Troubleshooting Cloud Authentication Service User Issues

Document created by RSA Information Design and Development on Jul 14, 2016Last modified by RSA Information Design and Development on Sep 15, 2017
Version 17Show Document
  • View in full screen mode
  

The following table contains information that help desk administrators can use to troubleshoot Cloud Authentication Service user issues.

 

RSA SecurID Authenticate App Installation

                    
Issue Resolution

An Android user cannot see the RSA SecurID Authenticate app in Google Play.

Instruct the user to upgrade to Android version 4.4 or later to see the RSA SecurID Authenticate app.

A user cannot open or install the RSA SecurID Authenticate app.

Confirm the following:

 
  • The user has internet connectivity.
  • The user has downloaded and installed the RSA SecurID Authenticate app from Google Play (Android), App Store (iOS), or Microsoft Store (Windows).
  • The user can see the app icon in the application folder or home screen.
 

Device Registration

 
                                                
Issue Resolution

A user cannot register a device.

Investigate these areas:
  • Confirm that the user has internet connectivity.
  • Confirm connectivity between the Cloud Administration Console and the identity source. For instructions, see View Identity Router Status in the Cloud Administration Console.
  • Confirm that the user has an active account in the LDAP directory server and that the account password is not expired.
  • In the Cloud Administration Console, confirm that the user exists.
  • Confirm that the user is using the correct username (email address), password (LDAP directory server), and Company ID. The Company ID must match the value configured in the Cloud Administration Console under Company Settings. For more information, see Configure Company Information and Certificates.
  • In the Cloud Administration Console, check if the user already has a registered device. If so, delete the user's current device as described in Delete a Cloud Authentication Service User's Device.
  • Review the RSA SecurID Authenticate logs for connectivity and device registration errors.
Instruct the user to complete device registration as follows:
  1. Launch the app.
  2. Accept the EULA.
  3. Enter the User ID and Company ID that you provided and the network password.

A user believes that device registration is complete. However, RSA SecurID Access instructs the user to install the RSA SecurID Authenticate app.

In the Cloud Administration Console , click Users > Management, navigate to the user's Devices page, and confirm that the device is listed. If the device does not appear, instruct the user to complete device registration again.

A user is concerned about the RSA SecurID Authenticate for Android app requesting multiple permissions during device registration.

The RSA SecurID Authenticate app requests the minimum number of permissions required for the application to function. For more information, see the privacy policy on the EMC website at http://www.emc.com/legal/emc-corporation-privacy-statement.htm.

An iOS or Android user sees the following error message in the RSA SecurID Authenticate app: Untrusted Connection.

If your company uses Secure Sockets Layer (SSL) interception, users will see this message during device registration.

Instruct users to complete device registration using a Wi-Fi network that does not use SSL interception, such as a cellular data or a home Wi-Fi network. They can use corporate Wi-Fi after device registration is complete.

If users see this message after device registration is complete, consult your company's IT team to resolve the issue.

A user is prompted to complete device registration, although the user has already completed device registration.

The user might see this message if you have deleted the user's device in the Cloud Administration Console . Instruct the user to complete device registration again.

A user with Android operating system 5.0 or below changes the method to unlock the lock screen (if any) that secures the device. For example:
  • PasswordA to PasswordB
  • PIN to NONE
  • NONE to Swipe

After doing so, the user is unexpectedly asked to complete device registration again.

Due to an Android operating system issue, the user must repeat device registration.

Review the RSA SecurID Authenticate for Android logs for this event.

A user completes device registration on one device and then gets a new device. The user needs to complete device registration on the new device.

Delete the user's current device before the user completes device registration on the new device. For instructions, see Delete a Cloud Authentication Service User's Device.

Instruct the user to complete device registration again.

A user receives the following error message when registering a device: Unsuccessful RSA SecurID Access Setup. You have another device registered with RSA SecurID Access. Contact your administrator.

The user either already has a registered device or performed a factory reset on an existing registered device and tried to re-register.

In the Cloud Administration Console , delete the user's current device. For instructions, see Delete a Cloud Authentication Service User's Device.

Instruct the user to complete device registration again.

Review the RSA SecurID Authenticate logs for this event.

