Muestra final: Mi experiencia Composición final.

• General Troubleshooting Tips • User and Token-Related Resolutions • System-Related Resolutions

Common Problems and Resolutions

The following table lists common problems, their possible causes, and the

corresponding resolutions. Topics are broken down into these categories: user and token-related, system-related, and identity source or LDAP.

Problem Possible Cause Resolution

User and Token-Related User cannot authenticate or user is getting an access denied message.

User is locked out of Authentication Manager for violating the lockout policy.

Assisting Users Who Have Been Locked Out of the System on page 74. User did not violate the

Authentication Manager lockout policy, but did violate the external identity source lockout policy (for example, an Active Directory lockout policy).

Check the identity source policy, and unlock the user in the identity source if

necessary.

Token is out of sync with Authentication Manager.

Resynchronizing Tokens on page 81.

Token has expired. Note: If the token has expired, you see a log message in the audit log.

Assign a new token, and provide emergency access if necessary. See Providing Emergency Access on page 159.

Note: To avoid having users with expired tokens, schedule a recurring report that shows tokens close to expiration. Be proactive and replace tokens before they expire.

The firewall is not configured properly or the appropriate ports are not open.

Assessing the Impact of Firewalls on

RSA Authentication Manager on page 157.

IP name resolution or agent host name is entered incorrectly.

Name and IP Address Resolution in

RSA Authentication Manager on page 162.

The agent configuration file is corrupt or invalid.

Updating an Agent Configuration File on page 164.

Authentication Manager is out of sync with Coordinated Universal Time (UTC). Note: If Authentication Manager is out of sync with UTC, all of the users are unable to authenticate.

Resynchronizing

RSA Authentication Manager with Coordinated Universal Time on page 163.

User is being prompted to enter a second tokencode.

User has violated the token policy and incorrect passcodes must be cleared.

Clearing Incorrect Passcodes on page 83.

Token is out of sync with Authentication Manager.

Resynchronizing Tokens on page 81.

Authentication Manager is out of sync with Coordinated Universal Time (UTC). Note: If Authentication Manager is out of sync with UTC, all of the users are prompted to enter a second tokencode or are unable to authenticate. The behavior they experience is based on the time discrepancy.

Resynchronizing

RSA Authentication Manager with Coordinated Universal Time on page 163.

User is being prompted to create a new PIN.

PIN has been cleared. Instruct user how to create a new PIN.

User has a new token. Instruct user how to create a PIN.

System-Related Authentication Manager does not start.

When Authentication Manager does not start, you may get a start-up error message telling you that the service failed to start.

The Authentication Manager server may fail to start for a variety of reasons (for example, minimum system requirements not met).

RSA Authentication Manager Does Not Start on page 161.

“Unable to start

Authentication Manager” message and log displays “Reached EOF” message in the Managed Server Log.

Minimum system

requirements not met or the system was running other services.

Making Sure the

RSA Authentication Manager Machine Meets Minimum System Requirements on page 153.

Make sure CPU-intensive services are not running on the Authentication Manager server.

RSA Security Console does not start.

The RSA Security Console may fail to start for a variety of reasons. For example: • The URL is incorrect. • Service start-up has been

initiated, but the service has not been given the appropriate amount of time to complete the start-up process. In this case, either the message “page cannot be displayed” appears, or you get a message that the backend servers are unavailable.

Allow at least five minutes for the service to start.

RSA Security Console Does Not Start on page 161.

RSA Security Console does not start and browser displays a blank screen.

Browser is not configured properly.

Configuring Browser Settings for the RSA Security Console on page 156.

The Microsoft Management Console snap-in does not start.

The Microsoft Management Console may fail to start for a variety of reasons. For example:

• IP address or name resolution issue

• Network connectivity issue

RSA Authentication Manager Microsoft Management Console Snap-in Does Not Start on page 161.

Authentication Manager is very slow or poor

performance.

Minimum system requirements are not met.

Making Sure the

RSA Authentication Manager Machine Meets Minimum System Requirements on page 153.

Disk space is low or filling quickly.

The system logs need to be archived, the time between archives is too long, or both.

Change the log archiving settings. See “Log Archival Utility” on page 185. Additional logging or tracing

has been enabled.

Be careful when configuring instance logging, as large logs take up a lot of disk space. The default values should be sufficient.

Lower-level security domains do not have the parent domain attributes.

Lower-level security domains do not inherit attributes from parents.

As designed.

Cannot read the trace file. The trace file is obfuscated. Call RSA Customer Support.

“Error 404 - Not Found” encountered while accessing the Security Console after running the Manage Nodes utility.

Did not restart

Authentication Manager services after server node removal.

Restart the Authentication Manager services after removing a server node using the Manage Nodes utility. When you enable or disable

the Authentication Agent auto-registration feature, the change is not reflected when you view the Security Console on a replica instance.

Outdated information is stored in the system cache.

Run the Flush Cache utility.

When you enable or disable the automatic deletion of replaced tokens feature, the change is not reflected when you view the Security Console on a replica instance.

Outdated information is stored in the system cache.

Run the Flush Cache utility.

Identity Source or LDAP Users added using the directory console (for example, Active Directory) are not visible through the Security Console.

The new information does not immediately display in the Security Console because of the cache layer.

The information displays in the Security Console after a short delay.

LDAP queries are failing after primary directory server failover.

When configured for failover, the system does not switch back to the primary directory server after failover, even if the primary is restored.

Therefore, if the secondary directory server fails after the primary directory server is restored, the system does not attempt to access the primary directory server, causing queries to fail.

Restart the application server to switch back to the primary directory server.

To avoid future service interruptions, restart the application server as soon as the primary directory server becomes operational.