Troubleshooting the Delinea Connector
Platform Can't Map a Federated User to an AD User
Check that all claims are correct. If all claims are correct, try re-registering the Delinea Connector.
Can't Add Local User with Duplicate Login ID
If a domain-joined user is set up in the Delinea Platform, a local user with the same User Principal Name (UPN) cannot be added later, even if the domain-joined user is deleted. An error message like the following occurs:
User name name@domain.com is already in use
When creating a local user in the platform, the platform will try to avoid creating duplicate objects by checking all available directories for the UPN before creating the user.
Remove the Connector to add the local user. To re-enable secure communication between the Delinea Platform and AD directories, reinstall the Connector. Also see Troubleshooting Federated Group Mapping.
Invalid Certificate Error Installing Connector
The remote certificate is invalid according to the validation procedure.
Resolution: This issue is commonly triggered by active deep SSL inspection, which must be disabled. Ensure that the IP addresses specified under Delinea Connector are allowed.
Missing or Unverified Certificate Error Installing Connector
Failed to obtain certificate or certificate verification failed.
Resolution:
- Make sure your Windows updates are up to date.
- Verify the accessibility of Certificate Revocation Lists (CRLs) by confirming access to the following:
  - http://cps.letsencrypt.org
  - http://r11.o.lencr.org/
  - http://x1.c.lencr.org/ (the CRL endpoint for the issuing subordinate CA, required to allow successful TLS negotiation and certificate chain check)
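Both certificate errors above can be checked from the Connector host with PowerShell. This added example (not Delinea tooling or code from this article) tests the listed endpoints and shows which certificate the host actually receives from the tenant; `$TenantHost` and the function names are assumptions.

```powershell
# Added example, not Delinea tooling. $TenantHost is a placeholder (assumption):
# set it to your platform tenant host name before running.
$TenantHost = 'tenant.example.invalid'

# Endpoints this article lists for certificate verification.
$endpoints = 'http://cps.letsencrypt.org', 'http://r11.o.lencr.org/', 'http://x1.c.lencr.org/'

function Test-HttpEndpoint {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        [pscustomobject]@{ Url = $Url; Reachable = $true; Detail = "HTTP $([int]$r.StatusCode)" }
    } catch {
        # Any HTTP status, even an error, proves the host answered. No response at all
        # points to DNS, proxy or firewall blocking.
        $resp = $_.Exception.Response
        $detail = if ($resp) { "HTTP $([int]$resp.StatusCode)" } else { $_.Exception.Message }
        [pscustomobject]@{ Url = $Url; Reachable = [bool]$resp; Detail = $detail }
    }
}

function Get-TlsPeerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new()
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever is presented so it can be inspected; no application data is sent.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # Validate the chain again with online revocation checking.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $ok = $chain.Build($cert)
        [pscustomobject]@{
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer   # an issuer owned by a proxy or firewall CA indicates TLS inspection
            ChainValid  = $ok
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    } finally { $tcp.Close() }
}

$endpoints | ForEach-Object { Test-HttpEndpoint $_ } | Format-Table -AutoSize
Get-TlsPeerCertificate -HostName $TenantHost | Format-List
```

Run it on the host where the Connector is installed. A revocation-related entry in `ChainStatus` together with an unreachable endpoint in the first table points at the CRL access problem rather than at SSL inspection.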
Unhandled Exception Error Installing Connector
Encountered unhandled exception in registering the proxy: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://<tenant url>/transport_rpc.svc
Resolution: Ensure that you are running the latest version of the Connector and try again.
Certificate Check Error Registering Connector
(500) Internal Server Error
Ensure that you are running the latest version of the Connector and try again.
Failed to Connect Error Registering Connector
Failed to connect to server using REST RPC
This error may indicate an incorrect platform tenant URL entry. Please revisit the platform tenant URL you provided and ensure its accuracy before attempting to register again.
Delinea Connector Configuration Application Stalls
This lasts for several minutes and the application is not accessible.
Check to see if any endpoint security applications such as SentinelOne are active on the host where the Connector is located, as they might disrupt the Connector during installation or registration.
Connector Fails to Connect to Platform
All connections from the Connector to the platform are outbound. No internet-facing ingress ports are required for the Connector. For more information, refer to Delinea Connector. If you use a proxy with the Connector, ensure that connectivity is established and that name resolution functions correctly. Search within your environment for potential issues originating from firewalls or packet inspection solutions, particularly those that could affect communication between the Connector and the platform.
Delinea Connector Auto-update not Working
AutoUpdate support was added after 4.1.x versions. Manually upgrade to the latest version of the Connector to take advantage of auto-update.
Authentication Fails After Connector Installed and Active
Users get this error message: Authentication (login or challenge) has failed. Please try again or contact your system administrator.
- Verify that the user is entering accurate Active Directory credentials to log in to the platform.
- Examine the Delinea Connector logs for potential errors.
- Investigate whether the issue is isolated to a particular user, and assess any unique factors (e.g., expired account).
- Confirm that the Connector status is active.
- Check connectivity using a Ping operation from the platform to the Connector.
Where Can I Access the Delinea Connector Logs?
Connector logs (such as log.txt) can be reviewed under C:\Program Files\Delinea\Delinea Connector
What are the Default Rotation Settings for Connector Logs?
The default maximum log file size is 2 MB, and the default maximum number of log backup entries is 450.
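One way to triage the Connector logs for the error messages quoted on this page, as an added PowerShell example (not Delinea tooling). Only the SCP error is stated here to appear in the logs; that the other messages are also logged, the `log*` pattern for rotated backups, and the function name are assumptions.

```powershell
# Added example, not Delinea tooling. The messages are the ones quoted in this article,
# mapped to the section that discusses them; the 'log*' backup pattern is an assumption.
$LogDir = 'C:\Program Files\Delinea\Delinea Connector'
$signatures = [ordered]@{
    'Failed to create or get proxy SCP'          = "Can't Query Active Directory Users or Groups After Connector Installed and Active"
    'Failed to connect to server using REST RPC' = 'Failed to Connect Error Registering Connector'
    'The remote certificate is invalid'          = 'Invalid Certificate Error Installing Connector'
    'certificate verification failed'            = 'Missing or Unverified Certificate Error Installing Connector'
    'EndpointNotFoundException'                  = 'Unhandled Exception Error Installing Connector'
}

if (-not (Test-Path $LogDir)) {
    # Constructed sample so the script also runs off-host; the line layout is invented.
    $LogDir = Join-Path ([System.IO.Path]::GetTempPath()) 'connector-log-sample'
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
    @('2024-01-01 00:00:00 ERROR Failed to create or get proxy SCP',
      '2024-01-01 00:00:05 INFO constructed sample line',
      '2024-01-01 00:00:09 ERROR Failed to create or get proxy SCP') |
        Set-Content -Path (Join-Path $LogDir 'log.txt')
}

function Find-ConnectorError {
    param([string]$Path)
    # Oldest file first, so the last match in each group is the most recent one.
    Get-ChildItem -Path $Path -Filter 'log*' -File |
        Sort-Object LastWriteTime |
        Select-String -SimpleMatch -Pattern @($signatures.Keys) |
        Group-Object Pattern |
        ForEach-Object {
            $last = $_.Group | Select-Object -Last 1
            [pscustomobject]@{
                Message  = $_.Name
                Count    = $_.Count
                LastSeen = "$($last.Filename):$($last.LineNumber)"
                Section  = $signatures[$_.Name]
            }
        }
}

Find-ConnectorError -Path $LogDir | Format-Table -AutoSize -Wrap
```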
What are Best Practices for using Federation and Active Directory Together?
- First set up the Connector so that on-premises AD is visible to your platform tenant.
- Then set up federation with mapping of users enabled as optional. This will cause federated users to become (map to) the AD users if possible when they log into the tenant.
Can't Query Active Directory Users or Groups After Connector Installed and Active
Upon inspection, I see a warning on the Connector configuration screen stating, "This Connector may not be discoverable from other computers," and there's an error in the logs saying, "Failed to create or get proxy SCP."
This could indicate a communication problem between the machine running the Connector and the Active Directory Domain Controller. Follow these steps to address this issue:
- Remove the machine object (that has the Connector) in Active Directory.
- Re-join the machine to the domain.
- Re-install the Connector.