator if the current security policy isn’t suitable for you.

stat: verify

ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your authorization.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

err: unknown_client (Client)

ResolverUser - report to Service Desk, Service Desk- report error, Administrator - reinstall client
DescAuthorization failed because the Excalibur client has a corrupted certificate.
FixUninstall client from PC and install new client again.

Token: Verification

Verification is one of the Special Actions that might be involved in any Basic Action as an additional step, based on Company security policy. Actions involving Verification first verify user’s own authentication factors and then proceeds with verification of the action by Users superior, who either scans verification QR code from User’s Token or if the supervisor is Manager or Administrator, he / she could verify the User via Dashboard. Verification process could be divided into three phases:

  1. Confirmation and preparation on Token
  2. Processing on Server
  3. Factors verification

Phase 1 - Confirmation and preparation on Token

err: company_not_initialized (Token)

ResolverUser - register and retry
DescVerification isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout (Token)

ResolverUser - retry
DescVerification was unsuccessful due to network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the verification again.

err: cancelled (Token)

ResolverUser - retry
DescVerification was cancelled.
FixIf you wish so, try the verification again.

stat: networking > err: connectivity (Token)

ResolverUser - wait / check connection and retry
DescVerification is taking longer than usual due to phone connection issues. Retrying …
FixPlease wait until your verification attempt finishes and if it fails, check your phone’s connection and try again.

Phase 2 - Processing on Server

err: unknown_verification (Server)

ResolverUser - retry / report to Admin, Admin and Support - debug and bugfix
DescVerification was unsuccessful because verification request wasn’t registered by the Server.
FixPlease make sure your device has good Internet connection and try the action again. If it fails repeatedly, please contact your Administrator.

err: failed_verification (Server)

ResolverUser - retry / report to Admin, Admin and Support - debug and bugfix
DescVerification was unsuccessful because verification request failed.
FixPlease make sure your device has good Internet connection and try the action again. If it fails repeatedly, please contact your Administrator.

err: verified_verification (Server)

ResolverUnsolvable - already solved by someone else
DescVerification was unsuccessful because this verification request has already been verified by someone else.
FixAction is no longer needed.

err: timeouted_verification (Server)

ResolverUser - retry
DescVerification was unsuccessful because verification request has timeouted.
FixPlease wait for a new verification request from your subordinate.

err: unknown_user (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug
DescVerification was unsuccessful because your User data on this phone are corrupted or missing, which might be due to a registration that didn’t finish successfully.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: no_verify_privileges (Server)

ResolverUser - contact Admin if justified, Admin - give privileges
DescVerification was unsuccessful because you don’t have appropriate privileges.
FixIf you should have privileges to verify your subordinates’ actions, please contact your Administrator.

err: signature_verification_failed (Server)

ResolverUser - re-register, Admin - assist with re-register / report a bug, Support - bugfix
DescVerification was unsuccessful because Excalibur detected a corrupted certificate used to sign data.
FixThis error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process. If the problem persists or you cannot self-register, please contact your Administrator.

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this verification attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this verification attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this verification attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain verification such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the {ACTION} again once available, or contact your Administrator if current security policy isn’t suitable for you.

err: system_error (Server)

ResolverAdmin - debug, Support - bugfix
DescVerification was unsuccessful due to Excalibur system error.
FixPlease try the verification again and if it repeatedly fails, contact your Administrator.

err: unknown_intent (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Verification was unsuccessful because verification intent data are missing.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

err: missing_signature (Server)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error.  Verification was unsuccessful because verification intent data were missing digital signature.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a bug to our Support.

