Troubleshooting

If you experience any errors, verify that:

  • You can log into each Windows Server from the Bravura Security Fabric server using the administrator ID and password you created.

  • You can mount a share (normally NETLOGON) on each Windows Server from the Bravura Security Fabric server using the administrator ID and password you created.

  • Remote Registry service is running on all workstations/servers.

  • When updating domain account credentials, ensure that the accountid has the domain name prepended to it, for example domain\accountid.

  • You can reset user passwords with User Manager for Domains on the Bravura Pass server, while logged in with the administrator ID and password you created.

  • The Windows Firewall rules allow remote access and management of the subscriber objects.
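The following pre-flight script checks the Remote Registry and share-mount items from the list above against each target. It is an added example, not part of the Bravura Security Fabric documentation; the server names are constructed, and it assumes WinRM is reachable on the targets and that the connector's administrator ID is entered at the prompt.

```powershell
# Added pre-flight check (not from the Bravura Security Fabric documentation).
# Assumes WinRM is reachable on each target; server names below are constructed.
$servers = @('srv01.example.com', 'srv02.example.com')
$cred    = Get-Credential -Message 'Connector administrator ID (DOMAIN\accountid)'

foreach ($server in $servers) {
    $result = [ordered]@{ Server = $server }

    # 1. Remote Registry service must be running on the target.
    try {
        $session = New-CimSession -ComputerName $server -Credential $cred -ErrorAction Stop
        $svc = Get-CimInstance -CimSession $session -ClassName Win32_Service `
                   -Filter "Name='RemoteRegistry'"
        $result.RemoteRegistry = $svc.State          # expect 'Running'
        Remove-CimSession $session
    } catch {
        $result.RemoteRegistry = "unreachable: $($_.Exception.Message)"
    }

    # 2. The NETLOGON share must mount with the same administrator credential.
    $drive = $null
    try {
        $drive = New-PSDrive -Name 'NLCHK' -PSProvider FileSystem -Root "\\$server\NETLOGON" `
                     -Credential $cred -ErrorAction Stop
        $result.NetlogonShare = 'mounted'
    } catch {
        $result.NetlogonShare = "failed: $($_.Exception.Message)"
    } finally {
        if ($drive) { Remove-PSDrive -Name 'NLCHK' -Force }
    }

    [pscustomobject]$result
}
```

Any row that is not "Running" / "mounted" identifies the target and the checklist item to fix before retrying the connector operation.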

Access is denied

If operations fail with the following error, this may be due to Windows’ UAC prompting for confirmation:

Failed: Access is denied. Failed to perform operation

Password changes performed by Bravura Privilege are logged to idmsuite.log and to the event viewer on the Windows Server.

To resolve this, you can:

  • Use the built-in administrator account as the target system credential, if the Windows Server is set with the default UAC settings.

  • If using psadmin as the target system credential, disable Admin Approval Mode by:

    • Editing the local security policy (secpol.msc) > Local Security Settings > Local Policies > Security Options to disable the User Account Control: Run all administrators in Admin Approval Mode setting.

    • Setting the following registry value (under HKEY_LOCAL_MACHINE) to 0:

      SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

  • Install a proxy server on the Windows Server and run the connector via the proxy.

  • Grant the requested account permission to execute commands in the WMIObject on the Windows target.

    From Windows Server 2008:

    1. Select Start > All programs > Administrative Tools > Computer Management.

    2. Select Services and Applications.

    3. Right click on the WMI Control folder and select Properties.

    4. Click on Security tab.

    5. Expand Root, click on WMI > Security.

    6. Add the account for which access is being requested.

Locked out accounts

If users report locked out accounts after using the Bravura Security Fabric web interface to change or reset their passwords, they should be instructed to log out of their workstations after any password change. This prevents the following sequence of events:

  1. The user’s workstation is configured to use ghosted connections, or caches login credentials.

  2. The user logs into their workstation with password A.

  3. The workstation stores the user-ID and the old password (A) for future reference.

  4. The user connects to the Bravura Security Fabric server and changes their password from A to B.

  5. Since this change took place on a different workstation in the domain (the Bravura Security Fabric server), the user’s workstation is unaware of the change.

  6. The user then attempts to connect to a new server on the network.

  7. The user’s workstation attempts to establish the connection using its stored (and now invalid) value for the password (A).

  8. The server or domain controller records an invalid login attempt, and may lock out the user’s account.

To avoid locked accounts, disable password caching and ghosted connections on all workstations, or use Password Manager Local Reset Extension to reset cached passwords on users' workstations.

Windows Firewall rules

If subscribers fail to list during auto discovery after they are configured to do so, this may be due to Windows Firewall not allowing the instance server to remotely access or manage the target system. You can edit the Windows Firewall rules under Start > Control Panel > Windows Firewall > Advanced settings. Verify that the following Firewall inbound rules are enabled and configured for the network profile used on the Windows Server:

For general listing of users, groups, attributes, subscribers, etc:

  • File and Printer Sharing (SMB-In)

For local service subscribers:

  • All Remote Service Management built-in rules (also required by IIS subscribers)

  • Alternately, have custom rules with the following configurations:

    1. Port: TCP:135 (aka "RPC Endpoint Mapper")

      Listener: %SystemRoot%\system32\svchost.exe

      Service: rpcss

    2. Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)

      Listener: %SystemRoot%\system32\services.exe

      Service: n/a

    3. Port: TCP:445

      Listener: System

      Service: n/a

For IIS subscribers:

  • A custom rule with the following configuration:

    • Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)

      Listener: %SystemRoot%\system32\dllhost.exe

      Service: n/a

For scheduled task subscribers:

  • All Remote Scheduled Tasks Management built-in rules

  • Alternately, have custom rules with the following configurations:

    1. Port: TCP:135 (aka "RPC Endpoint Mapper")

      Listener: %SystemRoot%\system32\svchost.exe

      Service: rpcss

    2. Port: TCP:49152-65535 (aka "RPC Dynamic Ports" range)

      Listener: %SystemRoot%\system32\svchost.exe

      Service: schedule
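The script below audits and enables the built-in rule groups listed above and, as the alternative, creates the custom port/listener/service rules for local service, IIS and scheduled task subscribers. It is an added example, not from the Bravura Security Fabric documentation; the "Bravura ..." rule names and the Domain profile are assumptions, and it must run in an elevated PowerShell session on the Windows Server target.

```powershell
# Added example (not from the Bravura Security Fabric documentation).
# Run elevated on the Windows Server target. Group names are the built-in
# Windows Firewall display groups; the 'Bravura ...' rule names are assumptions.
$groups = @('File and Printer Sharing',
            'Remote Service Management',
            'Remote Scheduled Tasks Management')

# Report any inbound rule in those groups that is not enabled, with its profile.
Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound |
    Where-Object { $_.Enabled -ne 'True' } |
    Select-Object DisplayName, Profile, Enabled

# Option 1: enable all inbound built-in rules in those groups.
Enable-NetFirewallRule -DisplayGroup $groups -Direction Inbound

# Option 2: the custom rules, mirroring the port/listener/service triples
# given for local service, IIS and scheduled task subscribers.
$custom = @(
    @{ Name = 'Bravura RPC Endpoint Mapper'; Port = '135';         Program = '%SystemRoot%\system32\svchost.exe';  Service = 'rpcss' },
    @{ Name = 'Bravura RPC Dynamic (SCM)';   Port = '49152-65535'; Program = '%SystemRoot%\system32\services.exe'; Service = $null },
    @{ Name = 'Bravura SMB';                 Port = '445';         Program = 'System';                             Service = $null },
    @{ Name = 'Bravura RPC Dynamic (DCOM)';  Port = '49152-65535'; Program = '%SystemRoot%\system32\dllhost.exe';  Service = $null },
    @{ Name = 'Bravura RPC Dynamic (Tasks)'; Port = '49152-65535'; Program = '%SystemRoot%\system32\svchost.exe';  Service = 'schedule' }
)
foreach ($r in $custom) {
    # Idempotent: skip rules that already exist.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) { continue }
    $params = @{
        DisplayName = $r.Name; Direction = 'Inbound'; Action = 'Allow'
        Protocol = 'TCP'; LocalPort = $r.Port; Program = $r.Program
        Profile = 'Domain'   # assumption: adjust to the profile the server uses
    }
    if ($r.Service) { $params['Service'] = $r.Service }
    New-NetFirewallRule @params | Out-Null
    "created rule '$($r.Name)'"
}
```

Scoping each custom rule to a listener program (and service where given) keeps the opened dynamic RPC range limited to the processes the connector actually talks to.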

Test for DNS access

On all Windows targets, "Failed to connect" errors can be traced to the inability of the operating system on which the target agent runs (application server or proxy) to resolve the name of the target, or the name of a domain controller on which to execute the agent operations.

To verify for failure to resolve domain controllers, run the following command on the target system:

nltest /DCLIST:domain.used.in.target.address

To check what domain controller a domain-joined system is communicating with at the moment, run the following command on the target system:

nltest /DSGETDC:domain.used.in.target.address

The latter can be used on a Bravura Security Fabric application server or proxy, or even on the workstation from which a password change request originates.

If the operating system fails to resolve the address of the target or find a domain controller, check with the relevant Windows or Active Directory administrators to set up correct DNS resolution (add trust between domains or DNS forwarding, or run required services on the affected domain controllers). The server on which Bravura Security Fabric's connector runs asks its own (joined domain) DNS for information on the other domains, so DNS forwarding or trust between the domains must be configured.

Listing failures due to IPC$ connection

When agtnt.exe attempts to connect to a Windows target system, it connects to the IPC$ share of that system. If this connection fails, managed accounts on the target system are not listed. The following type of error appears in the log:

connecting to [\\server.domain.com\IPC$] as [DOMAIN\SERVICEACCOUNT]..
failed to connect to server [\\server.domain.com\IPC$] (The network path was not found.)

If this failure persists for an already onboarded managed system, managed account changes will not be identified.

If this error persists for a newly created managed system, it may prevent the population of administrator target credentials.

agtnt.exe uses the Windows net use command to initiate connections to IPC$ shares on target systems. For more information on net use, see Microsoft documentation: net use.

Diagnosis

When there are failures for agtnt.exe to connect to the IPC$ share of a target system, a valid troubleshooting step is to use net use from the command prompt on the Bravura Security Fabric server to perform the same connection and check for errors:

net use \\server.domain.com\IPC$ /user:DOMAIN\SERVICEACCOUNT <password>

If the net use command is slow to respond (taking one to two minutes or more before returning a failure or success), this indicates that required firewall ports may not be open between the Bravura Security Fabric server and the target Windows systems.

Additional indicators of this issue include:

  • Running net use a second time to the same target succeeds after an initial failure or delay.

  • Running net use with the IP address instead of the FQDN returns a successful response immediately.

  • The net use command returns "System error 64 has occurred. The specified network name is no longer available."

These symptoms typically point to Kerberos authentication ports being blocked by a firewall between the Bravura Security Fabric server and the target systems or their domain controller. Packet capture analysis can confirm whether Kerberos traffic is being dropped.

Resolution

Ensure that the following ports are open between the Bravura Security Fabric server and the target Windows systems (and their domain controller) so that Kerberos authentication can complete successfully:

  • 88 (Kerberos)

  • 464 (Kerberos password change)

  • 53 (DNS)

  • 389 (LDAP)

  • 636 (LDAPS)

  • 445 (SMB)

For a complete list of ports used by Windows Server connectors, see Windows server ports. For additional reference, see Service overview and network port requirements - Windows Server.
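The script below combines the Diagnosis and Resolution steps: it tests TCP reachability of each listed port against the domain controller (and SMB against the target), then times the same net use command the page uses, so a one-to-two-minute delay or "System error 64" can be correlated with a blocked port. It is an added example, not part of the Bravura Security Fabric documentation; host names are constructed, and it runs on the Bravura Security Fabric server or proxy.

```powershell
# Added diagnostic (not from the Bravura Security Fabric documentation).
# Run on the Bravura Security Fabric server or proxy. Host names are constructed.
$target = 'server.domain.com'
$dc     = 'dc01.domain.com'     # from: nltest /DSGETDC:domain.com
$ports  = [ordered]@{ 88 = 'Kerberos'; 464 = 'Kerberos password change'; 53 = 'DNS'
                      389 = 'LDAP'; 636 = 'LDAPS'; 445 = 'SMB' }

# TCP reachability to the domain controller for every port in the Resolution list.
# Note: Test-NetConnection checks TCP only; UDP 53/88 are not covered here.
foreach ($p in $ports.Keys) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,5} {1,-26} {2}' -f $p, $ports[$p], $(if ($ok) { 'open' } else { 'BLOCKED' })
}
# SMB (445) must also be reachable on the target itself for the IPC$ connection.
$smb = (Test-NetConnection -ComputerName $target -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded
"  445 SMB to target            $(if ($smb) { 'open' } else { 'BLOCKED' })"

# Time the same net use the page describes; a response of a minute or more
# before success or failure is the symptom of blocked Kerberos ports.
$cred = Get-Credential -Message 'Target system credential (DOMAIN\SERVICEACCOUNT)'
$sw   = [System.Diagnostics.Stopwatch]::StartNew()
$out  = & net use "\\$target\IPC$" "/user:$($cred.UserName)" $cred.GetNetworkCredential().Password 2>&1
$sw.Stop()
'net use took {0:N1}s, exit code {1}' -f $sw.Elapsed.TotalSeconds, $LASTEXITCODE
$out | Select-String 'System error|completed successfully'
& net use "\\$target\IPC$" /delete 2>&1 | Out-Null   # clean up the session
```

Run the script again with the target's IP address in place of the FQDN; an immediate success by IP alongside a slow or failing result by name matches the Kerberos indicator described above.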

After the firewall changes have been applied:

  1. Verify that net use from the Bravura Security Fabric server to the target systems responds promptly without errors.

  2. If, after auto-discovery, the administrator credentials for the affected system's automatically discovered target remain empty, manually re-populate them; the next auto-discovery should then manage the accounts.

  3. Verify that discovery completes successfully and that the accounts on the affected system are managed.