Troubleshoot the Privileged Remote Access and Privileged Identity Integration
To assist you, a list of common issues experienced during the integration process has been provided, and steps for resolving these issues are noted.
For any issues that involve the ECM service, it is recommended to enable DEBUG level logging. To enable this setting, follow these steps.
- Open the Bomgar-ECMService.exe config file in a text editor.
- Edit the file by changing the line <level value="INFO"/> to <level value="DEBUG"/>.
- Save the file and restart the ECM service.
Common Issues and Resolution Steps
| Issue | Cause | Debugging Steps/ Possible Solutions |
|---|---|---|
| ECM Configurator cannot find or load the plugin | DLL files were not deployed to ECM install directory. |
Copy ALL files included with the plugin into the ECM install directory, typically C:\Program Files\Bomgar \ECM. Close and re-open the ECM Configurator. |
| ECM Configurator cannot find or load the plugin | DLL files are being blocked by Windows. |
While the build server signs the assemblies to help prevent this error, some systems still block the DLLs. To unblock them, right-click on the DLL. Select Properties. In the General > Security section, check the Unblock box. Click OK to save the changes. Repeat these steps with any other DLLs being paged with the plugin DLL. |
| No credentials are returned when using the Test Settings feature | ECM has been configured without the proper settings. |
A failure to retrieve credentials using the Test Settings feature in the ECM Configurator is usually a result of some configuration setting being entered incorrectly. First, double-check any usernames and passwords entered. Next, check the logs in Configurator.log to see if the integration is providing any information as to why the test failed. It could be anything from incorrect URLs / ports, authentication failure, or network connectivity issues. The logs may also reveal a perceived failure was not a failure after all. Instead, no matches may have been found, and even if this is unexpected, an empty list is still a valid result. The Test Settings feature does NOT communicate with BeyondTrust PRA at any point. It tests the settings related to the password vault system. Also, remember that the test uses the currently entered values and settings whether the settings have been saved or not. This allows you to test different configurations without overwriting existing settings. |
| No credentials are returned when using the Test Settings feature | There is a lack of network connectivity. | There is a lack of necessary network connectivity between the ECM server and the password vault system. The resolution could be as simple as adding a rule to the Windows Firewall, or it may require a network administrator to open ports to allow communication. |
| Credentials are returned via the Test Settings feature but are not available in the access console | ECM has been configured without the proper settings. | The settings on the initial screen of the ECM Configurator tell the ECM service which BeyondTrust PRA instance to connect to and the account to use for authentication. Double-check these and review the logs in ECM.log, if necessary. |
| Credentials are returned via the Test Settings feature but are not available in the access console | BeyondTrust PRA has been configured without the proper settings. |
It is possible ECM connections have not been enabled or the API account being used is not configured to be an administrator. Review the steps in Configure Privileged Remote Access for Integration with Privileged Identity |
| Credentials are returned via the Test Settings feature but are not available in the access console | The ECM service has stopped functioning. | Restart the BeyondTrust ECM Service. |
| Credentials are returned via the Test Settings feature but are not available in the access console | There is a lack of network connectivity. |
A lack of connectivity could be preventing the integration from working. In this case, the missing connection would occur between BeyondTrust PRA and the ECM server. If the ECM is unable to establish a connection to the B Series Appliance, it is unable to receive requests for credentials. Try loading the /login page in a browser running on the ECM server. If the browser cannot connect, the ECM will also be unable to connect. If the browser test passes, check the ECM.log to see if a connection was successfully established when starting the service. |
| Credentials are returned via the Test Settings feature but are not available in the access console | The user mapping has failed. |
This issue commonly occurs (particularly with domain accounts) when a test is run with a user entered as domain\user or a similar format. However, when connecting through the access console, it is possible for the domain portion to be different or missing altogether. If the PRA user is a local user, no domain information is present. The same is true for users authenticating to PRA via certain security providers like RADIUS. If the plugin allows for domain mapping or default domains for local users, verify these are configured correctly. Also, check the ECM.log to make sure the values passed to the password vault match what is expected. If the test is successful, note the information used. |
