RSA Product Set: SecurID Access
RSA Product/Service Type: RSA MFA Agent for Microsoft Windows
Version(s): 2.0.x, 2.1.x
This article summarizes steps that should be taken to troubleshoot the RSA MFA Agent.
Check the list of common issues and solutions in the Installation and Administration Guide
for your RSA MFA Agent version, "Chapter 5: Troubleshooting", section "Issues and Resolutions".
If that does not help you to fix the problem, then on the Windows computer that is encountering the issue, look for errors logged in the following location of Windows Event Viewer, around the date and time that the problem occurred:
- Applications and Services Logs > RSA MFA Agent
If no recent events are logged, check that the RSA MFA Agent service is running. The service must be running, and must be set to start automatically at startup. If need be, start the RSA MFA Agent then check if the issue still occurs.
If help is needed from SecurID Support please do the following steps in the order shown to get a comprehensive set of data that can be analyzed for the RSA MFA Agent:
- Enable trace logging in the RSA MFA Agent. For instructions, see "Chapter 5: Troubleshooting", section "Enable Tracing" in the Installation and Administration Guide for your RSA MFA Agent version. Make a note of the current configuration so you can change it back to that later. Then, set the following:
- Specify logging options: set to Enabled
- Log level: must be set to Verbose .
- Components to Log: tick all checkboxes
- Path to to store log files: make a note of the path. If nothing is specified, it will be C:\ProgramData\Log Files.
- If the RSA MFA Agent is connected to SecurID Authentication Manager (AM), configure logging in AM for Trace Log. On the primary and all replicas, make a note of the current log level for Trace Log then set it to Verbose on all AM servers.
- Reproduce the issue or wait for it to occur, noting the date, time and user id for the attempt. Consider using a mobile phone or similar to video any unusual behaviour and/or take a photo or make a note of any error messages displayed.
- If the RSA MFA Agent is connected to SecurID Authentication Manager (AM), then immediately after reproducing the issue, set Trace Log back to its original log level on all AM servers. It is very important not to leave it at Verbose for extended periods of time, as it will generate huge amounts of log data which can negatively impact production.
- Raise a Support case if you do not have one already, then send all of the following items to Support. Or you may prefer to wait and check with the support engineer assigned to the case to determine which of these items are most likely to be needed::
- From Windows Event Viewer, save events in both .evtx and .txt formats from all of the categories below. Save all events, or at least all events since the last time the computer was last powered on before the issue was reproduced (see step 3 above):
- Windows Logs > Application
- Windows Logs > Security
- Windows Logs > System
- Applications and Services Logs > Microsoft > Windows > Crypto-DPAPI > Operational
- Applications and Services Logs > RSA MFA Agent
- All files from the RSA MFA Agent's tracing "Path to store log files" location (see step 1 above)
- Date, time and user id when the issue occurred at step 3 above, plus any videos, photos and description of the problem and error messages.
- Logs from the user's SecurID Authenticate app that was used at step 3 above. For instructions to email the logs to you from the app, see SecurID App Logging . Please give Support all files attached to the email, plus all the information (device and app details) from the body of the email.
- If the RSA MFA Agent is connected directly to the SecurID Cloud Authentication Service, or if it is connected to it via Authentication Manager as a proxy, then in the User Event Monitor take a screenshot or "print to PDF" of all User Event Monitor events for the user around the time the issue was reproduced at step 3 above. If no events were logged around that time, please inform Support.
- If the RSA MFA Agent is connected to SecurID Authentication Manager (AM):
- generate a report of all authentication activity events for the user around the time the issue was reproduced at step 3 above . If no events were logged around that time, please inform Support.
- from the authentication activity report, determine which AM server (primary or a replica) handled the authentication at step 3 above. On that AM server, download all troubleshooting files . Be sure to remember the password that was set for the troubleshooting files, and send that to Support too.
If possible, leave trace logging enabled for the RSA MFA Agent until the issue has been remediated in case logs are needed for another instance of the problem. The Number of Log Files and Size of Log Files settings (where you Specify Logging Options in the GPO Policy) will limit the amount of disk space that trace logging consumes.