Loading...
Most common troubleshooting issues across all Keeper applications
Monitor the Keeper infrastructure system health here:
We have published a helpful AI chatbot which is trained on Keeper documentation. Give it a try here:
Keeper has implemented a "Snapshot Tool" which helps customers solve Autofill issues quickly. This process allows us to deploy autofill fixes within the same day.
SCIM enforces reserved domains on any provisioning request. If you receive an error like "This domain cannot be used for SCIM provisioning" or "Use a different email domain" from SCIM provisioning, This means that you need to request domain reservation for the email domain that is being provisioned.
Typically, this means you need to update your SAML signing certificate. Follow the guide below for step by step instructions:
Keeper's signing key for the Ubuntu Linux version of Keeper Desktop has expired, so we extended the expiration and pushed up a new GPG public key. This key is hosted at the below location:
We've also submitted this latest GPG public key to the keyserver.ubuntu.com keyserver.
Customers can pull down the latest key by running the below command and then retrying:
Some customers are unable to select Keeper from the Samsung provider list when activating KeeperFill.
If Keeper does not show up, please open your device settings and search for "Passwords" then select Keeper under "Passwords, passkeys and autofill".
If you are seeing syncing stuck on the screen, please check the following:
Update to the latest version of Keeper on the App Store
Instead of logging in with biometrics, try to login with your Master Password (clicking "Next")
After a successful login, visit the settings screen of Keeper and turn OFF/ON the Face ID or Touch ID setting.
We're constantly improving Keeper's security to keep our users safe. Starting with Backend API Version 16.10.0, if you're using a FIDO2 Yubikey device for two-factor authentication (2FA), you might need to enter a PIN associated with your device when you log into Keeper. This is a FIDO2 feature called "user verification" that our system uses to check if the PIN is set up on your device.
If you'd rather not use a PIN with your FIDO2 Yubikey device, you can remove it using the Yubico Manager app. However, keep in mind that if you reset your Yubikey device, you'll have to re-register your key with Keeper and any other application that you use with your key.
We will add a feature soon to allow consumers to decide whether or not user verification is required. This will be added to Vault version 16.10.4.
For our business customers, we're planning a role enforcement feature that requires user verification (by setting userVerification response to "required"). Until then, the system will respond based on your device setup.
If you are unable to access Keeper's website or Vault from your device with a "403 error", your IP address is being blocked. Keeper automatically blocks IP Addresses that have a "low reputation score". This list of IPs is maintained by a dedicated threat research team at Amazon AWS, and as such we do not have visibility into exact reasons why an IP is placed on this list. To resolve the issue:
Open the below URL on a computer which is generating this error: https://checkip.amazonaws.com
Your external IP address will be provided on the screen.
Please send the IP to the Keeper support team support team via our support page at keeper.io/freesupport and we'll check into unblocking it from our WAF.
Business customers who need a range of IPs to be unblocked can provide a CIDR.
Many issues can be resolved by updating your Keeper app. Install the latest Keeper version from your App Store or the Keeper Website.
From the mobile apps, go to the Account screen > Sync > Sync Now. This performs a "full sync" of all the data and ensures that anything missed in the normal sync process is caught. The latest Web Vault and Desktop App also have a "Sync" feature along the bottom of the screen.
Browser extensions generally stop working properly if an update is pending or the browser is out of date, even by one version. Make sure to update your web browser to the latest version and then fully restart your web browser.
Clear cache on your web browser or open Incognito Mode to try and login. If this works, you should just reset your Keeper app by visiting the Web Vault on your respective data center:
By appending #reset on the end will force Keeper to clear local data. Refresh the page a few times and this should clear things out.
Ensure only ONE Keeper browser extension is installed. Having two installed causes many issues. Visit Window > Extensions and check your extensions. Don't use multiple password managers at the same time.
Ensure that "clear site data when you quit Chrome" is disabled. This can cause errors and vault decryption issues.
