
Authentication and Encryption (Server/Client)

For client-server communication, we use 128-bit AES encryption in combination with Diffie-Hellman key exchange. By default, the key is updated every 5 minutes. This is true for all data except video stream, audio stream and blob (map images, etc.) data.

For server-camera/device communication, the encryption is camera dependent and does not use SSL.  We use HTTP Basic or HTTP Digest Authentication for all data except video and audio streams.


ESM API landing page is not password protected

Description

The <host>/api URL takes you to the deprecated ESM landing page. Even if you do not have a session in ESM, you can see this landing page and discover endpoints.

You are not able to use the endpoints, but we want to password-protect landing pages too.


Legacy Authentication disabled by default on new installations

Description 

“Legacy Authentication” refers to the less secure connection methods used prior to our current authentication mode introduced in exacqVision Server/Client version 6.8.  This article explains how to enable legacy authentication mode, so newer clients using advanced authentication methods can connect to older server software versions.

Product 

  • exacqVision Client
  • exacqVision Server

Steps to Reproduce 

  1. Using exacqVision Client version 9.8 or higher, navigate to the Add Systems page.
  2. Add a server running exacqVision Server version 6.6 or earlier.

Expected Results 

  • Server Connects

Actual Results 

  • Server fails to connect with the status “Secure authentication required by client. Disconnecting”
    Note: This is expected behavior.  

Solution

  • The recommended solution is to update the exacqVision Server software to 6.8 or higher, allowing it to use more secure connection methods.

Workaround (not recommended)

  • Set the “LegacyAuthentication” option in the edvrclient.xml file to “1” (LegacyAuthentication="1")
  • The edvrclient.xml default locations are:
      • Windows – %AppData%\edvrclient\edvrclient.xml
      • Linux – $HOME/.edvrclient.dir/edvrclient.xml
      • Mac – $HOME/Library/Application\ Support/edvrclient/edvrclient.xml
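
To find clients where this workaround has been left switched on, the following added example (not exacq code) checks the default locations listed above for `LegacyAuthentication="1"`. The article does not show the file's layout, so the sample element names are assumptions and the check looks for the attribute on any element.

```python
import os
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath, PureWindowsPath

# Constructed samples: the page names only the LegacyAuthentication="1" setting,
# so the surrounding element names are assumptions for illustration.
SAMPLE_WORKAROUND = '<eDVR><Settings LegacyAuthentication="1" Theme="dark"/></eDVR>'
SAMPLE_DEFAULT = '<eDVR><Settings LegacyAuthentication="0"/></eDVR>'

def default_config_paths(env):
    """Default edvrclient.xml locations from the article, built from env vars."""
    paths = []
    if env.get("APPDATA"):
        paths.append(str(PureWindowsPath(env["APPDATA"], "edvrclient", "edvrclient.xml")))
    if env.get("HOME"):
        home = PurePosixPath(env["HOME"])
        paths.append(str(home / ".edvrclient.dir" / "edvrclient.xml"))
        paths.append(str(home / "Library" / "Application Support" / "edvrclient" / "edvrclient.xml"))
    return paths

def legacy_auth_findings(xml_data):
    """Return [(element_path, value)] wherever LegacyAuthentication is set to 1."""
    findings = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        value = elem.attrib.get("LegacyAuthentication")
        if value is not None and value.strip() == "1":
            findings.append((here, value))
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_data), "")
    return findings

def audit_host(env=os.environ):
    """Check every default location that exists on this machine."""
    report = {}
    for path in default_config_paths(env):
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                try:
                    report[path] = legacy_auth_findings(fh.read())
                except ET.ParseError as exc:
                    report[path] = [("unparseable", str(exc))]
    return report

if __name__ == "__main__":
    print(legacy_auth_findings(SAMPLE_WORKAROUND))  # constructed input
    for path, hits in audit_host().items():
        print(path, "LEGACY AUTH ENABLED" if hits else "ok", hits)
```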



Vivotek Cameras Fail to Connect “Connection error (403)”

Description 

Some Vivotek cameras require Basic Authentication. This should be indicated in the Notes section of the camera's test record. The camera will not connect if digest authentication is selected.

Product 

  • Vivotek IP Cameras
  • exacqVision Server

Steps to Reproduce 

  • Add a Vivotek Camera

Expected Results 

  • Camera connects

Actual Results 

  • The camera does not connect and a connection error “Connection error (403)” is returned
Sample from exacqVision Server Logs

Solution

  • Disable the camera in the exacqVision Client
  • Access the camera configuration page via a web browser
  • Navigate to Network > Streaming Protocols > Authentication
  • Change Authentication from digest to basic for both HTTP and RTSP protocols
  • Navigate to Security > Miscellaneous
  • Uncheck the Enable Cross-Site Request Forgery (CSRF) protection option
  • Save the changes
  • Reboot the camera
  • Access the camera configuration page via a web browser
  • Navigate to Network > Streaming Protocols > Authentication
  • Verify the authentication mode is set to basic
  • Navigate to Security > Miscellaneous
  • Verify CSRF is not enabled
  • Enable the camera in the exacqVision Client

Important: The camera seems to require a reboot to fully apply the change in authentication mode.


Troubleshooting Active Directory Error Messages

Error: “Client Side Kerberos Authentication Failed”

Cause: The setspn command was not run on all Active Directory Servers, or there is a duplicate SPN.

Solution: On the DC, run the setspn command as directed in the appropriate ExacqVision Active Directory setup guide, or run setspn -X to check for duplicates. If a duplicate is found, remove the SPN attribute from all but one of the accounts.


Error: “User not authenticated in LDAP”

Cause: Windows 2000 or earlier Active Directory Domain Functional Level.

Solution: Upgrade the Functional Level of your Domain to Windows 2003 or higher.
See How to raise Active Directory domain and forest functional levels for details.

Alternate Solution:

  • If you are using ExacqVision 4.8 or newer, you can edit the StreamPI.xml file. Change the value of EnableActiveDirectoryUserDisabling from 1 to 0.
  • If you are using an ExacqVision version earlier than 4.8, contact support@exacq.com to obtain an updated DLL.

Error: The connection to the server always shows “Disconnected” in the ExacqVision Client.

Cause: The Binding DN is incorrect.

Solution: Complete the following procedure:

  1. Download Softerra LDAP Browser. (Be sure to click the tab for Browser, NOT Administrator.)
  2. Install and Run LDAP Browser.
  3. Click File and then New Profile.
  4. Enter a name for your new profile and click Next.
  5. Enter the hostname of your AD server in the Host field (or click the Lookup Servers button if you don’t know the host).
  6. Click Next.
  7. Select Currently Logged On User.
  8. Click Finish.
  9. Highlight the new profile you just created in the left panel.
  10. In the Find What box at the top of the right panel, enter the username used to connect to Active Directory in the ExacqVision software.
  11. Press Enter.
  12. After the search completes, find the correct user account.
  13. Right-click the user account and select Properties.
  14. Copy the string in the top portion of the Properties Panel (it should start with CN=).
  15. Paste this string into the Binding DN section of your ExacqVision Client and click Apply.

Error: “Connected, SPN not found”

While there are other possible causes, it’s common for a ‘Binding DN’ to be an extended string that is easy to mistype. For instance, the following Distinguished Name will work, but must be typed exactly:

CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local

Any incorrect spacing or punctuation will not allow proper setting of the SPN and you will see the following Server log:

StreamPI Warning LDAP: Bind DN was not found. Unable to create SPN.

You can also try the Username instead. In this instance, the username (UPN) for that account is:

exacqSVC@exacqts.local
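
A Binding DN can be checked for the spacing and punctuation slips described above before it is pasted into the client. The linter below is an added example, not part of the ExacqVision software; `KNOWN_TYPES` is an assumed allow-list, and `dn_domain` derives the DNS domain from the DC components so it can be compared with the UPN.

```python
# Added example. KNOWN_TYPES is an assumed allow-list of attribute types.
KNOWN_TYPES = {"CN", "OU", "DC", "O", "L", "ST", "C", "UID"}
# The DN quoted in the article above.
PAGE_DN = "CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local"

def split_rdns(dn):
    """Split a DN on commas, honouring backslash escapes (RFC 4514)."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        if ch == "," and not escaped:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        escaped = ch == "\\" and not escaped
    return parts + [cur]

def padded(text):
    """True when text starts or ends with unescaped whitespace."""
    return text[:1].isspace() or (text[-1:].isspace() and text[-2:-1] != "\\")

def lint_bind_dn(dn):
    """Return a list of likely typing mistakes; empty means nothing suspicious."""
    issues, seen_dc = [], False
    if ";" in dn:
        issues.append("';' found: RDNs are separated by ','")
    if any(q in dn for q in "\u201c\u201d\u2018\u2019"):
        issues.append("typographic quote character (pasted from a document?)")
    for n, rdn in enumerate(split_rdns(dn), 1):
        attr, eq, value = rdn.partition("=")
        if not eq or not attr.strip() or not value.strip():
            issues.append(f"RDN {n} {rdn!r}: expected TYPE=value")
            continue
        if padded(attr) or padded(value):
            issues.append(f"RDN {n} {rdn!r}: whitespace next to ',' or '='")
        kind = attr.strip().upper()
        if kind not in KNOWN_TYPES:
            issues.append(f"RDN {n}: unexpected attribute type {attr.strip()!r}")
        if kind == "DC":
            seen_dc = True
        elif seen_dc:
            issues.append(f"RDN {n}: {kind} follows a DC component")
    if not seen_dc:
        issues.append("no DC= components")
    return issues

def dn_domain(dn):
    """DNS domain implied by the DC components, for comparison with a UPN."""
    pairs = (rdn.partition("=") for rdn in split_rdns(dn))
    return ".".join(v.strip() for a, _, v in pairs if a.strip().upper() == "DC").lower()
```

An empty list from `lint_bind_dn` means only that nothing looks mistyped; whether the account exists is still decided by the directory.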



Validating ExacqVision Video (also known as Watermarking or Authentication)

The validation standard used in ExacqVision is known as HMAC, for Hashed Message Authentication Code, and uses a cryptographic hash and secret cryptographic key. HMAC is used by ExacqVision to verify the integrity of exported video.

The ExacqVision Client software calculates and writes out the message authentication code (MAC) during file export. The ExacqVision ePlayer later calculates a hash and verifies the MAC during authentication using SHA-256. Because the recalculated value is compared with the stored one, any alteration of the data shows up as a mismatch.

To authenticate video in the ExacqVision ePlayer, select Authenticate from the Tools menu.

The following image shows a successful authentication:

Video may only be authenticated using the ExacqVision ePlayer. The ePlayer application is used to play back ExacqVision native files in .PS or .PSX file formats. It is also packaged in self-playing .EXE file exports. For more information on the features of exported file formats, refer to Article 1894.
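
The export-then-verify flow described above, as an added example (not ExacqVision code): HMAC-SHA256 is computed over the exported bytes and rechecked at authentication, alongside an unkeyed SHA-256 trailer for contrast. The file layout (media followed by a 32-byte tag), the demo key and the stand-in media bytes are assumptions; the real .PS/.PSX format and key handling are not described on this page.

```python
import hashlib
import hmac
import io

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag
CHUNK = 64 * 1024                        # read size, so large exports stream

def stream_mac(key, stream):
    """HMAC-SHA256 over a file-like object, read in chunks."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        mac.update(chunk)
    return mac.digest()

def export_with_mac(key, media):
    """Export step. Assumed layout: media bytes followed by the tag."""
    return media + stream_mac(key, io.BytesIO(media))

def authenticate(key, exported):
    """Player step: recompute the MAC and compare in constant time."""
    if len(exported) < TAG_LEN:
        return False
    media, tag = exported[:-TAG_LEN], exported[-TAG_LEN:]
    return hmac.compare_digest(stream_mac(key, io.BytesIO(media)), tag)

def export_with_plain_hash(media):
    """Contrast case: an unkeyed SHA-256 trailer instead of a MAC."""
    return media + hashlib.sha256(media).digest()

def check_plain_hash(exported):
    media, digest = exported[:-TAG_LEN], exported[-TAG_LEN:]
    return hmac.compare_digest(hashlib.sha256(media).digest(), digest)

# Constructed inputs: a demo key and stand-in "video" bytes.
DEMO_KEY = bytes(range(32))
MEDIA = b"frame-0001|frame-0002|frame-0003" * 4096

def demo():
    good = export_with_mac(DEMO_KEY, MEDIA)
    edited = MEDIA.replace(b"frame-0002", b"frame-9999", 1)
    return {
        "intact": authenticate(DEMO_KEY, good),
        "edited_old_tag": authenticate(DEMO_KEY, edited + good[-TAG_LEN:]),
        "edited_rehashed_mac": authenticate(DEMO_KEY, export_with_plain_hash(edited)),
        "edited_rehashed_plain": check_plain_hash(export_with_plain_hash(edited)),
    }
```

Only the unkeyed trailer still validates after the file is edited and rehashed, which is why integrity checking of exports relies on a secret key and not a bare hash.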