Phase 3 - Factors verification

err: policy_failed (Server)

ResolverUser - retry, Admin - assist with policy
Desc
defaultSecurity Policy blocked this verification attempt due to the failed factors verification.
pin_timeoutSecurity Policy blocked this verification attempt due to the failed PIN verification. You can try again in {TIMEOUT}s.
failed_factorsSecurity Policy blocked this verification attempt due to the failed verification of following factors: {FACTORS}.
FixThere are several company security policies that might restrain verification such as geographic location, date and time, IP address (e.g. company network) or you just entered wrong PIN code / fingerprint multiple times. Please try the {ACTION} again once available, or contact your Administrator if current security policy isn’t suitable for you.

stat: verify

ResolverColleague / Supervisor (Manager) / Service Desk / Admin - verify user
DescPlease ask your supervisor to scan this QR code with Excalibur on his/hers phone and confirm your verification.
FixThis action requires your supervisor’s approval via Excalibur on his/hers phone. When you request your nearby colleague or supervisor, provide him/her this verification QR code or alternatively, your Manager, Administrator or Service Desk operator might approve the action remotely via the Dashboard.

Token: Terminate Session (Lock, Logout)

If the Client / integration component supports sessioning, Excalibur keeps track of a session lifecycle and enables remote Terminate operations - Lock and Logout. Session lifecycle is reported to User’s Token as well as to the Dashboard, where User or his / hers Manager or Administrator can terminate it. Thus, based on its origin, Termination process could be divided into two or three phases:  

  1. Preparation on Token (starts here if initiated on Token)
  2. Processing on Server (starts here if initiated on the Server)
  3. Processing on Client

Phase 1 - Preparation on Token

err: company_not_initialized (Token)

ResolverUser - register and retry
Desc{ACTION} isn't possible until you first register (initialize) Excalibur on this phone.
FixTo register (initialize) Excalibur on this phone please start by scanning a registration QR code obtained in the self-registration process.

err: request_timeout (Token)

ResolverUser - retry
DescLock/Logout was unsuccessful due to a network problem.
FixPlease verify your phone’s connection (e.g. by visiting a new website) and make sure your phone doesn’t indicate a limited connection. To verify your Token has no problem connecting to your company’s Excalibur Server, visit app settings which should indicate a green dot next to your registered company. If connection seems OK, please try the lock/logout again.

stat: networking > err: connectivity (Token)

ResolverUser - wait / check connection and retry
DescLock/Logout is taking longer than usual due to phone connection issues. Retrying …
FixPlease wait until your lock/logout attempt finishes and if it fails, check your phone’s connection and try again.

Phase 2 - Processing on Server

err: no_accounts (Server)

ResolverUser - report and re-register, Admin - report and assist with re-register, Support - debug and bugfix
DescSession {ACTION} was unsuccessful because associated accounts are missing.
FixPlease report the issue to your Administrator. This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process.
Admin FixPlease ensure there wasn't an issue which might have caused Excalibur database inconsistency or tampering. Otherwise, this is an unexpected behaviour that might be caused by an occasional bug. Please assist User with a new registration if needed and contact our support.

err: no_session (Server)

ResolverUnsolvable - session already terminated
DescSession {ACTION} was unsuccessful because there is no session anymore.
FixAction is no longer needed.

Phase 3 - Processing on Client

err: bad_message (Client)

ResolverAdmin + Support - debug and bugfix
DescUnexpected error. Termination was unsuccessful because Server sent a message with bad format, corrupted or no data.
Admin FixThis is an unexpected behaviour that might be caused by a corrupt data, an occasional bug or an attack attempt. Please report a ug to our Support.

err: account_not_found (Client)

ResolverUser - report and re-register, Admin - report and assist with re-register, Support - debug and bugfix
DescSession {ACTION} was unsuccessful because account requested to {ACTION} was not found on the computer with logged on session.
FixPlease report the issue to your Administrator. This error requires a new registration. Please start by scanning a registration QR code obtained in the self-registration process.
Admin FixPlease ensure there wasn't an AD synchronization issue or for another reason missing account on the given Client. Otherwise, this is an unexpected behaviour that might be caused by an occasional bug. Please assist the User with a new registration and contact our support.