This is a very common issue with our users. Keeper's advanced security protection and encryption prevents inspection of traffic, otherwise known as "man-in-the-middle". This can sometimes conflict with antivirus, popup blockers and web filtering apps. Make sure to try turning OFF these 3rd party plugins or applications to see if they are causing any conflict with Keeper.
Many websites (including Keeper's browser tools) won't function correctly if you block cookies, block Javascript, block local storage or have any extreme browser privacy settings that prevent our product from running. Please try to set your browser to default settings and see if that resolves the issue you're experiencing.
If you are experiencing an issue where the Two-Factor (TOTP) codes are different between your mobile and desktop devices, this is usually caused by the time difference between your devices. Ensure that your device time and date is set to "Automatic". If the times are different by even a few seconds, this will cause different codes to appear on different devices.
If biometrics such as Face ID / Touch ID stops working, simply login to Keeper with your Master Password (or SSO), then visit the Settings screen and turn biometric login OFF and ON. This should resolve any biometric login issues.
Consumers: Keeper employees do not have access to your Master Password or Recovery Phrase, and we cannot reset it for you. If you have forgotten your Master Password, please try using our Account Recovery feature by visiting the "Need Help" > "Forgot Master Password" option on the Keeper login screen.
Without your Master Password or recovery phrase, your records cannot be decrypted. If you don't have recovery setup for the Keeper account at all, unfortunately account recovery will not be possible.
If you have tried all possible Master Password and Account Recovery options and are still unable to login to Keeper, we can delete your account so that you can start over. Please contact the support team for assistance.
A very common issue when a user is unable to login, is that people could have multiple Keeper accounts (perhaps from different email addresses), or maybe a typo in your email address. If you think that's a possibility, please contact our support team and we will assist you.
Business Customers: If you have tried all possible Master Password options and are still unable to login to Keeper, you will need to contact one of your Keeper Administrators within your company to have them either transfer your account to a new vault so that you do not lose any data. Or, request your Admin to delete your profile and re-invite you which will allow you to start over with a new master password. If you are using SSO for login, they can assist you in recovering your account with the SSO provider.
If you would like to change your existing Master Password from the Web Vault & Desktop App, from the account dropdown menu (your email ) select Settings and next to "Master Password" click Reset Now. You will then be prompted to enter your current Master Password Password and create and confirm a new Master Password.
To change your Master Password on iOS and Android devices, within your vault, navigate to the Settings menu, scroll down and tap Reset Master Password (on iOS) or RESET NOW (on Android). You will then be prompted to enter your Current Master Password Password and create and confirm a new Master Password.
Consumers: If you changed phones or do not have access to your two-factor authentication device, please contact Keeper support and we will assist you in resetting your Two-Factor Authentication settings. For individual and family users, please open a consumer support ticket and we will assist you.
Business Customers: Please contact the Keeper Administrator at your company. Your Keeper Admin can disable your 2FA. For Keeper Administrators, please open a business support ticket and we will assist you.
Keeper Web Vault, Desktop App and Browser Extensions have been updated with the "Stay Logged In" feature for all customers. To activate this feature open your browser extension > settings > Stay Logged In and turn the setting "ON". If it's already on, you may want to turn the setting OFF and ON. Then, logout and login to the browser extension. Learn more about "Stay Logged In" here: https://docs.keeper.io/user-guides/tips-and-tricks/stay-logged-in
Upon initial vault login, new users will be prompted to set up Account Recovery. Click Generate Recovery Phrase to begin.
Once your recovery phrase has been generated, be sure to store it in a safe place. For added convenience, you will be given the option to copy or download it. Check the box to acknowledge you have stored it in a safe place and click Set Recovery Phrase to complete the setup.
Please note that if you forget your master password and lose your recovery phrase, you will not be able to login to your vault and Keeper Support will be unable to help you regain access.
After their initial login, users are asked if they would like to set up Account Recovery using an account recovery phrase. This is especially important if you forget your Master Password during the account recovery process which is based upon an account recovery phrase, backup verification code (sent via email) and Two-Factor Authentication code (if enabled).
