Troubleshooting Guide
This guide provides solutions to common issues you might encounter when using the Crayonic Credential Manager.
Table of Contents
- Authentication Issues
- User Search Issues
- Passkey Management Issues
- Security Key Issues
- Application Performance Issues
- Logging and Diagnostics
- Common Error Messages
- Getting Additional Help
Authentication Issues
Issue: Cannot authenticate with Entra ID
Symptoms: - "Authentication failed" message - No access token received - Authentication dialog closes without completing
Possible Causes and Solutions:
- Invalid credentials:
- Ensure you're using the correct username and password
-
Check if your account is locked or requires password reset
-
MFA requirements:
- If your account requires multi-factor authentication, ensure you complete all MFA steps
-
Check if your MFA method (phone, authenticator app) is working correctly
-
Permission issues:
- Ensure your account has the necessary permissions in Entra ID
-
Required roles: Global Administrator, Authentication Administrator, or Privileged Authentication Administrator
-
Network issues:
- Check your internet connection
- Ensure your firewall allows connections to Microsoft authentication endpoints
- Try disabling VPN if you're using one
Issue: "We couldn't sign you in" error
Symptoms: - Microsoft authentication dialog shows "We couldn't sign you in" error - Error occurs after selecting a passkey for authentication
Possible Causes and Solutions:
- Relying Party mismatch:
- The passkey you're using may be bound to a different Relying Party (RP)
- Passkeys created for Windows login may not work for web applications
-
Try using a different passkey or create a new one specifically for this application
-
Passkey not associated with user:
- The passkey may be registered to a different user account
-
Try authenticating with the correct user account for this passkey
-
Passkey revoked or expired:
- The passkey may have been revoked or expired
- Create a new passkey for authentication
Issue: Authentication dialog appears twice
Symptoms: - Authentication dialog appears, then immediately appears again after completing authentication
Possible Causes and Solutions:
- Token caching issue:
- Clear the browser cache and cookies
- Restart the application
-
If using a private/incognito browser window, try a regular window
-
Application configuration issue:
- Launch the application in Admin mode to check configuration settings
- Verify the redirect URI configuration
User Search Issues
Issue: Cannot find user in directory
Symptoms: - "User not found" message when searching - Empty results when searching for a known user
Possible Causes and Solutions:
- Incorrect UPN format:
- Ensure you're using the correct User Principal Name format (user@domain.com)
-
Check for typos in the username or domain
-
User doesn't exist in current tenant:
- Verify the user exists in the current Entra ID tenant
-
Check if you're authenticated to the correct tenant
-
Permission issues:
- Ensure your account has permissions to view user information
-
Required permission: User.ReadBasic.All
-
Search filter issues:
- Try using a partial name instead of the full UPN
- If searching by display name, try the UPN instead
Issue: Multiple users found but can't select the correct one
Symptoms: - Multiple users appear in the dropdown - Cannot find the specific user you're looking for
Possible Causes and Solutions:
- Ambiguous search terms:
- Use more specific search terms
-
Search by exact UPN instead of partial name
-
Display name limitations:
- The dropdown may show truncated display names
- Hover over entries to see full information
- Use the UPN for more precise searching
Passkey Management Issues
Issue: Cannot view existing passkeys
Symptoms: - No passkeys shown for a user who should have passkeys - "Error loading passkeys" message
Possible Causes and Solutions:
- Permission issues:
- Ensure your account has the UserAuthenticationMethod.ReadWrite.All permission
-
Verify admin consent has been granted for this permission
-
No passkeys registered:
- The user may not have any passkeys registered
-
Check if the user has registered passkeys through other means
-
API limitations:
- There may be temporary issues with the Microsoft Graph API
- Try again later or refresh the user information
Issue: Cannot create passkey for user
Symptoms: - "Failed to create passkey" message - Process starts but doesn't complete - Security key interaction fails
Possible Causes and Solutions:
- Permission issues:
- Ensure your account has the UserAuthenticationMethod.ReadWrite.All permission
-
Verify you have the necessary Entra ID role (Global Administrator, Authentication Administrator, or Privileged Authentication Administrator)
-
Security key issues:
- Ensure the security key is properly connected
- Try a different USB port
-
Verify the security key supports FIDO2 and resident keys
-
User account issues:
- The user account may have restrictions preventing passkey creation
-
Check if the user has reached the maximum number of passkeys
-
Relying Party configuration:
- Ensure you're using "login.microsoft.com" as the Relying Party for Entra ID applications
Issue: Cannot remove passkey
Symptoms: - "Failed to remove passkey" message - Passkey remains in the list after removal attempt
Possible Causes and Solutions:
- Permission issues:
- Ensure your account has the UserAuthenticationMethod.ReadWrite.All permission
-
Verify you have the necessary Entra ID role
-
API limitations:
- There may be temporary issues with the Microsoft Graph API
-
Try again later or refresh the user information
-
Passkey in use:
- The passkey may be currently in use for an active session
- Try again after ensuring the passkey is not being used
