Jump to content

Authorizenet (authnet) Error 99


Recommended Posts

I have authnet set up see attached:

[Authnet settings Screenshot from 2015-11-30 10:13:24.png]

When I click on checkout, the page refreshes, and I have to click on checkout again.

It brings me over to authorize.net and I get a 99 error

See attached screenshot

[Authnet-error 99 Screenshot from 2015-11-30 10:10:27.png]

I called authnet because the error was happening on their site.

The information I got from them was the error is either the Transaction Key. I get a new one and entered it while the rep from authnet was on the phone. It was entered correctly, as was the API login ID.

The rep told me the error 99 is caused either because the wrong transaction key and/or wrong API Login ID was entered. We doublechecked and found it was correct.

OR

it is caused because

"Amount has to be set in scripting prior to the generation of the fingerprint hash
may not be properly posting all required fields for AIM
x_login
x_underscorefp_sequence
x_fp_timestamp
x_fp_has
x_amount"

The error log and system error log on my system are clean. (No errors registered)

Thank you in advance for your help.

Authnet settings Screenshot from 2015-11-30 10:13:24.png

Authnet-error 99 Screenshot from 2015-11-30 10:10:27.png

AN update from an email just received from authnet:

Issues with these values or with the generation process can cause Error 99. The three most likely causes of Error 99 are:

 1) The Transaction Key that you have embedded in your script is not correct. Just to be sure, generate a new transaction key, disable the old transaction key, enter the new value in your script and test the connection.
2) The amount has to be set in your scripting prior to the generation of the fingerprint hash. This usually means that the amount should be set in a previous form and posted to the script that generates the fingerprint hash.

3) You may not be properly posting all the required fields for SIM.

 The following fields must be present in your payment form request in order for the transaction to be accepted:

1. API Login ID (x_Login)
 2. The sequence number of the transaction (x_FP_Sequence)
 3. The time when the sequence number was generated (x_FP_Timestamp)
 4. The Fingerprint Hash (x_FP_Hash)
 5. The amount of the transaction (x_Amount)

4) If you are attempting to pass the field x_currency_code with your payment form request, you must include this field in your fingerprint hash generation. Since Authorize.Net currently handles transaction amounts in the merchant's local currency by default, you may alternately stop passing x_currency_code.
Link to post
Share on other sites

The control panel is set for SIM (customer is taken to Authorize.net's site to complete transaction). The module's SIM mode, not AIM, creates a fingerprint. The module's AIM mode, not SIM, will log a request in the Request Log.

My Authorize.net module in SIM mode is working fine.

I have two concerns:
$fp_sequence = $this->_basket['cart_order_id'].time();
$fp_timestamp = time();

The 'x_fp_sequence' is specified to be 'numeric'. So, if the cart_order_id has alphabetic characters (not including dashes, apparently), this may not be acceptable.

The 'x_fp_timestamp' contains the UTC unixtime value. PHP's time() function relies on your PHP installation having the server be at the correct time -- the server's local time with the correct matching PHP.INI config setting for date.timezone.

Link to post
Share on other sites

So I need my host to fix this then? (time stamp)

I have it set for SIM currently, and that is where I am getting the errors.

I also have not done anything to edit any of the internals - with the exception of the look.

So the fp_sequence is stock as installed.

The test order # is: 151130-150953-2043

Edited by LaughingHorse
additn to reply
Link to post
Share on other sites

I adjusted the store setting in the control panel to CST which is what the server is.

I am still getting the Authnet-error 99

I have the Timezone set to America/Chicago

The UTC Offset is at 0

Do I need to change that as well to -6 hours (the current difference)

And if so, will I need to change it back when time changes in the Spring.

Further:

I'm about to implement a SSL. When I do that so I need to switch to AIM?

If so, should I wait to try and fix the error 99 issue till the SSL is installed?

 

Also do I need to change anything regarding the

Password Required Mode
Link to post
Share on other sites

Do not change the UTC Offset. There is nothing to be concerned about with respect to daylight savings time.

Ignore the Password Required.

