Troubleshooting Tanium Cloud

Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users.

Troubleshoot issues authenticating to Cloud Management Portal

Issues signing in as the primary administrator

If you encounter issues signing in to Cloud Management Portal (CMP) as the primary administrator, check the following issues.

Unable to sign in with the primary administrator user name and password

  • The primary administrator account locks after 90 days of inactivity. If you have not signed in to CMP for more than 90 days or a message appears during sign-in that indicates that your account is locked, contact Tanium Support to unlock your account.
  • Make sure you are using the correct domain in your primary administrator user name:

    • If your Tanium Cloud instance was created before June 1, 2023 and you have not had local users enabled by Tanium Support, make sure you are using the email address that was assigned to the primary administrator account as your user name.

      • To change your designated primary administrator email address, contact Tanium Support.

      • If you need to enable local users (see Manage local users for evaluation or demonstration) in a Tanium Cloud instance created before June 1, 2023, contact Tanium Support. Tanium must delete and recreate your primary administrator account, after which you must complete the password and multi-factor authentication (MFA) setup again. No other Tanium Cloud settings are affected. After Tanium enables local users in your account, you must sign in with the @tanium.local domain when signing in as the primary administrator.
    • If your Tanium Cloud instance was created on or after June 1, 2023 or you have had local users enabled in an instance created before that date, make sure you are using the @tanium.local domain in your user name. The primary administrator user name is the local part of the email address assigned to the primary user with the @tanium.local domain added. For example, if your primary administrator email address is [email protected], your user name is [email protected].
  • Reset your password. See Reset your CMP administrator or local user password. If you are unable to complete the password reset process, contact Tanium Support for assistance.

Unable to complete multi-factor authentication with a TOTP for the primary administrator

Make sure you are using the MFA method you configured when you first signed into CMP as the primary administrator. If you are unable to provide the correct time-based one-time password (TOTP), contact Tanium Support for assistance resetting your MFA method.

Issues signing in as a single sign-on (SSO) user

If you encounter issues signing in to Cloud Management Portal (CMP) as an SSO user provided by an identity provider (typical in a production environment), check the following issues.

Unable to sign in as an SSO user with a user name and password

  • Make sure you are using the domain in your user name that is specified in your identity provider. Your CMP user name is your single sign-on (SSO) user name, which is typically your organization email address.

  • Reset the password for your SSO user account. The process to do so is determined by your identity provider. Contact the administrator of your identity provider for assistance.
  • As a CMP administrator, review the identity provider settings:

    1. Sign in to CMP as a CMP administrator.

      If no SSO users are able to sign in, you must sign in as the primary administrator or a local administrator.

    2. Review the Identity Provider Settings section of the Administration page.

      1. Verify that there are no warnings or errors in the Status column of the identity provider.
      2. Click Edit to view and edit the settings as necessary. Make sure that CMP access is enabled in the Enable Authentication section.
      3. Click Test Login to verify that the connection to the identity provider is successful.

      For more information, see Configuring identity providers and user provisioning in CMP and Configuring your identity provider for Tanium Cloud.

Unable to complete multi-factor authentication with a TOTP for an SSO user

Reset the MFA method for your SSO user account. The process to do so is determined by your identity provider. Contact the administrator of your identity provider for assistance.

Issues signing in as a local user other than the primary administrator

If you encounter issues signing in to CMP as a local user other than the primary administrator (typically used only during evaluation), check the following issues.

Unable to sign in as a local user with a user name and password

  • Reset your password. See Reset your CMP administrator or local user password. If you are unable to complete the password reset process, the CMP primary administrator can re-create your account. See Manage local users for evaluation or demonstration.

Unable to complete multi-factor authentication with a TOTP for a local user

Make sure you are using the MFA method you configured when you first signed into CMP with your local user account. If you are unable to provide the correct time-based one-time password (TOTP), the CMP primary administrator can re-create your account. See Manage local users for evaluation or demonstration.

Troubleshoot issues authenticating to Tanium Console

In addition to the following troubleshooting information specific to Tanium Cloud, see Tanium Console User Guide: Troubleshoot Console issues.

Issues signing in as an SSO user

  • Reset the password for your SSO user account. The process to do so is determined by your identity provider. Contact the administrator of your identity provider for assistance.
  • As a CMP administrator, make sure that the identity provider is configured correctly:

    1. Sign in to CMP as a CMP administrator.
    2. Review the Identity Provider Settings section of the Administration page.

      1. Verify that there are no warnings or errors in the Status column of the identity provider.
      2. Click Edit to view and edit the settings.
      3. (Optional) If you want to automatically provision users from a domain, verify that the domain is listed and the Auto-Provision Users selection is set to Yes.
      4. Click Test Login to verify that the connection to the identity provider is successful.

      For more information, see Configuring identity providers and user provisioning in CMP and Configuring your identity provider for Tanium Cloud.

Issues signing in as a local user (evaluation only)

Local user access to Tanium Console is typically configured only during evaluation of Tanium Cloud. Allowing local users to access Tanium Console is not a best practice in a production environment. For more information, see Manage local users for evaluation or demonstration.

Error: 401 authorization required

A 401 authorization required error appears when you authenticate to Tanium Console or CMP and Tanium Cloud cannot process the SAML response. The following sections describe the messages that can appear in the URL when the 401 authorization required error displays in the browser.

Copy the message from the browser to a text editor to see the full error message.

Issue: Email was changed in the IDP

Cause

Users cannot sign in to Tanium after their email addresses are changed in the integrated IDP environment. When attempting to sign in to the Tanium Console, users encounter a 401 error with the following text in the URL:

PreAuthentication+failed+with+error+User+email+domain+was+not+registered+with+this+identity+provider

If the user's new email domain is not among the domains registered for the IDP in CMP, users continue to see the 401 error.

Solution

Choose an option:

  • Delete the IDP configuration in CMP and create a new one with the same configuration.
  • Add both the old and new domains in CMP for that IDP. Then have the affected users sign in at least once to allow their email attributes to be updated. After you confirm that users can sign in successfully, remove the old domain from CMP.

Issue: Error in SAML response processing because Name ID value was not found in SAML Assertion

Cause

The NameID value is not being sent in the SAML response. While Tanium Cloud does not use this value, the SAML response fails to validate if the value is not present.

Solution

In the IDP environment, add the NameID and the E-mail Address to the response.

Issue: Error in SAML response processing: Invalid user attributes: email: The attribute is required

Cause

The IDP is not sending the email address or the email address is being sent under the wrong attribute name.

Solution

In the IDP environment, send the email address value under the attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. The attribute statement should look similar to the following example:

<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>

Issue: Error in SAML response processing: No SAML Assertion found in the SAML response

Cause

There is an unspecified issue with the IDP configuration. The SAML response likely includes an AuthnFailed status:

<samlp:Status>
  <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>
</samlp:Status>

The most common cause is in SFDC (Salesforce) IDP environments, where the user is not assigned to the role that grants permission on the Connected Application.

Solution

For the user account, assign the role which grants permission on the Connected Application. If that step does not resolve the issue, investigate the logs in the IDP environment.

Error: Required String parameter RelayState is not present

Cause

This error occurs when a user signs in to a Tanium Cloud instance through IDP-initiated single sign-on (SSO). IDP-initiated SSO is not supported.

Solution

Use Service Provider-initiated (SP-initiated) SSO by signing in from the Tanium Cloud console URL (for example, https://examplecustomer.cloud.tanium.com). As a workaround, you can also configure the sign-in URL in the IDP to point to the Tanium Console URL so that users land on the SP-initiated flow. In Okta, for example, this means configuring a Bookmark app.
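To make the SAML checks described in the preceding sections repeatable, the following Python script is an added example; it is not a Tanium tool and not part of this guide. It takes the SAMLResponse and RelayState fields that the browser POSTs to Tanium Cloud (copy them from the browser's Network tab or a HAR file) and reports the conditions described above: a missing RelayState and InResponseTo (IDP-initiated SSO), a non-Success status such as AuthnFailed, a missing Assertion, a missing NameID, an email attribute sent under a name other than the required claim, and an email domain that is not registered for the IDP in CMP. It also decodes the '+'-encoded error text copied from a 401 URL. The claim name and status URIs are the standard ones quoted on this page; the set of registered domains, the sample responses, and the attribute name userPrincipalName are constructed inputs for the demonstration.

```python
"""Offline triage of a SAML POST to Tanium Cloud (added example, not a Tanium tool).
Sample responses below are constructed; real input comes from the browser's POST fields."""
import base64
import urllib.parse
import xml.etree.ElementTree as ET  # fine for constructed samples; use defusedxml for untrusted XML

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_AUTHN_FAILED = "urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"


def decode_error_message(fragment: str) -> str:
    """Decode the '+'-encoded error text copied from a 401 redirect URL."""
    return urllib.parse.unquote_plus(fragment)


def triage_saml_post(form: dict, registered_domains: set) -> list:
    """Return findings explaining why the POST would be rejected; [] if none.
    registered_domains: the email domains listed for the IDP in CMP (assumed input)."""
    findings = []
    if not form.get("RelayState"):  # the SP sets RelayState; an IDP-initiated POST lacks it
        findings.append("RelayState missing: IDP-initiated SSO is not supported; sign in from the Tanium Cloud URL")
    try:
        root = ET.fromstring(base64.b64decode(form.get("SAMLResponse", ""), validate=True))
    except (ValueError, ET.ParseError) as exc:
        return findings + [f"SAMLResponse is not base64-encoded XML: {exc}"]
    if root.get("InResponseTo") is None:  # standard SAML marker of an unsolicited response
        findings.append("no InResponseTo on the Response: unsolicited (IDP-initiated) response")
    code_el = root.find("samlp:Status/samlp:StatusCode", NS)
    code = code_el.get("Value") if code_el is not None else "missing"
    if code != STATUS_SUCCESS:
        findings.append(f"status {code}: the IDP refused authentication; check the user's app/role assignment in the IDP")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:  # an EncryptedAssertion also lands here; decrypt it before inspecting
        findings.append("No SAML Assertion found in the SAML response")
        return findings
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("Name ID value was not found in SAML Assertion")
    attrs = {}
    for attr in assertion.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        attrs[attr.get("Name", "")] = [v.text or "" for v in attr.findall("saml2:AttributeValue", NS)]
    emails = attrs.get(EMAIL_CLAIM) or []
    if not emails:
        findings.append(f"email: The attribute is required (attributes sent: {sorted(attrs)})")
        return findings
    email = emails[0]
    if email != email.strip():
        findings.append(f"email value {email!r} has surrounding whitespace and will not match the Tanium user name")
    domain = email.strip().rpartition("@")[2].lower()
    if domain not in {d.lower() for d in registered_domains}:
        findings.append(f"User email domain {domain} was not registered with this identity provider")
    return findings


def build_assertion(name_id, attr_name, email):
    """Constructed, unsigned assertion used only to build the sample responses."""
    nid = f"<saml2:NameID>{name_id}</saml2:NameID>" if name_id else ""
    return (
        f'<saml2:Assertion ID="_a1" Version="2.0"><saml2:Subject>{nid}</saml2:Subject>'
        f'<saml2:AttributeStatement><saml2:Attribute Name="{attr_name}">'
        f"<saml2:AttributeValue>{email}</saml2:AttributeValue></saml2:Attribute>"
        "</saml2:AttributeStatement></saml2:Assertion>"
    )


def build_response(status, assertion_xml, in_response_to="_req1"):
    """Constructed samlp:Response wrapper; in_response_to=None mimics an IDP-initiated response."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml2="{NS["saml2"]}" '
        f'ID="_r1" Version="2.0"{irt}><samlp:Status><samlp:StatusCode Value="{status}"/>'
        f"</samlp:Status>{assertion_xml}</samlp:Response>"
    )


def demo_cases():
    """Run the triage over constructed samples covering each error described on this page."""
    ok = build_assertion("user@example.com", EMAIL_CLAIM, "user@example.com")
    cases = {
        "good": (build_response(STATUS_SUCCESS, ok), "_req1"),
        "authn_failed": (build_response(STATUS_AUTHN_FAILED, ""), "_req1"),
        "idp_initiated": (build_response(STATUS_SUCCESS, ok, in_response_to=None), None),
        "no_name_id": (build_response(STATUS_SUCCESS, build_assertion(None, EMAIL_CLAIM, "user@example.com")), "_req1"),
        "wrong_attribute": (build_response(STATUS_SUCCESS, build_assertion("u", "userPrincipalName", "user@example.com")), "_req1"),
        "new_domain": (build_response(STATUS_SUCCESS, build_assertion("u", EMAIL_CLAIM, "user@newcorp.example")), "_req1"),
    }
    results = {}
    for name, (xml, relay) in cases.items():
        form = {"SAMLResponse": base64.b64encode(xml.encode()).decode()}
        if relay:
            form["RelayState"] = relay
        results[name] = triage_saml_post(form, {"example.com"})  # example.com is the assumed registered domain
    return results


if __name__ == "__main__":
    for name, findings in demo_cases().items():
        print(name, "->", findings or ["OK"])
```

The script stops at the first condition that makes further checks meaningless (no assertion, no email attribute) because the later checks would only produce noise; a real response whose assertion is encrypted must be decrypted with the SP key before this inspection, and signature validation is deliberately out of scope here since the goal is to explain a rejection, not to accept the response.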

Error: The Tanium sign-in screen shows /unauthorized in the URL bar

If you see /unauthorized in the URL bar, the SAML integration is configured correctly, but the user account that is signing in does not exist in Tanium Cloud. Check for the following causes.

Issue: Incorrect attribute

Cause

The IDP might be sending a different identifier, such as the UUID, sAMAccountName, or userPrincipalName, instead of the email address.

Solution

Make sure the IDP sends the email address in the applicable attribute, so that the value matches the user's Tanium Cloud user name.

Issue: Incorrect user account

Cause

A user account might be incorrect for one of the following reasons:

  • Using the IDP account admin instead of the user account with Tanium administrative rights
  • Using an elevated account instead of a standard account
  • Creating an initial Tanium Cloud user account with a typo

Solution

Sign in with the exact email address specified in the welcome email.

Issue: Extra space in user name

Cause

The user name looks correct but contains extra spacing on the end, so the name cannot match the SAML claim. This usually happens when the user was created by a cut and paste action.

Solution

Carefully recreate the user name. The preferred option is to enter the user name manually to avoid extra spacing from a cut and paste error.

Troubleshoot Tanium solutions

If you notice issues with specific Tanium solutions, review the following links.

Contact Tanium Support

To contact Tanium Support for help, sign in to https://support.tanium.com.