[KBA-00679] Controller synchronization fails with a "BuildCards Error -1011" warning - Security Center 5.2 SR4 - 5.5 SR1

series
Security Center 5.2 SR4 - 5.5 SR1
revised_modified
2016-06-30

[KBA-00679] Controller synchronization fails with a "BuildCards Error -1011" warning

This article explains why you might receive a "Buildcards Error -1011" warning when a controller unit attempts to synchronize.

Symptoms

When a controller fails to synchronize, a Buildcards error -1011 warning appearing on the Synchronization page.

Cause

This error is often caused by either insufficient privileges, a recently added invalid or duplicate credential, or credentials with different bit lengths. When there are different bit lengths, in certain situations, the unit generates duplicate credentials internally. The root cause is a hardware limitation of HID Vertx units, because their build card service does not take into consideration the bit length information in their compiled database. This can result in duplicate hexadecimal encoded entries (this is specific to the encoding algorithme).

Example

26-bit card internal representation ABC00000000000<p>36-bit card internal representation ABC00000000000000000

36-bit card internal representation ABC00000000000000000

In this case, the unit reverses the hexadecimal representation internally. After that, the leading zeroes are trimmed, generating the duplicate credential ABC.

NOTE: During host lookups, the bit length information is sent to AM and it is able to distinguish the credential used.

Workaround

The first thing to check with any Buildcards error is whether the Access Manager service user has the necessary privileges to write to the VertXTempFiles folder and its subfolders. In 3.0 and 4.0, with hotfix 700/701, the VertXTempFiles folder is located in the Security Center installation folder. Otherwise, it is under C:\Windows\system32.

There are 3 possible workarounds:

Workaround 1

If this is caused by different bit length credentials, the simplest solution is to use only single bit length credentials.

Workaround 2

Set RemoveDuplicateCredentials setting in vertxconfig.gconfig to true. In this case, the duplicate credentials are not sent to the unit, but there is a host lookup on card swipes. As a side effect, whenever the unit is offline the duplicate credentials do not work. The host-lookup fails and access is denied.

Workaround 3

ATTENTION: Make sure this error is caused by an invalid credential. Otherwise, if the credential is valid, the user with the deleted credential does not have access.

If the Access Manager service user is able to write but this error is still present, it is most likely caused by a recently added invalid credential which must be removed.

To track down which credential is causing the issue, do the following:
  1. Navigate to the VertXTempFiles folder and open the subfolder corresponding to the MAC address of one of the controllers that does not synchronize.
  2. Open the Buildcards.log file.
  3. Look for the Duplicate Hex Card Number message, followed by the information for both credentials. Write down the uniqid for both.
  4. Open SQL Management Studio Express and run the following query (using default DB names):

    Use Directory

    Select * from dbo.credential where UniqueNumericId = 'xxxx'

    Note: [xxxx = uniqid from first credential]

    Only one result should appear. The value in the card number data is now 0...1|26 - values of 0 for all fields.
  5. Copy the information in the Cardholder field, which provides the GUID of the associated cardholder.
  6. Run the following query:

    Use Directory

    Select * from dbo.Cardholder where Guid = '<value copied from dbo.credential query>'

    The result provides you with the name of the associated cardholder.
  7. In Config Tool, look up that cardholder and its associated credential(s). If this credential is unused, delete it. Otherwise, repeat Steps 4-7 with the uniqid determined in Step 3.