A Security Certificate is for the benefit of your customers while at your site. Once they go to the Authorize.net hosted page, they are no longer at your site. You probably want to keep it that way because when using AIM, the customer remains at your site and, even with SSL, you now must implement PCI Compliance. You are not forced to use AIM after having installed a Security Certificate on your site.

I'll have more instruction on how to discover what the fingerprint contains.

Link to post
Share on other sites

OK, just had a long talk with someone in support of Authorize.net

She told me I need to find where CubeCart is generating the Fingerprint Code. She said it's somewhere in the back end.

x_login
x_tran_key
x_fp_timestamp
x_fp_sequence
x_amount
x_currency_code

I was also told that authorize.net "developer section' advises to avoid generating x_currency_code because it is causing issues.

They have a tool to help track down errors at
https://developer.authorize.net/api/reference/responseCode99.html

And there is a guide at
http://www.authorize.net/content/dam/authorize/documents/SIM_guide.pdf

From the Authorize.net guide (pg26)
Generating the Unique
Transaction Fingerprint
Transaction authentication for SIM is a transaction fingerprint, or a hash of merchant- and transaction-specific information using the HMAC-MD5 hashing algorithm (Hash-based Message Authentication Code) (MD5 RFC 1321 with a 128-bit hash value). The HMAC-MD5 algorithm is used only for generating
 the unique transaction fingerprint. The transaction fingerprint must be generated for each transaction by a server-side script on the merchant’s web server and inserted into the transaction request. The payment gateway uses the same mutually exclusive merchant information to decrypt the transaction fingerprint and authenticate the transaction.

You can develop a script for generating a fingerprint in two ways:

By using the API field information in
this section to customize your script.

By using a free Authorize.Net sample code available on the Developer Center at
http://developer.authorize.net

 

Link to post
Share on other sites

Let's try this. We will try to capture the values being included in the fingerprint, and then capture the fingerprint string.

In the file /modules/gateway/authorize/gateway.class.php:

Near lines 41-43, find:
$fp_sequence 	= $this->_basket['cart_order_id'].time(); // Enter an invoice or other unique number.
$fp_timestamp 	= time();
$fingerprint 	= $this->_getFingerprint($this->_module['acNo'],$this->_module['txnkey'], $this->_basket['total'], $fp_sequence, $fp_timestamp);

After that, add the following:
$GLOBALS['debug']->errorLogger(null,$this->_module['acNo'],'x_login','');
$GLOBALS['debug']->errorLogger(null,$fp_sequence,'x_fp_sequence','');
$GLOBALS['debug']->errorLogger(null,$fp_timestamp,'x_fp_timestamp','');
$GLOBALS['debug']->errorLogger(null,$this->_basket['total'],'x_amount','');
$GLOBALS['debug']->errorLogger(null,$this->_module['txnkey'],'x_tran_key','');
$GLOBALS['debug']->errorLogger(null,$fingerprint,'x_fp_hash','');

This should show the results in the debug section under PHP Errors. The data should also be logged in the CubeCart administration System Error Log.

According to the documentation, the fingerprint has four (five if you count currency code) elements and uses the x_tran_key to encode it. But the x_tran_key is never sent with the transaction request (so why it is expressed as x_tran_key, I don't know).

I haven't tried this myself, but I have every confidence it will work.

Link to post
Share on other sites

Does that go between

$fp_sequence 	= $this->_basket['cart_order_id'].time(); // Enter an invoice or other unique number.
$fp_timestamp 	= time();
$fingerprint 	= $this->_getFingerprint($this->_module['acNo'],$this->_module['txnkey'], $this->_basket['total'], $fp_sequence, $fp_timestamp);

