Imprivata: OneSign Could Not Authenticate You

“OneSign could not authenticate you” is a rather generic error that can be the result of any number of different discrepancies. There are specific workflows that can cause it to appear even when everything is configured appropriately on the back-end, and there are several reasons that a user might encounter it aside from these. Unfortunately, Imprivata does not offer more specific error codes that you might identify the root of the problem with any ease. Sifting through logs has a tendency to be as confusing as clarifying, so I thought I’d put together a more concrete guide to troubleshooting this problem.

Is it only happening for one particular user?

By far the most common problem is that a user simply does not exist in the OneSign database. That you bothered to Google this problem leads me to believe you have already checked this, but none of the more advanced troubleshooting matters if this condition is not met. Ensure both that the user exists in OneSign by doing a search on the Users, Computers, and Domains tab and that he or she has an Enabled status. If you have instructed Imprivata to use directory status, you will need to confirm that the account is enabled in AD. Otherwise, ensure the user has not been manually disabled by another administrator.

If the user exists in OneSign and has an Enabled status, the next thing to ask is…

Are you out of licenses?

Open up the OneSign Administrator and look at the Properties tab. Scroll down until you see how many licenses you have available. If you’ve hit your limit, OneSign will begin locking people out of their desktops and you will need to free up licenses or purchase more as soon as possible (probably both).

Is it only happening on a particular device or group of devices?

This is one of those things where OneSign could probably give you more information, but doesn’t. Ensure first that the device is on the domain and has connectivity to the appliance. If the device has, for one reason or another, entered into offline mode and stored cached credentials for a user who has changed his password since they were stored: “OneSign could not authenticate you.”

If you are using devices that are not on the domain, check the Authentication tab of the computer policy for these devices in the OneSign Administrator. Scroll down until you see a radio button for “Authenticate with OneSign” and ensure it is selected. This will allow machines not on the domain (and which can reach the appliance despite that) to authenticate users without ever having to hit a domain controller.

Are you using a zero client?

The first thing to keep in mind when using the Imprivata bootstrapping on a zero client is that you don’t have some of the luxuries you might have on a thin- or fat client. That is, with a Windows back-end, you would be able to have a user authenticate through AD even if they didn’t exist in the OneSign database. They will be granted access to a desktop and simply have a disabled agent (the tray icon will be gray with a red X over it). They could then get any VDI desktop to which they were entitled.

This is not the case with a zero client. It will not bypass to Active Directory if Imprivata cannot authenticate them, so having a virtual desktop entitlement is insufficient to grant them access from these devices. There is not a way around it–you either have to disable the Imprivata bootstrapping for all users on that device, or spend the licenses on any user that will be touching it.

Ensure that the Imprivata is configured to accept the device’s authentication type. Go to the OneSign Administrator and look at the ProveID subtab of the Properties section. You will see a series of checkboxes–if you see any unchecked boxes, check them off and confirm whether this fixes your problem. If not, return them to their unchecked state afterward.

Does this only happen during a password change?

That is, are you only seeing it when users attempt to change passwords? I have another post about Password Reset Troubleshooting that might address more specifically what you came here for.

Does this only happen during proximity card enrollment?

I had this problem specifically on the Wyse Xenith 2, but it could conceivably exist elsewhere. If you only see this message when you are enrolling a card, see this post instead.

I hope one of these was able to answer your question directly, and if not, I hope it added to some brainstorming. In all honesty, there are a ton of different ways to get Imprivata to throw this error, and I do not doubt I have missed some. Feel free to leave a comment if I’ve been unhelpful here so far.

4 thoughts on “Imprivata: OneSign Could Not Authenticate You

  1. LO

    If the user has certain special characters in their password (like an ampersand), this will also produce the error. This has only applied to Xenith devices in my experience. This has been an issue on firmware 2.0_104 and 2.0_105 (possibly even before then) but is scheduled to be fixed in the next firmware that will be released by Dell Wyse later this month. Incorrect VDA settings could also cause the error as well. Great blog, thanks for sharing your knowledge!

    Reply
  2. Andreas

    When I use card reader on a Wyse Xenith 2 with the embedded agent, Imprivata returns the FQDN domain name instead of the NETBIOS name, which seems to fail.

    Same policy on a standard Kiosk desktop works fine

    Have you encountered that behaviour ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *