Troubleshooting the Connector

Issue: The platform is unable to map a federated user to an AD user.

Resolution:

Check that all claims are correct. If all claims are correct, try re-registering the Connector.

Issue: Cannot add a local user with a duplicate login ID

Symptom:

Given that a domain-joined user is set up in the Delinea Platform, a local user with the same User Principal Name (UPN) cannot be added later, even if the domain-joined user is deleted. An error message like the following occurs:

User name name@domain.com is already in use

Cause:

When creating a local user in the platform, the platform will try to avoid creating duplicate objects by checking all available directories for the UPN before creating the user.

Resolution:

Remove the Connector so that the local user can be added. To re-enable secure communication between the Delinea Platform and AD directories, reinstall the Connector. Also see Troubleshooting Federated User and Group Mapping.

Issue: While installing the Connector, I get this error message:
The remote certificate is invalid according to the validation procedure.

Resolution: 
This issue is commonly triggered by active deep SSL inspection, which must be disabled. Ensure that the IP addresses specified under Delinea Connector are allowed.

Issue: While installing the Connector, I get this error message:
Failed to obtain certificate or certificate verification failed.

Resolution: 

  1. Make sure your Windows updates are up to date.

  2. Verify the accessibility of Certificate Revocation Lists (CRLs) by confirming access to the following:

  • http://cps.letsencrypt.org

  • http://x1.c.lencr.org/
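
A diagnostic for the two certificate errors above, added here as an example and not part of Delinea's documentation or tooling. Run on the Connector host, it lists the issuer of the certificate presented for the tenant (an issuer belonging to a proxy, firewall or internal CA points to SSL inspection) and checks whether the two listed URLs respond. `$TenantHost` is a placeholder, and the function names are made up for this example.

```powershell
# Assumption: placeholder for your platform tenant host name; not a value from this page.
$TenantHost = 'yourtenant.example.com'
# The two URLs listed in the resolution steps above.
$CrlUrls = 'http://cps.letsencrypt.org', 'http://x1.c.lencr.org/'

function Get-PresentedChain {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate so it can be inspected; no application data is sent.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # Rebuild the chain from the leaf with the local trust store and online revocation checks.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $valid = $chain.Build($leaf)
        [pscustomobject]@{
            Valid  = $valid
            Status = @($chain.ChainStatus | ForEach-Object { $_.Status })
            Chain  = @($chain.ChainElements | ForEach-Object {
                    [pscustomobject]@{ Subject = $_.Certificate.Subject; Issuer = $_.Certificate.Issuer } })
        }
    } finally { $tcp.Close() }
}

function Test-CrlEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
        [pscustomobject]@{ Url = $Url; Reachable = $true; Detail = "HTTP $([int]$r.StatusCode)" }
    } catch {
        # An HTTP error status still proves the host answered; no response means blocked or unresolved.
        $resp = $_.Exception.Response
        $detail = if ($resp) { "HTTP $([int]$resp.StatusCode)" } else { $_.Exception.Message }
        [pscustomobject]@{ Url = $Url; Reachable = [bool]$resp; Detail = $detail }
    }
}

$tls = Get-PresentedChain -HostName $TenantHost
"Chain valid: $($tls.Valid); status: $($tls.Status -join ', ')"
# An issuer naming a proxy, firewall or internal CA here points to SSL inspection.
$tls.Chain | Format-Table -AutoSize -Wrap
$CrlUrls | ForEach-Object { Test-CrlEndpoint -Url $_ } | Format-Table -AutoSize -Wrap
```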

Issue: While registering the Connector, I get this error message:
Encountered unhandled exception in registering the proxy: System.ServiceModel.EndpointNotFoundException: There was no endpoint listening at http://<tenant url>/transport_rpc.svc

Resolution: 
Ensure that you are running the latest version of the Connector and try again.

Issue: While registering the Connector, during certificate validation checks, I get this error:
(500) Internal Server Error


Resolution: 
Ensure that you are running the latest version of the Connector and try again.

Issue: While registering the Connector, I get this error message:
Failed to connect to server using REST RPC

Resolution: 
This error may indicate an incorrect platform tenant URL entry. Please revisit the platform tenant URL you provided and ensure its accuracy before attempting to register again.

Issue: After starting the Connector Configuration application, nothing happens for several minutes and the application is not accessible.

Resolution: 
Check to see if any endpoint security applications such as SentinelOne are active on the host where the Connector is located, as they might disrupt the Connector during installation or registration.

Issue: The Connector fails to connect to the platform.

Resolution: 
All connections from the Connector to the platform are outbound. No internet-facing ingress ports are required for the Connector. For more information, refer to Delinea Connector. If you use a proxy with the Connector, ensure that connectivity is established and that name resolution functions correctly. Search within your environment for potential issues originating from firewalls or packet inspection solutions, particularly those that could affect communication between the Connector and the platform.

Issue: Auto-update isn't working for my Connector

Resolution: 
Auto-update support was added after the 4.1.x versions. Manually upgrade to the latest version of the Connector to take advantage of auto-update.

Issue: The Connector is correctly installed and active, but AD users can't log in and they get this error message: Authentication (login or challenge) has failed. Please try again or contact your system administrator.

Resolution: 

  • Verify that the user is entering accurate Active Directory credentials to log in to the platform.

  • Examine the Connector logs for potential errors.

  • Investigate whether the issue is isolated to a particular user, and assess any unique factors (e.g., expired account).

  • Confirm that the Connector status is active.

  • Check connectivity using a Ping operation from the platform to the Connector.

Issue: I don't know where to access the Connector logs.

Resolution: Connector logs (such as log.txt) can be reviewed under C:\Program Files\Delinea\Delinea Connector

Issue: I don't know the default log rotation setting for the Connector logs

Resolution: The default maximum log file size is 2 MB, and the default maximum number of log backup entries is 450.

Issue: I want to use both Federation and Active Directory (AD) with the platform, but I don't know the best practices for doing this.

Resolution: 

  1. First set up the Connector so that on-premises AD is visible to your platform tenant.

  2. Then set up federation with mapping of users enabled as optional. This causes federated users to map to the corresponding AD users, where possible, when they log in to the tenant.

 

Issue: I can't query Active Directory users or groups from the platform, despite having an active connector.

Upon inspection, I see a warning on the Connector configuration screen stating, "This Connector may not be discoverable from other computers," and there's an error in the logs saying, "Failed to create or get proxy SCP."

Resolution:

This could indicate a communication problem between the machine running the Connector and the Active Directory Domain Controller. Follow these steps to address this issue:

  1. Remove the machine object for the computer that hosts the Connector from Active Directory.

  2. Rejoin the machine to the domain.

  3. Reinstall the Connector.