And

$hidden = array(
				'x_type'				=> $this->_module['payment_type'], //AUTH_CAPTURE or AUTH_ONLY
				'x_login' 				=> $this->_module['acNo'],
				'x_fp_hash'				=> $fingerprint,
				'x_amount'				=> $this->_basket['total'],
				'x_fp_timestamp'		=> $fp_timestamp,
				'x_fp_sequence'			=> $fp_sequence,
				'x_version'				=> '3.1',
				'x_show_form'			=> 'payment_form',
				'x_test_request'		=> 'false',
				'x_method'				=> 'cc',
				'x_invoice_num'			=> $this->_basket['cart_order_id'],
				'x_description'			=> "Payment for order #".$this->_basket['cart_order_id'],

Thank You

Link to post
Share on other sites

Just noticed below the Fingerprint it gave me this

 

Troubleshoot a Response Code 99

  1. Verify that you are using the current transaction key. [NOTE: I am using a current transaction key]

    Obtain a new transaction key in the Merchant Interface and update all scripts that require a transaction key accordingly.

    Please note that once a new transaction key has been obtained, the old transaction key will expire and become invalid after 24 hours. Be sure that all sites using SIM are updated with the new transaction key before the old key expires.

    To obtain a transaction key:

    • Log into the Merchant Interface at: https://account.authorize.net/.
    • Click Account from the main toolbar.
    • Click API Login ID and Transaction Key.
    • Under Create New Transaction Key, enter the answer to your Secret Question.
    • To disable the old transaction key, check the box titled Disable Old Transaction Key(s). Note: If the Disable Old Transaction Key(s) box is not checked, the old transaction key will automatically expire and become invalid in 24 hours.
    • Click Submit.

    Remember to store the transaction key in a secure location. Do not share it with anyone, as it is used to protect your transactions.

  2. Check to see if you have a properly formatted value for x_amount. Verify that there is no dollar sign. The value should be strictly numeric. Additionally, our sample scripts require a numeral with two decimal places. Fingerprints created with an invalid amount value may result in Response Code 99.
  3. Compare the case of x_amount that is being posted to your script with the case of x_amount in the fingerprint generating script. Some scripting languages (such as Perl and PHP) are case sensitive. If you post x_Amount to your SIM script and the script is programmed for x_amount, the uppercase version may be ignored by the script and result in an incorrect fingerprint. Correct the case of either your post variable or the variable in the script to fix the error. Note: The sample Perl script is written to accept the amount field as x_amount. The sample PHP script is designed to accept this field as x_Amount.
Edited by LaughingHorse
Link to post
Share on other sites

Ok. There are a few things we can verify.

Did you copy/paste the Login Key and TRX Key into CubeCart's Authorize.net control panel? As opposed to manually entering it?

If so, it may be the case the string includes a trailing space or some other invisible character that the select/copy picked up from the Authorize page.

That may explain the difference in the fingerprint.

If that's not likely the cause, then we might try to verify that the encryption process is the same for your version of PHP.

Link to post
Share on other sites

Yes, I copied and pasted the key. I'll try manually entering it. run another order and see what happens. Be right back.

Got the same error messages with a different Fingerprint

 

The generated fingerprint:

E6339D021AA25A8A9AF5466717498730

Troubleshoot a Response Code 99

  1. Verify that you are using the current transaction key.

    Obtain a new transaction key in the Merchant Interface and update all scripts that require a transaction key accordingly.

    Please note that once a new transaction key has been obtained, the old transaction key will expire and become invalid after 24 hours. Be sure that all sites using SIM are updated with the new transaction key before the old key expires.

    To obtain a transaction key:

    • Log into the Merchant Interface at: https://account.authorize.net/.
    • Click Account from the main toolbar.
    • Click API Login ID and Transaction Key.
    • Under Create New Transaction Key, enter the answer to your Secret Question.
    • To disable the old transaction key, check the box titled Disable Old Transaction Key(s). Note: If the Disable Old Transaction Key(s) box is not checked, the old transaction key will automatically expire and become invalid in 24 hours.
    • Click Submit.

    Remember to store the transaction key in a secure location. Do not share it with anyone, as it is used to protect your transactions.