Security Key Issues
Issue: Security key not detected
Symptoms: - "No security key detected" message - Cannot proceed with passkey creation
Possible Causes and Solutions:
- Connection issues:
- Ensure the security key is properly connected to a USB port
- Try a different USB port
-
Try disconnecting and reconnecting the security key
-
Driver issues:
- Ensure you have the latest drivers for your security key
-
Check the manufacturer's website for driver updates
-
Security key compatibility:
- Verify the security key is FIDO2-compatible
-
Some older U2F-only keys may not work for passkey creation
-
Windows WebAuthn API issues:
- Ensure you're running a supported version of Windows (10 1903+ or Windows 11)
- Check for Windows updates that might affect the WebAuthn API
Issue: Security key interaction fails
Symptoms: - "Touch your security key" prompt appears but nothing happens when touching - Process times out during security key interaction
Possible Causes and Solutions:
- Security key not responding:
- Ensure the security key's contact/sensor is clean
-
Try a different security key if available
-
PIN issues:
- If the security key requires a PIN, ensure you're entering it correctly
-
If you've forgotten the PIN, you may need to reset the security key (consult manufacturer instructions)
-
Security key capacity:
- Some security keys have limited storage for resident keys
- Check if the security key has reached its capacity
Application Performance Issues
Issue: Application runs slowly or becomes unresponsive
Symptoms: - Long delays when performing operations - UI freezes or becomes unresponsive - High CPU or memory usage
Possible Causes and Solutions:
- Resource constraints:
- Check if your system meets the minimum requirements
- Close other resource-intensive applications
-
Restart the application or your computer
-
Network latency:
- Operations that require API calls may be slow due to network issues
- Check your internet connection
-
Try using the application during off-peak hours
-
Large data sets:
- If working with tenants that have many users or passkeys, operations may be slower
-
Use more specific search terms to reduce the amount of data being processed
-
Logging overhead:
- Verbose logging can impact performance
- In Admin mode, reduce the logging level if not needed for troubleshooting
Logging and Diagnostics
Accessing Log Files
The application creates several log files that can help diagnose issues:
-
Location: Log files are stored in the application directory (typically
C:\Program Files\Crayonic Credential Manager\bin
) -
Log Files:
Fido2UI_log.txt
: General application logsEntraIdAuth_log.txt
: Authentication-related logs-
PasskeyAuth_log.txt
: Passkey operation logs -
Viewing Logs:
- Open the log files with any text editor (e.g., Notepad)
- Look for entries around the time when the issue occurred
- Error messages are typically prefixed with "ERROR" or "Exception"
Enabling Verbose Logging
For more detailed logging:
- Launch the application in Admin mode:
- Use the "Crayonic Credential Manager (Admin)" shortcut or
-
Run with the
-Admin
parameter -
In Admin mode, you can configure logging levels:
- Navigate to the logging configuration section
- Set the logging level to "Debug" or "Verbose"
-
Apply the changes
-
Reproduce the issue to capture detailed logs
-
Remember to reset the logging level to "Info" or "Warning" after troubleshooting to avoid performance impact
Common Error Messages
"We couldn't sign you in"
Context: Appears in the Microsoft authentication dialog
Cause: This typically occurs due to a Relying Party (RP) mismatch. Passkeys are bound to specific RPs - a passkey created for Windows login may not work for web applications.
Solution: Use a passkey that was created specifically for the authentication context you're using. For Entra ID web applications, use a passkey created with "login.microsoft.com" as the RP.
"Authentication canceled by user"
Context: Appears after closing the authentication dialog
Cause: The authentication process was manually canceled or timed out.
Solution: Try the authentication process again and complete all steps. Ensure you don't close the authentication dialog before it completes.
"Insufficient permissions"
Context: Appears when trying to perform operations on users or passkeys
Cause: Your account doesn't have the necessary permissions in Entra ID.
Solution: Ensure your account has the required roles (Global Administrator, Authentication Administrator, or Privileged Authentication Administrator) and API permissions (User.ReadBasic.All, UserAuthenticationMethod.ReadWrite.All).
"Operation timed out"
Context: Appears during passkey creation or removal
Cause: The operation took too long to complete, possibly due to network issues or security key interaction problems.
Solution: Check your internet connection, ensure the security key is properly connected, and try the operation again.
Getting Additional Help
If you've tried the solutions in this guide and are still experiencing issues:
- Check for Updates:
- Ensure you're using the latest version of the application
-
Check for Windows updates that might affect WebAuthn functionality
-
Community Support:
- Check for community discussions and reported issues
-
Search for solutions in available support channels
-
Contact Support:
- Email: support@crayonic.com
-
Include detailed information about your issue:
- Application version
- Windows version
- Error messages (screenshots if possible)
- Steps to reproduce the issue
- Log files (if available)
-
Microsoft Support:
- For issues related to Entra ID or Microsoft Graph API, you may also need to contact Microsoft Support
- Visit the Microsoft Support portal for assistance
© 2025 Crayonic. All rights reserved.