Skip to content

Troubleshooting Guide

This guide provides solutions to common issues you might encounter when using the Crayonic Credential Manager.

Table of Contents

  1. Authentication Issues
  2. User Search Issues
  3. Passkey Management Issues
  4. Security Key Issues
  5. Application Performance Issues
  6. Logging and Diagnostics
  7. Common Error Messages
  8. Getting Additional Help

Authentication Issues

Issue: Cannot authenticate with Entra ID

Symptoms: - "Authentication failed" message - No access token received - Authentication dialog closes without completing

Possible Causes and Solutions:

  1. Invalid credentials:
  2. Ensure you're using the correct username and password
  3. Check if your account is locked or requires password reset

  4. MFA requirements:

  5. If your account requires multi-factor authentication, ensure you complete all MFA steps
  6. Check if your MFA method (phone, authenticator app) is working correctly

  7. Permission issues:

  8. Ensure your account has the necessary permissions in Entra ID
  9. Required roles: Global Administrator, Authentication Administrator, or Privileged Authentication Administrator

  10. Network issues:

  11. Check your internet connection
  12. Ensure your firewall allows connections to Microsoft authentication endpoints
  13. Try disabling VPN if you're using one

Issue: "We couldn't sign you in" error

Symptoms: - Microsoft authentication dialog shows "We couldn't sign you in" error - Error occurs after selecting a passkey for authentication

Possible Causes and Solutions:

  1. Relying Party mismatch:
  2. The passkey you're using may be bound to a different Relying Party (RP)
  3. Passkeys created for Windows login may not work for web applications
  4. Try using a different passkey or create a new one specifically for this application

  5. Passkey not associated with user:

  6. The passkey may be registered to a different user account
  7. Try authenticating with the correct user account for this passkey

  8. Passkey revoked or expired:

  9. The passkey may have been revoked or expired
  10. Create a new passkey for authentication

Issue: Authentication dialog appears twice

Symptoms: - Authentication dialog appears, then immediately appears again after completing authentication

Possible Causes and Solutions:

  1. Token caching issue:
  2. Clear the browser cache and cookies
  3. Restart the application
  4. If using a private/incognito browser window, try a regular window

  5. Application configuration issue:

  6. Launch the application in Admin mode to check configuration settings
  7. Verify the redirect URI configuration

User Search Issues

Issue: Cannot find user in directory

Symptoms: - "User not found" message when searching - Empty results when searching for a known user

Possible Causes and Solutions:

  1. Incorrect UPN format:
  2. Ensure you're using the correct User Principal Name format (user@domain.com)
  3. Check for typos in the username or domain

  4. User doesn't exist in current tenant:

  5. Verify the user exists in the current Entra ID tenant
  6. Check if you're authenticated to the correct tenant

  7. Permission issues:

  8. Ensure your account has permissions to view user information
  9. Required permission: User.ReadBasic.All

  10. Search filter issues:

  11. Try using a partial name instead of the full UPN
  12. If searching by display name, try the UPN instead

Issue: Multiple users found but can't select the correct one

Symptoms: - Multiple users appear in the dropdown - Cannot find the specific user you're looking for

Possible Causes and Solutions:

  1. Ambiguous search terms:
  2. Use more specific search terms
  3. Search by exact UPN instead of partial name

  4. Display name limitations:

  5. The dropdown may show truncated display names
  6. Hover over entries to see full information
  7. Use the UPN for more precise searching

Passkey Management Issues

Issue: Cannot view existing passkeys

Symptoms: - No passkeys shown for a user who should have passkeys - "Error loading passkeys" message

Possible Causes and Solutions:

  1. Permission issues:
  2. Ensure your account has the UserAuthenticationMethod.ReadWrite.All permission
  3. Verify admin consent has been granted for this permission

  4. No passkeys registered:

  5. The user may not have any passkeys registered
  6. Check if the user has registered passkeys through other means

  7. API limitations:

  8. There may be temporary issues with the Microsoft Graph API
  9. Try again later or refresh the user information

Issue: Cannot create passkey for user

Symptoms: - "Failed to create passkey" message - Process starts but doesn't complete - Security key interaction fails

Possible Causes and Solutions:

  1. Permission issues:
  2. Ensure your account has the UserAuthenticationMethod.ReadWrite.All permission
  3. Verify you have the necessary Entra ID role (Global Administrator, Authentication Administrator, or Privileged Authentication Administrator)

  4. Security key issues:

  5. Ensure the security key is properly connected
  6. Try a different USB port
  7. Verify the security key supports FIDO2 and resident keys

  8. User account issues:

  9. The user account may have restrictions preventing passkey creation
  10. Check if the user has reached the maximum number of passkeys

  11. Relying Party configuration:

  12. Ensure you're using "login.microsoft.com" as the Relying Party for Entra ID applications

Issue: Cannot remove passkey

Symptoms: - "Failed to remove passkey" message - Passkey remains in the list after removal attempt

Possible Causes and Solutions:

  1. Permission issues:
  2. Ensure your account has the UserAuthenticationMethod.ReadWrite.All permission
  3. Verify you have the necessary Entra ID role

  4. API limitations:

  5. There may be temporary issues with the Microsoft Graph API
  6. Try again later or refresh the user information

  7. Passkey in use:

  8. The passkey may be currently in use for an active session
  9. Try again after ensuring the passkey is not being used

Security Key Issues

Issue: Security key not detected

Symptoms: - "No security key detected" message - Cannot proceed with passkey creation

Possible Causes and Solutions:

  1. Connection issues:
  2. Ensure the security key is properly connected to a USB port
  3. Try a different USB port
  4. Try disconnecting and reconnecting the security key

  5. Driver issues:

  6. Ensure you have the latest drivers for your security key
  7. Check the manufacturer's website for driver updates

  8. Security key compatibility:

  9. Verify the security key is FIDO2-compatible
  10. Some older U2F-only keys may not work for passkey creation

  11. Windows WebAuthn API issues:

  12. Ensure you're running a supported version of Windows (10 1903+ or Windows 11)
  13. Check for Windows updates that might affect the WebAuthn API

Issue: Security key interaction fails

Symptoms: - "Touch your security key" prompt appears but nothing happens when touching - Process times out during security key interaction

Possible Causes and Solutions:

  1. Security key not responding:
  2. Ensure the security key's contact/sensor is clean
  3. Try a different security key if available

  4. PIN issues:

  5. If the security key requires a PIN, ensure you're entering it correctly
  6. If you've forgotten the PIN, you may need to reset the security key (consult manufacturer instructions)

  7. Security key capacity:

  8. Some security keys have limited storage for resident keys
  9. Check if the security key has reached its capacity

Application Performance Issues

Issue: Application runs slowly or becomes unresponsive

Symptoms: - Long delays when performing operations - UI freezes or becomes unresponsive - High CPU or memory usage

Possible Causes and Solutions:

  1. Resource constraints:
  2. Check if your system meets the minimum requirements
  3. Close other resource-intensive applications
  4. Restart the application or your computer

  5. Network latency:

  6. Operations that require API calls may be slow due to network issues
  7. Check your internet connection
  8. Try using the application during off-peak hours

  9. Large data sets:

  10. If working with tenants that have many users or passkeys, operations may be slower
  11. Use more specific search terms to reduce the amount of data being processed

  12. Logging overhead:

  13. Verbose logging can impact performance
  14. In Admin mode, reduce the logging level if not needed for troubleshooting

Logging and Diagnostics

Accessing Log Files

The application creates several log files that can help diagnose issues:

  1. Location: Log files are stored in the application directory (typically C:\Program Files\Crayonic Credential Manager\bin)

  2. Log Files:

  3. Fido2UI_log.txt: General application logs
  4. EntraIdAuth_log.txt: Authentication-related logs
  5. PasskeyAuth_log.txt: Passkey operation logs

  6. Viewing Logs:

  7. Open the log files with any text editor (e.g., Notepad)
  8. Look for entries around the time when the issue occurred
  9. Error messages are typically prefixed with "ERROR" or "Exception"

Enabling Verbose Logging

For more detailed logging:

  1. Launch the application in Admin mode:
  2. Use the "Crayonic Credential Manager (Admin)" shortcut or
  3. Run with the -Admin parameter

  4. In Admin mode, you can configure logging levels:

  5. Navigate to the logging configuration section
  6. Set the logging level to "Debug" or "Verbose"
  7. Apply the changes

  8. Reproduce the issue to capture detailed logs

  9. Remember to reset the logging level to "Info" or "Warning" after troubleshooting to avoid performance impact

Common Error Messages

"We couldn't sign you in"

Context: Appears in the Microsoft authentication dialog

Cause: This typically occurs due to a Relying Party (RP) mismatch. Passkeys are bound to specific RPs - a passkey created for Windows login may not work for web applications.

Solution: Use a passkey that was created specifically for the authentication context you're using. For Entra ID web applications, use a passkey created with "login.microsoft.com" as the RP.

"Authentication canceled by user"

Context: Appears after closing the authentication dialog

Cause: The authentication process was manually canceled or timed out.

Solution: Try the authentication process again and complete all steps. Ensure you don't close the authentication dialog before it completes.

"Insufficient permissions"

Context: Appears when trying to perform operations on users or passkeys

Cause: Your account doesn't have the necessary permissions in Entra ID.

Solution: Ensure your account has the required roles (Global Administrator, Authentication Administrator, or Privileged Authentication Administrator) and API permissions (User.ReadBasic.All, UserAuthenticationMethod.ReadWrite.All).

"Operation timed out"

Context: Appears during passkey creation or removal

Cause: The operation took too long to complete, possibly due to network issues or security key interaction problems.

Solution: Check your internet connection, ensure the security key is properly connected, and try the operation again.

Getting Additional Help

If you've tried the solutions in this guide and are still experiencing issues:

  1. Check for Updates:
  2. Ensure you're using the latest version of the application
  3. Check for Windows updates that might affect WebAuthn functionality

  4. Community Support:

  5. Check for community discussions and reported issues
  6. Search for solutions in available support channels

  7. Contact Support:

  8. Email: support@crayonic.com
  9. Include detailed information about your issue:

    • Application version
    • Windows version
    • Error messages (screenshots if possible)
    • Steps to reproduce the issue
    • Log files (if available)
  10. Microsoft Support:

  11. For issues related to Entra ID or Microsoft Graph API, you may also need to contact Microsoft Support
  12. Visit the Microsoft Support portal for assistance

© 2025 Crayonic. All rights reserved.