000035621 - Troubleshooting end user authentication failures with the RSA SecurID Access Cloud Authentication Service

Document created by RSA Customer Support Employee on Oct 14, 2017. Last modified by RSA Customer Support Employee on Apr 12, 2018.
Version 5

Article Content

Article Number: 000035621
Applies To: RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router, Cloud
Issue: When end user authentications are not working as planned, some routine steps can be taken to gather the data needed to troubleshoot the issue. These same steps apply to single sign-on and multifactor authentications, regardless of the type of authentication used (SAML, HTTP Federation, Trusted Headers, RADIUS or Relying Party).

If required, this information can be passed to RSA for assistance with troubleshooting.
Cause: Authentication problems are usually caused by a configuration issue. Places to look for such errors include the RSA Cloud Administration Console, the application, network devices, digital certificates or some combination of these.
Resolution: Follow the steps below until a solution is found.
  1. Review the SecurID Access and target application configuration to check for any errors.  The following resources may be useful:
    1. Integration Guides on RSA Link for "out of the box" applications.  Search the page to see if a specific guide is available for the application you are working with.
    2. RSA SecurID Access Help.  Application, policy, authentication, IDR setup and other configuration guidance is given here.
    3. Product documentation for the application you are working with.
    4. Check Cloud, IDR and network configuration against the values in your deployment's Solution Architecture Workbook.
  2. Try the appropriate Troubleshooting steps for the problem.
  3. Gather troubleshooting data:
    1. Set the Identity Router Logging Level to DEBUG on all IDRs in your deployment.
    2. Start client tracing and logging:
      • If you are using a web browser to access the application, start a Fiddler trace for that web browser.  Make sure decrypt mode is turned on in Fiddler.
      • If you are using a client to access the application, such as a RADIUS or VPN client, start any network tracing or logging facility that may be available in the client.
    3. If you are using RSA Authentication Manager, start the Authentication Activity monitor.
    4. Test:  Reproduce the issue, and note the date, time and timezone of the attempt and the URL accessed.  Capture and save screenshot(s) of all errors displayed.
    5. Stop client tracing and logging:
      • If you ran a Fiddler trace, stop and save it.
      • If you were using a client application, stop and save all available data from its network trace and logging facilities.
    6. Set the Identity Router Logging Level back to INFO, or whatever previous level it was, on all IDRs in your deployment.
    7. Generate and Download an Identity Router Log Bundle from all IDRs in your deployment.
    8. If you are using the RSA Authenticate app for step-up authentication, save the RSA Authenticate app logs from the mobile device used during the test. 
    9. Applicable third-party logs.  For example:
      1. Audit, application and system logs from the application you are trying to log in to.
      2. Identity source logs, such as Microsoft Active Directory Windows events.
  4. Analyze the data gathered above to look for errors or unusual traffic.  Explore these items:
    • Authentication Manager's Authentication Activity monitor events logged during the test (if applicable).
    • Fiddler or any client trace or log.
    • The Contents of Identity Router Log Bundle.  When the issue was reproduced, the authentication may have been sent to any IDR in your deployment (determined by your load balancer configuration), so all bundle logs must be reviewed.
    • The RSA Authenticate app logs from the mobile device used during the test (if applicable).
    • Third party logs.
If these steps do not allow you to resolve the issue, continue with the Workaround section below to get assistance.
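
The correlation described in steps 3.4 and 4, as an added example (not RSA code): the noted test time is converted to a UTC window, and lines from every IDR plus Authentication Manager events are merged into one timeline. The log layouts, host names, user name and messages are constructed assumptions; IDR timestamps are assumed to be UTC and Authentication Manager events to be in the deployment's local time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data; real log layouts may differ.
# Assumption: IDR log lines start with a UTC timestamp "YYYY-MM-DD HH:MM:SS,mmm".
IDR_LOGS = {
    "idr-1": [
        "2018-04-12 18:20:03,115 INFO  heartbeat ok",
        "2018-04-12 18:32:12,482 DEBUG SAML request received for user jdoe",
    ],
    "idr-2": [
        "2018-04-12 18:32:14,907 ERROR assertion signature validation failed",
        "2018-04-12 19:05:41,020 INFO  heartbeat ok",
    ],
}
# Assumption: Authentication Manager events are exported in deployment-local time.
AM_EVENTS = ["2018-04-12 14:32:13 Authentication attempted, user jdoe"]

def to_utc_window(test_time_iso, before_s=60, after_s=300):
    """Turn the noted test time (ISO 8601 with offset) into a UTC search window."""
    t = datetime.fromisoformat(test_time_iso)
    if t.tzinfo is None:
        raise ValueError("test time needs its UTC offset, e.g. -04:00")
    t = t.astimezone(timezone.utc)
    return t - timedelta(seconds=before_s), t + timedelta(seconds=after_s)

def timeline(test_time_iso, idr_logs, am_events, am_offset_hours):
    """Merge every IDR's lines and the AM events into one UTC-ordered list."""
    start, end = to_utc_window(test_time_iso)
    am_tz = timezone(timedelta(hours=am_offset_hours))
    rows = []
    for source, lines in idr_logs.items():
        for line in lines:
            ts = datetime.strptime(line[:23], "%Y-%m-%d %H:%M:%S,%f")
            rows.append((ts.replace(tzinfo=timezone.utc), source, line[24:]))
    for line in am_events:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S").replace(tzinfo=am_tz)
        rows.append((ts.astimezone(timezone.utc), "am", line[20:]))
    # Keep only entries inside the window, ordered by UTC time.
    return sorted(r for r in rows if start <= r[0] <= end)

if __name__ == "__main__":
    test_time = "2018-04-12T14:32:10-04:00"  # constructed test time
    for ts, source, msg in timeline(test_time, IDR_LOGS, AM_EVENTS, -4):
        print(ts.isoformat(), source, msg)
```
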

RSA Support

If RSA assistance is needed to help troubleshoot, contact RSA Customer Support if you have not done so already.  Save all the data gathered above to send to Support.  RSA Support will normally require these items:

  • Description of the problem (expected versus actual, frequency, scope, etc.), business impact and steps to reproduce.
  • History of the problem, including:
    • date and time (with timezone) of when the problem started
    • application, network and configuration changes made before the problem started 
    • any steps that have been taken to try to fix the problem
    • date and time (with timezone) of IDR upgrades before and after the problem started
  • Screenshots, URL(s), date and time (with timezone of the end user's device(s)) of the test done above.
  • User id of affected user(s) for the test that was done.
  • Fiddler trace file or client trace and logs captured during the test done above
  • All IDR bundle logs downloaded after the test done above
  • If Authentication Manager is used:
    • Use the Authentication Activity report template to generate a report of all activity details for the test done above.
    • Current timezone set in your Authentication Manager deployment so that we can correlate the Authentication Manager's Authentication Activity events to the UTC-time events recorded by the Cloud Authentication Service. 
  • If the RSA Authenticate app is used for step-up authentication, the RSA Authenticate app logs.
  • Grant RSA Customer Support Access to Your Account and provide the configured name of the affected application(s) or authentication client(s).  If that is not possible, then please provide screenshots of the relevant configuration detail screen(s) in the Cloud Authentication Service (Application, Authentication Client, Policy, etc.), showing the configuration when the problem occurs.
When you have an open support case, you can upload the files to RSA Customer Support for analysis.

Third-party Support

Your application support team, system administrators, network administrators or vendor support should be contacted for any third-party product assistance that is required.
  • It is strongly recommended to do all the steps above in the order shown.  However, you may skip any item that is not possible in your situation.  
  • Contact RSA Customer Support if you need help with these troubleshooting steps or have questions.