
Troubleshooting

If you experience any errors, verify that:

  • You can log into each Windows Server from the Bravura Security Fabric server using the administrator ID and password you created.

  • You can mount a share (normally NETLOGON) on each Windows Server from the Bravura Security Fabric server using the administrator ID and password you created.

  • Remote Registry service is running on all workstations/servers.

  • When updating domain account credentials, ensure that the account ID has the domain name prepended to it, for example domain\accountid.

  • You can reset user passwords with User Manager for Domains on the Bravura Pass server, while logged in with the administrator ID and password you created.

  • The Windows Firewall rules allow remote access and management of the subscriber objects.
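The checks in the list above, scripted from the Bravura Security Fabric server. This is an added example, not part of the product documentation; it assumes Windows PowerShell 5.1 (Get-Service -ComputerName is not available in PowerShell 7), and the server and account names in the usage lines are constructed.

```powershell
function Test-TargetPrerequisites {
    param(
        [Parameter(Mandatory)][string[]]$Server,          # Windows Servers managed by the connector
        [Parameter(Mandatory)][pscredential]$Credential,  # the administrator ID you created
        [string]$Share = 'NETLOGON'
    )
    # A domain account must be written as domain\accountid (see the list above).
    if ($Credential.UserName -notmatch '^[^\\]+\\[^\\]+$') {
        Write-Warning "'$($Credential.UserName)' has no domain prefix; use the form domain\accountid"
    }
    foreach ($s in $Server) {
        $result = [ordered]@{ Server = $s }
        # TCP 445 carries SMB (share access, most listing); TCP 135 is the RPC endpoint mapper.
        foreach ($port in 445, 135) {
            $result["Tcp$port"] = (Test-NetConnection -ComputerName $s -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        # Mount the share with the supplied credential: the scripted form of the manual share check.
        $drive = $null
        try {
            $drive = New-PSDrive -Name BravuraChk -PSProvider FileSystem -Root "\\$s\$Share" -Credential $Credential -ErrorAction Stop
            $result.ShareAccess = Test-Path 'BravuraChk:\'
        } catch {
            $result.ShareAccess = $false
            $result.ShareError  = $_.Exception.Message
        } finally {
            if ($drive) { Remove-PSDrive -Name BravuraChk -Force }
        }
        # The Remote Registry service must be running on every target.
        try {
            $result.RemoteRegistry = (Get-Service -ComputerName $s -Name RemoteRegistry -ErrorAction Stop).Status
        } catch {
            $result.RemoteRegistry = 'Unknown (' + $_.Exception.Message + ')'
        }
        [pscustomobject]$result
    }
}

# Usage, with constructed names:
# $cred = Get-Credential 'CORP\psadmin'
# Test-TargetPrerequisites -Server 'fs01','fs02' -Credential $cred | Format-List
```

A target that shows Tcp445 or ShareAccess as False usually points at the firewall rules or credentials covered in the sections below.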

Access is denied

If operations fail with the following error, the cause may be Windows User Account Control (UAC), which prompts for confirmation of administrative operations:

Failed: Access is denied. Failed to perform operation

Password changes performed by Bravura Privilege are logged to idmsuite.log and to the Event Viewer on the Windows Server.

To resolve this, you can:

  • Use the built-in administrator account as the target system credential, if the Windows Server uses the default UAC settings.

  • If using psadmin as the target system credential, disable Admin Approval Mode by either:

    • Editing the local security policy (secpol.msc) > Local Security Settings > Local Policies > Security Options to disable the User Account Control: Run all administrators in Admin Approval Mode setting.

    • Setting the following registry value (under HKEY_LOCAL_MACHINE) to 0:

      SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

    A restart of the Windows Server is required for either change to take effect.

  • Install a proxy server on the Windows Server and run the connector via the proxy.

  • Grant the account used for the connection the Execute Methods permission in WMI on the Windows target.

    On Windows Server 2008 and later:

    1. Select Start > All programs > Administrative Tools > Computer Management.

    2. Select Services and Applications.

    3. Right click on the WMI Control folder and select Properties.

    4. Click on Security tab.

    5. Expand Root, then select WMI > Security.

    6. Add the account for which access is being requested.
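To decide which of the resolutions above applies before changing anything, the following added example (not from the documentation) reads EnableLUA on the target through the Remote Registry service and checks whether the configured credential is the built-in administrator (RID 500), whose token UAC does not filter by default. It assumes the account running it can read the target's registry remotely and look up the account through the WinNT provider; the server and account names are constructed.

```powershell
function Get-UacDiagnosis {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$TargetAccount   # e.g. 'FS01\psadmin' or 'CORP\psadmin'
    )
    # Read EnableLUA through the Remote Registry service (no value present means the default, 1).
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    try {
        $key = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
        $enableLua = if ($key) { [int]$key.GetValue('EnableLUA', 1) } else { 1 }
    } finally {
        $hklm.Close()
    }
    # Look the account up through the WinNT provider so that local accounts on the target resolve too.
    $authority, $name = $TargetAccount -split '\\', 2
    if (-not $name) { $name = $authority; $authority = $Server }
    $user = [ADSI]"WinNT://$authority/$name,user"
    $sid  = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$user.objectSid.Value, 0)
    # The built-in administrator's SID always ends in -500; UAC does not filter its token by default.
    $isBuiltInAdmin = $sid.Value.EndsWith('-500')
    $finding = if ($isBuiltInAdmin) {
        'Built-in administrator: not filtered under the default UAC settings'
    } elseif ($enableLua -eq 1) {
        'Admin Approval Mode is on and the credential is not the built-in administrator: expect "Access is denied"'
    } else {
        'Admin Approval Mode is off (EnableLUA=0): look for another cause'
    }
    [pscustomobject]@{
        Server = $Server; TargetAccount = $TargetAccount; Sid = $sid.Value
        IsBuiltInAdmin = $isBuiltInAdmin; EnableLUA = $enableLua; Finding = $finding
    }
}

# Usage (constructed names): Get-UacDiagnosis -Server 'fs01' -TargetAccount 'fs01\psadmin'
```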

Locked out accounts

If users report locked out accounts after using the Bravura Security Fabric web interface to change or reset their passwords, they should be instructed to log out of their workstations after any password change. This prevents the following sequence of events:

  1. The user’s workstation is configured to use ghosted connections, or caches login credentials.

  2. The user logs into their workstation with password A.

  3. The workstation stores the user-ID and the old password (A) for future reference.

  4. The user connects to the Bravura Security Fabric server and changes their password from A to B.

  5. Since this change took place on a different workstation in the domain (the Bravura Security Fabric server), the user’s workstation is unaware of the change.

  6. The user then attempts to connect to a new server on the network.

  7. The user’s workstation attempts to establish the connection using its stored (and now invalid) value for the password (A).

  8. The server or domain controller records an invalid login attempt, and may lock out the user’s account.

To avoid locked accounts, disable password caching and ghosted connections on all workstations, or use the Password Manager Local Reset Extension to reset cached passwords on users' workstations.

Windows Firewall rules

If subscribers fail to list during auto discovery after they are configured to do so, this may be due to Windows Firewall not allowing the instance server to remotely access or manage the target system. You can edit the Windows Firewall rules under Start > Control Panel > Windows Firewall > Advanced settings. Verify that the following Firewall inbound rules are enabled and configured for the network profile used on the Windows Server:

For general listing of users, groups, attributes, subscribers, etc.:

  • File and Printer Sharing (SMB-In)

For local service subscribers:

  • All Remote Service Management built-in rules (also required by IIS subscribers)

  • Alternatively, create custom rules with the following configurations:

    1. Port: TCP:135 (aka "RPC Endpoint Mapper")

      Listener: %SystemRoot%\system32\svchost.exe

      Service: rpcss

    2. Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)

      Listener: %SystemRoot%\system32\services.exe

      Service: n/a

    3. Port: TCP:445

      Listener: System

      Service: n/a

For IIS subscribers:

  • A custom rule with the following configuration:

    • Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)

      Listener: %SystemRoot%\system32\dllhost.exe

      Service: n/a

For scheduled task subscribers:

  • All Remote Scheduled Tasks Management built-in rules

  • Alternatively, create custom rules with the following configurations:

    1. Port: TCP:135 (aka "RPC Endpoint Mapper")

      Listener: %SystemRoot%\system32\svchost.exe

      Service: rpcss

    2. Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)

      Listener: %SystemRoot%\system32\svchost.exe

      Service: schedule
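An added example (not from the documentation) that audits the built-in rule groups listed above against the network profile the Windows Server is actually using, and creates the three custom rules for local service subscribers scoped to the instance server. It assumes the NetSecurity module (Windows Server 2012 and later), an elevated session on the Windows Server, and uses a constructed placeholder for the instance server address.

```powershell
function Test-SubscriberFirewallRules {
    param([string[]]$DisplayGroup = @('Remote Service Management', 'Remote Scheduled Tasks Management'))
    # Map the active connection profile (DomainAuthenticated/Private/Public) to firewall profile names.
    $active = @((Get-NetConnectionProfile).NetworkCategory -replace 'DomainAuthenticated', 'Domain' | Select-Object -Unique)
    $rules = @(Get-NetFirewallRule -DisplayName 'File and Printer Sharing (SMB-In)' -ErrorAction SilentlyContinue)
    foreach ($g in $DisplayGroup) { $rules += @(Get-NetFirewallRule -DisplayGroup $g -ErrorAction SilentlyContinue) }
    foreach ($r in $rules) {
        # A rule only helps if it is enabled and covers the profile in use (or Any).
        $profiles = "$($r.Profile)" -split ',\s*'
        $covered  = ($profiles -contains 'Any') -or [bool]($active | Where-Object { $profiles -contains $_ })
        [pscustomobject]@{
            Rule = $r.DisplayName; Group = $r.DisplayGroup; Enabled = $r.Enabled; Profile = $r.Profile
            Effective = $covered -and ($r.Enabled -eq 'True')
        }
    }
}

function New-LocalServiceSubscriberRules {
    # Custom equivalents of the three local-service rules above, limited to the instance server's address.
    param(
        [Parameter(Mandatory)][string]$InstanceServer,   # placeholder: the Bravura Security Fabric server address
        [string]$Profile = 'Domain'                      # set to the profile the Windows Server actually uses
    )
    $common = @{ Direction = 'Inbound'; Protocol = 'TCP'; Action = 'Allow'; Profile = $Profile; RemoteAddress = $InstanceServer }
    # 1. RPC Endpoint Mapper, served by the rpcss service inside svchost.exe
    New-NetFirewallRule -DisplayName 'Bravura RPC Endpoint Mapper (TCP 135)' -LocalPort 135 `
        -Program '%SystemRoot%\system32\svchost.exe' -Service rpcss @common
    # 2. RPC dynamic port range answered by the Service Control Manager (services.exe)
    New-NetFirewallRule -DisplayName 'Bravura RPC Dynamic Ports (services.exe)' -LocalPort '49152-65535' `
        -Program '%SystemRoot%\system32\services.exe' @common
    # 3. SMB, served by the kernel ("System")
    New-NetFirewallRule -DisplayName 'Bravura SMB (TCP 445)' -LocalPort 445 -Program 'System' @common
}

# Usage (constructed address): Test-SubscriberFirewallRules | Format-Table
#                               New-LocalServiceSubscriberRules -InstanceServer '10.0.0.5'
```

Rows with Effective = False are rules that exist but are either disabled or bound to a profile other than the one in use.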

Test for DNS access

On all Windows targets, "Failed to connect" errors can often be traced to the operating system on which the target agent runs (the application server or the proxy) failing to resolve the name of the target, or the name of a domain controller on which to execute the agent operations.

To check whether the domain controllers of the target's domain can be resolved, run the following command on the target system:

nltest /DCLIST:domain.used.in.target.address

To check which domain controller a domain-joined system is currently communicating with, run the following command on the target system:

nltest /DSGETDC:domain.used.in.target.address

The latter can also be run on a Bravura Security Fabric application server or proxy, or even on the workstation from which a password change request originates.

If the operating system fails to resolve the address of the target or to find a domain controller, check with the relevant Windows or Active Directory administrators to set up correct DNS resolution (add a trust between the domains or DNS forwarding, or run the required services on the affected domain controllers). The server on which Bravura Security Fabric's connector runs asks the DNS of its own (joined) domain for information on the other domains, so DNS forwarding or a trust between the domains must be configured.
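An added example (not from the documentation) that runs the two nltest checks above together with the DNS lookups they depend on, from the server where the connector or proxy runs. It assumes the DnsClient module (Windows Server 2012 and later); the host and domain names in the usage line are constructed placeholders.

```powershell
function Test-TargetDomainResolution {
    param(
        [Parameter(Mandatory)][string]$Target,   # host name as written in the target address
        [Parameter(Mandatory)][string]$Domain    # domain used in the target address
    )
    $r = [ordered]@{ Target = $Target; Domain = $Domain }
    # Can this server resolve the target host at all?
    $r.TargetResolves = [bool](Resolve-DnsName -Name $Target -Type A -ErrorAction SilentlyContinue)
    # Domain controller discovery relies on the _ldap._tcp.dc._msdcs SRV records of the target domain.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    $r.DcSrvRecords = @($srv | ForEach-Object { $_.NameTarget }) -join ', '
    # nltest /DCLIST enumerates the domain's DCs; /DSGETDC shows which DC this system would use.
    $dclist  = & nltest /DCLIST:$Domain 2>&1
    $r.DcListOk = ($LASTEXITCODE -eq 0)
    $dsgetdc = & nltest /DSGETDC:$Domain 2>&1
    $r.DsGetDcOk = ($LASTEXITCODE -eq 0)
    # The first line of /DSGETDC output reads "DC: \\<name>"; pull the name out for the report.
    $r.CurrentDc = ($dsgetdc | Select-String -Pattern '^\s*DC:\s*(\S+)' |
                    ForEach-Object { $_.Matches[0].Groups[1].Value }) -join ''
    $r.Advice = if (-not $r.TargetResolves -or -not $r.DcSrvRecords) {
        "DNS for $Domain is not reachable from this server: configure DNS forwarding or a trust with the connector server's domain"
    } elseif (-not $r.DsGetDcOk) {
        'DCs are published in DNS but the locator cannot reach one: check the DC services and the nltest output'
    } else {
        'Name resolution and DC location succeed; look elsewhere for the "Failed to connect" cause'
    }
    [pscustomobject]$r
}

# Usage (constructed names): Test-TargetDomainResolution -Target 'fs01.corp.example' -Domain 'corp.example' | Format-List
```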