In addition to enabling an account recovery phrase, we recommend turning on Keeper's Two-Factor Authentication feature from your account's "Settings" menu.
Users who have signed into Keeper after August 2015, will automatically have Account Recovery enabled. To initiate Account Recovery, simply open Keeper through the Web Vault, iOS, Android or Desktop app and from the login screen, click/tap Forgot Password. Keeper will then walk you through a few steps to change your Master Password and recover your account. These steps will include a series of prompts requesting the following actions:
Enter your email address to initiate the account recovery process
Enter a backup verification code
Enter your account recovery phrase
Enter your Two-Factor Verification code (if enabled)
Enter a new Master Password
Loading...
Loading...
Loading...
Loading...
Troubleshooting and support for Keeper Enterprise
The full Enterprise guide is located here. Part of the guide contains information on deploying to end-users.
Visit our checkout page: https://keepersecurity.com/checkout
The Admin Console user report currently contains empty login dates for accounts larger than 1,000 end-users. We recommend using Keeper Commander to generate a user status report using the user-report command. For example:
Typically, this means you need to update your SAML signing certificate. Follow the guide below for step by step instructions:
https://docs.keeper.io/en/v/sso-connect-cloud/certificate-renewal
Ensure that you have assigned users or groups to the correct SAML application in your IdP
When you invite a user from the identity provider or assign a user into a group that has been provisioned, the IdP will send the request to Keeper to either invite a user to join, or to add a user to a team, or to create a team.
If the user does not exist yet in Keeper, they will receive an invite to sign up (or they can use just-in-time provisioning)
After the user has created their Keeper account, the user will not yet be assigned into a Keeper team until one of a few things happen: (a) Admin logs into the Admin Console > Click on "Full Sync" from the Admin screen (b) A user from the relevant team logs into the Web Vault or Desktop App (c) Admin runs team-approve from Keeper Commander The reason that teams and users can't be created instantly via SCIM, is due to the encryption model and the need to share a private key between users. Sharing an encryption key (e.g. Team Key) can only be performed by a user who is logged in, and has access to the necessary private keys.
Note: The next version of the Keeper Automator service (v3.0) will support the dynamic approvals of teams and team-user assignments. Read more about the Keeper Automator service.
In Keeper, a team that is provisioned must generate the necessary public/private encryption key pair for that team. Similarly, when a user is assigned to a team, the team private key is encrypted with the public key of the user. This way, a user who is assigned team folders in the Keeper vault is able to decrypt the necessary folder keys and record keys. Since Keeper is a zero knowledge platform, this transaction must occur from one of the authenticated client device applications, such as the Admin Console, Vault, Commander CLI or Automator tools.
When a team or a team-user assignment is provisioned through SCIM, the team creation and the user team assignment goes into a "pending queue". This queue is then processed by the authenticated client side application that either creates the necessary team keys and shares the private keys with the intended users.
Currently, team creation and team-user assignment occurs when:
The Admin logs in to the Keeper Admin Console UI
The Commander CLI "team-approve" command is run
The Keeper Automator service is deployed (version 3.2+)
If you need to quickly clear out your pending Team and Team-User assignments, please run the following steps on a periodic basis:
Install the Keeper Commander CLI
Login to Keeper Commander using keeper shell
Run the following commands:
For security reasons, Keeper will prevent Enterprise users outside of an SSO node from logging in with a federated identity provider. If you have users unable to login with SSO, please ensure that the user is provisioned to the node within the Keeper Admin Console to the SSO-enabled node. To move a user into an SSO node, edit the user and select the node from the drop-down.
Keeper's email system will automatically suppress delivery to an email that has bounced. This typically occurs if you set up someone's Keeper account before their email inbox exists. If you are in this situation with a particular user, please contact the Keeper B2B support team and we'll remove the email from our suppression list.
