RSA MFA Agent for Microsoft Windows Log Events
This page provides the details of the events logged by the RSA MFA Agent for Microsoft Windows in the Windows Event Viewer.
For each event category, the corresponding table(s) lists the event ID, severity, and the corresponding message and its parameters. Parameters values appear according to the specific details of each event. For event messages that include parameters, parameters are indicated throughout this page within the message text as <parameter name>.
The MFA Agent events are categorized as follows:
- Authenticator & General Authentication Events (1000–1021)
- Evidence Collection Events (1100–1110)
- Windows Authentication Events (1200–1203)
- Offline Authentication Events (1300)
- Reserve Password Events (1400–1405)
- FIDO/Passwordless Authentication Events (6600–6620)
- Credential Provider Filter Starting Events (2000–2002)
- Windows Agent Service Starting Events (3000–3008)
- Offline Authentication Service Starting Events (4000–4016)
- Authentication Server Service Starting Events (5000–5004)
- Test Authentication Tool Starting Events (9000)
- Azure Authentication Starting Events (8000)
- Passwordless Auth Services Messages Events (7000–7008)
Note: This page lists the events for the RSA MFA Agent version 2.5 and earlier. The list of events is updated with each Agent release.
Authenticator & General Authentication Events (1000–1021)
| Event ID | Severity | Message |
|---|---|---|
| 1000 | Exception | (Reserved for exceptions) |
| 1001 | Success Audit | Successful authentication to RSA. User: <username>, Method: <authentication method> |
| 1002 | Failure Audit | Unsuccessful authentication to RSA. User: <username>, Method: <authentication method> |
| 1003 | Info | Authentication to RSA canceled by user. User: <username>, Method: <authentication method> |
| 1004 | Error | Unsuccessful authentication to RSA Authentication Service. User: <username>, Reason: <reason> |
| 1005 | Success Audit | Successful offline authentication. User: <username>, Method: <authentication method> |
| 1006 | Failure Audit | Unsuccessful offline authentication. User: <username>, Method: <authentication method> |
| 1007 | Failure Audit | Unsuccessful offline authentication. No offline data available. User: <username>, Method: <authentication method> |
| 1008 | Info | Offline authentication canceled by user. User: <username>, Method: <authentication method> |
| 1009 | Error | Unsuccessful authentication to RSA. This computer cannot connect to RSA. |
| 1010 | Error | Unsuccessful authentication to RSA Authentication Service. The policy <policy name> was not found. |
| 1011 | Error | Unsuccessful authentication to RSA Authentication Service. The user <username> was not found. |
| 1012 | Error | Unsuccessful authentication to RSA Authentication Service. The user <username> has to install and register the RSA Authenticator app. |
| 1013 | Error | Unsuccessful authentication to RSA Authentication Service. The user <username> cannot authenticate with any methods in the policy <policy name>. |
| 1014 | Error | Unsuccessful authentication to RSA Authentication Service. The user <username> is disabled in RSA. |
| 1015 | Error | Unsuccessful authentication to RSA Authentication Service. The user <username> is denied access by the policy <policy name>. |
| 1016 | Failure Audit | Unsuccessful authentication for user: <username>. Passcode can not be reused. |
| 1017 | Info | User <username> does not need to perform additional authentication based on the Cloud Access Service access policy. |
| 1018 | Info | The user <username> was not found, but this computer is configured to not require additional authentication for an unknown user. |
| 1019 | Info | User <username> does not need to perform additional authentication. RSA authentication is not enabled on this computer. |
| 1020 | Info | User <username> does not need to perform additional authentication based on the Local Authentication Settings Challenge Group policy. |
| 1021 | Error | Unsuccessful authentication to RSA Authentication Service. The policy <policy name> is not supported. |
Evidence Collection Events (1100–1110)
| Event ID | Severity | Message |
|---|---|---|
| 1100 | Info | System attribute collection is enabled on this computer. |
| 1101 | Info | System attribute collection is disabled on this computer. |
| 1102 | Success Audit | Sent system attributes from this computer for the user <username> to RSA. |
| 1103 | Failure Audit | Unsuccessful collection of system attributes from this computer for the user <username>. |
| 1104 | Success Audit | Successful collection of location from this computer for user <username>. |
| 1105 | Failure Audit | Unsuccessful collection of location from this computer for user <username> within the specified timeout. |
| 1106 | Success Audit | Collected IP address for user <username>. |
| 1107 | Failure Audit | Unsuccessful collection of IP address from this computer for user <username>. |
| 1108 | Info | Location collection timeout value is configured to <timeout value> seconds. |
