Troubleshooting Multi-Factor Authentication

Because multi-factor authentication for IBM Security-managed computers relies on the infrastructure of the Privileged Access Service, troubleshooting the configuration of your environment and potential connectivity issues can be challenging. To help you test and verify the proper configuration of an integrated environment, IBM Security provides several diagnostic tools.

The following IBM Security diagnostic tools are available on Windows computers:

  • Diagnostics Tool. The diagnostics tool is available through the Agent Configuration service, and is described in Viewing Windows diagnostics.
  • Privilege Elevation Service Diagnostic Information panel (formerly the DirectAuthorize Agent Control Panel). The information panel is available from the Agent Configuration service, and is described in the Administrator’s Guide for Windows.
  • The dzdiag command. The command is available from the Windows command prompt, and is described in the Administrator’s Guide for Windows.

The following diagnostic tool is available on UNIX and Linux computers:

  • The adcdiag program. The program is available from the UNIX or Linux command line, and is described in Viewing UNIX and Linux diagnostics.

Viewing Windows Diagnostics

The Verify Privilege Server Suite Agent for Windows provides logging and diagnostic services. If you have administrative access on a local computer, you can generate diagnostic information about the operation of the agent for Windows and view and save the current content of the log file from the agent configuration panel. For example, you can generate diagnostic information about user sessions, user roles, desktops, and elevated account access, as well as detailed information about auditing from the agent configuration panel.

There are three different types of diagnostics information available:

  • Centrify Audit & Monitoring Service provides the diagnostic information related to the auditing and monitoring service.
  • Centrify Identity Platform provides the diagnostic information related to Privileged Access Service, such as for MFA. This diagnostics tool runs the following tests:

    • Agent Service Connectivity Check: Checks to see if the agent is in service, and if the agent is running in a normal state. Also determines whether the agent is in a zone, or is configured to use zoneless mode.
    • Centrify Connector Connectivity Check: Determines whether all connectors in the network can be connected properly.
    • Centrify Identity Platform Certificate Validation Check: Checks whether the certificates (IWA and cloud) have been installed properly. Also determines whether the agent can be connected without a trusted certificate problem.
    • Centrify Identity Platform Connectivity Check: Determines whether a connection to the cloud tenant is functional. Checks for problems with DNS, the firewall, and proxy server settings.
    • MFA Configuration Check: Determines whether the local computer has been configured properly. If the computer is in a zone, the test also checks whether MFA complies with the configuration defined in the zone.
    • MFA Role and Permission Check: Verifies whether role permissions are set properly in the Privileged Access Service Admin Portal.
    • Offline MFA Provisioning Check: Determines if the computer has been configured with an offline MFA profile or not.
  • Centrify Privilege Elevation Service provides the diagnostic information related to privilege management.

You can view these diagnostics tools either from the Windows system tray or from the agent configuration panel.

For more details, see the Administrator’s Guide for Windows.

To view diagnostics from the Windows system tray:

  1. Log on to a computer where the Agent for Windows is installed.
  2. In the Windows system tray, right-click the Centrify icon and click Troubleshooting, then select the service for which you want to view diagnostic information (your options may vary depending on what services are enabled on the computer):

    • Centrify Audit & Monitoring Service opens a dialog box with a text-based summary of diagnostic auditing and monitoring information.
    • Centrify Identity Platform runs a series of connectivity tests and lists out the results of each test.
    • Centrify Privilege Elevation Service opens a dialog box with a text-based summary of diagnostic privilege elevation information.

To generate diagnostics or view the log file from the agent configuration panel:

  1. Log on to a computer where the Agent for Windows is installed.
  2. In the list of applications on the Windows Start menu, click Agent Configuration to open the agent configuration panel.
  3. Select the service for which you want to view information:

    • Centrify Audit & Monitoring Service opens a dialog box with a text-based summary of diagnostic auditing and monitoring information.
    • Centrify Identity Platform runs a series of connectivity tests and lists out the results of each test.
    • Centrify Privilege Elevation Service opens a dialog box with a text-based summary of diagnostic privilege elevation information.
  4. Click Settings.
  5. Click the Troubleshooting tab.
  6. Click Diagnostics to generate diagnostic information.
  7. Select the Diagnostic Information displayed, right-click, then select Copy to copy and paste the output to a file for further analysis.
  8. Click View Log to display the current log file for the local agent.
  9. Click Options to see or change the location of the log file or the level of detail recorded in the log file.

View UNIX and Linux Diagnostics

The adcdiag program performs a set of tests to check for access to an IBM Security server authentication instance, the availability of one or more connectors, whether the computer is joined to an Active Directory domain, and whether the connector you are attempting to use is configured to use integrated Windows authentication.

To perform the set of tests to verify a UNIX or Linux computer can be configured to use multi-factor authentication, run the following command:

/usr/share/centrifydc/bin/adcdiag

By default, the command displays the test results in standard output (stdout) and generates a diagnostic report in the /var/centrify/tmp directory with a dated time stamp similar to the following:

adcdiagCheckingReport_20160307_151128.log

If any of the tests return errors or warnings, check the diagnostic report for additional information, including suggestions for resolving the issues found. For details about the command-line options available for the adcdiag command, see the man page for the command.
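As an added example (not part of the IBM Security documentation), the following POSIX shell helpers pick the newest adcdiag report in /var/centrify/tmp by the date stamp in its file name and summarise it for triage. It assumes that report lines flagging problems contain the words "WARNING" or "ERROR"; the report's exact wording is not given on this page, so adjust the patterns to what your reports contain.

```shell
#!/bin/sh
# Added example: find and triage the newest adcdiag report.
# Assumption (not confirmed by the page): problem lines in the report
# contain "WARNING" or "ERROR" (matched case-insensitively).

REPORT_DIR="/var/centrify/tmp"

# Newest report: the file name embeds YYYYMMDD_HHMMSS, so a plain
# lexical sort puts the most recent report last.
latest_adcdiag_report() {
    dir="${1:-$REPORT_DIR}"
    ls "$dir"/adcdiagCheckingReport_*.log 2>/dev/null | sort | tail -n 1
}

# Print warning/error counts for a report and return a status:
# 0 = clean, 1 = warnings only, 2 = at least one error, 3 = unreadable.
adcdiag_report_status() {
    report="$1"
    if [ ! -r "$report" ]; then
        echo "no readable report: $report" >&2
        return 3
    fi
    errors=$(grep -c -i 'error' "$report" || true)
    warnings=$(grep -c -i 'warning' "$report" || true)
    echo "report: $report  errors: $errors  warnings: $warnings"
    if [ "$errors" -gt 0 ]; then
        grep -n -i 'error' "$report"   # show the failing lines with numbers
        return 2
    fi
    if [ "$warnings" -gt 0 ]; then
        return 1
    fi
    return 0
}

# Typical use after running the diagnostics (uncomment on an agent host):
# /usr/share/centrifydc/bin/adcdiag
# adcdiag_report_status "$(latest_adcdiag_report)"
```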

Address Certificate Errors

Depending on how your Windows environment is set up, you may have to specify a trusted host certificate in order to enable multi-factor authentication. If you do not do this, you will see an error message during installation and configuration.

In a production environment, it is strongly recommended that you specify an existing trusted host certificate from a known third-party certificate authority, such as GoDaddy or Verisign. Using a self-signed certificate in a production environment can leave your environment vulnerable to security breaches.

For details about importing a trusted host certificate, see To import the certificate manually to a local Windows computer.

Manage Passwords

Privileged Access Service cannot manage the password for a user account if multi-factor authentication is required for that user to log in. You can still add such an account to a PAS resource (with “Manage this password” unchecked) and log in from PAS. However, the status may show as “Failed” because of a system delay. If the operation succeeds, no status is shown for this user.

Troubleshoot Login Issues

If you have installed the agent and enabled the privilege elevation service and users can't log in for some reason, try to log in to the agent system in either Windows Safe mode or rescue mode.

We also recommend that you assign some users to the "Rescue - always permit login" role; that way, they can still log in even if the agent providing MFA isn't working for some reason. For details, see Configuring offline multi-factor authentication and rescue users.