User login fails
Overview
A user login can fail for a number of reasons. This document outlines the steps that can be taken to diagnose and resolve such issues.
Prerequisites
Swivel 3.x
Symptoms
User cannot log in using Swivel credentials
The following error message may be seen:
An error occured, please check your credentials. If the error persists contact your Swivel Administrator.
Solution
Check the Swivel and Tomcat logs
Has a Single Channel Session Request message been seen in the Swivel log? (This would indicate that the request for an image has reached the Swivel server).
Check the access device logs. Is a login attempt seen?
Is the account locked?
Does the user exist? Has the user been added to Swivel?
Is the SAM account name or the FQDN name being used? Has the system tried to add that username when it already exists? See Duplicate Names.
Is the user entering a PIN instead of an OTC? Does the user have the wrong PIN?
Is the username case sensitive? (logs may indicate user with differing capitalisation does not exist)
Is another authentication element, such as the AD password, failing, either on the access device or the Swivel password if used?
Does the user have a valid security string (single, dual, Mobile Phone Client or swivlet)?
Has a password (accidentally?) been set for the user? Try manually setting a blank password.
Has "check password with repository" been set for the user?
Has the RADIUS shared secret been set incorrectly? Re-enter the shared secret. See AGENT ERROR BAD OTC.
Has the single channel image or on-demand SMS timed out (default 120 seconds)? See Session Cleanup.
If using Swivel 3.5.2989, check Auto_Reset_manually_disabling.
Is ChangePIN on first login set? (It will allow the first login, but not subsequent logins)
Does the user receive a new security string by email or SMS? (This would indicate that a dual channel login was made and no single channel session request was made.)
Was a single channel image session started? A single channel session takes precedence over dual channel and, once started, will expect a single channel login until it times out (default 120 seconds). See Session Cleanup.
Are Swivel and Tomcat running? See Tomcat problems.
Are there outstanding security strings in an SMS or email? Where multiple security strings are used, Swivel expects the next one in the sequence. To verify that the correct one is used, enter the OTC together with the security string index, in the form OTC-Security String Index. Example: 4387-02
Has the user attempted to re-enter a used OTC?
When using the TURing single channel images, Mozilla Firefox may request an authentication image and then another image as an icon, the latter icon image being the valid image for authentication. Icon image requests can be turned off in the browser by typing about:config in the URL bar, searching for icon, and setting browser.chrome.site.icons to disabled.
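Several of the log checks above can be run in one pass over a log extract. The script below is an added example, not Swivel code: the log line layout, the "Login failed" text and the sample lines are constructed assumptions, so adjust the patterns to match what your Swivel log actually records.

```python
import re
from datetime import datetime, timedelta

SESSION_TIMEOUT = timedelta(seconds=120)  # default session timeout stated on this page

# Constructed sample lines; a real Swivel log may use a different layout.
SAMPLE_LOG = """\
2024-05-01 09:00:00 INFO Single Channel Session Request for user: jsmith
2024-05-01 09:02:30 WARN Login failed for user: jsmith
2024-05-01 09:05:00 WARN Login failed for user: JSmith, user does not exist
2024-05-01 09:06:00 ERROR AGENT_ERROR_BAD_OTC from agent vpn01
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ (.*)$")  # assumed layout
USER = re.compile(r"user: (\w+)")                                   # assumed layout
BAD_OTC = re.compile(r"AGENT[ _]ERROR[ _]BAD[ _]OTC")

def triage(log_text, username):
    """Map the log checks in the checklist to findings for one username."""
    findings = {"session_requested": False, "login_after_timeout": False,
                "case_variants": set(), "bad_otc_agent_error": False}
    last_request = None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        msg = m.group(2)
        if BAD_OTC.search(msg):          # points at the RADIUS shared secret check
            findings["bad_otc_agent_error"] = True
        u = USER.search(msg)
        if not u:
            continue
        name = u.group(1)
        if name != username:
            if name.lower() == username.lower():   # same name, different capitalisation
                findings["case_variants"].add(name)
            continue
        if "Single Channel Session Request" in msg:
            findings["session_requested"] = True
            last_request = when
        elif "Login failed" in msg and last_request is not None:
            # A login attempted after the session timed out will fail.
            if when - last_request > SESSION_TIMEOUT:
                findings["login_after_timeout"] = True
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "jsmith"))
```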