Identity Troubleshooting Guide


Community Admin • Strategy


Table of Contents

  1. Common Errors with the Identity Directory Agent
  2. Common Issues with MicroStrategy Badge
  3. Common Issues with Identity Network Manager 
  4. Identity Server Requirements
  5. Directory Agent Requirements
  6. Identity Network Requirements 
  7. Common Issues with IDM
  8. Identity Server Certifications 
  9. Identity Server and Gateway Logs
  10. Identity Components Logs
  11. Identity on AWS Logs


 

  • Common Errors with the Identity Directory Agent
    • SSL handshake errors
      If you see this error, confirm that you followed the procedure below:
      1. Run the site agent installer as an administrator.
      2. Append the Identity Signing CA certificate to a PEM (Privacy Enhanced Mail) file.
      3. Add that PEM file to the CA trust list during the Active Directory site agent installation.
      The agent validates the Identity Server's certificate against this trust list, so the handshake fails if the CA that signed the server certificate is not in the PEM file.
    • Expired registration codes
      Open Identity Network Manager and request a new registration code, then use it to complete the silent agent installation.
    • Active Directory groups display zero users
      If no users appear in your network, check the following:
      • The domain and root DN configured in Identity Network Manager are correct.
      • Each user is a member of the Active Directory group that was selected for import, and each user has the first name, last name, email address, and title attributes populated in Active Directory. A user missing any of these attributes is not imported.
    • Unable to import users
      Open Identity Network Manager and request a new registration code. For more specific steps, see the Identity online help.
    • Active Directory site agent is not connected
      To establish a connection, check the following:
      • The gateway.properties file has been generated under the Identity Server Gateway/conf folder. If it is missing, re-run networkmanager/managesystem.
      • https://IDMServer:Gwport/gateway/testclick should return a result (Gwport is the port of the Gateway Tomcat instance).
    • "Cannot update java keystore file" error message when running the Agent Provisioning Tool
      Make sure that the Windows PATH variable does not list another JRE ahead of JDK 1.7. The agent is not compatible with older JRE versions.
    • The gateway test page is blank
      Make sure that the gateway.properties file has been generated under the Identity Server Gateway/conf folder. If it is missing, re-run networkmanager/managesystem.
    • The Active Directory Agent in Network Manager disconnects randomly
      If you run the Directory Agent against a secure cloud environment, a common cause is that the Elastic Load Balancer in your AWS environment is spreading the agent's connection across both gateway nodes. Turning off one of the two gateway nodes should give a more stable connection.
    • "Error 2, cannot find file" error message
      This error typically occurs when the Active Directory Agent does not start after installation. Reboot the Windows Server on which the Directory Agent was installed; the service starts automatically after the reboot.
    • The Directory Agent is not connected
      • Make sure that the AD site agent machine can reach an LDAP server on the configured port (typically 389 for plain LDAP; use 636 if the directory requires LDAPS).
      • The AD username and password must be able to run LDAP queries against the configured LDAP server (the LDAP or OpenLDAP directory type must be set accordingly).
  • Common Issues with Strategy Badge
    • Network connectivity errors
      Connectivity errors usually mean that the app cannot reach the Identity Server. Check the device's cellular or Wi-Fi connection, or open the server URL in a mobile browser: https://HOSTNAME:1443
    • Slow response times
      Slow response times may be caused by poor network connectivity. Check the device's Wi-Fi network, or open https://HOSTNAME:1443 in a mobile browser to check the connection between your device and the Identity Server.
    • The 4-digit online Badge Code is unavailable
      To troubleshoot, open https://HOSTNAME:1443 in a mobile browser on your device. This will allow you to check that the Identity
    • The "Get My Badge" button redirects to the Google Play or Apple App Store
      This occurs when the Identity Server API cannot determine whether Strategy Badge is installed on your mobile device. See KB268427 for a more specific solution.
    • Unable to claim badges
      The token in the badge invitation email is single-use and expires automatically after 24 hours. Ask your Identity administrator for a new invitation.
  • Common Issues with Identity Network Manager
    • The QR code does not appear on the Network Manager home screen
      Check the following:
      • Test the Identity Server by opening https://HOSTNAME:1443 in a browser.
      • If SELinux is enabled on Linux, it may block the connection between Network Manager and the Identity Server. The quickest way to confirm this is to temporarily switch SELinux to permissive mode and see whether the QR code appears; if it does, return SELinux to enforcing mode and allow that specific connection with a targeted policy rather than leaving it disabled.
      • The IDM server must be running and report the correct server-db version.
      • If your SSL certificates are self-signed, Strategy recommends using certificates signed by a third-party CA instead.
      • If https://IDMServer:port does not respond, check whether the Tomcat instance is running. If it is not, start the tomcat-idm instance. If it is running, check catalina.out and info.log.
    • Receiving an "error code 7" message
      This message refers to a certificate signature failure while validating a website's SSL certificate. It typically occurs before the Identity configuration has been saved properly: the Identity Server URL that Network Manager calls to request the QR code does not match the Tomcat container's SSL certificate.
    • Unable to import users through LDAP/Active Directory
      If you previously imported users manually, from CSV files, or by other means, Network Manager does not show the IDM sync option. Delete all users except the primary administrator and the option should reappear.
  • Identity Server Requirements
    A minimum of five certificate files is required:
    1. .CRT, .KEY, and .PEM files for the Tomcat instance. These are typically certificates issued by a well-known public CA such as GeoTrust, Thawte, or Verisign.
    2. .CRT and .KEY files for the Identity Signing CA certificate, which is typically self-signed.
    3. .CRT and .KEY SAML certificates, needed only if the SAML gateway (Logical Access) is used. These are typically issued by a well-known CA.
  • Additional requirements for the Identity Server include:
    • The Tomcat certificate and key must match. Verify with the following two commands; the MD5 hashes they print must be identical:
      • openssl x509 -noout -modulus -in server.crt | openssl md5
      • openssl rsa -noout -modulus -in server.key | openssl md5
      (The modulus comparison applies to RSA keys only; for an EC key, compare the public key extracted from the certificate with the public key derived from the private key instead.)
    • The Identity Signing CA certificate must be appended to the Tomcat PEM file.
    • The Tomcat certificate must verify against that Tomcat PEM file. Run the following command to verify: openssl verify -CAfile [path_to_your_pem] [path_to_your_cert]
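The three openssl checks above, plus the hostname check behind the "error code 7" symptom and the trust-list step from the SSL handshake procedure, as one script. This is an added example, not Strategy's own tooling: it compares public keys rather than RSA moduli (so it also covers EC keys), verifies the certificate against the PEM that should hold the Identity Signing CA, checks that the certificate is valid for the hostname Network Manager will call, and warns about expiry. The CA, server certificate and unrelated key it generates are throwaway test material so it runs offline; idm.example.test and the 30-day expiry threshold are placeholders chosen here.

```shell
#!/bin/sh
# Added example (not Strategy's code): certificate sanity checks for the Identity
# Server's Tomcat certificate, its private key, and the CA PEM. The test material
# generated by make_test_material is constructed; idm.example.test is a placeholder.

# cert_matches_key CERT KEY: succeed only if KEY is the private key behind CERT.
# Comparing the public key (not the RSA modulus) works for EC keys as well.
cert_matches_key() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# chain_verifies CA_PEM CERT: succeed only if CERT chains to a CA present in CA_PEM
# (this is the "openssl verify -CAfile" check; it fails if the signing CA was not appended).
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_hostname CERT CA_PEM HOST: succeed only if CERT is valid for HOST.
# A mismatch here is the situation where the configured Identity Server URL does
# not match the certificate served by the Tomcat container.
cert_matches_hostname() {
  openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# cert_valid_for_days CERT DAYS: succeed only if CERT is still valid DAYS days from now.
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1
}

# check_tomcat_certs CERT KEY CA_PEM HOST: run every check, print one line per
# check, and return non-zero if any of them failed.
check_tomcat_certs() {
  rc=0
  if cert_matches_key "$1" "$2"; then echo "ok    certificate matches private key"
  else echo "FAIL  certificate does not match private key"; rc=1; fi
  if chain_verifies "$3" "$1"; then echo "ok    certificate verifies against CA PEM"
  else echo "FAIL  certificate does not verify against CA PEM (is the signing CA appended?)"; rc=1; fi
  if cert_matches_hostname "$1" "$3" "$4"; then echo "ok    certificate is valid for $4"
  else echo "FAIL  certificate is not valid for $4"; rc=1; fi
  if cert_valid_for_days "$1" 30; then echo "ok    certificate valid for at least 30 more days"
  else echo "FAIL  certificate expires within 30 days"; rc=1; fi
  return $rc
}

# make_test_material DIR: constructed test material, namely a self-signed signing CA,
# a server certificate it issued for idm.example.test, and an unrelated private key.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Test Identity Signing CA" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=idm.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:idm.example.test\n' > "$1/san.cnf"
  openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.cnf" -out "$1/server.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/wrong.key" 2>/dev/null
}

# Demo run against the constructed material. For a real check, point the four
# arguments at the Tomcat .crt, its .key, the PEM holding the Identity Signing CA,
# and the hostname in the Identity Server URL.
demo_dir=$(mktemp -d)
make_test_material "$demo_dir"
check_tomcat_certs "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/ca.crt" idm.example.test
rm -rf "$demo_dir"
```

The chain check and the hostname check both go through openssl verify, so a certificate that fails to chain also fails the hostname check; read the first FAIL line as the root cause. The -verify_hostname option needs OpenSSL 1.0.2 or later.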
  • Directory Agent Requirements
    If you are having trouble with the Directory Agent, use the list below to confirm that the host meets the Directory Agent requirements.
    • 2-4 GB RAM and a modern CPU
    • 10 GB disk space
    • Microsoft Windows Server 2008 R2 (64-bit) operating system
    • Java SE Development Kit (JDK) version 1.7 or later, 64-bit
    • The latest 64-bit Windows build of OpenSSL
    • LDAP connectivity to the Active Directory server
  • Identity Network Requirements
    • The Identity Server must be reachable on an SSL-enabled port. All Identity API traffic is carried over HTTPS, on whichever port is designated (for example 1443, 2443, or 9501).
    • The Identity Server Network Administrator web interface requires a separate port on the Identity Server, such as 443.
    • Network connectivity between the Identity Server and mobile devices must be available through internal Wi-Fi or cellular networks.
    • An SMTP server must be available to send Badge invitation and activation emails.
  • Common Issues with IDM
    If the IDM server does not respond, check the following:
    • The 1-way and 2-way SSL ports configured in /conf/server.xml must not be in use by other applications.
    • The memory size configured in /bin/tomcat.sh must actually be available on the host.
    • The Tomcat native libraries must be installed.
    • The IDM ports must not be blocked by local or network firewalls.
  • For more detailed instructions, see the product documentation on managing users from an IDM system.
  • Identity Server Certifications
    The Identity Server is currently certified on:
    • RHEL (it also runs on CentOS)
    • Windows Server (2008, 2012, and R2 editions), from v10.3 onward
    • 8 GB RAM minimum; 16 GB or more is preferred
    • 40-500 GB disk
    • Two Tomcat instances, one for Identity IDM and one for the Gateway
    • Java 7, Apache HTTPD, and PHP for Network Manager
    • Access to SMTP for emails
    • MySQL Community Edition 5.6.x
    • An SSL certificate from a well-known CA
    • An FQDN registered in DNS
    • All components set to the GMT time zone
  • Identity Server and Gateway Logs
    (The log file locations are shown as an image on the original page.)
  • Identity Components Logs
    (The log file locations are shown as an image on the original page.)
  • Identity on AWS Logs
    (The log file locations are shown as an image on the original page.)


KB483053



Details

Knowledge Article
Published: March 28, 2019
Last Updated: March 28, 2019