Troubleshooting

This page displays all the error codes generated in the Employee Access Solution.

Overview

This document explains the processes used to troubleshoot the HYPR Workforce Access Client for Windows workstations. It shows how errors are returned with the HYPR Workstation. Underlying errors are captured in the log files for troubleshooting purposes. For end user and direct testing support, the application UI also generates error codes that can be used to identify a root cause.

Additional Registry Editor Values

The following table includes registry entries that can be used to control logging and troubleshooting. If running version 2.7 or earlier, a restart of the HYPR NT service is required for these to take effect.

Registry Key: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{C822931E-86C5-4482-85C1-049523A13A09}]

Value Name

Type

Description

msiexec Parameter

Certificate Revocation Timeout

REG_DWORD

Amount of time in milliseconds to wait before a certificate revocation list request fails.
The default value is 3000.

N/A

Certificate Template Timeout

REG_DWORD

Amount of time in milliseconds to wait before a certificate initialization from template request fails.
The default value is 30000.

N/A

HyprCPLogFile

REG_SZ

Sets the logging file name for the credential provider. Absolute file specification is required.

N/A

HyprKspLogFile

REG_SZ

Sets the logging file name for the key storage provider. Absolute file specification is required.

N/A

HyprLogLevel

REG_DWORD

Sets the logging level for the credential provider to one of the following:
0=NONE (no logging)
1=FATAL (only Fatal Errors)
2=ERROR (only Fatal and Error)
3=WARN (only Fatal, Error and Warning)
4=INFO (only Fatal, Error, Warning and Info)
5=DEBUG (only Fatal, Error, Warning, Info, Debug)
6=TRACE (only Fatal, Error, Warning, Info, Debug, Trace)

The default value is 4=INFO.

N/A

Log Level

REG_DWORD

Sets the logging level for the NT service to one of the following:
0=NONE (no logging)
1=FATAL (only Fatal Errors)
2=ERROR (only Fatal and Error)
3=WARN (only Fatal, Error and Warning)
4=INFO (only Fatal, Error, Warning and Info)
5=DEBUG (only Fatal, Error, Warning, Info, Debug)
6=TRACE (only Fatal, Error, Warning, Info, Debug, Trace)
The default value is 4=INFO.

N/A

Proxy Bypass

REG_SZ

Comma-delimited list of regular expressions used to to bypass the proxy server (e.g. [a-z]+.contoso.com$, 192.168.\d{1,3}.\d{1,3} The first bypasses the proxy for all servers in the contoso.com domain; the second bypasses the proxy for all services whose IP address begin with 192.168.).

HYPRPROXYBYPASS

Proxy Server

REG_SZ

The host-name and port for the proxy server (e.g, proxy.hypr.com:8080).

HYPRPROXYSERVER

Qr Code Url

REG_SZ

If the public facing relying party URL used by mobile devices is different than the URL used by workstations, this field is used to configure the public facing URL that is present in the QR code scanned by the mobile device during pairing.

HYPRQRCODEURL

Web Socket Default Retry Interval

REG_DWORD

Number of seconds to wait when a web socket failure occurs before retrying the connection.
The default value is 2.

HYPRWEBSOCKETDEFAULTRETRYINTERVAL

Web Socket Send Timeout

REG_DWORD

Amount of time in seconds to wait before a server request fails.
The default value is 5.

HYPRWEBSOCKETSENDTIMEOUT

Web Socket SSL Pinning Retry Interval

REG_DWORD

Number of seconds to wait before retrying, If an SSL pinning error has occurred.
The default value is 180.

HYPRWEBSOCKETSSLPINNINGRETRYINTERVAL

Log Files

Log is located under C:\Program Files\HYPR directory called HyprOneService

Error Codes

Errors codes are returned by the workstation application, and are visible to the end user. Further troubleshooting support is possible in conjunction with the log files produced by the workstation application.

All possible errors that HYPR Workstation returns can be found here.

Common Errors

Certificate Expiration

Error Cause

If RL for the Root CA is expired, users will not be able to authenticate with HYPR. The following error log could diagnose this.

Error Log

07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: performing online authentication
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateExpired - checking for expiration
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: [email protected]
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - checking for revocation
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_DumpCRLDistributionPoints: CRL Distribution Point - ldap:///CN=TESTDOMAIN%20DEV%20Issuing%20CA1,CN=ismicadv01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=testdev,DC=net?certificateRevocationList?base?objectClass=cRLDistributionPoint
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_DumpCRLDistributionPoints: CRL Distribution Point - http://crl.testdev.net/TESTDOMAIN%20DEV%20Issuing%20CA1.crl
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - calling CertVerifyRevocation
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - revocation check took 0 milliseconds
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_IsCertificateRevoked - revocation check failed (dwIndex=0, dwError=80092014, dwReason=00000000)
07-May-2020 10:06:23 - 804:3212 - KSPCertUtils_CheckUserAccount: unable to communicate with domain controller (dwStatus=1355)

Steps to resolve

Update the certificate and restart the environment.