Workstation Troubleshooting

HYPR Workforce Access Client

Windows

This page explains how to troubleshoot the HYPR Workforce Access Client for Windows and shows how underlying errors are captured in the log files. For end user and direct testing support, the application UI also generates error codes that can be used to identify a root cause.

Log File Location

Logs are located under the C:\Program Files\HYPR\Log directory.

Relevant Registry Entries

The Windows Registry keys for the HYPR Workforce Access Client are stored at the following location:

HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access

The following HYPR registry values control logging and troubleshooting:

Value NameTypeDescriptionmsiexec Parameter
Certificate Revocation TimeoutREG_DWORDAmount of time in milliseconds to wait before a certificate revocation list request fails. The default value is 3000.N/A
Certificate Template TimeoutREG_DWORDAmount of time in milliseconds to wait before a certificate initialization from template request fails. The default value is 30000.N/A
HyprCPLogFileREG_SZSets the logging file name for the credential provider.N/A
HyprKspLogFileREG_SZSets the logging file name for the key storage provider.N/A
Log LevelREG_DWORDSets the logging level for the NT service to one of the following:
0=NONE (no logging)
1=FATAL (only Fatal Errors)
2=ERROR (only Fatal and Error)
3=WARN (only Fatal, Error and Warning)
4=INFO (only Fatal, Error, Warning and Info)
5=DEBUG (only Fatal, Error, Warning, Info, Debug)
6=TRACE (only Fatal, Error, Warning, Info, Debug, Trace)
The default value is 4=INFO.
N/A
Proxy BypassREG_SZComma-delimited list of regular expressions used to to bypass the proxy server (e.g. [a-z]+.contoso.com$, 192.168.\d{1,3}.\d{1,3} The first bypasses the proxy for all servers in the contoso.com domain; the second bypasses the proxy for all services whose IP address begin with 192.168.).HYPRPROXYBYPASS
Proxy ServerREG_SZThe host-name and port for the proxy server (e.g, proxy.hypr.com:8080). HYPRPROXYSERVER
Web Socket Default Retry IntervalREG_DWORDNumber of seconds to wait when a web socket failure occurs before retrying the connection. The default value is 2.HYPRWEBSOCKETDEFAULTRETRYINTERVAL
Web Socket Send TimeoutREG_DWORDAmount of time in seconds to wait before a server request fails. The default value is 5.HYPRWEBSOCKETSENDTIMEOUT
Web Socket SSL Pinning Retry IntervalREG_DWORDNumber of seconds to wait before retrying if an SSL pinning error has occurred. The default value is 180.HYPRWEBSOCKETSSLPINNINGRETRYINTERVAL

Error Codes

Most error codes returned by the HYPR Workforce Access Client are visible to the end user via the application UI. Further troubleshooting support is possible in conjunction with the log files produced by the workstation application.

A list of possible errors can be found here.

Common Errors

Certificate Expiration

Error Cause

If RL for the Root CA is expired, users will not be able to authenticate with HYPR. The following error log could diagnose this.

Error Log

07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: performing online authentication
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateExpired - checking for expiration
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: [email protected]
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - checking for revocation
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_DumpCRLDistributionPoints: CRL Distribution Point - ldap:///CN=TESTDOMAIN%20DEV%20Issuing%20CA1,CN=ismicadv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdev,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_DumpCRLDistributionPoints: CRL Distribution Point - http://crl.testdev.net/TESTDOMAIN%20DEV%20Issuing%20CA1.crl
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - calling CertVerifyRevocation
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - revocation check took 0 milliseconds
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - revocation check failed (dwIndex=0, dwError=80092014, dwReason=00000000)
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: unable to communicate with domain controller (dwStatus=1355)

Resolution

Update the certificate and restart the environment.

Mac

Application Components

  • Launch daemon installed into /Library/HYPR/HyprOneService.bundle
  • Registration application installed into /Applications/HyprUnlock.app
  • PAM module installed into /Library/HYPR/HyprPam.so and configured in /etc/pam.d/authorization
  • Auth plugin installed into /Library/Security/SecurityAgentPlugins/HyprAuthPlugin.bundle

Logs

Log files are located in the /Library/Logs folder.

  • HyprOneService writes a log files to /Library/Logs/HYPR/HyprOneService.log and /Library/Logs/HYPR/HyprOneAgent.log
  • HyprPam.so writes a log file to /Library/Logs/HYPR/HyprPam.log
  • HyprAuthPlugin writes a log file to /Library/Logs/HYPR/HyprAuthPlugin.log

Application System Process

The background HyprOneService launch daemon can be controlled
with the following commands.

📘

Note

/Library/LaunchDaemons/ is in the /root directory.

Stop

sudo launchctl unload /Library/LaunchDaemons/com.hypr.login.plist

Launch

sudo launchctl load /Library/LaunchDaemons/com.hypr.login.plist