| 1109 | Info | System can access location data because location service is on for this computer for user <username>. |
| 1110 | Warning | System cannot access location data for this computer for user <username>. |
Windows Authentication Events (1200–1203)
| Event ID | Severity | Message |
|---|---|---|
| 1200 | Info | Password credentials collected. User: <username> Domain: <domain> |
| 1201 | Success Audit | Authentication to Windows succeeded. |
| 1202 | Failure Audit | Authentication to Windows failed. |
| 1203 | Warning | Windows Password has Expired. |
Offline Authentication Events (1300)
| Event ID | Severity | Message |
|---|---|---|
| 1300 | Info | Offline authentication is disabled on this computer. |
Reserve Password Events (1400–1405)
| Event ID | Severity | Message |
|---|---|---|
| 1400 | Success Audit | Successful reserve password authentication. User: <username>, Method: <authentication method> |
| 1401 | Failure Audit | Unsuccessful reserve password authentication. User: <username>, Method: <authentication method> |
| 1402 | Info | Reserve password authentication canceled by user. User: <username>, Method: <authentication method> |
| 1403 | Info | Reserve password is disabled on this computer. |
| 1404 | Error | Reserve password length error. |
| 1405 | Error | Incorrect hash format. Review your reserve password in the policy settings. |
FIDO/Passwordless Authentication Events (6600–6620)
| Event ID | Severity | Message |
|---|---|---|
| 6600 | Error | FIDO_RP_ID is not configured. Cannot proceed with FIDO authentication. |
| 6601 | Error | Unsuccessful authentication to the Cloud Access Service. The user <username> must register the FIDO authenticator. |
| 6602 | Error | Unsuccessful authentication to the Cloud Access Service. User <username> credentials are invalid for primary authentication using FIDO security key. |
| 6603 | Error | Unsuccessful authentication to the Cloud Access Service. Security key is not supported. |
| 6604 | Error | Unsuccessful authentication to the Cloud Access Service. PIN is not set for the security key. |
| 6605 | Error | Unsuccessful authentication to the Cloud Access Service. PIN is locked after too many unsuccessful sign-in attempts. User <username> must reset the security key and re-register. |
| 6606 | Error | Unsuccessful authentication to the Cloud Access Service. Security key does not contain valid credentials for user <username>. |
| 6607 | Error | Unsuccessful authentication for user: <username>. Required Configuration not found to complete FIDO authentication. |
| 6608 | Error | Unsuccessful authentication for user: <username>. Cloud Access Service is not reachable and Virtual Smart Card is not present for the user. |
| 6609 | Success Audit | Successful Offline Primary FIDO Authentication for user: <username>. |
| 6610 | Warning | User <username> is permitted to authenticate using Windows password and MFA, if configured. User must register the FIDO authenticator with Cloud Access Service before attempting passwordless authentication. |
| 6611 | Warning | User <username> is permitted to authenticate using Windows password and MFA, if configured. User must set the FIDO PIN for the security key before attempting passwordless authentication. |
| 6612 | Warning | User <username> is permitted to authenticate using Windows password and MFA, if configured. Security key is locked after too many unsuccessful sign-in attempts. User must reset the security key and re-register. |
| 6613 | Warning | User <username> is permitted to authenticate using Windows password and MFA, if configured. User's security key contains invalid credentials. User must re-register security key with Cloud Access Service. |
| 6614 | Error | FIDO unknown exception |
| 6615 | Error | FIDO Exception |
| 6616 | Error | TPM is not present on the machine. |
| 6617 | Info | Disabling passwordless credential provider and enabling password credential provider. |
| 6618 | Error | Transactional Error occurred when communicating with Security Key. Re-insert your security key and try again. |
| 6619 | Info | The user <username> was not found, but this computer is configured to not require passwordless authentication for an unknown user. |
| 6620 | Success Audit | Access attribute updated successfully for user <username>. |
Credential Provider Filter Starting Events (2000–2002)
| Event ID | Severity | Message |
|---|---|---|
| 2000 | Info | Filtered a Credential Provider. Name: <name>, CLSID: <class ID> |
| 2002 | Warning | Unable to filter a Credential Provider because it was not in the list of available credential providers. Name: <name>, CLSID: <class ID> |
Windows Agent Service Starting Events (3000–3008)
| Event ID | Severity | Message |
|---|---|---|
| 3000 | Error | An RSA Settings group policy is improperly configured on this computer. Policy name: <policy name>, Configured setting: <setting> |
| 3001 | Info | The service started successfully |
| 3002 | Info | The service stopped successfully |
| 3003 | Info | A service component has started: <service name> |
