Workstation Troubleshooting
HYPR Passwordless
Windows
This page explains how to troubleshoot the HYPR Workforce Access Client for Windows and shows how underlying errors are captured in the log files. For end user and direct testing support, the application UI also generates error codes that can be used to identify a root cause.
Log File Location
Logs are located under the C:\Program Files\HYPR\Log directory.
Relevant Registry Entries
The Windows Registry keys for the HYPR Workforce Access Client are stored at the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\HYPR Workforce Access
The following HYPR registry values control logging and troubleshooting:
| Value Name | Type | Description | msiexec Parameter |
|---|---|---|---|
Certificate Revocation Timeout | REG_DWORD | Amount of time in milliseconds to wait before a certificate revocation list request fails. The default value is 3000. | N/A |
Certificate Template Timeout | REG_DWORD | Amount of time in milliseconds to wait before a certificate initialization from template request fails. The default value is 30000. | N/A |
HyprCPLogFile | REG_SZ | Sets the logging file name for the credential provider. | N/A |
HyprKspLogFile | REG_SZ | Sets the logging file name for the key storage provider. | N/A |
Log Level | REG_DWORD | Sets the logging level for the NT service to one of the following:0=NONE (no logging)1=FATAL (only Fatal Errors)2=ERROR (only Fatal and Error)3=WARN (only Fatal, Error and Warning)4=INFO (only Fatal, Error, Warning and Info)5=DEBUG (only Fatal, Error, Warning, Info, Debug)6=TRACE (only Fatal, Error, Warning, Info, Debug, Trace)The default value is 4=INFO. | N/A |
Proxy Bypass | REG_SZ | Comma-delimited list of regular expressions used to to bypass the proxy server (e.g. [a-z]+.contoso.com$, 192.168.\d{1,3}.\d{1,3} The first bypasses the proxy for all servers in the contoso.com domain; the second bypasses the proxy for all services whose IP address begin with 192.168.). | HYPRPROXYBYPASS |
Proxy Server | REG_SZ | The host-name and port for the proxy server (e.g, proxy.hypr.com:8080). | HYPRPROXYSERVER |
Web Socket Default Retry Interval | REG_DWORD | Number of seconds to wait when a web socket failure occurs before retrying the connection. The default value is 2. | HYPRWEBSOCKETDEFAULTRETRYINTERVAL |
Web Socket Send Timeout | REG_DWORD | Amount of time in seconds to wait before a server request fails. The default value is 5. | HYPRWEBSOCKETSENDTIMEOUT |
Web Socket SSL Pinning Retry Interval | REG_DWORD | Number of seconds to wait before retrying if an SSL pinning error has occurred. The default value is 180. | HYPRWEBSOCKETSSLPINNINGRETRYINTERVAL |
Error Codes
Most error codes returned by the HYPR Workforce Access Client are visible to the end user via the application UI. Further troubleshooting support is possible in conjunction with the log files produced by the workstation application.
A list of possible errors can be found here.
Common Errors
Certificate Expiration
Error Cause
If RL for the Root CA is expired, users will not be able to authenticate with HYPR. The following error log could diagnose this.
Error Log
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: performing online authentication
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateExpired - checking for expiration
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: [email protected]
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - checking for revocation
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_DumpCRLDistributionPoints: CRL Distribution Point - ldap:///CN=TESTDOMAIN%20DEV%20Issuing%20CA1,CN=ismicadv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdev,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_DumpCRLDistributionPoints: CRL Distribution Point - http://crl.testdev.net/TESTDOMAIN%20DEV%20Issuing%20CA1.crl
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - calling CertVerifyRevocation
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - revocation check took 0 milliseconds
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - revocation check failed (dwIndex=0, dwError=80092014, dwReason=00000000)
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: unable to communicate with domain controller (dwStatus=1355)
Resolution
Update the certificate and restart the environment.
Mac
Application Components
- Launch daemon installed into
/Library/HYPR/HyprOneService.bundle - Registration application installed into
/Applications/HyprUnlock.app - PAM module installed into
/Library/HYPR/HyprPam.soand configured in/etc/pam.d/authorization - Auth plugin installed into
/Library/Security/SecurityAgentPlugins/HyprAuthPlugin.bundle
Logs
Log files are located in the /Library/Logs folder.
HyprOneServicewrites a log files to/Library/Logs/HYPR/HyprOneService.logand/Library/Logs/HYPR/HyprOneAgent.logHyprPam.sowrites a log file to/Library/Logs/HYPR/HyprPam.logHyprAuthPluginwrites a log file to/Library/Logs/HYPR/HyprAuthPlugin.log
Application System Process
The background HyprOneService launch daemon can be controlled
with the following commands.
Note
/Library/LaunchDaemons/is in the/rootdirectory.
Stop
sudo launchctl unload /Library/LaunchDaemons/com.hypr.login.plist
Launch
sudo launchctl load /Library/LaunchDaemons/com.hypr.login.plist
Updated 3 months ago