Continent AP: "Reason for refusal: unknown client" and other typical errors. Testing the communication channel with the ChannelChecker program

Solving problems with connecting the cryptographic protection system "Continent-AP"

1. "Error 721" The remote computer is not responding
2. "Error 628" The connection was closed
3. "Error 629" The connection was closed by the remote computer
5. "Error 703" The connection requires some data from the user, but the application does not allow user interaction
6. "Error 734" The PPP control protocol was interrupted
7. "Error" The server denied access to the user. Reason for refusal: Multiple user login is prohibited
8. "Error" key signing 0x8009001D (The vendor library is not initialized correctly)
9. "Error" key signing 0x80090019 (The set of keys is not defined)
10. "Error" key signing 0x8009001F (Invalid keyset parameter)
11. "Error" key signing 0x00000002 (The specified file cannot be found)
12. The server denied access to the user. Reason for refusal: user login blocked
13. The integrity of the files is violated. Contact your system administrator
14. "Error 850" The computer does not have the type of EAP required to authenticate the dial-up connection
15. "Error" Insert the key carrier. Keyset does not exist
16. "Error" Insert the key carrier (The "devices" field is empty)
17. "Error" The icon located in the tray is missing
18. The server denied access to the user "Wrong type of key usage"
19. The server denied access to the user "Client-Cert not found"
20. "Error" When trying to establish a connection, the following message appears: "The integrity of the Subscriber Station files is violated. Contact your system administrator"

The subscriber station allows establishing remote secure connections using the Continent 3 PPP Adapter modem emulator. When connecting a Continent-AP subscriber station, the following error messages may appear:

1. "Error 721" The remote computer is not responding (see Figure 1).

1.1 You may not have an Internet connection.

1.2 Some programs are blocking ports. Disable antivirus, firewall.

1.3 Uninstall, if installed, the firewall that comes with the Continent-AP program.

1.4 If you are using a wired Internet connection, your provider may have blocked the ports required for the Continent-AP program to run. To check, establish an Internet connection via a USB modem.

If the Internet is working, make sure that Continent-AP is configured in accordance with the sections "Configuring an additional IP address of the access server" (page 7) and "Server connection" (page 14) of the document "User's manual for installing and configuring the cryptographic information protection system "Continent-AP" version 3.6", posted on the website

2. "Error 628" The connection was closed.

See Error 721.

3. "Error 629" The connection was closed by the remote computer.

See Error 721.

This error occurs when a user manually enters an IP address in the properties of the TCP/IP protocol, whereas the server should issue it automatically. To fix this error, go to the Continent-AP connection settings (see Fig. 2).

In the "Network" tab, select the line "Internet Protocol TCP/IP" and click the "Properties" button (see Fig. 3).

In the window that opens (see Fig. 4) set the following switches:

  • "Obtain an IP address automatically";

  • "Obtain DNS server address automatically".

5. "Error 703" The connection requires some data from the user, but the application does not allow user interaction.

Go to the Continent-AP settings: on the "Security" tab, click the "Parameters" button, then the "Properties" button, then "Reset the stored certificate".

6. "Error 734" The PPP link control protocol was interrupted.

6.1 Pay attention to the error that appears before this one.

6.2 Check the system date.

7. "Error" The server denied access to the user. Reason for refusal: Multiple user logins are prohibited.

Wait a few minutes and re-establish the connection. If the connection is still not established, call the RSBI of your UFC.

8. "Error" key signing 0x8009001D (The vendor library is not initialized correctly).

The license of the CryptoPro cryptographic protection tool has expired.

9. "Error" key signing 0x80090019 (The set of keys is not defined).

9.1 Delete remembered passwords (Control Panel => CryptoPro => Service => Delete memorized passwords).

9.2 The certificate may have expired. Check the expiration date by opening the user.cer file.

10. "Error" key signing 0x8009001F (Invalid keyset parameter).

11. "Error" key signing 0x00000002 (The specified file cannot be found).

Install the new version of Continent-AP.

12. The server denied access to the user. Reason for refusal: "User login blocked."

You have been blocked on the UFC server. Call the RSBI department and find out the reason for the blocking.

13. The integrity of the files is violated. Contact your system administrator.

It is necessary to “fix” the Continent-AP program through the Control Panel =>

14. "Error 850" The computer does not have the EAP type required to authenticate a dial-up connection.

It is necessary to “fix” the Continent-AP program through the Control Panel => Add or Remove Programs, or install a new version of the Continent-AP.

SOLUTION OF TYPICAL PROBLEMS WHEN WORKING WITH "CONTINENT AP"

After installing the Continent AP program, first check that the Continent access server is reachable from the workstation. To do this, you can use the ChannelChecker program, which is located in the folder with the Continent AP distribution kit (the distribution kit is available on the website of the UFK for the Saratov region, http://saratov.*****, in the section "Information for clients" - "Electronic document flow and electronic signature" - "Subscriber point Continent AP") under the path "\Tools\Security Code\PortCheck\ChannelChecker.exe".

After launching the program, enter the access server address 78.25.64.246 in the "Server IP address" field and click the "Test" button, as in Figure 1.



Check whether the "Windows Firewall" service is running: right-click the "My Computer" icon and select "Management"; in the window that appears, select "Services and Applications" - "Services" from the list on the left side of the screen. Then find the "Windows Firewall" service on the right side of the screen and double-click it.


Restart your computer and try connecting again.

Description of possible errors when connecting

1. Error 721 The remote computer is not responding.

a) This error occurs due to the inaccessibility of the access server from the workstation. It is necessary to follow the recommendations given above (check the connection using the ChannelChecker utility).

b) The error can also occur after the connection was terminated incorrectly (the link dropped, a power outage, etc.). In that case restart the workstation, wait 5-10 minutes and try to connect again. If the error repeats, perform the actions in point a).

2. Error 734 The PPP Link Control Protocol was terminated.

To fix this error, you need to go to the connection settings of the SKZI "Subscriber Point". Select the "Security" tab and click the "Options" ("Settings") button (Fig. 2).


A new window of the SKZI "Subscriber Point" will open. In the left window "Access Servers" select the server name located there and click the "Delete" button. In the right window "Trusted Certification Authorities" select the name of the certificate authority certificate and click the "Remove" button. Click the "OK" button to close all dialog boxes (Fig. 4). Reboot your computer.

When connecting to the access server, a message appears on the screen asking you to add the access server name and the root certificate of the certification authority to the allowed lists. Click the "Yes" button in the message box.

3. Key signing error 0x8009001D (Provider library not initialized correctly)

In most cases, it can be fixed by deleting the stored passwords in the settings of the encryption provider CryptoPro CSP.

Open the CryptoPro CSP service (Control Panel => CryptoPro CSP => Service tab). Select "Delete remembered passwords" (Fig. 5).

Select all available password deletion options ("User" and "Computer") (Fig. 6).

4. Error 619: Unable to connect to the remote computer, so the connection port is closed….

The problem is solved by the methods described in paragraphs 1 and 2.

5. Error: "Access Denied: client cert not found"

Solution:

1) Reinstall user certificate and root certificate.

2) Check that the date and time on the workstation are correct.

3) Delete memorized passwords in "CryptoPro 3.6".

4) If the error is repeated after steps 1)-3), reinstall "Continent AP" and "CryptoPro".


A number of users of the Continent AP software product who have updated the Crypto-Pro cryptographic protection software to version 4.0 or higher, or installed that version on their workstation from the start, have encountered the error "Key Signing Error 0x80090010 (Access Denied)". Normal operation of Continent AP is disrupted: the certificate cannot be used for signing and sending documents. Note that with earlier versions of Crypto-Pro, from 3.6 up to the 3.9 releases, such errors occur mainly for the following reasons:

1. Private key (certificate) expired. You can find out the current validity period of the certificate by opening the Crypto-Pro CSP program - View certificates in the container - Select the required certificate - OK. If the certificate has expired, you need to get a new one. If the certificate was issued for a period of 2 or more years, 15 or more months have passed since its issuance, and you have Crypto-Pro 4.0 or higher installed, then you are dealing with the rare case specific to version 4, described below.

2. Lack of access rights to the drive on which the key is located. It also rarely happens, but it happens mainly on Windows 10 and 8.1. It is necessary to give access rights to the USB flash drive or add this disk to the antivirus exceptions.

3. Lack of access rights to the registry of protected keys. This applies when the key is installed in the registry reader and the user working with Continent AP does not have sufficient access rights to the corresponding branch; a key signature error 0x80090010 may then occur. Access rights are easy to check with the regedit command, following the path:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Users\(user SID)\Keys
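
The same check can be scripted instead of clicking through regedit. The PowerShell below is an added example, not part of the original instructions: it uses the registry path given above, assumes Continent AP runs under the account that executes the script, and the function name is hypothetical.

```powershell
# Added example: list the access rules on the CryptoPro registry key store
# that apply to the current account. The path is the one given in the text;
# the function name Get-CryptoProKeyStoreAccess is hypothetical.
function Get-CryptoProKeyStoreAccess {
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $userSid  = $identity.User.Value
    $keyPath  = "HKLM:\SOFTWARE\Wow6432Node\Crypto Pro\Settings\Users\$userSid\Keys"

    if (-not (Test-Path -LiteralPath $keyPath)) {
        Write-Warning "Key store not found or not accessible for SID $userSid : $keyPath"
        return
    }

    try {
        $acl = Get-Acl -LiteralPath $keyPath -ErrorAction Stop
    }
    catch {
        # Being unable to read the ACL is itself a sign of insufficient rights
        Write-Warning "Cannot read ACL of $keyPath : $($_.Exception.Message)"
        return
    }

    # SIDs carried by the current token: the user plus every group membership
    $tokenSids = @($userSid) + @($identity.Groups | ForEach-Object { $_.Value })

    # Ask for the rules with identities expressed as SIDs so they can be
    # compared with the token (explicit and inherited rules both included)
    $rules = $acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        if ($tokenSids -contains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                Sid       = $rule.IdentityReference.Value
                Type      = $rule.AccessControlType   # Allow or Deny
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

Get-CryptoProKeyStoreAccess | Format-Table -AutoSize
```

A Deny rule, or the absence of any Allow rule for the listed SIDs, corresponds to the lack of access rights described in this item.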

Key signing error 0x80090010 Continent AP. How to fix?

If none of the above solutions helped, you most likely have Crypto-Pro version 4.0 and the problem is the following: the certificate for Continent AP was generated in the Treasury "Key Generation" AWP with a validity period of 2 or more years. For some reason, Crypto-Pro version 4 considers keys issued 15 or more months ago to be expired. Moreover, if the certificate is not in the container, everything works fine.
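
To tell an ordinary expired certificate apart from the 15-month case described above, the dates in user.cer can be evaluated directly. The PowerShell below is an added example, not part of the original article: the function names are hypothetical, the sample dates are constructed, and the 2-year and 15-month thresholds are the ones stated in the text.

```powershell
# Added example: classify a certificate against the conditions described in
# the text. Function names are hypothetical.
function Get-CertAgeReport {
    param(
        [Parameter(Mandatory = $true)][datetime]$NotBefore,
        [Parameter(Mandatory = $true)][datetime]$NotAfter,
        [datetime]$Now = (Get-Date)
    )
    # Thresholds taken from the text: issued for 2+ years, 15+ months old
    $issuedFor2Years = $NotAfter -ge $NotBefore.AddYears(2)
    $over15Months    = $Now -ge $NotBefore.AddMonths(15)

    [pscustomobject]@{
        NotBefore            = $NotBefore
        NotAfter             = $NotAfter
        CheckedAt            = $Now
        # Certificate itself is past its end date: a new one is needed
        Expired              = $Now -gt $NotAfter
        # System clock earlier than the issue date: check date and time
        ClockBeforeIssue     = $Now -lt $NotBefore
        # The combination the text associates with 0x80090010 on Crypto-Pro 4.0
        LongTermOver15Months = $issuedFor2Years -and $over15Months
    }
}

function Get-CertFileAgeReport {
    param([Parameter(Mandatory = $true)][string]$Path)
    # X509Certificate2 reads DER or Base64 .cer files; only the validity
    # dates are used, the key itself is never touched
    $fullPath = (Resolve-Path -LiteralPath $Path).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $fullPath
    Get-CertAgeReport -NotBefore $cert.NotBefore -NotAfter $cert.NotAfter
}

# Constructed sample: a 2-year certificate checked more than 15 months
# after it was issued
Get-CertAgeReport -NotBefore '2015-12-10' -NotAfter '2017-12-10' -Now '2017-04-01' |
    Format-List

# For a real certificate file (path is an assumption):
# Get-CertFileAgeReport -Path .\user.cer | Format-List
```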

To solve the problem, open the Crypto-Pro program and select the tab Service - View certificates in the container - Browse - Select the required certificate - Properties - Contents - Copy to file, checking the "Yes, export private key" and "Export advanced properties" checkboxes. Next, set a password and a name for the certificate. A file with the .pfx extension is exported. This .pfx file is then installed again, and a container with a new name is assigned to it. The Continent AP certificate must be installed bound to this container with the new name; the extended properties of the certificate will then be available, there will be no problems with its validity period in Crypto-Pro 4.0, and the key signature error 0x80090010 (Access denied) should no longer appear.

I told you how to install the Continent AP program on Windows 7. The fact is that this program uses certificates in its work, with the help of which a secure connection and data exchange with the Continent AP access server are created. In this article I will try to tell you how to create a certificate issuance request for the AP Continent, as well as how to install this certificate into the program.

I will show, as always, with pictures, though they were made on a computer running Windows XP. So let's get started ...

After installing the Continent AP, a "gray shield" icon should appear in your tray. If you click this "shield" with the right mouse button, a context menu will appear, as shown in the picture below:



Here you need to select the "Certificates" menu item, and then "Create a request for a user certificate". The following window will open (Fig. 2):



This form must be completed. Remember to insert a blank key carrier before doing this: after the form is filled out, generation of the private keys begins, and it takes place on the removable key carrier. This can be, for example, a USB flash drive. If you use Crypto PRO 3.6 or higher on your computer, flash drives (more precisely, "All Removable Media") are enabled by default. I do not consider generation on a key carrier of the "Registry" type; this is prohibited in our UFC.


So, let's get back to filling out the form (Fig. 2). As you can see, it consists of two blocks, which I outlined in yellow. The upper block is intuitively clear (you need to fill in all the fields), so I will dwell on the lower one in more detail. You must immediately check the "paper form" box; by default it is not checked. Using the "Browse" buttons, you can select a location to save the files. There will be two of them: *.req and *.html. The file names can be edited as you like, without changing the file extensions, of course.

By default, the program offers to save under the following name: the name of the computer on the network (I circled it in blue), the date and time of the request. As you can see from the figure, the request was created on December 10, 2015 at 9 hours 51 minutes 46 seconds on a computer named "imyacompa". The last 3 characters are added randomly. They always consist of three digits and I did not notice any system in their generation.

It is worth noting that if you downloaded Continent AP version 3.5.68.0 from my website, it most likely contains an old printable template. After installing the program, you need to change this template. This is relevant for our region, namely the Chelyabinsk region. Changing the printable template affects only the printable form in *.html format; it has no effect on the *.req file.

If your region uses an old template, then you should follow the guidelines for your region. You can download the new template from the following link. If you are in our region, then before generating keys and requesting a certificate, change the template in accordance with the instructions in the attached file.

So, having decided on the names of the files, you can start generating the certificate request by clicking the "OK" button. As mentioned above, we will get two files, *.req and *.html, as well as private keys on a USB flash drive or other medium.

Next, follow the procedure for submitting certificate requests that is in force in your UFC. Here we print the *.html file on paper and have it signed by the owner of the certificate and the head of the organization. Then we hand over to the Treasury the paper copy and the *.req file on removable media, and in return we receive a certificate.

So, the request was sent to the UFK, we received a certificate. By the way, time may pass between sending a request and receiving a certificate, everyone has different ways, but the main thing is to wait for the certificate. What's next? And then right-click on the "shield" of the AP Continent and do what is shown in the picture below:



Namely: go back to "Certificates", and then "Install user certificate". The arrows in Figure 3 show what to do. Before that, insert the key carrier with the private keys obtained as a result of the generation, and also prepare the certificate obtained from the UFC. I copied it to a key carrier so that it was always at hand. You can do it your way: rewrite it anywhere, the main thing is that during installation you can get to it. By the way, along with the user certificate, our UFK also issues the root certificate of the Continent AP. This certificate, when installed, must be located in the same directory as the user's one. In general, the figure below shows all this:



The root certificate of the Continent AP is the root. This certificate is required when installing Continent AP for the first time. After installing the user certificate, the program installs the root certificate if it is not yet installed; otherwise, it does nothing. But if the program does not find the root certificate the first time, there will be problems. Therefore, it is better to always keep it in the same directory as the user certificate.

In Figure 4, during installation you must, of course, select the user certificate. It is underlined in the picture. The yellow folder contains the private keys obtained when generating the request. There are six files with the *.key extension. These keys are standard for the Crypto Pro 3.6 program, since it is that program that generates them. So, having selected the user certificate, we press the "Open" button and get to the following picture:



The topmost line is the key container with private keys. And at this stage, we just have to indicate to the program the key container corresponding to our certificate. Namely, the one that was generated when creating the certificate request. In general, I will allow myself a small digression ... All EDS that are generated using Crypto Pro (you do not think that the keys are generated by the AP Continent) consist of two parts:

  • a private key is a key container that is obtained during generation;
  • the public key is a certificate obtained from the treasury.

These parts are connected (again, with the help of Crypto Pro) only if they match. It is not difficult to conclude: if one of the parts is lost or damaged, then the entire EDS stops working. And it is impossible to fix this situation, except for the generation of a new EDS. There are ways to make a copy of an EDS, but I will not touch on this in this article.

So, back to the matter at hand. In Figure 5, be sure to click on the top line with the key container, and then click "OK". After all this has been done, you will see the following window:



Well, here only "OK", there are no other ways ... Congratulations, the certificate is installed. It's time to test its performance. To do this, you need to do as the following picture tells us:



Right-click on the "shield", go to "Establish / break connection" -> "Establish connection Continent AP" and get into the following window:



Click where the red arrow shows (Fig. 8). If in the previous steps you followed this instruction, then you will get at least one certificate. You should choose exactly the one you just installed (see Figure 9):



After selecting it, check the box "always use this certificate when connecting". In this case, your Continent AP will connect to the server using the specified certificate. Otherwise (if the checkbox is not checked), it will offer to select a certificate each time you connect. To find out whether the certificate was selected correctly, you can use "Properties", which shows everything about the selected certificate. At the end, as always, click the "OK" button. The process of connecting the AP Continent to the access server will begin. blue:



If you succeed the same as mine, then I am glad to congratulate you on the successful installation of the certificate for the AP continent. After you have connected to the access server, you can load the SUFD and start working in it.




Let's analyze one of the errors of the Continent AP software package used when working with the Treasury. It reads as follows: "The server denied access to the user. Reason: unknown client." A frequent and one of the main reasons may be the manual blocking of your organization's certificate files by specialists of the technical security department of the Federal Treasury Department. These issues are handled by ORSiBI (the Division of the Regime of Secrecy and Information Security). Sometimes this is done in order to speed up the delivery of closing documents from the organization to the Treasury. Put simply: if you get the error "The server denied access to the user. Reason: unknown client" in Continent AP, call the technical department and clarify the reason. The employees will most likely also name a list of documents that you need to provide to them with all the necessary stamps and signatures.

What if it's not a manual lock?

Incorrect configuration of the certificate on the server by ORSiBI employees. The blocking may be not "manual" but systemic. The error in this case is that the Continent-AP user account on the UFC access server was created with the right to access the SUFD and the user certificate under which you are trying to log in is tied to it. To resolve the issue, contact the ORSiBI staff, name your organization and request a compliance check.

Problems with UFC equipment. This is rare, but it does happen. In this case, the mapping of the user's certificate to his FMS access rights does not work, since there is no connection between the databases. The way out is to call the UFC technical support staff and clarify whether there are any problems with the equipment and when they will be eliminated.

Viruses. On the forums, users in a number of cases linked this error to viruses that duplicate files on removable media. More often, of course, another error appears in this case; however, the "unknown client" error was also encountered. Make sure that there are no hidden files on your flash media whose purpose is unknown to you. Check your system with an antivirus such as Dr Web Cure It! or Malwarebytes Anti-Malware; they are the best at dealing with issues like this.
