8 Replies Latest reply on Feb 3, 2014 11:33 PM by JKeinanen

    Problems with securing PDF document with certificates, recipients listed as "unknown"

    JKeinanen

      I'm trying to secure a PDF with certificates. I've created a self-signed user certificate in our domain which has been auto-enrolled to users, and the certificates have been saved to Active Directory. I've configured the directory server and I can search for users in our domain and set their permissions in Adobe Acrobat, but when I save the document and reopen it, all recipients are shown as "unknown" in the "Select recipients" window, except our domain root certificate and my certificate. Sometimes this happens immediately after saving, when opening the document the next time, but sometimes the recipient list shows correctly after reopening the document and those recipients can actually open the protected document, but it changes later to show users as "unknown" and then they can't open the document anymore. What am I doing wrong?

        • 1. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
          JKeinanen Level 1

          As I didn't get any help from here, I chatted with the Adobe support chat on Thursday. It took 1.5 hours before the agent understood that he couldn't help with the issue and needed to escalate it to the upper support level. He promised that an upper-level agent would call me on Friday; needless to say, no call at all. Adobe: this is the first time I have had to use your support and I hope it's the last too, this is not the way to give a great customer experience!

          • 2. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
            Steven.Madwin Adobe Employee

            Hi JKeinanen,

            I'm sorry tech support wasn't able to help you. I'll make sure they get a note on how to handle this in the future.

            Before I get into what is going on, here's a bit of background on Certificate Security. Acrobat actually encrypts the PDF file using a symmetrical key (that is, the same key is used to encrypt and then later decrypt the PDF file). This key, which will be either 128 or 256 bits long, is then itself encrypted once per recipient. If you have selected 10 recipients (i.e. 10 users that can open the file) the symmetrical key would be encrypted 10 times. Every time Acrobat encrypts the symmetrical key it adds a line to the recipient table, in essence one row per recipient. This table contains three columns: the first column is the digest of the recipient's public key (which you selected from the server), the second column is the encrypted symmetrical key and the third column is the permissions for that particular recipient (e.g. whether or not they can print or copy).

            Digests are a quick and secure method of identifying a Public-Key Certificate (PKC), and if you look at the PKC in a certificate viewer you'll see the SHA-1 thumbprint listed. It's this thumbprint that Acrobat uses to identify the corresponding PKC.

            Now to your issue. When Acrobat builds the list of recipients where you are seeing "unknown", it is looking in the Acrobat Address Book file (aka the list of Trusted Identities) for the PKC that corresponds to the digest. Since you never added the recipients' PKCs to your list of Trusted Identities, Acrobat has no idea what name to use, so you see "unknown". Had Acrobat found the corresponding PKC in the Trusted Identities, it would have parsed the data in the PKC, extracted the common name (the CN value in the Subject extension) and put that in the list. To get rid of the "unknowns" you need to import the PKC for each recipient. I can give you the steps, but I need to know which version of Acrobat you are using because the UI tends to change a bit between versions.

            As an aside, you should see your name in the list because Acrobat not only looks in the list of Trusted Identities, but also in the list of Digital IDs. I'm sure you encrypted the file for yourself as well as for the other recipients, or you never would have been able to open it to see the list of "unknowns". Even if you add all of the recipients to the list of Trusted Identities, which will fix this for you, each of the recipients would only see their own name in the list and everyone else (including you) would appear to them as "unknown". Of course they too could import the other recipients' PKCs into their Trusted Identities list, but I'm betting that that's just not going to happen.

            I hope this helps. Reply to this post if you have any other questions and I'll be able to help you.

            Steve

            • 3. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
              JKeinanen Level 1

              Hi Steve,

              thanks for your reply. I actually got a response from Adobe support last week: they said that it is a bug and their engineers are working on it to get it fixed, and a fix will be released later.

              I tested this: I exported one user's certificate from Active Directory (via the AD Users and Computers snap-in) and added it to my computer's trusted identities list; then my Acrobat recognizes that user name and this certificate protection works as expected. I had already added our domain root certificate to the trusted identities list (as I thought it would use the certificate chain for trusting and therefore trust all individual user certificates) but I assume this method doesn't work. I'm 99% sure that previously, when I added a user from the AD directory server, he wasn't able to open the document, but now it seems to work: when I add a user from the directory server, he can open the document, although that user shows on my computer as "unknown" (as I haven't added that user to trusted identities).

              I assume that I can give permissions to users even without adding them to trusted identities (when they will show as "unknown"), but if I ever need to manage those permissions (e.g. remove a specific user's access to a protected file), I then need to have their certificates in the trusted identities list to be able to find the right user in the user list, as otherwise all users will show as "unknown", am I right? Therefore I wonder why there's even an option to select users via the AD directory server if I still need to add their certificates to my trusted identities list, as there isn't any advantage in using the AD directory server. I could just import their certificates to trusted identities and then select users from there, with no need to use the AD directory service at all?

              Or is there some way to use the AD directory server connection to get user certificates from AD and import them to trusted identities, or do I have to do it "manually" (export via the AD Users and Computers snap-in on the server)? What's the point of using the AD directory server at all?

              • 4. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
                Steven.Madwin Adobe Employee

                Hi JKeinanen,

                Before I get into the techno-geeky stuff let me start with this: it is not a bug, and it's not going to get fixed because it's not broken. I'm sorry you were told that, but whoever told you that this is a bug is mistaken. If you still have that person's name I'll send you my e-mail address, because I'd appreciate it if you could share that info so I can get things squared away.

                Let's start with just what Acrobat (and Reader as well) is trying to do. When it tries to open the file it finds out pretty quickly that the file is encrypted, so it looks for a small piece of plain text data that lists the name of the encryption handler. It then calls that encryption handler to do the actual decryption and waits until the file has been converted back to plain text before it does anything else.

                The encryption handler (in this case it's the PPKLite.api plug-in that you can find in the plug-ins folder in the Acrobat directory) now has to find the right private key to use in order to decrypt the symmetrical key that is required to decrypt the file. That table I mentioned above that contains the digests of the corresponding public keys comes into play at this point. The encryption handler reads the table and builds a list of the digests that represent the PKCs that were used to encrypt the file. It now goes off to look through the list of digital IDs that the user has available to them to see if the digest of any of those digital IDs matches any of the digests in the recipient list. If there is a match it pops up the password dialog in order to get the user to open the access door to the corresponding private key. Once the encryption handler has access to the private key it uses it to decrypt the symmetrical key, which it then in turn uses to decrypt the file. The plain text file is then handed off to the Acrobat/Reader viewer and the encryption handler goes to sleep.

                That's of course if there is a match; if there is no match then you see the alert that you are denied access.

                None of this is based on trust or chain building. Either you have the correct digital ID (or more precisely the correct private key) to decrypt the symmetrical key or you don't. So far so good?

                If you have selected a public-key certificate for an individual, and used that PKC to encrypt the file, and they cannot decrypt the file, the only answer is that they do not (well really Acrobat does not) have access to the corresponding private key. It's not enough to match names because these keys have a symbiotic relationship; it has to be the exact match, which is why Acrobat uses the digest and not the Subject Name.

                Provided that a match was found, the next thing the encryption handler does is go back to the table I keep referring to and match up the set of allowable permissions that were assigned to that specific user. It then passes that information on to the viewer (the viewer is really the core of Acrobat & Reader) and the viewer then enables/disables functionality as required.

                That's the high level overview of decryption. Let's move back to the encryption process.

                You're starting with an unencrypted (plain text) file and initiate the Certificate Security encryption process. The first thing Acrobat (no Reader here because you can't encrypt using Reader) does is call the encryption handler and let it do the work. Now that PPKLite has come to life, it starts collecting the information that it needs to do the actual work. The first thing it wants to know is what encryption algorithm you want to use and just what it is that you want to encrypt (the whole file, the whole file EXCEPT the Metadata, or just the file attachments). Once it has this information the next thing it wants to know is who you want to grant access to, but (and this is important), before it starts collecting the PKCs of the recipients it wants to make sure that you are one of the recipients. If you were to encrypt the file without including yourself, once you closed the file you would never be able to get back into it again. This could be especially catastrophic if there are no other copies of the file. The encryption handler looks through your available digital IDs and builds a list of all of the corresponding PKCs that have "encrypt" set in the Key Usage extension. If you don't have a digital ID that could be used to open the file later we don't prevent you from continuing, but we do throw an alert encouraging you to get a digital ID before you continue.

                Here is where we've come to the crux of your issue. You're using the Search mechanism, and on Windows you have access to searching Active Directory depots. You search the depot, find your recipients and add them to the recipient list. Eventually, you are done with the search and have added all of the recipients, at which point you may, or may not, have set the Permissions (which can be set without the PKC being in the Acrobat list of Trusted Identities), either individually or en masse. You click the Finish button and Save the file and everything looks good. If you go back into the Certificate Security Settings (provided you haven't closed Acrobat) and check the Recipients you see all of the names. Why you see the names I'm going to get back to, but I do have the answer for you.

                If you close Acrobat, and then re-open the file and get back into the settings, at this point all of the names, except for yours, are displayed as "Unknown", and this is the crux of your question. The reason you saw the names before you closed Acrobat is that when you selected the user's PKC from the Active Directory depot the PKC was read into memory. Acrobat needed to load the whole thing into memory in order to use the public key to encrypt the symmetrical key, and also needed to get the digest (also known as a hash in computer lingo) of the PKC to add to the recipients table. While you were within the same session of Acrobat the names show up, but when you close Acrobat all of the memory allocated to it by the operating system is released (if it's not, that's a whole lot of bigger problems) and all of the PKCs that were loaded into memory disappear into the ether. When you restart Acrobat there are no PKCs to be found that match up to the digests in the table and thus you see "Unknown". Had you added those certificates to the list of Trusted Identities then Acrobat could have made the match, extracted the name from the cert, and built the recipient list using names.

                Finally, you asked why there is an option to select recipients via AD if you have to add them to the list of Trusted Identities. I'm proffering that the certs don't need to be in the list of Trusted Identities in order to successfully apply and use Certificate Security; you only need them there if you want to come back later and see the names.

                Steve
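The recipient table and the digest-based matching that Steve describes in his two replies above, as an added example written for this thread (not Adobe's or PPKLite's code). It assumes RSA-OAEP as a stand-in for Acrobat's actual key-wrapping format, hashes the DER public key instead of the whole certificate for the thumbprint, and leaves out the symmetric encryption of the file body itself; the names, types and the "Unknown" lookup against a trusted-identities map are constructed for illustration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// PKC is a constructed stand-in for a recipient's public-key certificate.
type PKC struct {
	CN  string         // common name Acrobat would show in the recipient list
	Pub *rsa.PublicKey // key the document's symmetric key is wrapped to
}

// Thumbprint is the SHA-1 digest the table is keyed on (simplification: over the DER public key; a real thumbprint covers the whole cert).
func Thumbprint(pub *rsa.PublicKey) [20]byte {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return sha1.Sum(der)
}

// Row is one line of the recipient table: digest, wrapped key, permissions.
type Row struct {
	Digest     [20]byte
	WrappedKey []byte
	Perms      string // e.g. "print,copy"
}

// BuildTable wraps the document's symmetric key once per recipient
// (RSA-OAEP here as an assumption; Acrobat's actual wrapping format differs).
func BuildTable(symKey []byte, recips []PKC, perms []string) ([]Row, error) {
	rows := make([]Row, 0, len(recips))
	for i, r := range recips {
		wk, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, r.Pub, symKey, nil)
		if err != nil {
			return nil, err
		}
		rows = append(rows, Row{Thumbprint(r.Pub), wk, perms[i]})
	}
	return rows, nil
}

// Unwrap is the decryption-side lookup: the digest of the user's own digital ID is
// compared against every row. No names, no chain building; only a matching private key works.
func Unwrap(rows []Row, id *rsa.PrivateKey) ([]byte, string, error) {
	mine := Thumbprint(&id.PublicKey)
	for _, row := range rows {
		if row.Digest != mine {
			continue
		}
		symKey, err := rsa.DecryptOAEP(sha256.New(), nil, id, row.WrappedKey, nil)
		return symKey, row.Perms, err
	}
	return nil, "", errors.New("access denied: no digital ID matches a recipient digest")
}

// RecipientNames resolves each digest against the local Trusted Identities store; a cert never imported there shows as "Unknown".
func RecipientNames(rows []Row, trusted map[[20]byte]string) []string {
	names := make([]string, 0, len(rows))
	for _, row := range rows {
		cn, ok := trusted[row.Digest]
		if !ok {
			cn = "Unknown"
		}
		names = append(names, cn)
	}
	return names
}
```

The permissions column travels with the digest, so a recipient who was never imported into Trusted Identities still opens the file with the rights assigned to that row; the store only affects the name shown.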

                • 5. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
                  JKeinanen Level 1

                  Hi Steve,

                  thanks for your reply, I understand now how this works. I tested this now by exporting users' certificates from AD and importing them to my Adobe Acrobat "Trusted certificates" container. Now the issue is that after setting permissions, when I reopen the document security properties it now displays all user names as expected, but when I click on any user (except myself) all permission settings are now displayed as "Unknown" and also the Permissions... button is grayed out. What should I do to have the users' permission settings visible?

                  • 6. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
                    Steven.Madwin Adobe Employee

                    Hi JKeinanen,

                    I see what you are referring to, and for that I don't have an answer off the top of my head. I'll check on this and get back to you, but it won't be until next week.

                    In the meantime, if you do want to reset the permissions for a particular user you can remove them and add them anew, at which point you'll have the opportunity to set the permissions. This is only a work-around; I realize that what you really want is to see the permission set in order to know if you need to change it, and that this may mean you are doing unnecessary steps.

                    Steve

                    • 7. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
                      JKeinanen Level 1

                      Hi Steven,

                      we still have that issue where user permissions are displayed as "unknown", and we now have another issue as well. I'm responsible for managing permissions for two different protected documents, and suddenly both of these documents started to crash Adobe Acrobat when I try to open them. Here's more information about this issue:

                      - If I try to open these documents on any computer using Adobe Acrobat or Adobe Reader, the software crashes, so the issue is not computer-related

                      - I can open these documents on my computer when logged in as another user, so the issue seems to be related to my account

                      - I deleted my personal certificate and requested a new one, and using another user account (which has write permissions to these PDFs) I removed my old certificate and added this new certificate, but it didn't help.

                      - If I create a new PDF document and configure certificate protection for it, I can open that new document without issues.

                      So the issue seems to be isolated to these two documents and only to my account. This is a very bad situation as I should be able to manage the permissions of those files, but now I'm unable to do my work. What should I do now to get access to these files back?

                      Here are the details of the Adobe Acrobat crash from my computer's event logs (there's a total of 5 events for each crash):

                      Faulting application name: Acrobat.exe, version: 11.0.4.63, time stamp: 0x52288928

                      Faulting module name: ntdll.dll, version: 6.1.7601.18247, time stamp: 0x521ea8e7

                      Exception code: 0xc0000374

                      Fault offset: 0x000ce753

                      Faulting process id: 0x2024

                      Faulting application start time: 0x01cf1836300c2f8d

                      Faulting application path: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe

                      Faulting module path: C:\Windows\SysWOW64\ntdll.dll

                      Report Id: a1b9dc7c-8429-11e3-8131-534e57000000

                       

                       

                      Faulting application name: Acrobat.exe, version: 11.0.4.63, time stamp: 0x52288928

                      Faulting module name: PPKLite.api, version: 11.0.4.63, time stamp: 0x522887d7

                      Exception code: 0xc0000005

                      Fault offset: 0x000b9c10

                      Faulting process id: 0x2a5c

                      Faulting application start time: 0x01cf183665694f8c

                      Faulting application path: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrobat.exe

                      Faulting module path: C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\plug_ins\PPKLite.api

                      Report Id: a367da9c-8429-11e3-8131-534e57000000

                       

                      Fault bucket 3845057269, type 5

                      Event Name: FaultTolerantHeap

                      Response: Not available

                      Cab Id: 0

                       

                       

                      Problem signature:

                      P1: Acrobat.exe

                      P2: 11.0.4.63

                      P3: 52288928

                      P4: ffffbaad

                      P5:

                      P6:

                      P7:

                      P8:

                      P9:

                      P10:

                       

                       

                      Attached files:

                      C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\FTH45BB.tmp\fthempty.txt

                       

                       

                      These files may be available here:

                       

                       

                       

                       

                      Analysis symbol:

                      Rechecking for solution: 0

                      Report Id: a1bc266c-8429-11e3-8131-534e57000000

                      Report Status: 0

                       

                      Fault bucket 3886876983, type 1

                      Event Name: APPCRASH

                      Response: Not available

                      Cab Id: 0

                       

                       

                      Problem signature:

                      P1: Acrobat.exe

                      P2: 11.0.4.63

                      P3: 52288928

                      P4: StackHash_f3b2

                      P5: 6.1.7601.18247

                      P6: 521ea8e7

                      P7: c0000374

                      P8: 000ce753

                      P9:

                      P10:

                       

                       

                      Attached files:

                      C:\Users\joel.keinanen\AppData\Local\Temp\WER4648.tmp.WERInternalMetadata.xml

                       

                       

                      These files may be available here:

                      C:\Users\joel.keinanen\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Acrobat. exe_2542757bce68cbd9637d6b3f9c810fa2ebec99_2ad45e4a

                       

                       

                      Analysis symbol:

                      Rechecking for solution: 0

                      Report Id: a1b9dc7c-8429-11e3-8131-534e57000000

                      Report Status: 0

                       

                      Fault bucket 3868193853, type 1

                      Event Name: APPCRASH

                      Response: Not available

                      Cab Id: 0

                       

                       

                      Problem signature:

                      P1: Acrobat.exe

                      P2: 11.0.4.63

                      P3: 52288928

                      P4: PPKLite.api

                      P5: 11.0.4.63

                      P6: 522887d7

                      P7: c0000005

                      P8: 000b9c10

                      P9:

                      P10:

                       

                       

                      Attached files:

                      C:\Users\joel.keinanen\AppData\Local\Temp\WER50F2.tmp.WERInternalMetadata.xml

                       

                       

                      These files may be available here:

                      C:\Users\joel.keinanen\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_Acrobat. exe_d96901cab8843641527a41c28f383fb76d0b84e_28b868e4

                       

                       

                      Analysis symbol:

                      Rechecking for solution: 0

                      Report Id: a367da9c-8429-11e3-8131-534e57000000

                      Report Status: 0

                      • 8. Re: Problems with securing PDF document with certificates, recipients listed as "unknown"
                        JKeinanen Level 1

                        Dear Adobe,

                        is it possible to get proper support for your products at any cost? We can't wait for weeks for your replies in business-critical applications. If there are any similar solutions from other companies, feel free to recommend them.