Troubleshoot Resource Broker Issues

Error: "The client and server cannot communicate, because they do not possess a common algorithm"

Summary

When trying to install the Resource Broker Bundle, after entering the install key, you receive a communication error indicating “The client and server cannot communicate, because they do not possess a common algorithm”. The following exception is indicated in the install log:

Failed to execute SetComboboxZonesCustomAction

System.AggregateException: One or more errors occurred. ---> System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a receive. ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm


at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.ConnectStream.WriteHeaders(Boolean async)

Cause

If the installed .NET Framework version is earlier than 4.6, the SchUseStrongCrypto registry key defaults to 0, and the TLS handshake to the cloud service fails with the error above because the client never offers TLS 1.2. This key must have a value of 1 to use TLS 1.2. On .NET Framework 4.6 or later, the key defaults to 1 and no change is required.

Resolution

Set the SchUseStrongCrypto (DWORD) registry key found under HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319 to a value of 1 to force the use of TLS 1.2, and then restart the system.

If the SchUseStrongCrypto registry key does not exist, you must create it.
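The following PowerShell script is an added example (not BeyondTrust's own tooling) that performs the check and fix described above: it reads SchUseStrongCrypto under the path named in this article, creates it with a value of 1 if it is missing, corrects it if it is 0, and prints the installed .NET Framework 4.x Release value so you can confirm which default applies. It assumes an elevated PowerShell session. The Wow6432Node path is an addition beyond the article; it is the equivalent key read by 32-bit .NET processes on a 64-bit system.

```powershell
# Added example: verify and set SchUseStrongCrypto so .NET Framework 4.x
# clients negotiate TLS 1.2. Run from an elevated PowerShell session.
# First path: the one named in the article (64-bit processes).
# Second path: equivalent key for 32-bit processes (assumption beyond the article).
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Host "$path not present; skipping"
        continue
    }

    $current = Get-ItemProperty -Path $path -Name SchUseStrongCrypto -ErrorAction SilentlyContinue

    if ($null -eq $current) {
        # Key absent: the article says it must be created as a DWORD with value 1.
        Write-Host "$path : SchUseStrongCrypto missing -> creating with value 1"
        New-ItemProperty -Path $path -Name SchUseStrongCrypto -PropertyType DWord -Value 1 | Out-Null
    }
    elseif ($current.SchUseStrongCrypto -ne 1) {
        Write-Host "$path : SchUseStrongCrypto = $($current.SchUseStrongCrypto) -> setting to 1"
        Set-ItemProperty -Path $path -Name SchUseStrongCrypto -Type DWord -Value 1
    }
    else {
        Write-Host "$path : SchUseStrongCrypto already 1"
    }
}

# Report the installed .NET Framework 4.x release so the default in the
# "Cause" section can be confirmed (Release >= 393295 means 4.6 or later).
$ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
$release = (Get-ItemProperty -Path $ndp -ErrorAction SilentlyContinue).Release
if ($release) {
    Write-Host "Installed .NET Framework 4.x Release value: $release"
}

Write-Host 'Restart the system for the registry change to take effect.'
```

The script only changes the key when it is missing or not 1, so it is safe to re-run after the restart to confirm the setting persisted.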

Resource Broker Service Details

A resource broker bundle installs the following services on the Windows server where you run the bootstrapped install file:

  • Resource Broker Gateway
  • Resource Broker Listener
  • Resource Broker Management Agent
  • Password Services
  • Password Services Framework Agent
  • Connector Services Agent
  • Directory Services
  • Discovery Scanner
  • Session Monitoring

We have outlined the details for each of these services below.

Resource Broker Gateway

  • Service properties:
    • Service name: bt_resourcebrokergateway_agent
    • Display name: BeyondTrust Resource Broker Gateway Agent
  • Acts as the local services communication hub for all zone and agent requests.
    • Proxies all requests down to the directory, password, and session monitoring services from the Resource Broker Listener agent (described in the next section).
    • Proxies all requests up to the Azure Relay Hybrid Connection in the PS Cloud instance.
  • Executes password tests and password changes for managed systems and managed accounts.
  • Handles the initial resource broker registration and configuration.
  • Contains platform-specific modules.
  • Sends heartbeat to cloud every 5 minutes.
  • Utilizes PS Cloud identity service as the API authority. All requests to this service receive a token from the PS Cloud identity service.
  • Log files for this service are located in C:\Program Files\BeyondTrust\Resource Broker\ResoureBrokerGateway\logs.

For more information on Azure Relay Hybrid Connections, please see Azure Relay Hybrid Connections protocol.

Resource Broker Listener

  • Service properties:
    • Service name: bt_resourcebrokerlistener_agent
    • Display name: BeyondTrust Resource Broker Agent
  • Acts as a reverse proxy for all requests from Password Safe Cloud for a resource zone through the Azure Relay Hybrid Connection in a round-robin process.
  • Forwards requests to the Resource Broker Gateway.
  • Listens on a zone-specific hybrid connection for resource-specific requests, such as password tests and directory queries.
  • Listens on an agent-specific hybrid connection for target-specific requests, such as session monitoring.
  • Sends heartbeat to cloud every 5 minutes.
  • Log files for this service are located in C:\Program Files\BeyondTrust\Resource Broker\ResoureBrokerListener\logs

Resource Broker Management Agent

  • Service properties:
    • Service name: bt_resourcebrokermanagment_agent
    • Display name: BeyondTrust Resource Broker Management Agent
  • Handles resource broker upgrades and log uploads.

Password Services

  • Service properties:
    • Service name: bt_passwordservices_agent
    • Display name: BeyondTrust Password Services Agent
  • Executes password tests and password changes for managed systems and managed accounts.
  • Contains platform-specific modules.
  • Sends heartbeat to cloud every 5 minutes.
  • Utilizes PS Cloud identity service as the API authority. All requests to this service receive a token from the PS Cloud identity service.
  • Log files for this service are located in C:\Program Files\BeyondTrust\Resource Broker\PasswordServices\logs.

Password Services Framework Agent

  • Service properties:
    • Service name: bt_passwordservicesframework_agent
    • Display name: BeyondTrust Password Services Framework Agent
  • Performs the same actions as the Password Services agent, but specifically handles vSphere and SAP platforms.

Connector Services Agent

  • Service properties:
    • Service name: bt_connectorservices_agent
    • Display name: BeyondTrust Connector Services Agent
  • Sends events for forwarding connectors.

Directory Services

  • Service properties:
    • Service name: bt_directoryservices_agent
    • Display name: BeyondTrust Directory Services Agent
  • Executes the following Active Directory or LDAP actions:
    • Directory queries
    • Directory credentials tests
    • Group enumeration
    • User and group management
    • Authentication
  • Sends heartbeat to cloud every 5 minutes.
  • Utilizes PS Cloud identity service as the API authority. All requests to this service receive a token from the PS Cloud identity service.
  • Log files for this service are located in C:\Program Files\BeyondTrust\Resource Broker\DirectoryServices\logs.

Discovery Scanner

  • Service properties:
    • Service name: btdiscoverysvc
    • Display name: BeyondTrust Discovery Service
  • Schedules and executes Discovery Scans.
  • Is auto-configured by obtaining the configuration via the Resource Broker Gateway.
  • Communicates directly with PS Cloud via the client certificate that Event Services uses for Central Policy.
  • Requests bearer token from PS Cloud identity service for its initial configuration.

The scanner obtains the configuration upon startup only. Once it begins using Central Policy, it doesn't need to continue requesting the configuration.

  • Log files for this service are located in C:\Program Files\BeyondTrust\Discovery\logs.

Session Monitoring

  • Service properties:
    • Service name: btPBPSSM
    • Display name: BeyondTrust Session Monitoring
  • Session monitoring proxy for SSH and RDP sessions.
  • Sessions are proxied through the local agent.
  • The session is associated with a broker that responds in a zone round robin.
  • Active session monitoring (locking and termination) is proxied from PS Cloud to the resource broker.
  • Session I/O logs are written locally to the resource broker; when a session is complete, the I/O logs are copied to your customer storage account in Azure.
  • Session replay in PS Cloud is done directly from your customer storage account in Azure.
  • Sends heartbeat to cloud every 5 minutes.
  • Log files for this service are located in C:\Program Files\BeyondTrust\Resource Broker\Session Manager\logs.
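The following PowerShell script is an added example (not BeyondTrust's own tooling) that turns the service inventory above into a read-only health check: for each service name listed in this article it reports the Windows service state, and for each service whose log directory the article names it confirms the directory exists and shows the newest log file, which is where to start when a heartbeat or registration problem is reported. Service names and log paths are copied from the article as written; services for which the article gives no log path are reported by state only.

```powershell
# Added example: read-only health check for the services listed in this article.
# Names and log paths are taken from the article verbatim; nothing is changed.
$services = @(
    @{ Name = 'bt_resourcebrokergateway_agent';     Logs = 'C:\Program Files\BeyondTrust\Resource Broker\ResoureBrokerGateway\logs' },
    @{ Name = 'bt_resourcebrokerlistener_agent';    Logs = 'C:\Program Files\BeyondTrust\Resource Broker\ResoureBrokerListener\logs' },
    @{ Name = 'bt_resourcebrokermanagment_agent';   Logs = $null },
    @{ Name = 'bt_passwordservices_agent';          Logs = 'C:\Program Files\BeyondTrust\Resource Broker\PasswordServices\logs' },
    @{ Name = 'bt_passwordservicesframework_agent'; Logs = $null },
    @{ Name = 'bt_connectorservices_agent';         Logs = $null },
    @{ Name = 'bt_directoryservices_agent';         Logs = 'C:\Program Files\BeyondTrust\Resource Broker\DirectoryServices\logs' },
    @{ Name = 'btdiscoverysvc';                     Logs = 'C:\Program Files\BeyondTrust\Discovery\logs' },
    @{ Name = 'btPBPSSM';                           Logs = 'C:\Program Files\BeyondTrust\Resource Broker\Session Manager\logs' }
)

foreach ($svc in $services) {
    # Service state: Running / Stopped / etc., or NOT INSTALLED if the name is unknown.
    $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
    $state = if ($s) { $s.Status } else { 'NOT INSTALLED' }

    $logInfo = ''
    if ($svc.Logs) {
        if (Test-Path $svc.Logs) {
            # Newest file by modification time is the first place to look
            # when a heartbeat, registration, or proxy request is failing.
            $newest = Get-ChildItem -Path $svc.Logs -File -ErrorAction SilentlyContinue |
                      Sort-Object LastWriteTime -Descending |
                      Select-Object -First 1
            $logInfo = if ($newest) {
                "newest log: $($newest.Name) ($($newest.LastWriteTime))"
            } else {
                'log directory empty'
            }
        }
        else {
            $logInfo = 'log directory missing'
        }
    }

    '{0,-38} {1,-14} {2}' -f $svc.Name, $state, $logInfo
}
```

A service reported as NOT INSTALLED alongside a missing log directory usually means the bundle install did not complete, which ties back to the installer failure described at the top of this article.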