Troubleshooting Cloud Access Service User Issues

a month ago

The following table contains information that help desk administrators can use to troubleshoot Cloud Access Service (CAS) user issues.

RSA Authenticator App Installation

Issue	Resolution
A user cannot open or install the RSA Authenticator app.	Confirm the following: The user has internet connectivity. The user has downloaded and installed the app from the relevant app store. The user can see the app icon in the application folder or home screen.

Authenticator Registration

Issue	Resolution
A user cannot register an authenticator. A user sees one of the following error messages: Unable to Complete Setup. Contact your administrator. Cannot register. Contact your administrator.	Investigate these areas: If the user sees the "Unable To Complete Setup" message, confirm that the user is allowed to complete authenticator registration. If a policy prevents the user from completing registration, the User Event Monitor displays messages indicating this. If the user sees the "Cannot register" message, confirm with your setup administrator that your company allows users to complete registration with the Authenticator the user is trying to register. Confirm that the user has internet connectivity. Confirm connectivity between the Cloud Administration Console and the identity source. For instructions, see View Identity Router Status in the Cloud Administration Console. Confirm that the user has an active account in the identity source and that the account password is not expired. In the Cloud Administration Console, confirm that the user exists. Confirm that the user is using the correct username or email address, password (identity source), and Company ID. The Company ID must match the value configured in the Cloud Administration Console under Company Settings. For more information, see Configure Company Information and Certificates. In the Cloud Administration Console, check if the user already has a registered authenticator. If so, instruct the user to delete the authenticator in My Page, or you can delete the user's current authenticator as described in Manage Users for Cloud Access Service . When using the RSA Authenticator app, review the app logs for connectivity and device registration errors.
A user believes that registration is complete. However, RSA instructs the user to install the RSA Authenticator app.	In the Cloud Administration Console, click Users > Management, navigate to the user's Authenticators page, and confirm that the authenticator is listed. If the authenticator does not appear, instruct the user to complete registration again.
A user is concerned about the RSA Authenticator app for Android requesting multiple permissions during registration.	The RSA Authenticator app requests the minimum number of permissions required for the application to function. For more information, see the privacy policy at https://www.rsa.com/en-us/company/privacy.
An iOS or Android user sees the following error message in the RSA Authenticator app: Untrusted Connection.	If your company uses Secure Sockets Layer (SSL) interception, users will see this message during registration. Instruct users to complete registration using a Wi-Fi network that does not use SSL interception, such as a cellular data or a home Wi-Fi network. They can use corporate Wi-Fi after registration is complete. If users see this message after registration is complete, consult your company's IT team to resolve the issue.
A user is prompted to complete registration, although the user has already completed registration.	The user might see this message if you have deleted the user's authenticator in the Cloud Administration Console . Instruct the user to complete registration again.
A user receives the following error message when registering a device: Unsuccessful RSA Authenticator Setup. You have another device registered with RSA. Contact your administrator.	The user either already has a registered device or performed a factory reset on an existing registered device and tried to re-register. Instruct the user to delete the device in My Page. Or in the Cloud Administration Console , delete the user's current device. For instructions, see Manage Users for Cloud Access Service . Instruct the user to complete registration again. Review the RSA Authenticator app logs for this event.

Applications

Issue	Resolution
A user cannot sign into the application portal.	In the Cloud Administration Console , click Users > Event Monitor. The user event monitor shows the following reasons for unsuccessful application portal sign-in: Authentication failed. Credentials used to sign in are associated with multiple user accounts. An internal server error occurred. The concurrent session limit has been reached. A password reset is required. Also, check that the user is included in the scope of the identity source that was added to RSA. Identity sources are configured in the Cloud Administration Console and enable users to access protected applications in the application portal.
A user expects to have access to an application but cannot see the application.	Sign into the Cloud Administration Console. If the issue is limited to one user, see Access Policies for more information. If no user can see the application, see Application Availability and Visibility for more information.
A user receives HTTP error 500 when trying to access an application that has been added to RSA using either the HTTP Federation (HFED) Proxy or trusted headers methods.	Confirm that the application web server has a valid SSL certificate that has been signed by a certificate authority (CA) that the identity routers trust. For more information, see Cloud Access Service Certificates.