| 3004 | Info | A service component has stopped: <service name> |
| 3005 | Error | A service component did not start: <service name> Error: <error> |
| 3006 | Error | The service encountered an error. Error: <error> |
| 3007 | Info | The service is starting |
| 3008 | Info | A service component is starting: <service name> |
Offline Authentication Service Starting Events (4000–4016)
| Event ID | Severity | Message |
|---|---|---|
| 4000 | Info | Deleted all offline data for user <username>. The offline data is no longer valid for use on this device. |
| 4001 | Success Audit | Downloaded <number of offline days> days of offline data for user <username>. |
| 4002 | Success Audit | Downloaded offline eac data for user <username>. |
| 4003 | Failure Audit | Failed to download offline data for user <username>. RSA returned <error>. |
| 4004 | Failure Audit | Failed to download offline eac data for user <username>. RSA returned <error>. |
| 4005 | Info | Deleted all offline data for users on this computer. |
| 4006 | Info | Deleted offline eac data for user <username>. |
| 4007 | Success Audit | Deleted all offline data for local user accounts on this computer. |
| 4008 | Success Audit | Downloaded offline metadata for agent <client ID>. |
| 4009 | Failure Audit | Failed to download offline metadata for agent <client ID>. RSA returned <offline metadata response>. |
| 4010 | Success Audit | Downloaded offline metadata for user <username>. |
| 4011 | Failure Audit | Failed to download offline metadata for user <username>. RSA returned <offline metadata response>. |
| 4012 | Failure Audit | Unsuccessful offline authentication. The user <username> reached maximum number of authentication failure limit |
| 4013 | Failure Audit | Unsuccessful offline authentication for user: <username>. Passcode can not be reused. |
| 4014 | Success Audit | Successful offline authentication. User: <username>, Method: <authentication method> |
| 4015 | Failure Audit | Unsuccessful offline authentication. User: <username>, Method: <authentication method> |
| 4016 | Failure Audit | Failed to download offline data for user. WPI certificate not available. Please contact Administrator. |
Authentication Server Service Starting Events (5000–5004)
| Event ID | Severity | Message |
|---|---|---|
| 5000 | Error | Failed to retrieve a policy. Policy name: <policy name>. Exception: <exception message> |
| 5001 | Error | An error occurred while Initializing servers. Check configuration. |
| 5002 | Error | An error occurred while Initializing servers. Exception: <exception message> |
| 5003 | Error | Updated server status to down. Server url: <server URL> |
| 5004 | Error | Updated server status to down. Exception: <exception message> |
Test Authentication Tool Starting Events (9000)
| Event ID | Severity | Message |
|---|---|---|
| 9000 | Warning | RSA authentication is not enabled on this computer. User <username> is allowed to test authentication. |
Azure Authentication Starting Events (8000)
| Event ID | Severity | Message |
|---|---|---|
| 8000 | Error | Failed to retrieve a policy. Policy name: <policy name>. Exception: <exception message> |
Passwordless Auth Services Messages Events (7000–7008)
| Event ID | Severity | Message |
|---|---|---|
| 7000 | Success Audit | Virtual smart card created successfully for user <username>. Reader name - <reader name>, Instance Id - <instance ID>. |
| 7001 | Failure Audit | Virtual smart card creation unsuccessful for user <username>. |
| 7002 | Success Audit | Virtual smart card reader terminated with instance Id - <instance ID>. |
| 7003 | Failure Audit | Virtual smart card reader termination unsuccessful with instance Id - <instance ID>. |
| 7004 | Success Audit | Signin certificate enrolled successfully for user <username>. |
| 7005 | Failure Audit | Signin certificate enrollment unsuccessful for user <username>. |
| 7006 | Failure Audit | Smart card creation unsuccessful. Trusted Platform Module is not ready. |
| 7007 | Failure Audit | Smart card creation unsuccessful. Trusted Platform Module is not found. |
| 7008 | Failure Audit | Smart card readers reached maximum limit. No new smart card can be created. |
Related Articles
RSA Governance & Lifecycle Integration: Epic Electronic Medical Records EMR Summary Number of Views Configure Microsoft Entra ID Joined Devices for RSA MFA Agent 2.5 for Windows Number of Views RSA MFA Agent 2.5 for Microsoft Windows Third-Party Licenses Number of Views Barracuda Networks CloudGen Firewall - RSA MFA API (REST) Configuration - RSA Ready Implementation Guide Number of Views Web tier does not come back online after upgrade to Authentication Manager 8.1 SP1 Number of Views
Trending Articles
Troubleshooting RSA SecurID Access Identity Router to RSA Authentication Manager test connection failures RSA SecurID Software Token 5.0.2 Downloads for Microsoft Windows RSA Authentication Manager 8.9 Release Notes (January 2026) RSA Governance & Lifecycle 8.0.0 Administrators Guide Quick Setup Guide - Passwordless Authentication in Windows MFA Agent for Active Directory
Don't see what you're looking for?