Other errors

err: app_hang (Token)

ResolverUser - report
DescTermination of session was unsuccessful, because the application terminated prematurely.
FixReport to Excalibur Administrator

Token: Errors on Android Platform

This is a set of platform-specific errors on Excalibur Android app. These errors originate from operations performed on the Android platform and specifics it incurs.

More frequent:

err: keystore_not_configured (Token)

Resolver User - set up secure screen lock
DescExcalibur requires an enabled system lock to provide sufficient data protection.
FixTo use Excalibur, please set up a secure system lock screen mechanism (swipe unlock gesture isn’t sufficient).

err: fingerprint_detected (Token)

ResolverUser - configure fingerprint
DescFingerprint hardware was detected, but it's not configured.
FixPlease configure fingerprint lock in settings and enrol your fingerprints to enable its usage in Excalibur.

Less frequent:

err: keystore_authenticate (Token)

ResolverUser - lock and unlock
DescExcalibur utilizes your phone’s secure keystore, which locked after a while. Please unlock it with your screen lock to continue using Excalibur.
FixTo unlock your phone's secure keystore please lock your phone and unlock it with your secure screen lock. Please note that Smart Lock or other vendor specific unlock extensions might not unlock the keystore.

err: playservices_resolvable (Token)

ResolverUser - fix PlayServices
DescProblem with Google Play Services was detected.
FixPlease fix detected problem according to Google Play Services instructions.

err: playservices_fatal (Token)

ResolverUnsolvable
DescUnfortunately, this device doesn't support Google Play Services required to run this app.
FixThere’s no action to take if Google Play Services aren’t supported by the device vendor.

err: auto_date_time (Token)

ResolverUser - enable time sync
DescTime and date on this device aren’t automatically synchronized. Accurate time is required for some Excalibur operations, such as OTP offline logins.
FixPlease enable time and date synchronization with online sources in device settings.

Client: Authentication

Authentication is one of the Basic Actions which is based on a User intent of scanning a dynamically changing login QR code from the Client of choice. Its aim is to log in User into any of Company’s supported Clients (integrations), into which the User should have an access after successful multifactor verification.The same as applicable for all the Basic Actions, Authentication might involve an additional Verification step based on Company security policy. The special type of authentication is offline authentication, when client or token are disconnected, thus authentication factors cant be verified on  the server. The login is realized with OTP code shown on the token which is rewrited to the client by the user. The following errors may occur on the client side during the authentication process.

err: Client not found (Client)

Resolver Service Desk - report to administrator
Desc Client report an error after QR code scanning, Client is not connected to the server
Fix Corrupted registry, Client can not register on server. Delete registry and reinstall client.

err: wrong_otp (Client)

Resolver User - Try again with right OTP code, Reregister account and try again, Service Desk - report to administrator
Desc Client displays an error after rewriting OTP code
Fix The OTP code is probably wrong rewrited. OTP code is uppercase sensitive. Character set: 0-9, a-z, A-Z. Large i, small L can be interchanged as well as zero and large O. Certificates may be corrupted.

Client: Registration

Registration is one of the Basic Actions which needs to be done before any other action in Excalibur is available to the User. It’s based on a User intent of scanning a registration QR code obtained in a self-registration process or invitation email. Its aim is to register the User into Excalibur, during which authentication factors required by a security policy are set and User’s Token is initialized. The same as applicable for all the Basic Actions, Registration might involve an additional Verification step based on Company security policy. The following errors may occur on the client side during the registration process.

err: wrong_logon_name (Client)

Resolver User - Try again with correct credentials. Service Desk, Administrator Administrator  - check account in Active Directory
Desc Client displays an error after credentials providing
Fix Probably wrong credentials, or account is not created in Active Directory, or is it deleted

err: no_such_user(Client)

