Troubleshoot the Privileged Remote Access and Password Safe Integration

To assist you, a list of common issues experienced during the integration process has been provided and steps for resolving these issues are noted.

For any issues that involve the ECM service, it is recommended to enable DEBUG level logging.

  1. Open the BeyondTrust-ECMService.exe config file in a text editor.
  2. Edit the file by changing the line <level value="INFO"/> to <level value="DEBUG"/>.
  3. Save the file and restart the ECM service.

Common Issues and Resolution Steps

Issue Cause Debugging Steps/ Possible Solutions
ECM Configurator cannot find or load the plugin DLL files were not deployed to ECM install directory.

Copy ALL files included with the plugin into the ECM install directory, typically C:\Program Files\BeyondTrust\ECM.

Close and re-open the ECM Configurator.

ECM Configurator cannot find or load the plugin DLL files are being blocked by Windows.

While the build server signs assemblies to help prevent this error, some systems still block the DLLs. To unblock them, right-click on the DLL.

Select Properties.

In the General > Security section, check the Unblock box.

Click OK to save the changes.

Repeat these steps with any other DLLs being paged with the plugin DLL.

No credentials are returned when using the Test Settings feature ECM has been configured without the proper settings.

A failure to retrieve credentials using the Test Settings feature in the ECM Configurator is usually a result of some configuration setting being entered incorrectly.

First, double-check the endpoint URL and API registration key entered.

Next, check the logs in Configurator.log to see if the integration is providing any information as to why the test failed. Possible causes include: entering incorrect URL or port information, authentication failures, or network connectivity issues. The logs may also reveal a perceived failure was not a failure after all. Instead, no matches may have been found, and an empty list was provided. An empty list is still considered a valid result.

The Test Settings feature does NOT communicate with BeyondTrust PRA at any point. It simply tests the settings related to the password vault system. Also, remember that the test uses the currently entered values and settings whether the settings have been saved or not. This allows you to test different configurations without overwriting existing settings.

No credentials are returned when using the Test Settings feature There is a lack of network connectivity. There is a lack of network connectivity between the ECM server and the password vault system. The resolution could be as simple as adding a rule to the Windows Firewall, or it may require a network administrator to open ports to allow communication.
Credentials are returned via the Test Settings feature but are not available in the access console ECM has been configured without the proper settings. The settings on the initial screen of the ECM Configurator tell the ECM service which BeyondTrust PRA instance to connect to and the account to use for authentication. Double-check these and review the logs in ECM.log, if necessary.
Credentials are returned via the Test Settings feature but are not available in the access console BeyondTrust PRA has been configured without the proper settings.

It is possible ECM connections have not been enabled or the API account being used does not have permission to access the Endpoint Credential Manager API.

Credentials are returned via the Test Settings feature but are not available in the access console The ECM service has stopped functioning. Restart the BeyondTrust ECM Service.
Credentials are returned via the Test Settings feature but are not available in the access console There is a lack of network connectivity.

A lack of connectivity could be preventing the integration from working. In this case, the missing connection would occur between BeyondTrust PRA and the ECM server. If the ECM is unable to establish a connection to the BeyondTrust PRA Appliance, it is unable to receive requests for credentials.

Try loading the /login page in a browser running on the ECM server. If the browser cannot connect, the ECM will also be unable to connect. If the browser test passes, check the ECM.log to see if a connection was successfully established when starting the service.

Credentials are returned via the Test Settings feature but are not available in the access console The user mapping has failed.

This issue commonly occurs (particularly with domain accounts) when a test is run with a user entered as domain\user or a similar format. However, when connecting through the access console, it is possible for the domain portion to be different or missing altogether. If the PRA user is a local user, no domain information is present. The same is true for users authenticating to PRA via certain security providers like RADIUS.

Check the ECM.log to make sure the values passed to the password vault match what is expected. If the test is successful, note the information used.

TLS Error trying to connect to the Password Safe API No trusted Certificate available Add the Password Safe certificate to the ECM Servers trusted store.