Troubleshoot ZTA Enrollment Error "Posture Registration Error. Failed to Register with Duo Desktop"

Available Languages

Download Options

  • PDF     (729.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (893.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (508.7 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:December 12, 2023
Document ID:221234

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to resolve "Posture Registration Error. Failed to Register with Duo Desktop".

    Problem

    When a user tries to enroll in ZTA, the error is printed in the Cisco Secure Client notification popup:

    Posture Registration Error. Failed to Register with Duo Desktop.

    ZTNA Error Enrrolment

    To check the issue, verify the logs based on the next steps:

    • Open Duo Desktop > Settings > Preferences Button
    • Enable Detailed Diagnostic reports

    Duo Desktop

    Replicate the issue and then run the DART (Diagnostic And Reporting Tool).

    • Open Secure Client
    • Click on Diagnostics

    Secure ClientCisco Secure Client - Generate DART

    • Continue with the wizard; do not modify the Default option to gather all the information

    Secure Client - DARTGenerating DART

    The bundle logs after that are on your Desktop.

    • Under the DART file, access to Cisco Secure Client > Zero Trust Access > Logs
    • Open ZeroTrustAccess.txt

    The ZTNA error is in the next log:

    • (DHA 'DhaRequestEnrollment' failure response reported error : 'Unable to sign health payload')

    ZTNA errorZTA - Error logs

    The bundle logs after that are on your Desktop.

    • Under the DART file, access to Cisco Secure Client > Duo Desktop > DHA_Logs
    • Open DuoDeviceHealth.log

    The Duo Desktop error is in the next log:

    • (ERROR|DuoDeviceHealthLibrary.Utilities.Services.ServerCertificateService|Invalid server certificate found; not in pinned list (11))

    Duo Desktop errorDuo Desktop - Error Logs

    Error "Invalid server certificate found; not in pinned list"  In Duo Desktop, there is an incorrect certificate that was used as a result of traffic inspection, decryption, or proxying.

    For more information, check How do I resolve the debug log error "Invalid server certificate found; not in pinned list" in Duo Desktop?

    Solution

    • Ensure that *.duosecurity.com is listed as an exception in any SSL decryption/inspection/injection, proxying, or firewall infrastructure in your environment or Secure Access.
    • Ensure that sseposture-routing-commercial.k8s.5c10.org  is listed as an exception in any SSL decryption/inspection/injection, proxying, or firewall infrastructure in your environment or Secure Access.
    • Ensure that sseposture-routing-commercial.posture.duosecurity.com  is listed as an exception in any SSL decryption/inspection/injection, proxying, or firewall infrastructure in your environment or Secure Access.

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    12-Dec-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Amit Arora
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products