If your user's email has changed in your identity provider, you can simply add an alias to the user's identity in Keeper. This can be accomplished using the enterprise-user command. For example:
This command will only allow aliases to be created with reserved domains. To learn more about Keeper Commander, visit the documentation.
If your company is migrating users to a new email domain, Keeper supports enterprise-wide domain aliases to make the transition seamless. Open a support ticket to request a domain alias.
If you have an SSO user being asked to enter a Master Password:
Ensure that the user has been provisioned to an SSO-enabled node
Ensure that the user is logging in from the correct data center (US, EU, AU, JP, CA, GOV)
Device Approvals are a required component of the SSO Connect Cloud platform. Approvals can be performed by users, admins, or automatically using the Keeper Automator service.
Users can approve their additional devices by using a previously approved device. For example, if you are logged into your web vault on your computer already, and logging into your phone app for the first time, you will get a device approval prompt on your web vault with the mobile device's information which you can approve or deny.
Keeper SSO Connect Cloud™ provides Zero-Knowledge encryption while retaining a seamless login experience with any SAML 2.0 identity provider.
When a user attempts to login on a device that has never been used prior, an Elliptic Curve private/public key pair is generated on the new device. After the user authenticates successfully from their identity provider, a key exchange must take place in order for the user to decrypt the vault on their new device. We call this "Device Approval".
Using Guest, Private or Incognito mode browser modes or clearing the browsers cache will identify itself to keeper as a new device each time it is launched, and therefore will require a new device approval.
To preserve Zero Knowledge and ensure that Keeper's servers do not have access to any encryption keys, we developed a Push-based approval system that can be performed by the user or the designated Administrator. Keeper also allows customers to host a service which performs the device approvals and key exchange automatically, without any user interaction.
When logging into a new or unrecognized device, the user has two options:
Keeper Push (using their own devices)
Admin Approval (request administrator approval)
Or, you can skip this step completely by deploying the Keeper Automator service.
Keeper Automator can be deployed many ways, depending on your requirements. The least expensive method of using Automator would be using a micro instance of a Linux VM using the Docker Compose method. If you would like to use only cloud services, we recommend the AWS Container Service or Azure App Gateway method.
If logging into a new device takes 20-30 seconds to complete, this could be caused by your Keeper Automator service being misconfigured or inaccessible by the Keeper servers. Please disable the Keeper Automator in your environment using the "automator disable" command.
After an unexpected reboot of the container instance in Azure the container can sometimes come back up with a new IP address (e.g. x.x.0.5 even when the App Gateway had originally been provisioned with an IP of x.x.0.4 in the backend pool). Updating the IP of the container in the backend pool resolves this issue.
In the Azure cloud shell, retrieve the current IP:
az container show --name keeperautomatorcontainer --resource-group keeper_automator_rg --query ipAddress.ip --output tsv
In Azure portal select Resource groups > $your_resource_group > your Application Gateway > Backend pools > change Target IP to the new one from above.
Keeper's SSO Certificate expires annually in August timeframe. The new cert is available by logging into the Admin Console. If you need to update the Keeper SP Certificate, see the step by step instructions here.
Customers running SSO Connect On-Prem must renew SSL certificates on an annual basis. The date depends on when your SSL certificate is expiring. If you are receiving an SSL certificate error, please renew your cert by following the instructions here.
Please see the Keeper Commander troubleshooting page.
Please see the Secrets Manager troubleshooting page.
Please see the KCM troubleshooting page.
If you need help, please open a support ticket in our ServiceNow system.
If you need a phone call or Zoom call, just request this from the team and we will schedule it during business hours. Please be patient as we coordinate the call.
If you're a business customer having an emergency and need urgent support, make sure to use our ServiceNow support portal. On the support form, select the option "This is an emergency, outage, or other time-sensitive issue which requires immediate assistance".
We love hearing from Enterprise customers. Send your feature requests to: feedback@keepersecurity.com.
Join our Beta Slack Channel to post questions, feedback or receive new beta versions.