  2. Check to see if you have a properly formatted value for x_amount. Verify that there is no dollar sign. The value should be strictly numeric. Additionally, our sample scripts require a numeral with two decimal places. Fingerprints created with an invalid amount value may result in Response Code 99.
  3. Compare the case of x_amount that is being posted to your script with the case of x_amount in the fingerprint generating script. Some scripting languages (such as Perl and PHP) are case sensitive. If you post x_Amount to your SIM script and the script is programmed for x_amount, the uppercase version may be ignored by the script and result in an incorrect fingerprint. Correct the case of either your post variable or the variable in the script to fix the error. Note: The sample Perl script is written to accept the amount field as x_amount. The sample PHP script is designed to accept this field as x_Amount.
Link to post
Share on other sites

Got the same error messages with a different Fingerprint.

The generated (from the tool?) fingerprint: E6339D021AA25A8A9AF5466717498730

Consider that each order's fingerprint will be different (and think about it -- it must be different) because of the order number and the exact time it is at the moment of creating the fingerprint.

The first test where you posted the image of the System Error Log: the timestamp equals:
GMT: Sat, 05 Dec 2015 17:12:08 GMT
for an order transacted at 11:12 am

So, does GMT/UTC less 6 hours equal the local time? Are you six hours from UTC? You said Chicago, so I assume so.

The folks at Authorize were not able to break apart a fingerprint?

Link to post
Share on other sites

Yes, Chicago would be -6 from GMT and the server is on CST

I can check with them regarding breaking apart the fingerprint.

I was only able to get the info to put in the test URL on Authnet today after you gave me the code to capture the errors.

 

I did generate both fingerprints from the Authnet tool.

Link to post
Share on other sites

Well, according to an Authorize.net knowledgebase article, "Because of the complex nature of the mathematical function, the individual input values used to create the digital fingerprint cannot be determined through analysis of the fingerprint."

 

Link to post
Share on other sites

Let's make another 'reveal'. In the file gateway.class.php, at the bottom, find:

  private static function _getFingerprint($api_login_id, $transaction_key, $amount, $fp_sequence, $fp_timestamp) {
    if (function_exists('hash_hmac')) {
      return hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 
    }
      return bin2hex(mhash(MHASH_MD5, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key));
  }

Change that to:
  private static function _getFingerprint($api_login_id, $transaction_key, $amount, $fp_sequence, $fp_timestamp) {
$GLOBALS['debug']->errorLogger(null,$api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^",'raw_fingerprint','');
$GLOBALS['debug']->errorLogger(null,"^".$transaction_key."^",'txn_key (ignore the carets)','');
    if (function_exists('hash_hmac')) {
$GLOBALS['debug']->errorLogger(null,'hash_hmac','encode method','');
      return hash_hmac("md5", $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key); 
    }
$GLOBALS['debug']->errorLogger(null,'bin2hex_mhash','encode method','');
      return bin2hex(mhash(MHASH_MD5, $api_login_id . "^" . $fp_sequence . "^" . $fp_timestamp . "^" . $amount . "^", $transaction_key));
  }

 

Link to post
Share on other sites

Today, 18:38     [Unknown ()] raw_fingerprint: - LOGIN CODE ^151205-183841-14691449362323^1449362323^21.41^
    Today, 18:38     [Unknown ()] txn_key (ignore the carets): - ^TRANS KEY CODE^
    Today, 18:38     [Unknown ()] encode method: - hash_hmac
    Today, 18:38     [Unknown ()] x_login: - LOGIN CODE
    Today, 18:38     [Unknown ()] x_fp_sequence: - 151205-183841-14691449362323
    Today, 18:38     [Unknown ()] x_fp_timestamp: - 1449362323
    Today, 18:38     [Unknown ()] x_amount: - 21.41
    Today, 18:38     [Unknown ()] x_tran_key: - TRANS KEY CODE
    Today, 18:38     [Unknown ()] x_fp_hash: - 878e9ae5dbee8f24acf5bbb1143626bf

**********************************************************************************************************************
*  Note: for security, I replaced the LOGIN CODE and TRANS KEY CODE with those words.  *

*  The Login code and Trans Key were correct before I changed them                                    *

**********************************************************************************************************************

 

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...