An Android user receives one of the following unsuccessful setup messages and cannot complete device registration or add another company:

  • This device or the software running on it is not supported.

  • An error occurred.
  • If the user receives the "error occurred" message, instruct the user to try again.
  • If the user receives the "not supported" message, the user might have a rooted or non-compliant device or a device that does not have Google Play Services. In these situations, the user cannot complete device registration or add a company.

Applications

                          
Issue Resolution

A user cannot sign into the application portal.

In the Cloud Administration Console , click Users > Event Monitor. The user event monitor shows the following reasons for unsuccessful application portal sign-in:

 
  • Authentication failed.
  • Credentials used to sign in are associated with multiple user accounts.
  • An internal server error occurred.
  • The concurrent session limit has been reached.
  • A password reset is required.

Also, check that the user is included in the scope of the identity source that was added to RSA SecurID Access. Identity sources are configured in the Cloud Administration Console and enable users to access protected applications in the application portal.

A user expects to have access to an application but cannot see the application.
Sign into the Cloud Administration Console.
A user receives HTTP error 500 when trying to access an application that has been added to RSA SecurID Access using either the HTTP Federation (HFED) Proxy or trusted headers methods.Confirm that the application web server has a valid SSL certificate that has been signed by a certificate authority (CA) that the identity routers trust. For more information, see Trusted Certificate Authorities for HFED or Trusted Headers Applications.
RSA SecurID Access does not display Eyeprint ID as an available authentication option to a user, even though the user is accessing an application that is assigned to an assurance level that includes Eyeprint ID.
  • Confirm that the user's device is an EyeVerify supported device. For the list of supported devices, see http://www.eyeverify.com/supported-devices.
  • Confirm that the user has enrolled in Eyeprint ID. Confirm that the user sees Enrolled next to Eyeprint ID in the My Account screen.
  • If the user does not see Enrolled, instruct the user to enroll in Eyeprint ID in the My Account screen. If the user cannot see Eyeprint ID on the My Account screen, the user has an unsupported device.
 

Authentication Methods

                                                                
Issue Resolution

Authentication is unsuccessful.

Investigate these areas:
  • Confirm that an internet connection is available.
  • Determine the authentication method that the user provided for authentication. Sign into the Cloud Administration Console, click Users > Event Monitor, and view the events associated with the user to see which authentication method or assurance level has been applied.
  • Fingerprint Verification, Eyeprint Verification, and Approve authentication methods require push notifications. Determine whether the device is receiving notifications.

    If notifications are disabled, instruct the user to open the app and pull down on the home screen to retrieve notifications.

  • If the authentication method is RSA SecurID Authenticate Tokencode or password, determine if the method is locked for that user.

    If an action requires a locked method, the authentication will not succeed. If applicable, the logical AND operator requires that both methods are successfully validated.

    For instructions on how to unlock the RSA SecurID Authenticate Tokencode, see Unlock All Tokencodes for a User. For information on password lockout, see Configure Session and Authentication Method Settings.

  • If the authentication method is SecurID Token, access RSA Authentication Manager and do the following:
    • Check if the user entered the RSA SecurID PIN and tokencode incorrectly.
    • Check if the user's token is disabled.
    • Check if the user account is locked.
  • Review the RSA SecurID Authenticate logs for connectivity and unsuccessful authentication errors.
 
  • An Android user cannot authenticate with Fingerprint Verification.
  • An iOS user cannot authenticate with Fingerprint Verification.
  • An iOS user with a Touch ID-capable device that is running iOS 8 or later cannot authenticate with Fingerprint Verification.

RSA SecurID Access supports Fingerprint Verification only on a Touch ID-capable device that is running iOS 8 or later or a Samsung or Android version 6.0 or later device with a fingerprint sensor. The user must also set up Touch ID or register a fingerprint.

If the RSA SecurID Authenticate is installed on a Touch ID-capable device that was recently upgraded from iOS 7 to iOS 8, the user must reinstall the RSA SecurID Authenticate and repeat device registration to authenticate with Fingerprint Verification.

