When end user authentications are not working as planned, some routine steps can be taken to gather the data needed to troubleshoot the issue. These same steps apply to single sign-on and multifactor authentications, regardless of the type of authentication used (SAML, HTTP Federation, Trusted Headers, RADIUS or Relying Party).
If required, this information can be passed to RSA for assistance with troubleshooting.
Authentication problems are usually caused by a configuration issue. Places to look for such errors include the RSA Cloud Authentication Service (Cloud Administration Console and Identity Router), the application, network devices, digital certificates or some combination of these.
Follow the steps below until a solution is found.
Review the SecurID Access and target application configuration to check for any errors. The following resources may be useful:
Integration Guides on RSA Link for "out of the box" applications. Search the page to see if a specific guide is available for the application with which you are working.
RSA SecurID Access Help. Application, policy, authentication, IDR setup and other configuration guidance is given here.
Product documentation for the application with which you are working.
Save screenshots of the User Event Monitor. Ensure the screenshots show all activity for the end user(s) when the problem was reproduced in step d. above, including both successes and failures where appropriate. You will need to take multiple screenshots if the results span more than one page.
TIP: Maximize your browser window, then adjust results per page in conjunction with your browser's zoom function to fit more data onto the screen, and thereby require fewer screenshots. However, make sure the data in the screenshot is still large enough to read.
Save a screenshot of the User Management page for all end user(s) you tested with when the problem was reproduced (step d. above).
If you are using the RSA Authenticate app for step-up authentication, save the RSA Authenticate app logs from the mobile device used during the test.
Gather applicable third-party logs. For example:
Audit, application and system logs from the application you are trying to log in to.
Identity source logs, such as Microsoft Active Directory Windows events.
Analyze the data gathered above to look for errors or unusual traffic. Explore these items:
Event results in the User Event Monitor. Note the UTC times of specific events for correlation to other logs.
Authentication Manager's Authentication Activity monitor events logged during the test (if applicable).
Fiddler or any client trace or log.
The Contents of Identity Router Log Bundle. When the issue was reproduced, the authentication may have been sent to any IDR in your deployment (determined by your load balancer configuration), so all bundle logs must be reviewed.
The RSA Authenticate app logs from the mobile device used during the test (if applicable).
Third-party logs.
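The correlation step above (matching UTC event times from the User Event Monitor against logs kept in local time) can be scripted. The following is an added example, not RSA code: the record layout, field order, sample values, the 30-second window and the fixed UTC-05:00 offset for the second log are all assumptions, and a fixed offset does not account for daylight saving changes.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y-%m-%d %H:%M:%S"

def to_utc(stamp, utc_offset_hours=0.0):
    """Parse a naive timestamp recorded at a fixed UTC offset; return aware UTC."""
    local = datetime.strptime(stamp, FMT).replace(
        tzinfo=timezone(timedelta(hours=utc_offset_hours)))
    return local.astimezone(timezone.utc)

def correlate(cloud_events, other_events, other_offset_hours, window_seconds=30):
    """Pair each cloud event (UTC) with same-user events from another log.

    Returns (matches, unmatched). An unmatched cloud event means the other
    log holds no entry for that user within the window once both are in UTC.
    """
    window = timedelta(seconds=window_seconds)
    normalized = [(to_utc(ts, other_offset_hours), user, msg)
                  for ts, user, msg in other_events]
    matches, unmatched = [], []
    for ts, user, msg in cloud_events:
        when = to_utc(ts)
        hits = [o for o in normalized
                if o[1].lower() == user.lower() and abs(o[0] - when) <= window]
        if hits:
            matches.extend(((ts, user, msg), (h[0].strftime(FMT), h[1], h[2]))
                           for h in hits)
        else:
            unmatched.append((ts, user, msg))
    return matches, unmatched

# Constructed sample records (hypothetical layout, not a real export format).
CLOUD_UTC = [
    ("2024-03-05 14:02:11", "jdoe", "step-up authentication failed"),
    ("2024-03-06 04:59:58", "asmith", "authentication succeeded"),
    ("2024-03-06 05:10:00", "jdoe", "authentication failed"),
]
AM_LOCAL = [  # second log assumed to record local time at UTC-05:00
    ("2024-03-05 09:02:09", "JDOE", "passcode rejected"),
    ("2024-03-05 23:59:55", "asmith", "passcode accepted"),   # crosses midnight in UTC
    ("2024-03-06 05:10:00", "jdoe", "same clock reading, five hours apart in UTC"),
]

if __name__ == "__main__":
    matches, unmatched = correlate(CLOUD_UTC, AM_LOCAL, other_offset_hours=-5)
    for cloud, other in matches:
        print("MATCH   ", cloud, "<->", other)
    for cloud in unmatched:
        print("NO MATCH", cloud)
```

The third pair shows why the recorded timezone matters: the two entries show the same clock reading but are five hours apart once normalized, so they are not the same authentication attempt.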
If these steps do not allow you to resolve the issue, continue with the Workaround section below to get assistance.
If RSA assistance is needed to help troubleshoot, contact RSA Customer Support if you have not done so already. Save all the data gathered above to send to Support. RSA Support will normally require these items:
Description of the problem (expected versus actual, frequency, scope, etc.), business impact and steps to reproduce.
History of the problem, including:
Date and time (with timezone) of when the problem started
Application, network and configuration changes made before the problem started
Any steps that have been taken to try to fix the problem
Date and time (with timezone) of IDR upgrades before and after the problem started
Timezone set in the end users' devices (browser, mobile device, etc.) so we can correlate captured data to RSA and other logs.
Screenshots, URL(s) plus date and time (with timezone) when the issue was reproduced, as described (see step 3. above).
User ID(s) of affected user(s) for the test that was done.
Fiddler trace file or client trace and logs captured during the test done above.
All IDR bundle logs downloaded after the test done above.
Current timezone set in your Authentication Manager deployment so that we can correlate the Authentication Manager's Authentication Activity events to the UTC-time events recorded by the Cloud Authentication Service.
If the RSA Authenticate app is used for step-up authentication, the RSA Authenticate app logs.
Grant RSA Customer Support Access to Your Account and provide the configured name of the affected application(s) or authentication client(s). If that is not possible, then please provide screenshots of the relevant configuration detail screen(s) in the Cloud Authentication Service (Application, Authentication Client, Policy, etc.), showing the configuration when the problem occurs.