Troubleshooting
If you experience any errors, verify that, from the Bravura Security Fabric server and using the administrator ID and password you created, you can:
Log into each Active Directory domain.
Mount a share (normally NETLOGON) on each domain controller.
Reset a user's password with the Active Directory Users and Computers MMC snap-in while logged in as that administrator ID.
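The three checks above, scripted so they can be repeated after every change to the administrator account or the domain. This is an added example, not Bravura Security Fabric code; the domain, domain controller, administrator ID and test account names are hypothetical, and the script assumes the RSAT ActiveDirectory module is installed on the Bravura Security Fabric server. Run it on that server:

```powershell
# Added example (not Bravura Security Fabric code): verify that the connector's
# administrator ID can log on, mount NETLOGON, and reset a password for one domain.
# Hypothetical values: domain corp.example.com, DC dc01, admin ID psadmin,
# and a dedicated throwaway test account ptest01 (never use a real user here).
Import-Module ActiveDirectory

$Domain   = 'corp.example.com'
$Dc       = 'dc01.corp.example.com'
$AdminId  = 'CORP\psadmin'
$TestUser = 'ptest01'

$cred = Get-Credential -UserName $AdminId -Message "Password for $AdminId"

# 1. Logon: authenticate to the domain controller as the administrator ID.
try {
    $d = Get-ADDomain -Server $Dc -Credential $cred -ErrorAction Stop
    Write-Host "[OK]   Authenticated to $($d.DNSRoot) on $Dc as $AdminId"
} catch {
    Write-Host "[FAIL] Logon to $Domain as $AdminId failed: $($_.Exception.Message)"
}

# 2. Share access: mount NETLOGON over SMB with the same credentials.
try {
    New-PSDrive -Name NETLOGON -PSProvider FileSystem -Root "\\$Dc\NETLOGON" `
                -Credential $cred -ErrorAction Stop | Out-Null
    $count = (Get-ChildItem NETLOGON:\ -ErrorAction Stop | Measure-Object).Count
    Write-Host "[OK]   Mounted \\$Dc\NETLOGON ($count entries visible)"
    Remove-PSDrive -Name NETLOGON
} catch {
    Write-Host "[FAIL] Could not mount \\$Dc\NETLOGON: $($_.Exception.Message)"
}

# 3. Password reset: reset the test account to a random value so the check
#    never leaves a known password behind. 24 random bytes in Base64 give
#    32 characters with upper, lower and digits, which satisfies the default
#    complexity policy.
try {
    $bytes = New-Object byte[] 24
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $TestUser -Server $Dc -Credential $cred `
                          -Reset -NewPassword $newPw -ErrorAction Stop
    Write-Host "[OK]   Reset password of $TestUser on $Dc as $AdminId"
} catch {
    Write-Host "[FAIL] Password reset for $TestUser failed: $($_.Exception.Message)"
}
```

A failure in step 1 usually means a wrong password, a disabled account, or a trust problem; a failure in step 2 with step 1 succeeding points at SMB or firewall restrictions on the domain controller; a failure in step 3 alone means the administrator ID lacks the "Reset password" right on the container holding the users.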
If users report locked out accounts after using the Bravura Security Fabric web interface to change or reset their passwords, instruct them to log out of their workstations after any password change. This prevents the following sequence of events:
The user’s workstation is configured to use ghosted connections, or caches login credentials.
The user logs into their workstation with password A.
The workstation stores the user-ID and the old password (A) for future reference.
The user connects to the Bravura Security Fabric server and changes their password from A to B.
Since this change took place on a different computer in the domain (the Bravura Security Fabric server), the user's workstation is unaware of the change.
The user then attempts to connect to a new server on the network.
The user’s workstation attempts to establish the connection using its stored (and now invalid) value for the password (A).
The server or domain controller records an invalid login attempt, and may lock out the user’s account.
To avoid locked accounts, disable password caching and ghosted connections on all workstations, or use the Password Manager Local Reset Extension to reset cached passwords on users' workstations.
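When a lockout of this kind is reported, the practical question is which machine is still presenting the old password. The following added example (not Bravura Security Fabric code) finds it from the domain controller's security log and then inspects the stored credentials on that machine. It assumes RSAT ActiveDirectory and the right to read the Security log on the PDC emulator, WinRM access to the workstation, and a hypothetical user name jdoe:

```powershell
# Added example (not Bravura Security Fabric code): locate the workstation that is
# retrying a stale password and clear the lockout. Hypothetical user: jdoe.
Import-Module ActiveDirectory

$User = 'jdoe'
# Every lockout is forwarded to the PDC emulator, so query it rather than any DC.
$Pdc  = (Get-ADDomain).PDCEmulator

# Current state of the account as the PDC emulator sees it.
Get-ADUser -Identity $User -Server $Pdc `
    -Properties LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime |
    Select-Object SamAccountName, LockedOut, badPwdCount, LastBadPasswordAttempt, AccountLockoutTime

# Security event 4740 ("A user account was locked out") on the PDC emulator carries
# the "Caller Computer Name", i.e. the machine that submitted the bad password.
# In the event's XML that value is stored in the TargetDomainName data field.
$events = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$callers = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data.TargetUserName -eq $User) {
        [pscustomobject]@{ Time = $e.TimeCreated; Caller = $data.TargetDomainName }
    }
}
$callers | Format-Table -AutoSize

# On each caller, list the two usual sources of a stale password from the sequence
# above: credentials saved for reconnecting shares (Credential Manager, mapped drives)
# and the interactive-logon cache. Requires WinRM (assumption).
foreach ($c in ($callers.Caller | Sort-Object -Unique)) {
    Write-Host "=== $c ==="
    Invoke-Command -ComputerName $c -ScriptBlock {
        cmdkey /list   # saved credentials; remove a stale entry with: cmdkey /delete:<target>
        net use        # mapped drives that reconnect using saved credentials
        # Number of domain logons cached locally ("Interactive logon: Number of
        # previous logons to cache"); 0 disables caching, as the text recommends.
        Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name CachedLogonsCount
    }
}

# Only after the stale credential is removed; otherwise the account locks again.
Unlock-ADAccount -Identity $User -Server $Pdc
```

Unlocking before the stale entry is removed just restarts the cycle, which is why the unlock is the last step.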
Creating accounts for users with the same name
In Active Directory, two users with the same common name cannot exist in the same container. When trying to create a new account for a user with the same name as an existing account, Bravura Security Fabric returns a failure message. To avoid this problem, you can modify the action for the cn attribute, so that new accounts are created with a unique common name.
Test for DNS access
On all Windows targets, "Failed to connect" errors can often be traced to the operating system on which the target agent runs (the application server or proxy) being unable to resolve the name of the target, or to find a domain controller on which to execute the agent operations.
To check whether the domain controllers of the target's domain can be resolved, run the following command on the system that runs the target agent (the application server or proxy):
nltest /DCLIST:domain.used.in.target.address
To check which domain controller a domain-joined system is communicating with at the moment, run the following command on that system:
nltest /DSGETDC:domain.used.in.target.address
The latter can be run on a Bravura Security Fabric application server or proxy, or even on the workstation from which a password change request originates.
If the operating system fails to resolve the address of the target or to find a domain controller, ask the relevant Windows or Active Directory administrators to set up correct DNS resolution (add a trust between the domains or DNS forwarding, or start the required services on the affected domain controllers). The server on which the Bravura Security Fabric connector runs asks the DNS of its own (joined) domain for information about the other domains, so DNS forwarding or a trust between the domains must be configured.
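The two nltest checks above, combined with the underlying DNS lookup and a port test, so that the cause of a "Failed to connect" can be narrowed down in one run. This is an added example, not Bravura Security Fabric code; run it on the application server or proxy that hosts the connector. The target domain other.example.net is a hypothetical value:

```powershell
# Added example (not Bravura Security Fabric code): from the server or proxy that
# runs the target agent, check DC resolution and reachability for a target domain.
# Hypothetical target domain:
$Domain = 'other.example.net'

# The DC locator (and nltest) start from these SRV records. They must be answerable
# by this server's own DNS, which is what forwarding or a trust provides.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    Write-Host "[FAIL] No _ldap._tcp.dc._msdcs SRV records for $Domain from this server's DNS"
} else {
    Write-Host "[OK]   SRV records for $Domain:"
    $srv | Where-Object Type -eq 'SRV' |
        Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize
}

# The same two checks the text describes, captured as strings for inspection.
$dclist = nltest /dclist:$Domain 2>&1 | ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { Write-Host "[FAIL] nltest /dclist:$Domain" } else { Write-Host "[OK]   nltest /dclist:$Domain" }
$dclist

$dsgetdc = nltest /dsgetdc:$Domain 2>&1 | ForEach-Object { "$_" }
if ($LASTEXITCODE -ne 0) { Write-Host "[FAIL] nltest /dsgetdc:$Domain" } else { Write-Host "[OK]   nltest /dsgetdc:$Domain" }
$dsgetdc

# Name resolution can succeed while a firewall still blocks the agent, so take the
# DC that the locator chose (the "DC: \\name" line) and test LDAP and SMB to it.
$dcLine = $dsgetdc | Select-String -Pattern 'DC:\s*\\\\(\S+)' | Select-Object -First 1
if ($dcLine) {
    $dc = $dcLine.Matches[0].Groups[1].Value
    foreach ($port in 389, 445) {
        $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
        $status = if ($r.TcpTestSucceeded) { 'OK  ' } else { 'FAIL' }
        Write-Host "[$status] ${dc}:$port"
    }
}
```

If the SRV lookup fails, the problem is DNS (no forwarding or conditional zone for the target domain) and nltest cannot succeed either; if the SRV lookup succeeds but nltest fails, the locator found records but could not contact a DC, which points at the Netlogon service on the DC or at the trust; if both succeed but the port tests fail, a firewall between the connector host and the chosen DC is blocking the agent operations.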