Troubleshooting RSA MFA Agent for Microsoft Windows
2 months ago
Article Number
000067934
Applies To

RSA Product Set: SecurID and ID Plus
RSA Product/Service Type: MFA Agent for Microsoft Windows
Version(s): All supported versions

Issue

This article summarizes steps that should be taken to troubleshoot the RSA MFA Agent.

Basic Troubleshooting

Advanced Troubleshooting

Resolution

Basic Troubleshooting

Initial checks that can be done to troubleshoot before calling RSA Support:

 

  • Check the list of common issues and solutions in the Installation and Administration Guide for your RSA MFA Agent version.  See section "Issues and Resolutions" in the "Troubleshooting" chapter.
  • On the Windows computer that is encountering the issue, look for errors logged in the following location of Windows Event Viewer, around the date and time that the problem occurred:
    • Applications and Services Logs > RSA MFA Agent

If no recent events are logged, check in Windows services.msc that the RSA MFA Agent service is running. The service must be running, and must be set to start automatically at startup. If need be, start the RSA MFA Agent service, then check whether the issue still occurs.
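The same basic checks can be scripted. The PowerShell below is an added example, not RSA tooling: it assumes the service display name and the event log channel are both "RSA MFA Agent" (as they appear in services.msc and Event Viewer), and the problem time is a constructed sample value.

```powershell
# Added example. Assumed names: service display name and event channel "RSA MFA Agent".
$ServiceDisplayName = 'RSA MFA Agent'
$LogName            = 'RSA MFA Agent'
$ProblemTime        = Get-Date '2024-01-15 09:30'   # constructed sample: when the issue occurred
$WindowMinutes      = 15                            # look this far either side of the problem

# 1. The service must be running and set to start automatically.
$svc = Get-Service -DisplayName $ServiceDisplayName -ErrorAction Stop
$cim = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
[pscustomobject]@{ Name = $svc.Name; Status = $svc.Status; StartMode = $cim.StartMode }

if ($svc.Status -ne 'Running') {
    Write-Warning "Service '$($svc.Name)' is $($svc.Status); start it and retest."
}
if ($cim.StartMode -ne 'Auto') {
    Write-Warning "Service '$($svc.Name)' start mode is $($cim.StartMode), expected Auto."
}

# 2. Events logged by the agent around the time of the problem.
$filter = @{
    LogName   = $LogName
    StartTime = $ProblemTime.AddMinutes(-$WindowMinutes)
    EndTime   = $ProblemTime.AddMinutes($WindowMinutes)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No events in '$LogName' within $WindowMinutes minutes of $ProblemTime."
} else {
    # Level 1 = Critical, 2 = Error, 3 = Warning
    $events | Where-Object { $_.Level -in 1, 2, 3 } |
        Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message
}
```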

 

Advanced Troubleshooting

Do the steps below in the order shown to get the data that Support will need to troubleshoot.  Follow the links provided for detailed instructions. 

Include AM steps if the MFA Agent is connecting to RSA Authentication Manager, or is using AM as a secure proxy for the Cloud.

Include CAS steps if the MFA Agent is connecting to the RSA Cloud, or is using AM as a secure proxy for the Cloud.

 

  1. Enable trace logging in GPO for the RSA MFA Agent.  For instructions, see chapter Troubleshooting, section "Enable Tracing" in the Installation and Administration Guide for your RSA MFA Agent version.  Make a note of the current configuration so you can change it back to that later.  Then, set the following:
    • Specify logging options: set to Enabled 
    • Log level: must be set to Verbose.
    • Components to Log: tick all checkboxes.
    • Path to store log files: make a note of the path. If nothing is specified, it will be C:\ProgramData\RSA\Log Files.
  2. CAS: If the user is not receiving push notifications when expected, enable Enhanced Log Connection in the RSA Authenticator app.  See How to capture enhanced RSA Authenticator app logs for troubleshooting purposes.
  3. AM: Configure logging on all AM servers for Trace Log.  Make a note of the previous log level so it can be set back to that later.
  4. Reproduce the issue or wait for it to occur.  Note the date, time (with timezone) and user id of the attempt.  Record video or take photos of unusual behaviour and errors.
  5. AM: Set Trace Log back to its original log level on all AM servers.  Do not leave it at Verbose longer than necessary.  It will generate huge amounts of log data, which can have adverse effects.
  6. CAS: Disable Enhanced Log Connection in the RSA Authenticator app, if it was enabled.
  7. Optionally, set the RSA MFA Agent logging back to its original settings in GPO.   See the Notes section at the end of this KB article.
  8. Send to Support selected Logs & Reports from the table below, depending on the nature of the issue.  RSA Support will advise which ones to send.
Logs & Reports: Instructions

Details of test: Send to Support the date, time (with time zone), user id, videos, photos, error messages and descriptions of tests done at step 4.

RSA MFA Agent Logs: All files from the RSA MFA Agent's "Path to store log files" location (see step 1 above).  We recommend saving the whole folder to a Zip file.

CAS User Event Monitor

In the User Event Monitor:

  1. Select Include Verbose Logs
  2. Filter by the user's email address then look for events around the time the issue was reproduced at step 4 above.  If there are no events displayed for the user around that time, clear the email address filter and look again for events around that time for the test user or any unknown user.  If no events at all were logged around that time, inform Support.
  3. Click Generate Report.  For Number of Events select Maximum Size. Click Generate Report to confirm. 
  4. Click Report Details and confirm the data there matches what you just generated.  
  5. Click Download.  Send the downloaded CSV file to Support.
AM Authentication Activity Report & Troubleshooting Files
  • From the AM primary, generate an Authentication Activity Report of all events around the time the issue was reproduced at step 4 above.  If no events were logged around that time, inform Support.
  • Download Troubleshooting Files from all AM servers.  In the Generate Files section, select all options.  Be sure to note the password that you set for each file, and send that to Support too.
RSA Authenticator app: Logs from the user's RSA Authenticator app that was used at step 4.  See How to capture enhanced RSA Authenticator app logs for troubleshooting purposes.
Windows Event Viewer

From Windows Event Viewer, save events in both .evtx and .txt formats.

For the .evtx file, when prompted choose Display information for these languages, then select English.

Save all events since the last time the computer was powered on before the issue was reproduced at step 4 above.

Support will tell you which, if any, of the below Event Viewer categories we need to see:

  • Windows Logs > Application
  • Windows Logs > Security
  • Windows Logs > System
  • Applications and Services Logs > RSA MFA Agent
  • Applications and Services Logs > Microsoft > Windows > Crypto-DPAPI >  Operational
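A scripted way to collect the Windows Event Viewer exports and the agent log folder described above. This is an added example, not RSA tooling. The channel name "RSA MFA Agent", the output folder and the issue time are assumptions, and the .txt copy is a plain listing rather than Event Viewer's own text export.

```powershell
# Added example. Run from an elevated prompt; the Security log is not readable otherwise.
$IssueTime = Get-Date '2024-01-15 09:30'        # constructed sample: time noted at step 4
$OutDir    = 'C:\Temp\RSA-Support'              # hypothetical output folder
$AgentLogs = 'C:\ProgramData\RSA\Log Files'     # default "Path to store log files" (step 1)
$Channels  = 'Application', 'Security', 'System',
             'RSA MFA Agent',                   # assumed channel name
             'Microsoft-Windows-Crypto-DPAPI/Operational'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Window start: last OS start before the issue (Kernel-General event 12).
# Falls back to 24 hours earlier if that event has aged out of the System log.
$boot = Get-WinEvent -MaxEvents 1 -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-General'
    Id = 12; EndTime = $IssueTime
}
$start = if ($boot) { $boot.TimeCreated.AddMinutes(-1) } else { $IssueTime.AddHours(-24) }
$stamp = $start.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$query = "*[System[TimeCreated[@SystemTime>='$stamp']]]"

foreach ($channel in $Channels) {
    $base = Join-Path $OutDir ($channel -replace '[\\/ ]', '_')

    # .evtx export of everything since $start
    wevtutil epl $channel "$base.evtx" "/q:$query" /ow:true
    if ($LASTEXITCODE -ne 0) { Write-Warning "Export failed for '$channel'"; continue }

    # Store English display information alongside the .evtx file
    wevtutil al "$base.evtx" /l:en-US

    # Readable .txt copy of the same events, oldest first
    Get-WinEvent -Path "$base.evtx" -Oldest -ErrorAction SilentlyContinue |
        Format-List TimeCreated, Id, LevelDisplayName, ProviderName, Message |
        Out-File "$base.txt" -Encoding utf8
}

# Zip the whole agent log folder. Files the agent still holds open can make
# this fail; if so, copy the folder elsewhere first and zip the copy.
Compress-Archive -Path $AgentLogs -DestinationPath (Join-Path $OutDir 'RSA-MFA-Agent-Logs.zip') -Force
```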

 

Notes

If possible, leave trace logging enabled for the RSA MFA Agent until the issue has been remediated in case logs are needed for another instance of the problem.   The Number of Log Files and Size of Log Files settings (in the Specify Logging Options configuration in GPO Policy) will limit the amount of disk space that trace logging consumes.

 

Examples of important events recorded in Windows Event Viewer logs:

  • Windows Logs > Application : install events for the RSA MFA Agent
  • Windows Logs > Security : audit records of activities on the Windows computer
  • Windows Logs > System : Windows startup events that confirm if and when the RSA MFA Agent service was started, and that of other services it depends on.  Errors from important Windows components such as SChannel.
  • Applications and Services Logs > Microsoft > Windows > Crypto-DPAPI > Operational : events related to Windows' encryption of offline data and other sensitive information saved on the local computer by the RSA MFA Agent.
  • Applications and Services Logs > RSA MFA Agent : day-to-day operational events recorded by the RSA MFA Agent.  These are documented in the RSA MFA Agent's Installation and Administration Guide, in "Chapter 5: Troubleshooting", section "Windows Event Messages Written by the MFA Agent".