Troubleshooting the Authentication Test

If the authentication test is unsuccessful, follow the recommended troubleshooting methods in the following table based on the system behavior that you observed during the test.

System Behavior

Action

Browser displays the default logon page for your web-based application instead of the Authentication Manager logon page.

  • Verify that you generated and deployed the RBA integration script correctly. For more information, see the implementation guide for your web-based application.

  • Verify that the integration script file for your web-based application is encoded as ISO-8859-1 (also referred to as Latin-1) or ASCII. Other file encoding formats are not supported.

Web-based application redirects you to a logon page that does not load.

  • Verify that your browser allows JavaScript. For more information, see your browser documentation.

  • Verify that your browser has cookies enabled. For more information, see your browser documentation.

  • Verify that you are using a supported browser. For a list of supported browsers, see the RSA Authentication Manager Setup and Configuration Guide.

  • Do one of the following:

    • For a deployment with a web tier, verify that the URL resolves to the virtual host and virtual host port.

    • For a deployment without a web tier and with a load balancer, verify that the URL resolves to the load balancer and the load balancer port.

    • For a deployment without a web tier and a load balancer, verify that the URL resolves to the primary instance and primary instance port.

  • Verify that all firewalls are configured to allow inbound traffic to the host and port that are specified in the URL.

  • Verify that the Domain Name System (DNS) server has the appropriate hostnames and IP addresses for RBA. See Planning for Domain Name System Updates.

  • Also, verify that any Network Address Translation (NAT) or load balancers do not interfere with requests that must be routed to an Authentication Manager host, which is either the web tier or an Authentication Manager instance, depending on your deployment scenario.

    These actions can resolve issues in which the browser enters a redirect loop.

  • Verify that web tier instances can communicate with the primary and replica instances. Also, if your deployment includes a load balancer, verify that it can communicate with the web tier instances.

If none of these methods resolves the issue, RSA recommends the following:

Generate and redeploy the integration script to the logon page for your web-based application. For more information, see the implementation guide for your web-based application.

The web-based application redirects you to a page with the error message “Agent Integration Error”.

  • Verify that you created an agent record in Authentication Manager. For more information, see Add an Authentication Agent.

  • Generate and redeploy the integration script to the logon page for your web-based application. For more information, see the implementation guide for your web-based application.

  • If your deployment includes a load balancer, verify that the load balancer has persistence configured. Persistence, which is also called “session affinity” or “sticky sessions,” allows a load balancer to send a client to the same server during a session. For Authentication Manager, the load balancer must send the client to the same Authentication Manager instance or web tier during an authentication session. For more information, see your load balancer documentation.

  • Find a more detailed error message in rsa-console.log. For instructions, see.Download Troubleshooting Files

Page error occurs after you log on as the test user.

Verify that you are using a supported deployment scenario for RBA. For supported deployment scenarios, see the RSA Authentication Manager Planning Guide.

After you enter the logon credentials for the test user, you are prompted to log on again.

Do the following:

  • Verify that the account settings in Authentication Manager allow the test user to log on. The user must exist and belong to the default security domain (SystemDomain), and the account must be enabled. The account must not be expired, and the user must not be locked out. For more information, see Enable a User Account.

  • Verify that the RBA policy for the default security domain (SystemDomain) allows automatic enablement and silent collection. For more information, see Risk-Based Authentication Policies.

  • Verify that the user is enabled for RBA, if RBA does not allow automatic enablement.

  • Verify that the Authentication Activity Monitor displays all the required log entries. You will see the following entry types: authentication method success with password and SecurID, authentication method success with RBA, artifact generation success, and artifact delivery success.

If this does not resolve the issue, RSA recommends clearing the node secret for Authentication Manager and your web-based application. For more information on clearing the node secret for Authentication Manager, see Manage the Node Secret. For more information on clearing the node secret for your web-based application, see your web-based application documentation.

Related Tasks

Testing Your Risk-Based Authentication Integration