Troubleshooting Tanium Cloud
Tanium Cloud is a self-monitored service, designed to detect failures before the failures surface to users.
You can view Tanium instance details, entitlement details, and identity provider settings in the Tanium Cloud Management Portal (CMP). You can delete or edit an existing setting, or add a new configuration. Warnings or errors are also displayed on the Administration page.
You can access the Activity Timeline, which shows a historical view of all the modules that were installed or upgraded in your Tanium Cloud instance. If you encounter an issue with a module, you can see if the issue is related to a recent upgrade. You can also see what modules are scheduled for installation.
- From the CMP menu, click Environment Status to view the module installation activity.
- To view documentation for a specific module, click View Details.
You can sign up for email notifications that notify you when your module licenses are about to expire.
- From the CMP menu, click Environment Status.
- Click Subscribe and then follow the prompts to sign up for email notifications.
By default, the primary administrative email account is automatically signed up for email notifications.
You can reset your CMP password if it expires, you forgot it, or you want to change it for any other reason.
By default, passwords expire every 60 days.
- From the CMP access link, click Sign in with a local user and then click Reset Password.
- Enter your email address and click Reset Password.
- Check your email for the verification code, enter it, and click Confirm.
- Check your email again for the one-time temporary password and sign in with it.
- Create a new password and click Next.
If you enter the verification code or temporary password incorrectly five times within 24 hours, your account is locked. Reset the CMP password again to restart the process. Additionally, you cannot request a password reset more than five times within 24 hours. In this case, you must wait before you reset the CMP password again.
To change your designated primary administrator email address, contact Tanium Support.
If you encounter issues connecting and authenticating to the Tanium Console, verify that the identity provider is configured correctly.
- Sign in to the CMP.
- Review the Identity Provider Settings section of the Administration page.
- Verify that there are no warnings or errors in the Status column of the identity provider.
- Click Edit to view and edit the settings.
- (Optional) If you want to automatically provision users from a domain, verify that the domain is listed and the Auto-Provision Users selection is set to Yes.
- Click Test Login to verify that the connection to the identity provider is successful.
For more troubleshooting information, see Tanium Console User Guide: Troubleshooting.
A 401 authorization required error displays when authenticating to Tanium Console or the CMP, because Tanium Cloud cannot process the SAML response. The following sections outline messages that can appear in the URL when a 401 authorization required error displays in the browser.
Copy the message from the browser to a text editor to see the full error message.
Issue: Email was changed in the IDP
Users cannot sign in to Tanium after their email addresses are changed in the integrated IDP environment. When attempting to sign in to the Tanium Console, users encounter a 401 error with the following text in the URL:
If the domains listed in CMP do not match the previous email domain, users continue to see a 401 error.
Choose an option:
- Delete the IDP configuration in the CMP and create a new one with the same configuration.
- Add both the old and new domains in the CMP for that IDP. Then have the affected users sign in at least once to allow their email attributes to be updated. After you confirm that users can sign in successfully, remove the old domain from the CMP.
Issue: Error in SAML response processing because Name ID value was not found in SAML Assertion
NameID value is not being sent in the SAML response. While Tanium Cloud does not use this value, the SAML response fails to validate if the value is not present.
In the IDP environment, add the NameID and the E-mail Address to the response.
Issue: Error in SAML response processing: Invalid user attributes: email: The attribute is required
The IDP is not sending the email address or the email address is being sent under the wrong attribute name.
In the IDP environment, send the email address value under the attribute name http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress. The attribute statement should look similar to the following example:
<saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[email protected]</saml2:AttributeValue>
</saml2:Attribute>
Issue: Error in SAML response processing: No SAML Assertion found in the SAML response
There is an unspecified issue with the IDP configuration. The SAML response likely includes an AuthnFailed status:
The most common cause is in SFDC IDP environments when the user is not assigned to the role which grants permission on the Connected Application.
For the user account, assign the role which grants permission on the Connected Application. If that step does not resolve the issue, investigate the logs in the IDP environment.
This error occurs when a user signs in to a Tanium Cloud instance through IDP-initiated single sign-on (SSO). IDP-initiated SSO is not supported.
Use Service Provider-initiated (SP-initiated) SSO by signing in from the Tanium Cloud console URL (for example, https://examplecustomer.cloud.tanium.com). As a workaround, you can also configure the sign in URL with the Tanium Console URL. In Okta, for example, this means configuring a Bookmark app.
If you see /unauthorized in the URL bar, the SAML integration is configured correctly, but the user account used to sign in does not exist in Tanium Cloud.
Issue: Incorrect attribute
The IDP might be sending the wrong attribute: UUID, sAMAccountName, or userPrincipalName.
Make sure the IDP is sending the email address for the applicable attribute.
Issue: Incorrect user account
A user account might be incorrect for one of the following reasons:
- Using the IDP account admin instead of the user account with Tanium administrative rights
- Using an elevated account instead of a standard account
- Creating an initial Tanium Cloud user account with a typo
Sign in with the exact email address specified in the welcome email.
Issue: Extra space in user name
The user name looks correct but contains extra spacing at the end, so the name cannot match the SAML claim. This usually happens when the user was created by a cut and paste action.
Carefully recreate the user name. The preferred option is to enter the user name manually to avoid extra spacing from a cut and paste error.
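The SAML issues described above (missing assertion, missing NameID, missing email attribute, domain not listed in the CMP, extra space in the user name) can be checked against a decoded SAML response with a short script. This is an added example, not Tanium code; the function name, the finding strings, the sample responses, and the exact-match comparison between the user name and the email claim are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

def diagnose(saml_xml, cmp_domains, tanium_user):
    """Map one decoded SAML response to the issues listed on this page.

    Diagnostic only: it does not verify signatures or conditions.
    cmp_domains and tanium_user are values you read from the CMP and console.
    """
    root = ET.fromstring(saml_xml)
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        # Report the status codes, for example a nested ...:status:AuthnFailed.
        codes = [c.get("Value", "").rsplit(":", 1)[-1]
                 for c in root.iter("{%s}StatusCode" % NS["p"])]
        return ["no assertion (status: %s)" % "/".join(codes)]
    findings = []
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        findings.append("NameID missing")
    emails = [v.text or ""
              for attr in assertion.iterfind("a:AttributeStatement/a:Attribute", NS)
              if attr.get("Name") == EMAIL_CLAIM
              for v in attr.iterfind("a:AttributeValue", NS)]
    if not emails:
        return findings + ["email attribute missing"]
    email = emails[0].strip()
    if email.rpartition("@")[2].lower() not in {d.lower() for d in cmp_domains}:
        findings.append("email domain not listed in CMP")
    if tanium_user != tanium_user.strip():
        findings.append("user name has extra whitespace")
    elif tanium_user != email:  # assumption: exact match is required
        findings.append("user name does not match email claim")
    return findings

# Constructed sample responses (hypothetical IDP output, not captured traffic).
_HEAD = '<samlp:Response xmlns:samlp="%(p)s" xmlns:saml="%(a)s">' % NS
FAILED = _HEAD + ('<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Responder">'
                  '<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:AuthnFailed"/>'
                  '</samlp:StatusCode></samlp:Status></samlp:Response>')
NO_NAMEID = _HEAD + ('<saml:Assertion><saml:Subject/><saml:AttributeStatement>'
                     '<saml:Attribute Name="%s"><saml:AttributeValue>alice@new.example'
                     '</saml:AttributeValue></saml:Attribute>'
                     '</saml:AttributeStatement></saml:Assertion></samlp:Response>' % EMAIL_CLAIM)

if __name__ == "__main__":
    print(diagnose(FAILED, ["new.example"], "alice@new.example"))
    print(diagnose(NO_NAMEID, ["old.example"], "alice@new.example "))
```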
If you notice issues with specific Tanium solutions, review the following links.
- Tanium API Gateway User Guide: Troubleshooting API Gateway
- Tanium Asset User Guide: Troubleshooting Asset
- Tanium Benchmark User Guide: Troubleshooting Benchmark
- Tanium Client Management User Guide: Troubleshooting
- Tanium Comply User Guide: Troubleshooting Comply
- Tanium Connect User Guide: Troubleshooting Connect
- Tanium Console User Guide: Troubleshooting
- Tanium Deploy User Guide: Troubleshooting Deploy
- Tanium Direct Connect User Guide: Troubleshooting Direct Connect
- Tanium Directory Query User Guide: Troubleshooting Directory Query
- Tanium Discover User Guide: Troubleshooting Discover
- Tanium Endpoint Configuration User Guide: Troubleshooting Endpoint Configuration
- Tanium End-User Notifications User Guide: Troubleshooting End-User Notifications
- Tanium Enforce User Guide: Troubleshooting Enforce
- Tanium Impact User Guide: Troubleshooting Impact
- Tanium Integrity Monitor User Guide: Troubleshooting Integrity Monitor
- Tanium Interact User Guide: Troubleshooting Interact
- Tanium Map User Guide: Troubleshooting Map
- Tanium Patch User Guide: Troubleshooting Patch
- Tanium Performance User Guide: Troubleshooting Performance
- Tanium Reporting User Guide: Troubleshoot Reporting
- Tanium Reputation User Guide: Troubleshooting Reputation
- Tanium Reveal User Guide: Troubleshooting Reveal
- Tanium Threat Response User Guide: Troubleshooting Threat Response
- Tanium Trends User Guide: Troubleshooting Trends
To contact Tanium Support for help, sign in to https://support.tanium.com.
Last updated: 11/30/2022 10:29 AM