Logging Failed SCIM Requests in IIS

To start logging failed SCIM (System for Cross-domain Identity Management) requests in IIS (Internet Information Services), you can follow these steps:

  1. Open Server Manager and go to Manage -> Add Roles and Features.

  2. Select the Server Roles option to add the server roles to be added on the selected server.

  3. Select Next.

  4. In the Add Roles and Feature Wizard expand the Web Server (IIS) -> Health and Diagnostics roles and select both checkboxes (Request Monitor and Tracing).

  5. Select Next.

  6. Go to the Confirmation tab, and then select Install.

    7. Once the installation is completed, a restart is required on your machine for the roles to be successfully installed on your machine.

  7. Once Request Monitor and Tracing roles are installed, the Failed Request Tracing Rules option will appear in the features view in IIS.

  8. Open the Failed Request Tracing Rules, and select the Add... option.

  9. Select the All content option to trace all content, and then select Next.

  10. Select the Status Code option and add the status code range in the text box (indicating which status code requests we want to log). To only log failed requests, you can enter the status code range from 400-999.

  11. Select all the available trace providers and select Finish.

  12. Select the site where you want to record requests, then select the Failed Request Tracing... link in the Configure section.

  13. A pop-up window is displayed. Select the Enable checkbox, and select OK.

    14. If a request made through SCIM fails, the entire request including its header and body will be logged into the FailedReqLogFiles folder, located at C://inetpub/logs. The LogFiles folder contains logs of all requests with only the status code, and you can't retrieve the entire request object from the log file. The failed request log allows you to analyze the data that was passed through the request.

Troubleshooting for Known Issues and Error Messages

  • Access issues

When a non-admin user tries to log in to the SCIMConnector on a platform after the admin has set up the initial configurations, an access issue can occur. The current procedure requires the admin to approve a request sent when a non-admin user attempts to log in. However, the approval request may not be visible in the admin's inbox for action. As a workaround, the admin needs to manually grant the non-admin user Owner permission on the SCIM folder and secret within the secret server.

To troubleshoot access issues, you can refer to the following instructions on how to locate its access logs:

  1. Install SCIMConnector. For more information, see SCIM Connector Installation.

  2. Go to C:\inetpub\wwwroot\SCIMConnector\Logs and take a screenshot of the displayed logs.

  3. Go to the Settings tab, and got to the Secret Server tab.

  4. In the Base URL field. enter the secret server url.

  5. In the Account Name field enter the name of the secret server account.

  6. In the Password field enter the password of your account.

  7. Go to the Messages tab to display the logs.

When the application account does not have permission to create a folder at theroot level, the following error is displayed: Folder already created at root level, which meand that the SCIM Administrator cannot save the Secret Server configuration options. To fix this, add the application account as an owner to the folder in Secret Server.

Occasionally, when uninstalling and choosing to delete the settings file, the system may lock the settings file and throw an error.

The SCIM Connector should be uninstalled but a few files may still be present on the machine. Locate the SCIM Connector folder that IIS was pointing to and delete it. This may require a restart of IIS.

If the SCIM Connector site or virtual directory is still present in IIS, right-click on the site or virtual directory (IIS manager) and select “Remove”.

While running the SCIMConnector installer for ‘Repair’ make sure the command prompt is running in administrator mode. If not, it will get an error.

  • Username Update

When you update an existing username in Okta, for example, from abc.xyz@gmail.com to Abc.Xyz@gmail.com, and try to push this change back into the SecretServer, Okta will send a POST request to create a new user if the original user is disabled in SecretServer. Since SecretServer is not case-sensitive regarding usernames, it will treat both versions as the same name, causing a duplication error.

  • Unable to Log in Without Errors

If your code encounters unhandled exceptions, the UI may not display an error message. In such cases, check the Logs folder for the exact error message. These exceptions can occur due to encryption or decryption issues with configuration data and keys stored in the appSettings.json file. To resolve this, delete the existing values of the properties (Configuration, KEY, IV, TokenEncryptionKey, TokenSigningKey) from the appSettings.json file. To update this file, stop the application from IIS, remove the existing values, and then restart the application. For applications running in multiple-instance mode, update the appSettings.json file at the shared location. In single-instance mode, update the appSettings.json file in the SCIMConnector installation directory (C:\inetpub\wwwroot\SCIMConnector).

  • Installation or Uninstallation Issues

When the SCIM Connector is uninstalled, some files may remain on your workstation. To remove them, locate the SCIM Connector folder that IIS was pointing to and delete it. This may require restarting IIS. If the SCIM Connector site or virtual directory is still present in IIS, right-click on it in IIS Manager and select Remove. When running the SCIMConnector installer with the Repair option, ensure the command prompt is in administrator mode to avoid errors.

  • Folder is Already Created at the Root Level

When the application account is not permitted to create a folder at the root level, the following error is displayed: The folder has already been created at the root level, which means that the SCIM Administrator cannot save the Secret Server configuration options. To fix this, add the application account as an owner to the folder in the Secret Server.

  • Getting Exception in logs “Unable to establish connection due to invalid SSL certificate”

This exception appears while calling SCIMConnector endpoints. It means the SSL certificate verification check is enabled in SCIMConnector for the on-prem Secret Server.

To bypass SSL certificate verification:

  1. Open your computer's Internet Information Services (IIS) and stop the SCIMConnector application.

  2. Go to C:\inetpub\wwwroot\SCIMConnector and open the appsettings.json file.

  3. Set the SkipSSLCheck value as the following: SkipSSLCheck = true.

  4. Start the SCIMConnector application in Internet Information Services (IIS).

Most Common Error Messages

  • HTTP Error 5000.19 – Internal Server Error

The error message appears when starting the SCIMConnector application. The root cause of the issue is when the IIS server is installed, after installing the ASP.NET Core Windows Hosting Bundle (ASP.NET Core Runtime). The hosting bundle cannot add a new entry to the IIS configuration file during the installation. To troubleshoot the issue, re-run the Windows hosting bundle installer and select Repair. Alternatively, uninstall the existing Windows hosting bundle first and install it again.

