4 Troubleshooting
This section contains troubleshooting information and frequently asked questions related to working with FIDO authenticators.
-
I requested a FIDO token, but there are no notifications
Check your email SMTP server settings in the External Systems workflow; see the Setting up email section in the Advanced Configuration Guide.
Check that the person has an email address stored in MyID. If you are using SMS to distribute the registration codes, check that the person also has a cell/mobile number set up.
In Windows Services, check that both the MyID Notifications Service and eCertificate Services Server are running.
-
I requested a FIDO token and one notification arrives instantly but the other notification takes longer to arrive
The two notifications are sent by different processes on the MyID server (one through the MyID Notifications Service and the other through the eCertificate Services Server) so the notifications may arrive on slightly different schedules depending on the polling time of the services.
-
The link in the registration email does not work
If the link does not start with https://<your server name>, check that the URL path option is set; see section 2.1, Setting the configuration options.
Note: This link must be an https address.
-
My FIDO registration code is not accepted
Make sure that the Allow Logon Codes option is set; see section 2.1, Setting the configuration options.
Make sure that the person has permission to the Register FIDO Security Key option in Edit Roles, and that the role has the Password logon mechanism; see section 2.6, Configuring roles for registering FIDO authenticators.
-
My FIDO registration code was accepted, but I get error OA10009
Check that your browser and authenticator support the FIDO2 Web Authentication (WebAuthn) standard.
For more information about browsers, operating systems, and authenticators that support this, see:
fidoalliance.org/fido2/fido2-web-authentication-webauthn/
Check that the FIDO credential profile is compatible with the type of FIDO authenticator you want to use; not all FIDO authenticators support all FIDO features.
-
When registering, I get error OA10017 – a problem accessing the FIDO metadata
Make sure that the web server has access to the Internet, and there is no firewall preventing access to the FIDO metadata service; for example, make sure you can access the mds.fidoalliance.org domain. (This domain is controlled by the FIDO Alliance, and may be subject to change.)
-
I want to supply my own metadata, as the authenticator I used is not on the FIDO metadata service, or I want to restrict issuance to a specific FIDO authenticator
If you want to use your own file-based FIDO metadata repository, follow the instructions in section 2.3.1, Setting up a local metadata repository.
-
When logging on to the MyID Operator Client, I do not get the option to select FIDO as a means of logging on
Make sure that you have enabled at least one of the FIDO logon mechanisms; see section 2.7, Configuring MyID for FIDO logon.
Check the appsettings.json file for the web.oauth2 service; by default, this is:
C:\Program Files\Intercede\MyID\web.oauth2\appsettings.json
Check that the EnableFido2LoginBasicAssurance and EnableFido2LoginHighAssurance options have not been set to false for the MyID Operator Client (myid.operatorclient).
-
I cannot log on to MyID with my FIDO authenticator
Check the credential profile – the MyID Logon option in the Services section must be enabled to allow MyID logon.
Check that the person and device are enabled, and that the device has not expired.
The Audit Reporting and System Events workflows may provide additional information.
You can also check the AuthenticationAudits table in the authentication database; see the Reporting on the authentication database section in the MyID Authentication Guide for details.
-
When trying to log on with FIDO, there is an error complaining about the domain or origin
FIDO tokens are domain locked to the domain that registered them; that is, if a website at https://myserverdomain registered the FIDO authenticator, that FIDO authenticator can be used only to authenticate at websites that are also at https://myserverdomain. However, the same FIDO authenticator can hold FIDO credentials for other systems that MyID does not know about, enabling a user to use that FIDO authenticator for many systems; MyID will ignore these other FIDO credentials.
Therefore it is important not to change the server domain of the MyID system, as doing so will render already registered FIDO credentials unusable; if this happens, you must request and register new FIDO credentials.
Note: It is the URL the client sees that is important; this may be the URL of the load balancer or reverse proxy they access rather than the URL of the actual MyID web server.
There is special consideration if alternative web servers are used for a standalone MyID authentication service (for externally facing systems such as ADFS to authenticate to) but the FIDO authenticator is registered on a different MyID web server by web.oauth2. In this situation, you must set up a load balancer or proxy so the same domain is accessed in both cases and routed to the appropriate servers.
Note: MyID now supports multiple origins, where sub-domains of a registrable domain can also be authenticated; see section 2.4.3, Multiple origins.
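As an added illustration (not code from the MyID product or its documentation), the following Python function applies the origin rules described above: the origin the client actually uses must be https and must be the registered domain itself or, when multiple origins are enabled, a sub-domain of it. Credentials for other systems on the same authenticator are filtered out. The function names, the rp_id field and the sample credentials are assumptions made for this example.

```python
from urllib.parse import urlsplit

def origin_allowed(client_origin: str, rp_id: str, allow_subdomains: bool = False) -> bool:
    """Return True if client_origin may use FIDO credentials registered for rp_id.

    client_origin is the URL the browser sees (possibly the load balancer or
    reverse proxy), rp_id is the domain the credential was registered under.
    """
    parts = urlsplit(client_origin)
    if parts.scheme != "https" or not parts.hostname:
        return False  # registration and logon links must be https
    host = parts.hostname.lower()  # hostname excludes any explicit port
    rp = rp_id.lower()
    if host == rp:
        return True
    # Multiple-origin mode: a sub-domain of the registrable domain is accepted;
    # a look-alike host such as "evilmyserverdomain" is not, because of the dot.
    return allow_subdomains and host.endswith("." + rp)

def usable_credentials(credentials, client_origin: str, allow_subdomains: bool = False):
    """Keep only credentials whose registered domain matches the client origin.

    This mirrors MyID ignoring the credentials an authenticator holds for other
    systems: they are not usable at this origin and are simply not offered.
    """
    return [c for c in credentials
            if origin_allowed(client_origin, c["rp_id"], allow_subdomains)]

# Constructed sample credentials (hypothetical identifiers, not real data).
SAMPLE_CREDENTIALS = [
    {"id": "cred-myid-1", "rp_id": "myserverdomain"},   # registered by MyID
    {"id": "cred-other-1", "rp_id": "example.net"},     # another system's credential
]

if __name__ == "__main__":
    for origin in ("https://myserverdomain", "https://login.myserverdomain",
                   "http://myserverdomain", "https://evilmyserverdomain"):
        ok = origin_allowed(origin, "myserverdomain", allow_subdomains=True)
        print(f"{origin:35} -> {'allowed' if ok else 'rejected'}")
    print([c["id"] for c in usable_credentials(SAMPLE_CREDENTIALS, "https://myserverdomain")])
```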
-
When trying to log on with FIDO I get the error HTTP 431 Request Header Fields Too Large
Your FIDO authenticator has too many credentials on it, which causes the combined length of the credential IDs to exceed the HTTP header size restriction; it is recommended that you cancel any older unwanted FIDO credentials for that user.
-
I cannot log on using my older FIDO credentials
This is related to the HTTP 431 Request Header Fields Too Large error. When the combined length of credential IDs is too large and runs the risk of exceeding the HTTP header size restriction, the older tokens are ignored.
-
Why are there two logon mechanisms – FIDO Basic Assurance and FIDO High Assurance?
This provides flexibility. You may want to issue one-factor authenticators (basic assurance) for logging on to some external systems, but only allow two-factor authenticators (high assurance) for logging on to MyID.
-
I registered two FIDO credentials to the same FIDO authenticator, but MyID shows them as two separate devices – why?
FIDO's privacy design prevents a system from identifying the physical authenticator to which a credential is issued; this means that each registered FIDO credential has its own device record.
-
Does this mean each FIDO credential uses a MyID device license, even if they are on the same physical device?
Yes, MyID tracks device license usage based on issued credentials, not physical devices.
-
I get database errors when registering or authenticating a FIDO authenticator
Make sure that the authentication database is set up correctly. Ensure that the authentication .udl file (by default, MyIDAuth.udl) in the Windows System32 folder of the MyID application server is pointing to the authentication database.
-
I get HTTP Error 500.30
If you see an error similar to:
HTTP Error 500.30 - ANCM In-Process Start Failure
Check that your appsettings.Production.json file is valid.
Note especially that copying code samples from a browser may include hard spaces, which cause the JSON file to be invalid.
To assist in tracking down the problem, you can use the Windows Event Viewer. Check the Windows Logs > Application section for errors; you may find an error from the .NET Runtime source that contains information similar to:
Exception Info: System.FormatException: Could not parse the JSON file.
---> System.Text.Json.JsonReaderException: '"' is invalid after a value. Expected either ',', '}', or ']'. LineNumber: 13 | BytePositionInLine: 6.
which could be caused by a missing comma at the end of a line.
An error similar to:
Exception Info: System.FormatException: Could not parse the JSON file.
---> System.Text.Json.JsonReaderException: '0xC2' is an invalid start of a property name. Expected a '"'. LineNumber: 7 | BytePositionInLine: 0.
is caused by a hard (non-breaking) space copied from a web browser, which is not supported in JSON.
Note: Some JSON files used by MyID contain comment lines beginning with double slashes // – these comments are not supported by the JSON format, so the JSON files will fail validation if you attempt to use external JSON validation tools. However, these comments are supported in the JSON implementation provided by ASP.NET Core, and so are valid in the context of MyID.
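The checker below is an added example (not part of MyID or its documentation) that finds the two faults described above in a copied appsettings file: hard (non-breaking) spaces pasted from a browser, and syntax errors such as a missing comma. It blanks out whole-line // comments before parsing so that MyID's comment lines do not produce false alarms, which standalone JSON validators would. The function names and the sample file are assumptions for this example; the UTF-8 BOM that Windows editors often write is tolerated.

```python
import json

NBSP = "\u00a0"  # encoded as 0xC2 0xA0 in UTF-8, hence the "'0xC2' is an invalid start" error

def find_hard_spaces(text: str):
    """Return 1-based (line, column) pairs for every non-breaking space."""
    return [(lineno, col)
            for lineno, line in enumerate(text.splitlines(), start=1)
            for col, ch in enumerate(line, start=1) if ch == NBSP]

def strip_line_comments(text: str) -> str:
    """Blank out lines that start with // (ASP.NET Core style comments) while
    keeping line numbers stable, so parser errors still point at the right line.
    Only whole-line comments are removed; // inside a string value is left alone."""
    return "\n".join("" if line.lstrip().startswith("//") else line
                     for line in text.splitlines())

def check_appsettings(text: str):
    """Return human-readable problems; an empty list means the file parses."""
    problems = [f"hard (non-breaking) space at line {ln}, column {col}"
                for ln, col in find_hard_spaces(text)]
    # Parse with hard spaces replaced so that structural errors are reported too.
    try:
        json.loads(strip_line_comments(text.replace(NBSP, " ")))
    except json.JSONDecodeError as exc:
        problems.append(f"JSON syntax error at line {exc.lineno}, column {exc.colno}: {exc.msg}")
    return problems

def check_file(path: str):
    """Check a file on disk; utf-8-sig silently drops a leading BOM."""
    with open(path, encoding="utf-8-sig") as fh:
        return check_appsettings(fh.read())

# Constructed sample reproducing both faults the troubleshooting text describes:
# a missing comma at the end of line 3 and a hard space at the start of line 5.
SAMPLE_BAD = (
    '{\n'
    '  // comment line, as found in MyID configuration files\n'
    '  "EnableFido2LoginBasicAssurance": true\n'
    '  "EnableFido2LoginHighAssurance": true,\n'
    '\u00a0 "SomeOtherOption": false\n'
    '}\n'
)

if __name__ == "__main__":
    for problem in check_appsettings(SAMPLE_BAD) or ["no problems found"]:
        print(problem)
```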
-
I get errors relating to attestation when registering a GoTrust FIDO authenticator
There have been issues noticed when registering GoTrust Idem Key FIDO authenticators due to a problem with the GoTrust root certificate. Contact GoTrust technical support for assistance.