  • A user cannot complete Eyeprint ID enrollment.
  • A user is enrolled in Eyeprint ID but cannot authenticate with Eyeprint Verification.
  • Instruct the user to move to a location with more light and look into the app screen window with both eyes.
  • Instruct the user to clean the camera lens.
  • If the user has enrolled in Eyeprint ID but still cannot authenticate, instruct the user to recreate the Eyeprint in the My Account screen. The user must provide the password entered during device registration. If the user uses the RSA SecurID Authenticate app with multiple companies, the user must provide the password of the first company in the app Companies list.
  • Review the RSA SecurID Authenticate logs for additional information.
A user with multiple companies in the RSA SecurID Authenticate app questions how Eyeprint ID works with these multiple companies.

The user needs to enroll in Eyeprint ID one time, and then the RSA SecurID Authenticate app uses the same Eyeprint for all companies in a user's RSA SecurID Authenticate app.

For security purposes, when enrolling in Eyeprint ID, recreating the Eyeprint, or unenrolling Eyeprint ID, the RSA SecurID Authenticate app prompts the user for the password of the first company in the Companies list in the app. For example, a user completes device registration for Company A. The user does not use Eyeprint Verification for Company A. The user adds Company B to the app. The user must use Eyeprint Verification for Company B, so the user enrolls in Eyeprint ID in the app. The RSA SecurID Authenticate app prompts the user to enter the password for Company A.

A user sees the following error message in the browser when trying to authenticate: Cannot Contact Your Mobile Device.

When RSA SecurID Access detects an unexpected error while trying to contact a user's mobile device, this error appears.

Instruct the user to try again in a few minutes, or to select a different authentication method. (If the application is assigned an assurance level that does not have optional methods, then authentication fails.)

A user wants a simple way to copy the RSA SecurID Authenticate Tokencode into a mobile browser.

  • On iOS, the user can tap the numbers in the tokencode and then tap Copy.

  • On Android, the user can long-press the numbers in the tokencode.

  • On Windows, the user can tap or click the area around the tokencode and then select Copy.

A user taps Approve in the RSA SecurID Authenticate app but is not authenticated to the application.

A user has one minute to tap Approve after the Approve screen appears in the app. It is likely that the user tapped Approve near the end of that timeout interval.

Review the RSA SecurID Authenticate logs for timeout events.

A user cancels the Contacting Your Mobile Device screen in the browser, sees the RSA SecurID Authenticate Tokencode screen in the browser, and a different authentication screen appears in the RSA SecurID Authenticate.

Instruct the user to cancel the authentication screen in the RSA SecurID Authenticate app, go to the home screen in the app, and enter the RSA SecurID AuthenticateTokencode in the browser screen.

A user expresses concern about RSA SecurID Access storing fingerprints in the Cloud Authentication Service.

The Cloud Authentication Service does not store fingerprints.

A user expresses concern about RSA SecurID Access storing the Eyeprint data in the Cloud Authentication Service.

Eyeprint data is stored locally on the device. Cloud Authentication Service does not store Eyeprint data.

A user can view the tokencode on the app home screen without providing additional authentication, although an administrator has enabled the setting to require additional authentication to view the tokencode.

Instruct the user to restart the RSA SecurID Authenticate app.

Restarting the app forces this setting to take effect.

A user cannot reset the PIN used to view the RSA SecurID Authenticate Tokencode.
  • Confirm that the user's device is online and the user enters the network password.
  • In certain situations, an iOS user must use Fingerprint Verification to reset the PIN. Instruct the user to add at least one fingerprint to use for Touch ID. Then instruct the user to tap View Tokencode on the home screen, and follow the instructions.
  • In certain situations, an iOS user must use the My Account screen to delete all companies that require additional authentication to view the RSA SecurID Authenticate Tokencode, then complete device registration again for those companies. Instruct the user to do this. Then instruct the user to tap View Tokencode on the home screen, and follow the instructions.

A Windows user cannot create a Windows Hello PIN to view the RSA SecurID Authenticate Tokencode.

Windows Hello must be enabled for the user to authenticate to view the tokencode. To confirm that Windows Hello is enabled, work with your IT group.

 

General

                                                              
Issue Resolution

A user needs to back up and restore a mobile device.

 

On iOS and Windows devices, the RSA SecurID Authenticate data is not included in a system backup. On Android devices, the RSA SecurID Authenticate app is not included in a system backup.

If a user needs to restore a device from a system backup, complete the following instructions to continue using the RSA SecurID Authenticate app on the restored device.

  1. Instruct the user to restore the device using the system backup.
  2. Do one of the following:
    • If the user is restoring to the same device, instruct the user to open the app and complete device registration.
    • If the user is restoring to a different device:
      • Delete the user's device from the Cloud Administration Console.
      • (Android only) Instruct the user to install the RSA SecurID Authenticate from Google Play.

      • Instruct the user to open the app and complete device registration.

A user is not receiving push notifications.

Investigate these areas:

 
  • Confirm that the user's device has internet connectivity.
  • In the Cloud Administration Console, click Users > Management, navigate to the user's Devices page, and confirm that the device is listed and Active.
  • Confirm that the user has enabled the app to receive push notifications. On iOS, confirm that Alert Style is not set to None. If notifications are disabled, instruct the user to either enable notifications or open the app and pull down on the home screen to retrieve any push notifications.
  • Review the app logs for notification events.

An iOS user does not use Alert Notification Services (ANS) but needs to use the RSA SecurID Authenticate app.

An iOS user can disable both ANS and RSA SecurID Authenticate for iOS push notifications. For mobile authentication methods, the user must pull down on the app home screen to retrieve push notifications.

An Android user does not want the RSA SecurID Authenticate app to use push notifications.

A user cannot disable Google Cloud Messaging (GCM) notifications, but the user can disable RSA SecurID Authenticate for Android notifications.

A user forgets the device that has RSA SecurID Authenticate app installed on it, and wants to access an application protected by RSA SecurID Access.

If the application is assigned an assurance level that can be satisfied with a non-mobile authentication method such as SecurID Token or FIDO Token, and if the user possesses one of those tokens, then the user can complete authentication.

A user lost the device that has the RSA SecurID Authenticate app installed on it.

In the Cloud Administration Console , delete the user's device. Another user in possession of the lost device might be able to authenticate to a protected application if that user knows the device owner's LDAP directory password.

A user mistakenly uninstalled the RSA SecurID Authenticate app.

Instruct the user to install the app and complete device registration again. Provide the user with the correct email address and Company ID.

A user performed a factory reset on a device and the Authenticate app was deleted.

In the Cloud Administration Console , delete the user's device and instruct the user to install the app and complete device registration again.

An Android user is connected to the internet but continues to see the following error message: Check your internet connection.

This error appears when the user is signed into a secure Wi-Fi network but has not yet entered the password. Instruct the user to enter the network password and then continue.

Review RSA SecurID Authenticate for Android logs for this event.

A user is prompted to accept the EULA or enter a User ID and Company ID again after device registration.

This can occur for the following reasons:
  • You deleted the device from the Cloud Administration Console . As a result, the user must register the device again.
  • On Android, the user cleared data for the app. As a result, the user must register the device again.
  • The user uninstalled and reinstalled the app. As a result, the user must accept the EULA again.
  • Review the RSA SecurID Authenticate logs for this event.

More than one user wants to use the same device and same app.

RSA SecurID Access supports only one device per user. A user cannot sign out of the app so that another user can sign into the app.

On a Windows 10 desktop, multiple users can use the same machine as long as each user has a unique account and has completed Authenticate device registration on that account.

A user experiences an issue with the app and needs troubleshooting help.

Review the app logs. Ask the user to send you the logs using these instructions.

 
  1. From the app More screen, tap or click Email Logs. If necessary, select the email app to use.
  2. In the new e-mail message, enter your email address, and click Send.

You can also use the Cloud Administration Console Event Monitor to troubleshoot user issues. Click Users > Event Monitor.

A user expresses concern about the app requesting permission to collect usage data using Google Analytics.

The RSA SecurID Authenticate app requests user permission to collect anonymous usage data to improve the app. A user allows or denys this request during the initial opening of the app. A user can also change this setting in the following locations:

  • iOS: Authenticate app Settings screen
  • Android and Windows: Authenticate app More screen

The user's selection for this setting does not impact the functionality of the app.

 

 

You are here
Table of Contents > Troubleshooting > Troubleshooting Cloud Authentication Service User Issues

Attachments

    Outcomes