Troubleshooting RSA MFA Agent for Microsoft AD FS
Applies To
RSA ID Plus
RSA SecurID
RSA Cloud Authentication Service (CAS)
RSA Authentication Manager (AM)
Issue
If the issue is occurring with a new or recently modified deployment, it is always prudent to double-check that the components are all configured correctly. Use the below documentation pages to find the setup/install/administration guides for your RSA product versions:
- RSA MFA Agent for AD FS Documentation
- RSA Authentication Manager Documentation
- Cloud Authentication Service Help - Table of Contents
- RSA ID Plus Documentation to find RSA authenticator documentation
General Microsoft AD FS troubleshooting information: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-overview
For assistance with suspected AD FS server issues or questions about the Microsoft articles referenced in this RSA KB, please contact Microsoft Support.
Resolution
The CAS steps below should be done if any part of the authentication is processed by the RSA Cloud Authentication Service.
The AM steps below should be done if any part of the authentication is processed by RSA Authentication Manager.
When using AM as a secure proxy for CAS, do both AM and CAS steps.
Use the links in the steps below for detailed instructions.
Note: It is vital that all logs collected cover the same timeframe as known authentication attempt(s) so that events can be accurately correlated between all components.
Basic Troubleshooting
Use the steps below to get started with troubleshooting:
1. Do authentication(s) that reproduce the issue. Capture screenshot(s) and/or video of error messages or incorrect behavior to explain the issue. Note the date, time (with time zone) and user id of each attempt.
2. CAS: from the Cloud Admin Console's User Event Monitor, select Include Verbose Logs. Capture screenshot(s) or "print to PDF" showing all events for the user around the time the issue was reproduced at step 1. If there are no events for the user around that time, capture all events around that time without filtering for the user (this should reveal the events for any "user not found" issue).
3. AM: from the Security Console, generate an Authentication Activity report for the user, covering the time frame of the attempt at step 1. If there are no events for the user around that time, generate the report for all users, so that the report includes events for any "user not found" issue.
4. Review the events captured in steps 2 and/or 3 to find root cause.
- CAS: If there are no events in the User Event Monitor around that time, it means the authentication did not reach the Cloud.
- AM: If there are no events in the Authentication Activity report around that time, it means the authentication did not reach AM.
5. If help is needed from RSA Support to find root cause, raise a Support case, and include:
- the date, time(s), time zone and user id(s) when the issue was reproduced at step 1
- a description of each authentication attempt at step 1 and the results of each
- the logs, screenshots, video, etc.
- names of the RSA products used, and their versions
Advanced Troubleshooting
Basic troubleshooting may indicate that detailed data is needed from some components for in-depth analysis. Follow the steps below to get any additional items you suspect may be useful to Support, based on what you know of the issue so far. Support may also later request some of these items. The high-level steps for advanced troubleshooting are:
A. Enable detailed logging
B. Reproduce the issue
C. Gather the required data to send to Support
D. Restore the original logging levels
Detailed instructions for those steps are below.
Step A: Enable Detailed Logging
MFA Agent Logs
On all AD FS server(s):
- Save a backup copy of the file C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\config\log4net.config to another folder.
- Edit file C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\config\log4net.config using any text editor, such as Notepad
- Search through the file for the line with "levelMin" in it. It should look like this:
<levelMin value="INFO" />
- Change INFO to DEBUG, so the line looks like this:
<levelMin value="DEBUG" />
- Save the changes
- Restart Microsoft Active Directory Federation Services (adfssrv). See section "Restart AD FS Services" in the RSA® MFA Agent for Microsoft AD FS Administrator's Guide for your MFA Agent version.
- Wait for AD FS to be running again before proceeding with the next step.
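The log4net change above, scripted for one AD FS server as an added example (this is not RSA's own tooling). It backs up the file, switches levelMin to DEBUG, restarts adfssrv and waits for it, and keeps a restore helper for Step D; the backup folder C:\RSA-Backup is an assumption, the config path is the default from this article. Run it from an elevated PowerShell session.

```powershell
# Added example, not RSA tooling: toggle the MFA Agent log4net level on this AD FS server.
# Run elevated. $ConfigPath is the default from the article; $BackupDir is an assumed location.
$ConfigPath = 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\config\log4net.config'
$BackupDir  = 'C:\RSA-Backup'   # assumed: any folder outside the agent's install tree will do

function Restart-AdfsAndWait {
    # Restart adfssrv and block until it reports Running again (last bullet of Step A).
    Restart-Service -Name adfssrv -Force
    (Get-Service -Name adfssrv).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
}

function Enable-RsaAdfsDebugLogging {
    # Step A: back up log4net.config, change <levelMin value="INFO"/> to DEBUG, restart AD FS.
    if (-not (Test-Path $BackupDir)) { New-Item -ItemType Directory -Path $BackupDir | Out-Null }
    $backup = Join-Path $BackupDir ('log4net.config.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')
    Copy-Item -Path $ConfigPath -Destination $backup          # the INFO-level original, needed for Step D

    [xml]$cfg = Get-Content -Path $ConfigPath -Raw           # edit as XML rather than by text search
    $node = $cfg.SelectSingleNode('//levelMin')
    if (-not $node) { throw "No <levelMin> element found in $ConfigPath" }
    Write-Host "levelMin: $($node.value) -> DEBUG (backup saved to $backup)"
    $node.SetAttribute('value', 'DEBUG')
    $cfg.Save($ConfigPath)
    Restart-AdfsAndWait
    return $backup
}

function Restore-RsaAdfsLogging {
    # Step D: put the backed-up file back over the edited one and restart AD FS again.
    param([Parameter(Mandatory)][string]$BackupFile)
    Copy-Item -Path $BackupFile -Destination $ConfigPath -Force
    Restart-AdfsAndWait
}

# Usage: $b = Enable-RsaAdfsDebugLogging; reproduce and collect (Steps B and C); Restore-RsaAdfsLogging $b
```

Repeat on every AD FS server in the farm; the returned backup path is what you pass to the restore function on that same server.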
CAS IDR Logs
On all IDRs, set the Identity Router Logging Level to Debug.
AM Logs
On the primary and all replicas, Configure Logging. Make a note of the current Trace Log level (so you can change it back later), then set Trace Log to Verbose.
RSA Authenticator app
Enable enhanced logging in the app. Follow the steps for your app's platform in the KB article How to capture enhanced RSA Authenticator app logs for troubleshooting purposes.
Microsoft AD FS Trace Log
On all AD FS servers: follow the steps in this Microsoft article to enable the Trace Log in AD FS: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#use-tracelog
Microsoft AD FS Auditing
On all AD FS servers: follow the steps in this Microsoft article to increase the Auditing level, making a note of the current Auditing level so it can be set back later: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#event-auditing-information-for-ad-fs-on-windows-server-2016
Microsoft AD FS Security Auditing
On all AD FS servers: follow the steps in this Microsoft article to enable Security Auditing: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#security-auditing
Microsoft Windows Communication Foundation and Windows Identity Foundation messages
On all AD FS servers: follow the steps in this Microsoft article to enable Windows Communication Foundation and Windows Identity Foundation messages: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#windows-communication-foundation-and-windows-identity-foundation-messages
Step B: Reproduce the issue
Do authentication(s) that reproduce the issue. Capture screenshot(s) and/or video of error messages or incorrect behavior to explain the issue. Note the date, time (with time zone) and user id of each attempt.
Step C: Gather the required data to send to Support
Authentication Attempt Details
From Step B, send the following to Support:
- the date, time(s), time zone and user id(s) when the issue was reproduced
- a description of each authentication attempt and the results of each
- the logs, screenshots, video, etc.
- names of the RSA products used, and their versions
MFA Agent Logs
On the AD FS server(s), save the c:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\logs folder and the files within it, to a .zip file.
Note: that is the default log file folder. If no log files are in that folder, check whether a custom folder location has been configured in the RSA MFA Agent configuration file at C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\config\log4net.config. Look for the file element in the configuration file.
The default file element is:
<file value="c:\\Program Files\\RSA\\RSA Authentication Agent\\AD FS MFA Adapter\\logs\\rsa_adfs.log" />
CAS: User Event Monitor
From the Cloud Admin Console's User Event Monitor, select Include Verbose Logs. Capture screenshot(s) or "print to PDF" showing all events for the user around the time the issue was reproduced at Step B. If there are no events for the user around that time, capture all events around that time without filtering for the user (this should reveal the events for any "user not found" issue). If there are still no events, tell Support.
AM: Authentication Activity Report
From the Security Console, generate an Authentication Activity report for the user, covering the time frame of the attempt at Step B. If there are no events for the user around that time, generate the report for all users, so that the report includes events for any "user not found" issue. If there are still no events, tell Support.
AM: Troubleshooting Logs
Follow the steps on the page Download Troubleshooting Files. In the Generate Files section, choose all file types. Choose a number of days for the System Log that at least covers the time since the last AM reboot. Don't forget to send Support the password set for each downloaded .zip file.
CAS IDR Logs
Follow the steps in the "Tasks" section of the KB How to obtain the bundle logs from an RSA Cloud Authentication Service Identity Router. This must be done on every IDR, except any embedded AM IDRs whose logs were downloaded as part of the AM Troubleshooting Logs above.
RSA Authenticator app
Follow the steps for your app's platform in the KB article How to capture enhanced RSA Authenticator app logs for troubleshooting purposes to send the app's log to an email address.
Microsoft AD FS Trace Log and Windows Communication Foundation and Windows Identity Foundation messages
- On all AD FS servers, to view the events, open Windows Event Viewer and navigate to Applications and Services Log > AD FS Tracing > Debug.
- To send the events to Support, save to file all events around the time of the authentication at Step B. Use CSV file format.
Microsoft AD FS Auditing and Security Auditing
- On all AD FS servers, to view the events, open Windows Event Viewer and navigate to Windows Logs > Security. AD FS audit events are the ones listed here: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#types-of-events.
- To send the events to Support, save to file all AD FS audit events around the time of the authentication at Step B. Use CSV file format.
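The Step C collection for one AD FS server, as an added example script (not RSA's or Microsoft's tooling). It reads the file element from log4net.config so a custom log folder is honoured, zips the agent logs, and exports the AD FS Tracing/Debug events and the AD FS audit events from the Security log for the Step B time window to CSV. The output folder C:\RSA-Support and the 'AD FS Auditing' provider name used to pick audit events out of the Security log are assumptions; run elevated so the Security log is readable.

```powershell
# Added example, not RSA or Microsoft tooling: gather the Step C items from this AD FS server.
# Run elevated. -From/-To bracket the Step B attempt in this server's local time.
param(
    [Parameter(Mandatory)][datetime]$From,
    [Parameter(Mandatory)][datetime]$To,
    [string]$OutDir = "C:\RSA-Support\$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # assumed location
)
$ConfigPath = 'C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\config\log4net.config'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$tag = $env:COMPUTERNAME   # one file set per farm member so Support can tell the servers apart

# 1. MFA Agent logs: take the folder from the <file> element rather than assuming the default path.
[xml]$cfg = Get-Content -Path $ConfigPath -Raw
$logFile = $cfg.SelectSingleNode('//file').value -replace '\\\\', '\'   # the config escapes '\' as '\\'
$logDir  = Split-Path -Path $logFile -Parent
if (-not (Get-ChildItem -Path $logDir -File -ErrorAction SilentlyContinue)) {
    Write-Warning "No log files in $logDir; check the <file> element and that Step A was applied"
}
Compress-Archive -Path (Join-Path $logDir '*') -DestinationPath (Join-Path $OutDir "$tag-mfa-agent-logs.zip") -Force

# 2. AD FS Trace Log and WCF/WIF messages (Applications and Services Logs > AD FS Tracing > Debug).
#    Debug/Analytic channels can only be read oldest-first, hence -Oldest. If the channel refuses to be
#    read while enabled, disable the Trace Log first (Step D) and rerun this part.
Get-WinEvent -Oldest -FilterHashtable @{ LogName = 'AD FS Tracing/Debug'; StartTime = $From; EndTime = $To } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, Message |
    Export-Csv -Path (Join-Path $OutDir "$tag-adfs-tracing.csv") -NoTypeInformation

# 3. AD FS Auditing and Security Auditing events (Windows Logs > Security), restricted to the window.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; StartTime = $From; EndTime = $To } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Export-Csv -Path (Join-Path $OutDir "$tag-adfs-audit.csv") -NoTypeInformation

Write-Host "Collected into $OutDir; zip that folder and send it with the Step B attempt details"
```

Save as a .ps1 and call it with e.g. `-From '2024-01-01 09:55' -To '2024-01-01 10:05'` (constructed times) on each AD FS server; the time window should match the timestamps you noted at Step B so the CSVs line up with the CAS and AM records.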
Step D: Restore the original logging levels
MFA Agent Logs
On all AD FS server(s):
- Copy the backed-up log4net.config file to its original location C:\Program Files\RSA\RSA Authentication Agent\AD FS MFA Adapter\config, overwriting the edited version.
- Restart Microsoft Active Directory Federation Services (adfssrv). See section "Restart AD FS Services" in the RSA® MFA Agent for Microsoft AD FS Administrator's Guide for your MFA Agent version.
CAS IDR Logs
On all IDRs, set the Identity Router Logging Level to Standard.
AM Logs
On the primary and all replicas, Configure Logging. Set Trace Log back to the previous logging level.
RSA Authenticator app
Disable enhanced logging in the app. Reverse the change for your app's platform in the KB article How to capture enhanced RSA Authenticator app logs for troubleshooting purposes.
Microsoft AD FS Trace Log
On all AD FS servers: reverse the steps in this Microsoft article to disable the Trace Log in AD FS: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#use-tracelog
Microsoft AD FS Auditing
On all AD FS servers: reverse the change in this Microsoft article to restore the original Auditing level: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#event-auditing-information-for-ad-fs-on-windows-server-2016
Microsoft AD FS Security Auditing
On all AD FS servers: reverse the change in this Microsoft article to disable Security Auditing: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#security-auditing
Microsoft Windows Communication Foundation and Windows Identity Foundation messages
On all AD FS servers: reverse the change in this Microsoft article to disable Windows Communication Foundation and Windows Identity Foundation messages: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging#windows-communication-foundation-and-windows-identity-foundation-messages