Troubleshoot AirLock User Issues
  • 23 Aug 2024

Issue

If your user receives an error message upon accessing Axiad AirLock, the likely cause is a missing or malformed registry entry or Group Policy configuration.

Solution

Review the Event Log

  1. Open the Windows Event Viewer.

  2. Open the Applications and Services Logs > Axiad folder.

  3. Locate the event log.

  4. Review the error events.

Additional Log Files to Review

In addition to the event log, review:

  • The Lockdown Service log (Service.log). By default, this file is located in the C:\Program Files\Axiad\AirLock\ folder.

  • The AirLock client log (Shell.log). By default, this file is located in the C:\Users\<your user>\AppData\Local\Axiad\AirLock\ folder.
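
The review steps above, gathered into one triage script. This is an added example, not Axiad code. It assumes the logs under the Axiad folder carry "Axiad" in their log name (the exact name is not given here) and uses the default file locations listed above; `$UserName`, `$MaxEvents` and `$TailLines` are illustrative parameters.

```powershell
# Added triage example: collects the AirLock error events and log tails in one pass.
param(
    [string]$UserName  = $env:USERNAME,  # affected user's profile name
    [int]   $MaxEvents = 50,             # newest error events to show per log
    [int]   $TailLines = 100             # lines to show from the end of each file
)

# Assumption: logs shown under "Applications and Services Logs > Axiad"
# have "Axiad" in their log name, so a wildcard lookup finds them.
$logs = Get-WinEvent -ListLog '*Axiad*' -ErrorAction SilentlyContinue
if (-not $logs) {
    Write-Warning 'No event log matching *Axiad* was found on this machine.'
}

foreach ($log in $logs) {
    Write-Host "== Event log: $($log.LogName) =="
    # Level 1 = Critical, Level 2 = Error
    Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Level = 1, 2 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Format-List TimeCreated, Id, ProviderName, Message
}

# Default log file locations as listed in this article.
$files = @(
    'C:\Program Files\Axiad\AirLock\Service.log',
    "C:\Users\$UserName\AppData\Local\Axiad\AirLock\Shell.log"
)

foreach ($file in $files) {
    if (Test-Path -LiteralPath $file) {
        Write-Host "== $file (last $TailLines lines) =="
        Get-Content -LiteralPath $file -Tail $TailLines
    }
    else {
        # A missing file is itself a finding: the component may never have started.
        Write-Warning "Not found: $file"
    }
}
```

Run it from an elevated PowerShell session on the affected machine, passing `-UserName` when the affected user is not the one running the script.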

AirLock Known Limitations

Your issue may be caused by a limitation of the AirLock product. Make sure that your environment does not include any of the following, and that your users are not attempting any of these actions.

Multiple Certificate Renewal

If the user has more than one token / smartcard with certificate(s) on it, then on renewal, AirLock will not be able to determine exactly which one requires renewal and will simply bring the user to the My Identities page. The user will then have to manually select the token / smartcard and perform the update action.

Entra ID-joined Machines

For Entra ID-joined machines, AirLock will not be able to determine if Certificate-based Authentication (CBA) is performed and will always prevent access to the desktop.

Remote Desktop Session

The Keyboard Filter (which prevents the use of Ctrl-Alt-Del to escape) is not available over RDP, so the user can potentially escape the AirLock session.

CORS Requirement

The entry URL for Kiosk mode is https://<up.domain.com>/user?mode=kiosk, which does not work unless the IdP includes CORS support. As a result, Kiosk mode cannot be entered when integrating with ADFS versions earlier than 2019, or with Azure/Entra ID for SSO.

Kerberos SSO Documentation Bug

The Authorized Domains for Kerberos SSO GPO must include a wildcard, but the examples provided in the GPO documentation are invalid. A valid example is *.<customerdomain>.com

Unified Portal (UP) Custom Logout Page

Setting a custom logout page in the UP may prevent AirLock from entering the hard-coded logout landing page, which results in a stuck Kiosk session.

Access to the Registry Editing Tool

  1. AirLock needs to read the system’s registry in order to retrieve the AirLock and browser configuration information. The following GPO can prevent AirLock from retrieving the registry values:

  2. If the user is prevented from using the Reg tool, then the portal’s allowed entries cannot be retrieved, which generates the following errors under My Identities and during certificate renewal:

