A Quick Summary of the Layout

The first thing to understand is the roles of the Windows Logon Agent and the Windows Logon Client.

For each machine you wish to have 2FA set up on, you need to install the Windows Logon Client. However, the communication between the Windows Logon Client and the DualShield Authentication Server is done via the Windows Logon Agent. Typically you only need 1 agent per subnet. For example, if you only have a single class C subnet, one agent should work for 254 machines with the client software installed, as long as all the machines can contact the agent.

You should also familiarise yourself with the Windows Logon Components Diagram that pops up after installation of the Windows Logon Client.

Make note of the three different offline types:

Offline Type    Definition
A               Local MFA Logon Service is not Connectable
B               Remote MFA Logon Agent is Not Connectable
C               DualShield MFA Server is Not Connectable

Primary Troubleshooting for Each Offline Type:

Offline Type A

If you see the message Offline Type (A), this usually means that the client service has stopped running.

By design, the service should restart by itself a few seconds after a software crash, so it would be very rare to see this issue. If you do experience this problem, please try restarting the computer. If that fails to resolve the issue, either remote into services.msc for that machine or log on with the local admin account (if not MFA protected) and check whether the service is running. If it is not running and cannot be started manually, please check Windows Event Viewer for any DualShield application crash reports.


Offline Type B

If you see the message Offline Type (B), this usually means that the Windows Logon Agent is not reachable.

Two things would cause this:

1) The client machine has lost connection to the network

2) The machine hosting the Windows Logon Agent is down or has lost connection to the network

If neither of those is true, check on the hosting machine that the Windows Logon Agent Service is running.

If it is, check that you have added a host record in your DNS manager. Please refer to Discover Windows Logon Agent.

   

Offline Type C

If you see the message Offline Type (C), this usually means that the Windows Logon Agent is reachable but the DualShield Authentication Server has gone offline.





Please check that the machine hosting the MFA server is up and that the DualShield Server Service is running.





Also check that you can log on to the DualShield Administration Console.



 



Once you have been through the basic steps above you can move on to Further Troubleshooting.
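
The basic checks for the three offline types can be run from PowerShell. This is an added example, not part of the original page or of the vendor's tooling; the `*DualShield*` name pattern, the host names and the port are assumptions that must be replaced with the values from your own deployment.

```powershell
# Added example, not vendor code. Host names, the port and the name pattern are
# assumptions: supply the values used in your own deployment.
param(
    [Parameter(Mandatory)][ValidateSet('A', 'B', 'C')][string]$OfflineType,
    [string]$NamePattern = '*DualShield*',  # assumed to match the service display names
    [string]$AgentHost,    # machine hosting the Windows Logon Agent (type B)
    [string]$ServerHost,   # machine hosting the DualShield Authentication Server (type C)
    [int]$Port             # TCP port the agent (B) or server (C) listens on
)

function Get-MatchingService {
    # Lists local services whose display name matches the pattern.
    $svc = Get-Service -DisplayName $NamePattern -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "No local service matches '$NamePattern'." }
    $svc | Select-Object Status, Name, DisplayName
}

function Test-RemoteEndpoint([string]$TargetHost) {
    # Separates "name does not resolve" from "host or port not reachable".
    if (-not $TargetHost -or -not $Port) { throw 'Supply the host name and -Port.' }
    $dns = Resolve-DnsName -Name $TargetHost -ErrorAction SilentlyContinue
    $tcp = $false
    if ($dns) {
        $tcp = Test-NetConnection -ComputerName $TargetHost -Port $Port -InformationLevel Quiet
    }
    [pscustomobject]@{ Target = $TargetHost; Resolves = [bool]$dns; TcpReachable = $tcp }
}

switch ($OfflineType) {
    'A' {   # Run on the affected client: is the client service running?
        $services = @(Get-MatchingService)
        $services
        if ($services.Count -eq 0 -or ($services | Where-Object Status -ne 'Running')) {
            # Application-log errors from the last day that mention the product name.
            Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2
                StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
                Where-Object Message -like $NamePattern |
                Select-Object TimeCreated, ProviderName, Id, Message
        }
    }
    'B' {   # Run on the affected client: can it resolve and reach the agent?
        Test-RemoteEndpoint $AgentHost
    }
    'C' {   # Run on the agent host: can it resolve and reach the server?
        Test-RemoteEndpoint $ServerHost
    }
}
```

For type B, `Resolves = False` points at the missing DNS host record, while `Resolves = True` with `TcpReachable = False` points at the agent machine or its service. Running the type A check on the agent or server host lists the service state there.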
