Troubleshoot the Secure Remote Access and Password Safe Integration
In the rare case, if you experience any issues during the integration process, a list of potential issues and steps for resolving these issues are indicated below to assist you with troubleshooting. These are applicable only for Password Safe on-premises installations, and are not applicable for Password Safe Cloud.
For any issues that involve the ECM service, we recommend enabling DEBUG level logging.
- Open the BeyondTrust-ECMService.exe config file in a text editor.
- Edit the file by changing the line <level value="INFO"/> to <level value="DEBUG"/>.
- Save the file, and then restart the ECM service.
Possible Issues and Resolution Steps
|Issue||Cause||Debugging Steps/ Possible Solutions|
|TLS Error trying to connect to the Password Safe API||No trusted certificate available.||Add the Password Safe certificate to the ECM Servers trusted store.|
|ECM Configurator cannot find or load the plugin||DLL files were not deployed to ECM install directory.||
Copy ALL files included with the plugin into the ECM install directory, typically C:\Program Files\BeyondTrust\ECM.
Close and re-open the ECM Configurator.
|ECM Configurator cannot find or load the plugin||DLL files are blocked by Windows.||
While the build server signs assemblies to help prevent this error, some systems still block the DLLs. To unblock them:
Repeat these steps with any other DLLs paged with the plugin DLL.
|No credentials are returned when using the Test Settings feature||ECM has been configured without the proper settings.||
A failure to retrieve credentials using the Test Settings feature in the ECM Configurator is usually a result of a configuration setting entered incorrectly.
First, double-check the endpoint URL and API registration key entered.
Next, check the logs in Configurator.log to see if the integration is providing any information as to why the test failed. Possible causes include: entering incorrect URL or port information, authentication failures, or network connectivity issues. The logs may also reveal a perceived failure was not a failure after all. Instead, no matches may have been found, and an empty list was provided. An empty list is still considered a valid result.
The Test Settings feature does NOT communicate with BeyondTrust Secure Remote Access Appliance at any point. It simply tests the settings related to the password vault system. Also, remember that the test uses the currently entered values and settings whether the settings have been saved or not. This allows you to test different configurations without overwriting existing settings.
|No credentials are returned when using the Test Settings feature||There is a lack of network connectivity.||There is a lack of network connectivity between the ECM server and the password vault system. The resolution could be as simple as adding a rule to the Windows Firewall, or it might require a network administrator to open ports to allow communication.|
|Credentials are returned via the Test Settings feature but are not available in the access console||ECM has been configured without the proper settings.||The settings on the initial screen of the ECM Configurator tell the ECM service which BeyondTrust PRA instance to connect to and the account to use for authentication. Double-check these and review the logs in ECM.log, if necessary.|
|Credentials are returned via the Test Settings feature but are not available in the access console||BeyondTrust Secure Remote Access Appliance has been configured without the proper settings.||
It is possible ECM connections have not been enabled or the API account being used does not have permission to access the Endpoint Credential Manager API.
|Credentials are returned via the Test Settings feature but are not available in the access console||The ECM service has stopped functioning.||Restart the BeyondTrust ECM Service.|
|Credentials are returned via the Test Settings feature but are not available in the access console||There is a lack of network connectivity.||
A lack of connectivity could prevent the integration from working. In this case, the missing connection occurs between BeyondTrust Secure Remote Access Appliance and the ECM server. If the ECM is unable to establish a connection to the BeyondTrust Secure Remote Access Appliance, it is unable to receive requests for credentials.
Load the /login page in a browser running on the ECM server. If the browser cannot connect, the ECM will also be unable to connect. If the browser test passes, check the ECM.log to see if a connection was successfully established when starting the service.
|Credentials are returned via the Test Settings feature but are not available in the access console||The user mapping has failed.||
This issue commonly occurs (particularly with domain accounts) when a test is run with a user entered as domain\user or a similar format. However, when connecting through the access console, it is possible for the domain portion to be different or missing altogether. If the Secure Remote Access Appliance user is a local user, no domain information is present. The same is true for users authenticating to the Secure Remote Access Appliance via certain security providers like RADIUS.
Check the ECM.log file to make sure the values passed to the password vault match what is expected. If the test is successful, note the information used.