Issue

Resolution

A user cannot sign into the application portal.

In the Cloud Administration Console , click Users > Event Monitor. The user event monitor shows the following reasons for unsuccessful application portal sign-in:

Authentication failed.
Credentials used to sign in are associated with multiple user accounts.
An internal server error occurred.
The concurrent session limit has been reached.
A password reset is required.

Also, check that the user is included in the scope of the identity source that was added to RSA. Identity sources are configured in the Cloud Administration Console and enable users to access protected applications in the application portal.

A user expects to have access to an application but cannot see the application.

Sign into the Cloud Administration Console.

If the issue is limited to one user, see Access Policies for more information.
If no user can see the application, see Application Availability and Visibility for more information.

A user receives HTTP error 500 when trying to access an application that has been added to RSA using either the HTTP Federation (HFED) Proxy or trusted headers methods.

Confirm that the application web server has a valid SSL certificate that has been signed by a certificate authority (CA) that the identity routers trust. For more information, see Cloud Access Service Certificates.

Authentication Methods

Issue	Resolution
Authentication is unsuccessful.	Investigate these areas: Confirm that an internet connection is available. Determine the authentication method that the user provided for authentication. Sign into the Cloud Administration Console, click Users > Event Monitor, and view the events associated with the user to see which authentication method or assurance level has been applied. Device Biometrics and Approve authentication methods require push notifications. Determine whether the device is receiving notifications. If notifications are disabled, instruct the user to open the app and pull down on the home screen to retrieve notifications. If the authentication method is RSA Authenticate OTP, SMS OTP, Voice OTP, or password, determine if the method is locked for that user. If the method is locked, the authentication will not succeed. If applicable, the logical AND operator requires that both methods are successfully validated. For instructions on unlocking these methods, see Manage Users for Cloud Access Service . For information on password lockout, see Configure Session and Authentication Method Settings. If the method is Authenticate OTP, make sure the user's phone is configured to the correct local time. If the authentication method is SecurID OTP, access Authentication Manager and do the following: Check if the user entered the SecurID PIN and OTP incorrectly. Check if the user's token is disabled. Check if the user account is locked. Review the RSA Authenticator app logs for connectivity and unsuccessful authentication errors.
A user sees the following error message in the browser when trying to authenticate: Cannot Contact Your Mobile Device.	When RSA detects an unexpected error while trying to contact a user's mobile device, this error appears. Instruct the user to try again in a few minutes, or to select a different authentication method. (If the application is assigned an assurance level that does not have optional methods, then authentication fails.)
A FIDO authenticator user sees the following error message in the browser when trying to register or authenticate: An Error Occurred.	This message might appear if CAS detects the authenticator as counterfeit or compromised.
A user wants a simple way to copy the RSA Authenticate OTP into a mobile browser.	The user can tap the tokencode to copy it.
A user taps Approve in the RSA Authenticator app but is not authenticated to the application.	A user has one minute to tap Approve after the Approve screen appears in the app. It is likely that the user tapped Approve near the end of that timeout interval. Review the RSA Authenticator app logs for timeout events. Confirm if the user's device has an internet connection.
A user cancels the Sending Sign-in Request screen in the browser, selects Approve, and then sees the tokencode screen in the in browser.	Instruct the user to do the following: Cancel the authentication screen in the RSA Authenticator app. Go to the home screen in the app. Enter the RSA Authenticate OTP in the browser screen.
A user expresses concern about RSA storing face prints in CAS.	CAS does not store fingerprints or faceprints.
A user cannot reset the PIN used to view the RSA Authenticate OTP.	In certain situations, an iOS user must use device biometrics to reset the PIN. Instruct the user to set up biometrics, then tap View OTP on the home screen, and follow the instructions. In certain situations, an iOS user must first delete all accounts that require additional authentication to view the RSA Authenticate OTP, then complete registration again for those accounts. Instruct the user to do this. Then instruct the user to tap View OTP on the home screen, and follow the instructions.
A Windows user cannot create a Hello PIN when the app prompts the user to do so.	Windows Hello must be enabled to use Biometrics as a Windows authentication option. To confirm that Windows Hello is enabled, work with your IT group.
A Windows user is not receiving notifications for the Approve or Biometrics options.	If you want the user to receive notifications, ensure that the user's PC can contact the Windows Notification Service. For more information, see Cloud Access Service User System Requirements. If notifications cannot be enabled, instruct the user to open the app and pull down on the home screen to retrieve notifications.