  • Conflict (409)

This message appears when attempting to create a new user in Secret Server with a username that already exists,but the user is disabled.

When you update an existing username in Okta, for example, from abc.xyz@gmail.com to Abc.Xyz@gmail.com, and try to push this change back into the SecretServer, Okta will send a POST request to create a new user if the original user is disabled in Secret Server. Since Secret Server is not case-sensitive regarding usernames, it will treat both versions as the same name, causing a duplication error.

  • Secret Server Service is Unavailable

This error may appear when the wrong base URL of the Secret Server is not reachable or the SSL certificate check is enabled in SCIMConnector. To bypass the SSL check, refer to the Getting exception in logs “Unable to establish connection due to invalid SSL certificate” issue above.

  • Secret Requires a Permission

This means the application or an admin user doesn’t have permission to access the SCIMConnector secret. You must add owner permission to the secret for a particular user in the Secret Server.

  • SCIM folder was deleted. Contact your Secret Server admin to move the SCIM Secrets into the SCIM connector folder

This means that, for some reason, the SCIMConnector secret has been deleted or moved. Admin can recover this secret. If not, reconfigure the secret server in SCIMConnector after removing existing configuration data from the appSettings.json file.

  • Log in as administrator

This message appears when a non-admin user tries to log into the SCIMConnector before an admin user does the configuration.

  • Invalid application account

This means that the user is trying to configure the Secret Server in SCIMConnector using a non-application user account.

  • HTTPS connection is required for SCIM Connector

This error appears when SCIMConnector was configured only on HTTP in IIS. To access the the SCIMConnector from Bowser, the SCIMConnector must also be configured on HTTPS.

  • Endpoint name already exists and must be unique

This error appears when the user tries to create an endpoint in SCIMConnector, but an endpoint with the same name already exists in the Secret Server. It stores the endpoint as a secret in the Secret Server.

  • Secret Server is not configured for HTTPS. Configure HTTPS on Secret Server before continuing

This error appears if the Secret Server is not currently configured on HTTPS. Configure the Secret Server on HTTPS before further use.

  • Change installed SCIMConnector from multiple instance mode to single instance mode

Uninstall SCIMConnector, remove Environment variables (SCIM_PassPhrase, SCIM_SharedFolderPath, SCIM_HostName), and then install again in a single instance mode.

IIS Serer Errors

  • HTTP Error 500.19 - Internal Server Error

This issue arises when the IIS server is installed after the installation of the ASP.NET Core Windows Hosting Bundle (ASP.NET Core Runtime). The hosting bundle is unable to add a new entry to the IIS configuration file during the installation.

To troubleshoot the issue, re-run Windows hosting bundle installer and click Repair. Alternatively, uninstall the existing Windows hosting bundle first and install it again.

SCIM Errors

  • The specified filter syntax was invalid or the specified attribute and filter comparison combination is not supported

It means the provided filter is not in a valid format. You must check the valid syntax and send it again with the request.

The attempted modification is not compatible with the target attribute’s mutability or current state

This means that the user is trying to update an immutable attribute value. As per SCIM standard schema, we can update attributes that are mentioned mutable.

  • A required value was missing, or the value specified was not compatible with the operation or attribute type, or resource schema

This means that the provided data in the SCIMConnector endpoint request body is not compatible with the resource schema or operation, or some required filed values are missing.

  • Attribute ‘{0}’ is required

It means the SCIM request body does not contain the required attribute as per schema. Please check the schema for an entity (Users, Group, Containers, Privileged Data) and provide all the necessary attributes.

  • Attribute ‘{0}’ is readOnly

It means the user is trying to update a read-only attribute as per the schema. Please check the schema for an entity (Users, Group, Containers, PrivilegedData) and provide valid attributes.

  • Attribute ‘{0}’ MUST be unique

It means the record is already present with the provided attribute value in the Secret Server. Try with different values.

  • ‘{0}’ not found or disabled

It means the record is trying to fetch from the Secret Server with the disabled ID.

  • Resource ‘{0}’ not found

It means the record is trying to fetch from the Secret Server with no existing ID.

  • Filter string ‘{0}’ is not in proper format

The filter string provided when fetching all data from the Secret Server is not in the proper format. Provide a filter in a valid format.

  • Failed to insert data into SQLite tables

Internally, the SQL Lite database is being used to filter out data. Due to invalid data, this error might be occurred. Check logs to see the detailed information.

  • The size of the bulk operation exceeds the maxPayloadSize (1048576)

This error occurs when the bulk operation payload size exceeds the configured size. Increase the configured maxPayloadSize and try again.

  • The size of the bulk operation exceeds the maxOperation (1000)

This error occurs when no bulk operations exceed the configured count. Increase the configured max operation count and try again.

  • Invalid Secret Server SCIM report

This error might occur when SCIMConnector fails to create a new report in the secret server. Check the logs for detailed information.

  • Unknown error occurred while retrieving report data from Secret Server

This error might occur when SCIMConnector fails to fetch report data from the secret server. Check the logs for the detailed information.

  • The ‘{0}’ value was invalid. The specified {0} did not yield an attribute or attribute value that could be operated on

This error occurs when an invalid attribute or attribute value is sent in the PATCH request.

  • SCIM Connector could not find mapping for {0} right value with any of the Secret Server rights values

This means no mapping was found in SCIMConnector for permission from the Secret Server and Identity Providers. Add a mapping on the endpoint page.