Resolver User - Try again with correct credentials. Service Desk, Administrator Administrator  - check account in Active Directory
Desc Client displays an error after credentials providing
Fix Probably wrong credentials, or account is not created in Active Directory, or is it deleted

err: invalid_credentials (Client)

Resolver User - Try again with correct credentials. Service Desk, Administrator  - check account in Active Directory
Desc Client displays an error after credentials providing
Fix Probably wrong credentials, or account is not created in Active Directory, or is it deleted.

err: timeout (Client)

Resolver User - try again
Desc Client displays an error
Fix Time for action elapsed

err: ldap_error (Client)

Resolver User - report error, Administrator - debug a bugfix
Desc Client displays an error after credentials providing. An unexpected error occurred with the directory service server.
Fix Check that LDAP / AD server is launched, Check connection between client and server, Check configuration of LDAP / AD server

err: sql (Client)

Resolver Service Desk - report to Administrator, Administrator - check connection with database
Desc Client displays an error after credentials providing. 
Fix Excalibur database is not available

err: Please try again later(Client)

Resolver User - check network connection, Service Desk - report to Administrator, Administrator  - check server / facade availability
Desc Client displays an error after credentials providing.
Fix The client cannot connect to the server during registration. There may be a problem with internet connection

err: You can't register the account because email attribute is not set (Client)

Resolver Service Desk - report to Administrator, Administrator - add an email to AD account. User- try registration again
Desc Client displays an error after credentials providing.v
Fix You may have forgotten to write the user's email when creating the account. Email serves as a unique identifier for generating a registration QR

Client: Credentials saving

If the password has been changed or expired, Excalibur will prompt the user to create a new password or confirm the already changed password.The following errors may occur on the client side during the password changing or submitting..

err: timeout (Client)

Resolver User - try again with correct password
Desc Client displays an error
Fix Time for action elapsed

err: Passwords does not match (Client)

Resolver User- try again with correct password
Desc Client displays an error after change of expired credentials.
Fix Probably, the password for verification does not match with previous one

err: The password does not meet the password policy requirements. Check the minimum password length , password complexity and password history requirements (Client)

Resolver User- try again with correct password which agree with security policy, Service Desk - Find out the rules for creating new passwords in the company. Assistance during password changing
Desc Client displays an error after change of expired credentials.
Fix Probably the new password has already been used, or does not reach the required length or does not comply with the security policy

Client: Tokenless login

Tokenless login is one of the Basic Actions which is based on a User intent of filling the credentials and reason why the user can not use online login to the Client of choice. Its aim is to log in User into any of Company’s supported Clients (integrations), into which the User should have an access after successful multifactor verification.The same as applicable for all the Basic Actions, Tokenless login might involve an additional Verification step based on Company security policy. The following errors may occur on the client side during the Tokenless login process.

err: wrong_logon_name (Client)

Resolver User - try again with correct credentials. Service Desk, Administrator - check account in AD
Desc Client displays an error after credentials providing
Fix Probably wrong credentials, or account is not created in Active Directory, or is it deleted. For Tokenless login, the account must be registered on at least one phone, otherwise the client will report this error

err: PIN is incorrect (Client)

Resolver User - try again with correct PIN
Desc Client displays an error after providing the PIN
Fix Probably wrong PIN

Other errors

Other errors are errors that occur outside of the actions described above and have a direct impact on the functionality of the client.

err: Connection problem (Client)

Resolver User - check the network connection, choose other network if it is available, Login with OTP password, Service Desk - report to Administrator - check server availability
Desc Client displays that is not connected to Excalibur server
Fix PC is not connected to network, or Excalibur Server is not available

err: CPUI is not loaded (Client)

Resolver User, Service Desk - Check that client is installed on the client, Service Desk - report to Administrator -  Check the path for loading of CPUI,
Desc The client is not loaded after starting the PC
Fix The CPUI load path may not be available, or the Client may not be available on the specified path. Possible uninstallation or incorrect installation of the Client