Article Number
000035621
Applies To
RSA Product Set: SecurID Access
RSA Product/Service Type: Identity Router, Cloud
Issue
When end user authentications are not working as planned, some routine steps can be taken to gather the data needed to troubleshoot the issue. These same steps apply to single sign-on and multifactor authentications, regardless of the type of authentication used (SAML, HTTP Federation, Trusted Headers, RADIUS or Relying Party).
If required, this information can be passed to RSA for assistance with troubleshooting.
Cause
Authentication problems are usually caused by a configuration issue. Places to look for such errors include the RSA Cloud Authentication Service (Cloud Administration Console and Identity Router), the application, network devices, digital certificates or some combination of these.
Resolution
Follow the steps below until a solution is found.
1. Review the SecurID Access and target application configuration to check for any errors. The following resources may be useful:
   - Integration Guides on RSA Link for "out of the box" applications. Search the page to see if a specific guide is available for the application with which you are working.
   - RSA SecurID Access Help. Application, policy, authentication, IDR setup and other configuration guidance is given here.
   - Product documentation for the application with which you are working.
   - Check Cloud, IDR and network configuration against the values in your deployment's Solution Architecture Workbook.
2. Try the appropriate Troubleshooting steps for the issue.
3. Reproduce the issue while gathering troubleshooting data:
   a. Set the Identity Router Logging Level to DEBUG on all IDRs in your deployment.
   b. Start client tracing and logging:
      - If you are using a web browser to access the application, start a Fiddler trace for that web browser. Make sure decrypt mode is turned on in Fiddler.
      - If you are using a client to access the application, such as a RADIUS or VPN client, start any network tracing or logging facility that may be available in the client.
   c. If you are using RSA Authentication Manager, start the Authentication Activity monitor.
   d. Test: Reproduce the issue, and note the date, time and timezone of the attempt and the URL accessed. Capture and save screenshot(s) of all errors displayed.
   e. Stop client tracing and logging:
      - If you ran a Fiddler trace, stop and save it.
      - If you were using a client application, stop and save all available data from its network trace and logging facilities.
   f. Set the Identity Router Logging Level back to Standard on all IDRs in your deployment.
   g. Save screenshots of the User Event Monitor. Ensure the screenshots show all activity for the end user(s) when the problem was reproduced in step d. above, including both successes and failures where appropriate. You will need to take multiple screenshots if the results span more than one page.
      - TIP: Maximize your browser window, then adjust results per page in conjunction with your browser's zoom function to fit more data onto the screen, and thereby require fewer screenshots. However, make sure the data in the screenshot is still large enough to read.
   h. Save a screenshot of the User Management page for all end user(s) you tested with when the problem was reproduced (step d. above).
   i. Generate and Download an Identity Router Log Bundle from all IDRs in your deployment.
   j. If you are using the RSA Authenticate app for step-up authentication, save the RSA Authenticate app logs from the mobile device used during the test.
   k. Gather applicable third-party logs. For example:
      - Audit, application and system logs from the application you are trying to log in to.
      - Identity source logs, such as Microsoft Active Directory Windows events.
4. Analyze the data gathered above to look for errors or unusual traffic. Explore these items:
   - Event results in the User Event Monitor. Note the UTC times of specific events for correlation to other logs.
   - Authentication Manager's Authentication Activity monitor events logged during the test (if applicable).
   - Fiddler or any client trace or log.
   - The Contents of Identity Router Log Bundle. When the issue was reproduced, the authentication may have been sent to any IDR in your deployment (determined by your load balancer configuration), so all bundle logs must be reviewed.
   - The RSA Authenticate app logs from the mobile device used during the test (if applicable).
   - Third-party logs.
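The analysis step above depends on lining up events that were recorded in different timezones (UTC in the User Event Monitor, the deployment timezone in Authentication Manager, local time on the end user's device). The following is an added example, not RSA code: it normalizes such records to UTC and merges them into one timeline around the reproduction time. The record layout, source names and sample values are constructed for illustration and are not actual RSA log formats.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records, not real RSA log formats:
# (source, timestamp as captured, UTC offset of the source in hours or None
#  when the timestamp already carries an offset, message)
SAMPLE_EVENTS = [
    ("user_event_monitor", "2024-03-05T14:14:09+00:00", None, "authentication failed"),
    ("auth_manager_activity", "2024-03-05 09:14:08", -5, "passcode accepted"),
    ("fiddler_trace", "2024-03-05 15:14:05", 1, "POST to application URL"),
    ("idr_bundle", "2024-03-05T14:14:10+00:00", None, "assertion rejected"),
    ("idr_bundle", "2024-03-05T13:02:44+00:00", None, "unrelated earlier event"),
]


def to_utc(stamp, offset_hours=None):
    """Return an aware UTC datetime; a naive stamp needs the source's noted offset."""
    parsed = datetime.fromisoformat(stamp)
    if parsed.tzinfo is None:
        if offset_hours is None:
            # Without a recorded timezone the event cannot be correlated.
            raise ValueError(f"no timezone recorded for {stamp!r}")
        parsed = parsed.replace(tzinfo=timezone(timedelta(hours=offset_hours)))
    return parsed.astimezone(timezone.utc)


def build_timeline(events, repro_stamp, repro_offset_hours, window_seconds=120):
    """Merge events from all sources into one UTC-ordered list around the test time."""
    centre = to_utc(repro_stamp, repro_offset_hours)
    window = timedelta(seconds=window_seconds)
    timeline = []
    for source, stamp, offset, message in events:
        when = to_utc(stamp, offset)
        if abs(when - centre) <= window:
            timeline.append((when, source, message))
    return sorted(timeline)


if __name__ == "__main__":
    # The tester noted the attempt at 15:14 local time on a UTC+1 device.
    for when, source, message in build_timeline(SAMPLE_EVENTS, "2024-03-05 15:14:00", 1):
        print(when.isoformat(), source, message)
```
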
If these steps do not allow you to resolve the issue, continue with the Workaround section below to get assistance.
Workaround
RSA Support
If RSA assistance is needed to help troubleshoot, contact RSA Customer Support if you have not done so already. Save all the data gathered above to send to Support. RSA Support will normally require these items:
- Description of the problem (expected versus actual, frequency, scope, etc.), business impact and steps to reproduce.
- History of the problem, including:
  - Date and time (with timezone) of when the problem started.
  - Application, network and configuration changes made before the problem started.
  - Any steps that have been taken to try to fix the problem.
  - Date and time (with timezone) of IDR upgrades before and after the problem started.
- Timezone set in the end users' devices (browser, mobile device, etc.) so we can correlate captured data to RSA and other logs.
- Screenshots, URL(s) plus date and time (with timezone) when the issue was reproduced, as described (see step 3. above).
- User ID(s) of affected user(s) for the test that was done.
- Fiddler trace file or client trace and logs captured during the test done above.
- All IDR bundle logs downloaded after the test done above.
- If Authentication Manager is used:
  - Use the Authentication Activity report template to generate a report of all activity details for the test done above.
  - Current timezone set in your Authentication Manager deployment so that we can correlate the Authentication Manager's Authentication Activity events to the UTC-time events recorded by the Cloud Authentication Service.
- If the RSA Authenticate app is used for step-up authentication, the RSA Authenticate app logs.
- Grant RSA Customer Support Access to Your Account and provide the configured name of the affected application(s) or authentication client(s). If that is not possible, then please provide screenshots of the relevant configuration detail screen(s) in the Cloud Authentication Service (Application, Authentication Client, Policy, etc.), showing the configuration when the problem occurs.
Once you have an open support case, you can upload the files to RSA Customer Support for analysis.
Third Party Support
Your application support team, system administrators, network administrators or vendor support should be contacted for any third-party product assistance that is required.
Notes
- It is strongly recommended to do all the steps above in the order shown. However, you may skip any item that is not possible in your situation.
- Contact RSA Customer Support if you need help with these troubleshooting steps or have questions.