000033697 - How to troubleshoot and fix most invalid proof and failed to send day data errors on the RSA Authentication Agent 7.x for Windows

Document created by RSA Customer Support Employee on Aug 15, 2016. Last modified by RSA Customer Support on Oct 4, 2019. Version 7.

Article Content

Article Number: 000033697

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for Windows
RSA Version/Condition: 7.2.1, 7.3.1, 7.3.3 [99]
Issue

When a Windows laptop with the RSA Authentication Agent for Windows installed is not physically on the Authentication Manager network (the corporate LAN), for example at home or in a hotel, the agent needs offline days in order to authenticate a user's passcode. These offline days must be downloaded to the Windows agent before that agent disconnects from the Authentication Manager network. Offline days can be downloaded (or refreshed) through a VPN connection.

One explanation for why offline days do not download is "Invalid proof of authentication data provided by the agent."  However, invalid proof is a description of an exception and not necessarily an error.  That being said, there have been several bugs with invalid proof that were found and fixed, so updating to the latest agent may be recommended.
  • The following error messages display in the authentication activity log, sometimes repeating every two seconds from the same Windows agent. For example:

Offline authentication data download requested by user <userID> from agent '<agent_name>' using token <SecurID_token_serial_number> failed with error message 'Invalid proof'

Offline Authentication Data Download Failed.  Invalid proof of authentication data provided by the agent

If invalid proof messages are shown every one to two seconds in the authentication activity monitor, as in the example below, this is tracked as AAWIN-2421 (Authentication Agent for Windows 7.3.3 [103] agents get invalid proof every 1-2 seconds), and is fixed by RSA Authentication Agent 7.3.3 [114] or later.

[Screenshot: authentication activity monitor showing the repeating invalid proof messages]

  • The DAService log (da_svc.log) will show either of the following errors:

DaSvcProofDownloader::process() exiting: DPS_DA_REQUEST_DATABASE_ERROR (212)

or

DA_REQUEST_DATABASE_ERROR
DPS_DA_REQUEST_DATABASE_ERROR (212)

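The difference between an occasional invalid proof (an exception, not necessarily an error) and the every-one-to-two-seconds pattern of AAWIN-2421 can be picked out of the two log sources quoted above with a short script. The following is an added example, not RSA code and not part of this article: it groups 'Invalid proof' lines from an Authentication Activity export by agent, user and token, flags any agent whose failures recur with a median gap of two seconds or less, and counts the DA_REQUEST_DATABASE_ERROR lines in a da_svc.log excerpt. The leading timestamp, the exact line layout and every sample log line are constructed assumptions; a real report export will have its own column layout and the regular expression will need adjusting to match it.

```python
# Added example, not RSA's code or part of this article: a small triage script for
# the two log sources quoted in the Issue section. It groups 'Invalid proof' lines
# from an Authentication Activity export by agent, user and token, flags agents whose
# failures repeat every 1-2 seconds (the AAWIN-2421 pattern), and counts
# DA_REQUEST_DATABASE_ERROR lines in a da_svc.log excerpt. The leading timestamp,
# the exact line layout and every sample line below are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample of an activity log export (the timestamp column is assumed).
SAMPLE_ACTIVITY_LOG = """\
2019-10-04 09:00:00 Offline authentication data download requested by user jdoe from agent 'LAPTOP01' using token 000123456789 failed with error message 'Invalid proof'
2019-10-04 09:00:02 Offline authentication data download requested by user jdoe from agent 'LAPTOP01' using token 000123456789 failed with error message 'Invalid proof'
2019-10-04 09:00:04 Offline authentication data download requested by user jdoe from agent 'LAPTOP01' using token 000123456789 failed with error message 'Invalid proof'
2019-10-04 09:00:05 Offline authentication data download requested by user jdoe from agent 'LAPTOP01' using token 000123456789 failed with error message 'Invalid proof'
2019-10-04 09:00:07 Offline authentication data download requested by user jdoe from agent 'LAPTOP01' using token 000123456789 failed with error message 'Invalid proof'
2019-10-04 09:15:00 Offline authentication data download requested by user asmith from agent 'LAPTOP02' using token 000987654321 failed with error message 'Invalid proof'
2019-10-04 10:30:00 Offline authentication data download requested by user bjones from agent 'LAPTOP03' using token 000555555555 succeeded
2019-10-05 11:02:00 Offline authentication data download requested by user asmith from agent 'LAPTOP02' using token 000987654321 failed with error message 'Invalid proof'
"""

# Constructed sample da_svc.log excerpt carrying the error quoted in the article.
SAMPLE_DA_SVC_LOG = """\
DaSvcProofDownloader::process() exiting: DPS_DA_REQUEST_DATABASE_ERROR (212)
DaSvcProofDownloader::process() exiting: DPS_DA_REQUEST_DATABASE_ERROR (212)
DaSvcProofDownloader::process() completed
"""

INVALID_PROOF_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"Offline authentication data download requested by user (?P<user>\S+) "
    r"from agent '(?P<agent>[^']+)' using token (?P<token>\S+) "
    r"failed with error message 'Invalid proof'$"
)
DB_ERROR_RE = re.compile(r"DA_REQUEST_DATABASE_ERROR")


def parse_invalid_proof_events(text):
    """Return {(agent, user, token): [timestamps]} for every Invalid proof line."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = INVALID_PROOF_RE.match(line.strip())
        if not m:
            continue  # successful downloads and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[(m["agent"], m["user"], m["token"])].append(ts)
    return dict(events)


def classify_agents(events, max_interval_s=2.0, min_events=3):
    """Label each (agent, user, token) as 'repeating' when there are at least
    min_events Invalid proof events and the median gap between consecutive ones
    is <= max_interval_s seconds, otherwise 'sporadic'.
    Returns {key: (label, event_count, median_gap_seconds_or_None)}."""
    verdicts = {}
    for key, stamps in events.items():
        stamps = sorted(stamps)
        if len(stamps) < min_events:
            verdicts[key] = ("sporadic", len(stamps), None)
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        label = "repeating" if med <= max_interval_s else "sporadic"
        verdicts[key] = (label, len(stamps), med)
    return verdicts


def count_da_db_errors(text):
    """Count da_svc.log lines that contain DA_REQUEST_DATABASE_ERROR (212)."""
    return sum(1 for line in text.splitlines() if DB_ERROR_RE.search(line))


def triage(activity_text):
    """Parse an activity log export and classify every agent found in it."""
    return classify_agents(parse_invalid_proof_events(activity_text))


if __name__ == "__main__":
    for (agent, user, token), (label, count, med) in sorted(triage(SAMPLE_ACTIVITY_LOG).items()):
        gap = "n/a" if med is None else f"{med:.1f}s"
        print(f"{agent:9} {user:7} token {token}: {label} ({count} events, median gap {gap})")
    print(f"da_svc.log DA_REQUEST_DATABASE_ERROR lines: {count_da_db_errors(SAMPLE_DA_SVC_LOG)}")
```

On the constructed sample, LAPTOP01 is reported as repeating (five events, median gap 2.0 s) and LAPTOP02 as sporadic; only the repeating class points at the agent bug, while a sporadic invalid proof is more likely one of the ordinary causes listed under Cause (expired proof, alias login, overlapping identity sources, and so on).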
Cause
There were several bugs affecting offline authentication (OA) or disconnected authentication (DA) dayfile downloads throughout 2016-2018. The issues and errors described above were fixed by RSA Authentication Agent 7.3.3 [114] for Windows, released in January 2018.

However, RSA Authentication Agent 7.3.3 [99] did not contain the fix, though it remained on RSA Link downloads throughout 2018. The GA versions of 7.4.2 [122] and 7.4.3 posted to RSA Link during 2019 both contain the fixes for the invalid proof exceptions shown in the Issue section above. As of October 2019, the only known invalid proof issue in the RSA Authentication Agent for Windows involves fixed passcodes and emergency offline codes, not hardware or software tokens.

A proof is generated and stored on the Windows agent when you successfully authenticate.  The proof is for a specific user ID with a single token serial number (or fixed passcode,  if allowed) on a specific Windows agent during a specific time period (valid for 24 hours from successful authentication).  When a Windows agent is on the Authentication Manager network (corporate LAN), either physically or through a VPN, the agent presents the proof to any RSA Authentication Manager server to request more offline days.  If the Authentication Manager primary or replica server can validate the proof, offline days will be downloaded to that agent for that user and token.

Reasons for an invalid proof include, but are not limited to, the following:
  • The proof is expired, which will happen if you authenticated more than 24 hours ago.
  • The request may not have been sent from the agent to the Authentication Manager server; for example, if port 5580 TCP  is blocked by a firewall.
  • The Windows agent's Offline Authentication Local service is not running.
  • A wrong or corrupt server.cer file in the agent installation.
  • Using an alias during authentication instead of the real user ID.
  • Overlapping identity sources so that the same user appears in more than one identity source, whether it be two external LDAP identity sources or an external LDAP source and the internal database.
  • Bugs in older agents; that is, Authentication Agent 7.3.3[99] for Windows and earlier.
  • Offline Authentication policy restrictions.  For example, a user has a PINless token and PINless tokens are not enabled under your OA policy.
Logging out of the session or screen locking and re-authenticating would generate a new proof.  So would a test authentication from the same token.  See Workarounds below.
Resolution

The quickest and best fix for all offline issues is to download and install RSA Authentication Agent 7.3.3 [114] for Windows or later.

If you cannot update the agent version, or are currently running RSA Authentication Agent 7.4.2 [122] for Windows or later, and the workarounds do not help, please gather the following information:
  • An Authentication Activity report from the RSA Authentication Manager Security Console covering the time period when the invalid proofs were seen.
    1. In the Security Console, navigate to Reporting > Reports and select Manage Existing if you have already created an Authentication Activity report, or Add New if you have not.
    2. If you already have an Authentication Activity report, run the report job.
    3. If you need to create one:
       1. On the Select Template page, select the Authentication Activity template.
       2. Click Next.
       3. From the Security Domain menu, select the security domain where you want the report to be managed.
       4. In the Report Name field, enter a unique name for the report.
       5. For Run As, select one of the following options: the administrator running the report job, or the report creator.
       6. Under Output Columns, move the items that you want to display in the report from the Available column to the Show in Report column.
       7. Under Input Parameter Values, either enter values or leave the fields blank.
       8. Under Email Recipients, either select the checkboxes or leave them blank.
       9. Click Save.
  • Verbose logs from the Windows agent; see Notes.
  • The Authentication Manager primary imsTrace.log file(s) after enabling verbose logging on the Authentication Manager server; see Notes.
Please open a support case after gathering some or all of the information above. Note that the answer from support might be confirmation that you need to update the agent version. The steps for collecting the imsTrace.log files from the Authentication Manager server are listed under Notes.

Workaround

As workarounds for this issue, try the following:
  1. Restart the Offline Local service on the Windows agent via services.msc.
  2. Authenticate again with a passcode. For example, lock the screen, then unlock using a passcode. Do not use the quick unlock option of a password or PIN only. A Test Authentication from within the RSA Control Center would work too, if you have access.
  3. Restart the Authentication Manager server services:
    1. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password. Note that during Quick Setup another user name may have been selected; use that user name to login.
    2. Navigate to /opt/rsa/am/server.
    3. Run the command ./rsaserv restart all

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Aug  9 12:29:10 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/server
rsaadmin@am81p:/opt/rsa/am/server> ./rsaserv restart all

  4. From a command prompt on the Windows agent, run the RSA Authentication Agent auto-registration command:

sdadmreg.exe -r

Notes

Enabling verbose logging on an RSA Authentication Agent for Windows



  1. On the Windows agent machine, access the RSA Control Center interface. You may need administrator rights for this.
  2. From Home, select Advanced Tools.
  3. Select Tracing.
  4. Set Trace Level to Verbose.
  5. Trace logs are written to the C:\ProgramData\RSA\LogFiles folder by default. Click Browse to change the location.
  6. For Components, check the Select All box.

[Screenshot: LAC verbose logging]

Enabling verbose logging on an RSA Authentication Manager server



  1. From the Security Console, select Setup > System Settings.
  2. Under Basic Settings, click Logging.
  3. Set the Trace Log value to Verbose.
  4. Click Save.  
The /opt/rsa/am/server/logs/imsTrace.log is probably the most important server log to review after enabling verbose logging.

To avoid filling the server with verbose logs, do not forget to disable verbose logging when done!

After the invalid proof message is seen, complete the following steps:
  1. Note the date and time.
  2. Download the imsTrace.log files from the primary and replica(s). Note that if the imsTrace.log files are large, there can be more than one; some will have numbers in the file name, and there can be up to 30 of them.
  3. Launch an SSH client, such as PuTTY.
  4. Login to the primary Authentication Manager server as rsaadmin and enter the operating system password. Note that during Quick Setup another user name may have been selected; use that user name to login.
  5. Navigate to /opt/rsa/am/server/logs.
  6. List the directory contents.
  7. Copy all imsTrace*.log files to /tmp.

login as: rsaadmin
Using keyboard-interactive authentication.
Password: <enter operating system password>
Last login: Tue Aug  9 12:29:10 2016 from jumphost.vcloud.local
RSA Authentication Manager Installation Directory: /opt/rsa/am
rsaadmin@am81p:~> cd /opt/rsa/am/server/logs
rsaadmin@am81p:/opt/rsa/am/server/logs> ls -al imsTrace.*
-rw------- 1 rsaadmin rsaadmin 32497 Aug  2 15:56 imsTrace.log
rsaadmin@am81p:/opt/rsa/am/server/logs>
rsaadmin@am81p:/opt/rsa/am/server/logs> cp imsTrace*.log /tmp

  8. Use a secure copy client such as WinSCP or FileZilla to connect with the same operating system account, and copy the imsTrace.log files from /tmp to your PC.
There are also some RSA Authentication Manager server-side performance fixes for sites with tens of thousands of Windows agents; contact Customer Support for more information, or update to Authentication Manager 8.2 patch 1 or later.
