Troubleshooting

The following are frequently asked questions about troubleshooting Hyper-scalable Privileged Access Service, together with information about specific features and functionality:

  • Scripts won't run.
  • Unknown or non-existent node listed in NodeList.
  • Web node is installed but site does not appear.
  • What is the Logging Relay?
  • How to retrieve Node Logs
  • How to retrieve Connector Logs without a Logging Relay
  • How to provide a Support Report

Scripts Won't Run

If you receive an error such as:

Message: File <file name> cannot be loaded. The file <file> is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.

+ CategoryInfo : NotSpecified: ( [Write-Error], WriteErrorException

+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Centrify-Pas-Deploy.ps1

the script is being blocked by the PowerShell execution policy, either because the policy requires signed scripts or because the file carries an internet "mark of the web" and the policy is RemoteSigned. Review PowerShell Execution Policy for more information.
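As an added example (not part of the Delinea documentation), the following PowerShell checks the conditions behind that error before changing anything. The script path is an assumption; substitute the location of your deployment scripts.

```powershell
# Added example, not Delinea's own tooling. Diagnose why a deployment script such as
# Centrify-Pas-Deploy.ps1 refuses to run, and apply the narrowest fix that works.
$script = 'C:\PASDeploy\Centrify-Pas-Deploy.ps1'   # assumed location

# 1. Which policy actually applies? The most specific scope wins (Process, then
#    CurrentUser, then LocalMachine), and a Group Policy value (MachinePolicy or
#    UserPolicy) overrides all of them, so a local Set-ExecutionPolicy may be ignored.
Get-ExecutionPolicy -List

# 2. Is the script's Authenticode signature valid? "NotSigned" explains the error under
#    AllSigned; "HashMismatch" means the file changed after it was signed (edited or
#    corrupted in transfer) and should not be run until a clean copy is obtained.
$sig = Get-AuthenticodeSignature -FilePath $script
$sig | Format-List Status, StatusMessage, SignerCertificate

# 3. A file copied from the internet carries a Zone.Identifier alternate data stream
#    (mark of the web). Under RemoteSigned that alone triggers the error. If the file
#    came from a trusted source, remove the mark rather than loosening the policy.
if (Get-Item -Path $script -Stream Zone.Identifier -ErrorAction SilentlyContinue) {
    Unblock-File -Path $script
}

# 4. If the script is legitimately unsigned and the policy is Restricted or AllSigned,
#    relax it for this process only. Avoid Unrestricted or Bypass at LocalMachine scope
#    on a PAS node; it stays in effect for every script that runs there afterwards.
if ($sig.Status -ne 'Valid') {
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
}
```

If step 1 shows a MachinePolicy or UserPolicy value, the setting comes from Group Policy and must be changed there; the Process-scope override in step 4 will not take effect.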

Unknown or Non-existent Node Listed in NodeList

Nodes that no longer exist are listed when you run Centrify-PAS-NodeList.

Common Cause

The node was destroyed or lost, or it could not connect to the database when it was deprovisioned by running Centrify-PAS-Deploy -RemoveNode on the node itself, so its record was never removed from the database.

Solution

Run Centrify-PAS-RemoveNode from the Management node to remove the stale node record from the database.

Web Node is Installed But Site Doesn’t Appear

After you deploy a Web node with Centrify-PAS-Deploy -WebNode and set it active, browsing to the host name does not work.

Common Causes

There are several possibilities:

The name is not registered

To browse to the Web node, the host name must be registered with the appropriate name server. To verify this, from your client system, enter:

nslookup <hostname>

Example:

nslookup pas.corpnet.com

The returned IP address should match the public IP address of the node or, in a multi-node deployment, of the node's load balancer.

For example:

PS C:\> nslookup pas.corpnet.com
Server:  dns.google
Address:  8.8.4.4

Non-authoritative answer:
Name:    corpnet.com
Address:  108.167.88.99
Aliases:  pas.corpnet.com

This tells us that:

  1. The client's DNS server (configured in Windows network settings) is Google's resolver, 8.8.4.4.
  2. pas.corpnet.com resolves, as an alias, to a public IP address, that is, one outside the private ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16.

If, instead, we got:

PS C:\> nslookup pas.corpnet.com
Server:  dns.google
Address:  8.8.4.4

*** dns.google can't find pas.corpnet.com: Non-existent domain

This indicates that the name could not be resolved. Ensure the record exists in the zone's authoritative name server (for example, AWS Route 53 or GoDaddy).

This address is not the internal address of the Web node(s), but the public, internet-facing address of the load balancer or firewall.

Inaccessible IP Address

If the listed address from the above step comes back as a Private IP address or in any of the following ranges...

  • 10.0.0.0 – 10.255.255.255
  • 172.16.0.0 – 172.31.255.255
  • 192.168.0.0 – 192.168.255.255

...the IP address is not reachable from the outside world. The name needs an external, public (generally static) IP address. That address belongs to the load balancer, not to a Web node, unless there is only one Web node (not recommended).

Load Balancer Health Check Fails

Once you have verified that the name resolves to the Load Balancer, ensure the Load Balancer can see healthy web nodes.

  • The health check endpoint is /health/check. You should see all Web nodes listed, and at least those on the current deployment (Centrify-PAS-SetActiveDeployment) should display "healthy".

  • If you do not see any Web nodes, check your load balancer configuration.

  • If you see the correct Web nodes but they display as "unhealthy," verify that they are on the correct deployment. Navigate to the Web node by name from the node itself (this generally works because the deployment process adds the name to the local hosts file at c:\Windows\System32\Drivers\Etc\hosts) or by IP address, adding the "/health/check" path.

    [Screenshot: /health/check output for a Web node]

In this case, we see that the Role is active, with the Instance Name of "WR_Second." If the Web nodes list as offline, ensure they are powered up and booted.

  • From the Management node, ensure the Web node is listed as online and active from Centrify-PAS-NodeList.

    • If it is offline, it is not accessing the database and may not be running.
    • If it is online but inactive, it has the wrong deployment ID. You need to either change the active deployment with Centrify-PAS-SetActiveDeployment or you will need to deploy a node of the correct deployment.
  • RDP into the Web node and verify that IIS is running and that there is a c:\CentrifyNode directory.

    If any of these checks fail, it may be necessary to re-image and re-deploy this Web node.
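The checks above, walked through from a client system as one added PowerShell example (not part of the Delinea documentation): name resolution, the private-range test, the load balancer's health page, and basic reachability of each Web node. The host name, the node names and internal IPs, and the use of HTTPS on port 443 are assumptions.

```powershell
# Added example, not Delinea's own tooling. Diagnose "site does not appear" for a Web node.
$fqdn  = 'pas.corpnet.com'                     # assumed public name of the deployment
$nodes = @{ 'WR_Second' = '10.0.1.21' }        # assumed Web node names and internal IPs

# RFC 1918 test, matching the three private ranges listed above.
function Test-PrivateIPv4 {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne 'InterNetwork') { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# 1. Does the name resolve, and to what? Resolve-DnsName is the cmdlet form of nslookup;
#    a CNAME (the Aliases line in nslookup) is followed to the final A record(s).
try {
    $answers = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
} catch {
    throw "$fqdn does not resolve; create the record in the zone's authoritative DNS. ($_)"
}
$addresses = $answers | Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
foreach ($a in $addresses) {
    if (Test-PrivateIPv4 $a) {
        Write-Warning "$fqdn resolves to $a, a private address; it must point to the load balancer's public IP."
    } else {
        Write-Host "$fqdn -> $a (public)"
    }
}

# 2. Can the load balancer see healthy Web nodes? Fetch /health/check through the public name
#    and read the node list; nodes on the active deployment should report healthy.
try {
    $lb = Invoke-WebRequest -Uri "https://$fqdn/health/check" -UseBasicParsing -ErrorAction Stop
    Write-Host "Load balancer health page: HTTP $($lb.StatusCode)"
    $lb.Content
} catch {
    Write-Warning "No response from https://$fqdn/health/check; check the load balancer configuration. ($_)"
}

# 3. Is each Web node at least listening? A closed port means the node is down or IIS is
#    not running; an open port with an unhealthy entry in step 2 points at the wrong
#    deployment ID (Centrify-PAS-NodeList / Centrify-PAS-SetActiveDeployment). Browse
#    /health/check on the node itself for its Role and Instance Name, as described above.
foreach ($n in $nodes.GetEnumerator()) {
    $open = Test-NetConnection -ComputerName $n.Value -Port 443 -InformationLevel Quiet
    if ($open) { Write-Host "$($n.Key) ($($n.Value)): port 443 open" }
    else       { Write-Warning "$($n.Key) ($($n.Value)): port 443 closed; check power, boot and IIS" }
}
```

Run step 1 from outside the corporate network as well as inside it; a split-horizon DNS setup can return the private address internally and the public address externally, and only the external answer matters for internet-facing users.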

What is the Logging Relay?

The Logging Relay provides several features including the following:

  • Aggregates logs from all deployed Web and Background nodes, providing a single place to retrieve them.

  • Enables the Management Node to watch the logs, using LogWatcher (Centrify-PAS-WatchLogs).

In addition to being essential for troubleshooting, the output provided by a Logging Relay plus LogWatcher can be fed into a custom or Splunk-like parser to generate real-time analytics and alerts.

How to Retrieve Node Logs

On the Logging Node, you can find the logs at c:\Centrify\Logs. Their names contain the date ranges and log type.

For example, for an installation with a hostname (URL) of pas.corpnet.com, the logs covering 9:00 pm to 11:59 pm on May 14, 2020 (one pair of files per hour) will have names similar to the following:

  • 2020-05-14-21-pas.corpnet.com-navel.log
  • 2020-05-14-21-pas.corpnet.com.log
  • 2020-05-14-22-pas.corpnet.com-navel.log
  • 2020-05-14-22-pas.corpnet.com.log
  • 2020-05-14-23-pas.corpnet.com-navel.log
  • 2020-05-14-23-pas.corpnet.com.log

The plain .log files have standard log data in them, while the -navel.log files are not human-readable, and contain timing data about internal operations that help Delinea determine where a task might be taking longer than expected.

For convenience, you can run Centrify-PAS-GetDiags.ps1 on the Logging Node, specifying a start date, start hour, and duration (in hours). This packages the logs from all nodes, plus the connector logs, for that window.
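As an added example (not Delinea's Centrify-PAS-GetDiags.ps1), the following PowerShell selects the hourly log files for a time window from the naming scheme shown above and packages them, which is useful when you want to hand support only a narrow window or to filter out the binary -navel.log files. The log directory is the one named above; the window and output path are assumptions.

```powershell
# Added example, not Delinea's own tooling. Collect C:\Centrify\Logs files for a time window.
$logDir = 'C:\Centrify\Logs'
$start  = Get-Date '2020-05-14 21:00'          # assumed start date and hour
$hours  = 3                                    # assumed duration
$end    = $start.AddHours($hours)
$out    = Join-Path $env:TEMP ('pas-logs-{0:yyyyMMdd-HH}.zip' -f $start)   # assumed output

# File names are <yyyy-MM-dd>-<HH>-<hostname>[-navel].log; pull the date and hour from the prefix.
$pattern = '^(?<date>\d{4}-\d{2}-\d{2})-(?<hour>\d{2})-(?<host>.+?)(?<navel>-navel)?\.log$'

$selected = Get-ChildItem -Path $logDir -Filter '*.log' -File | Where-Object {
    if ($_.Name -match $pattern) {
        $t = Get-Date ('{0} {1}:00' -f $Matches.date, $Matches.hour)
        ($t -ge $start) -and ($t -lt $end)
    }
}
if (-not $selected) { throw "No log files in $logDir between $start and $end" }

# Report what was picked up; -navel.log files are binary timing data for Delinea, not for reading.
$selected |
    Group-Object { if ($_.Name -like '*-navel.log') { 'navel' } else { 'standard' } } |
    ForEach-Object { '{0,-8} {1} file(s)' -f $_.Name, $_.Count }

Compress-Archive -Path $selected.FullName -DestinationPath $out -Force
"Wrote $out"
```

To exclude the timing files and ship only the human-readable logs, add `| Where-Object { $_.Name -notlike '*-navel.log' }` after the selection; support will usually want both, so keep the full set unless size is a problem.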

How to Retrieve Connector Logs without a Logging Relay

The documented process is to install a Logging Relay prior to installing any other nodes.

Delinea cannot guarantee support of an installation that did not follow the documented process.

If your Logging Relay is not available for some reason, Centrify-PAS-GetDiags can also be run from the Management Node. You can only retrieve connector logs using this method since the Management node can't reach the Web or Background Node logs.

How to Provide a Support Report

In addition to logs, basic information about the installation and environment can help Delinea quickly find the cause of most reported issues.

The Support Report includes information about all deployed nodes, the versions of the database and binaries installed, and various run-time data including:

  • Delinea connectors, including current status and latency.

  • CurrentDeploymentId

  • DatabaseConnections. This is for debugging database issues. There is no PII in this.

  • DeploymentHistory and SchemaHistory, including binary (cloud) versions.

  • Running and Queued Jobs. In a healthy system, this is usually empty or nearly empty.

  • Nodes including type, name, and the basic environment.

  • StatSnap. These are scale statistics. For example, the count of (but not enumeration of) devices, entitlements, systems, etc.

    None of this information exposes confidential data, but you may still want to review it before submitting.

Delinea cannot retrieve this information directly, unless you provide explicit remote access and permission. The information can only be generated using one of the following methods:

  • In the Admin Portal, using the Support menu located in the upper right area of the screen.

  • By calling the /health/SupportInfo endpoint. For example, with CCLI.
  • By running Centrify-PAS-NodeList.ps1 -Support on the Management Node.