General

Issue	Resolution
A user is not receiving push notifications.	Investigate these areas: Confirm that the user's device has internet connectivity. In the Cloud Administration Console, click Users > Management, navigate to the user's Authenticators page, and confirm that the device is listed and Active. Confirm that the user has enabled the app to receive push notifications. On iOS, confirm that Alert Style is not set to None. If notifications are disabled, instruct the user to either enable notifications or open the app and pull down on the home screen to retrieve any push notifications. Review the app logs for notification events.
An iOS user does not use Alert Notification Services (APNS) but needs to use the RSA Authenticator app.	An iOS user can disable RSA Authenticator app push notifications. For mobile authentication methods, the user must pull down on the app home screen to retrieve push notifications.
An Android user does not want the RSA Authenticator app to use push notifications.	The user can disable RSA Authenticator app notifications.
A user forgets the device that has RSA Authenticator app installed on it, and wants to access an application protected by RSA.	If the application is assigned an assurance level that can be satisfied with a non-mobile authentication method such as SecurID OTP or Passkey (FIDO), and if the user possesses one of those credentials, then the user can complete authentication.
A user lost the device that has the RSA Authenticator app installed on it.	In the Cloud Administration Console , delete the user's device. Another user in possession of the lost device might be able to authenticate to a protected application if that user knows the device owner's LDAP directory password.
A user mistakenly uninstalled the RSA Authenticator app.	Instruct the user to delete the device in My Page, or in the Cloud Administration Console , delete the user's device. Instruct the user to install the app and complete registration again.
A user performed a factory reset on a device and the RSA Authenticator app was deleted.	Instruct the user to delete the device in My Page, or in the Cloud Administration Console , delete the user's device. Instruct the user to install the app and complete registration again.
An Android user is connected to the internet but continues to see the following error message: Check your internet connection.	This error appears when the user is signed into a secure Wi-Fi network but has not yet entered the password. Instruct the user to enter the network password and then continue. Review the RSA Authenticator app logs for this event.
A user is prompted to accept the EULA or enter a User ID or Email Address and Company ID again after registration.	This can occur for the following reasons: You deleted the device from the Cloud Administration Console . As a result, the user must register the device again. On Android, the user cleared data for the app. As a result, the user must register the device again. The user uninstalled and reinstalled the app. As a result, the user must accept the EULA again. Review the RSA Authenticator app logs for this event.
More than one user wants to use the same device and same app.	A user cannot sign out of the app so that another user can sign into the app. On a Windows 10 desktop, multiple users can use the same machine as long as each user has a unique account and has completed registration with the RSA Authenticator app on that account.
A user experiences an issue with the app and needs troubleshooting help.	Review the app logs. Ask the user to send you the logs using these instructions. In the RSA Authenticator app, navigate to the More screen. Tap or click Send Logs. You can also use the Cloud Administration Console Event Monitor to troubleshoot user issues. Click Users > Event Monitor.
A user expresses concern about the app requesting permission to collect usage data using Google Analytics.	The RSA Authenticator app requests user permission to collect anonymous usage data to improve the app. A user allows or denys this request during the initial opening of the app. A user can also change this setting in the RSA Authenticator More screen. The user's selection for this setting does not impact the functionality of the app.
A user sees the "Device Not Compliant" message.	The RSA Authenticator app has detected the device as jailbroken or rooted. Instruct the user to restore the device. If the user reports that the device is not jailbroken or rooted, instruct the user to email you the logs for the device using the link in the message. Then provide these logs to RSA Customer Support.

Reference Materials

Troubleshooting Cloud Administration Console Issues

Troubleshooting Cloud Access Service Identity Source Synchronization

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change