Troubleshooting

This table lists some potential problems and resolutions you might encounter with the PingAccess agent for Internet Information Services (IIS).

Issue Resolution

Issue	Resolution
The Installer fails to successfully install the agent.	Use the steps listed in the Manual Installation procedure to validate the installation and to manually complete the installation. Review the MSI installer log file for the installation to identify errors. The log file is stored in the Temp directory `C:\Users\<username>\AppData\Local\Temp` by default. The filename is not fixed, so you must locate the most recent MSI.log file. Direct the installer to log to a specific file by launching the installer using this command. msiexec /lv "<location>/paAgentInstaller.log" /i "pingaccess-agent-iis.msi"
The Uninstall program fails to successfully remove the agent.	Follow the steps in the Manual Removal to remove the configuration for the PingAccess agent for IIS.
The PingAccess-Agent/Admin log contains the error `SSL peer certificate or SSH remote key was not OK(0)`	It is likely that the hostname for the PingAccess engine being accessed does not match the hostname in the certificate used by the agent. Verify the certificate configuration, and if necessary, recreate the certificate for the agent HTTPS Listener and recreate the agent configuration. See PingAccess User Interface Reference Guide in the PingAccess documentation for more information.
500 series errors accessing protected resources	This can indicate that the PingAccess agent failed to load, or that the Default Application Pool is stopped. Correct the issue that’s causing the module load failure, and then restart the Default Application Pool. One potential cause of this is that the `agent.properties` file cannot be found or loaded. Ensure that this file is copied over as described in Step 6 of the installation procedure.
32-bit application pools crashing	This indicates that IIS attempted to load the PingAccess 64-bit agent module in an application container that is running in 32-bit mode. Modify the `applicationHost.config` file’s `PingAccessAgentModule` directive in the `globalModules` section to add the following `preCondition` directive. preCondition="integratedMode, bitness64" For example: <globalModules> <add name="PingAccessAgentModule" image="c:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll" preCondition="integratedMode, bitness64" /> </globalModules>
Agent does not start. Application log contains this error: `The Module name PingAccessAgentModule path (…)\paa-iis-module.dll returned an error from registration. The data is the error.`	This can indicate a corrupted or invalid `agent.properties` file. Export the `agent.properties` file from the administrative console and replace the existing file on the IIS system with the new version, as described in Installing on IIS.
Agent receives an unknown protocol error when attempting to contact the administrative node	This can indicate that the operating system is using SHA-1 for encryption. This protocol is no longer supported by default in PingAccess. We recommend switching to SHA-256. If you cannot switch to SHA-256, you can re-enable SHA-1: Open the `run.properties` file. Add TLSv1 to the protocol list. For example: tls.default.protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3 Add the SHA entries to the cipher suites list. For example: tls.default.cipherSuites = TLS_CHACHA20_POLY1305_SHA256,\ TLS_AES_256_GCM_SHA384,\ TLS_AES_128_GCM_SHA256,\ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\ TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\ TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \ TLS_RSA_WITH_AES_128_CBC_SHA, \ TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \ TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \ TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

The Installer fails to successfully install the agent.

Use the steps listed in the Manual Installation procedure to validate the installation and to manually complete the installation.

Review the MSI installer log file for the installation to identify errors. The log file is stored in the Temp directory C:\Users\<username>\AppData\Local\Temp by default. The filename is not fixed, so you must locate the most recent MSI*.log file. Direct the installer to log to a specific file by launching the installer using this command.

msiexec /l*v "<location>/paAgentInstaller.log" /i "pingaccess-agent-iis.msi"

The Uninstall program fails to successfully remove the agent.

Follow the steps in the Manual Removal to remove the configuration for the PingAccess agent for IIS.

The PingAccess-Agent/Admin log contains the error SSL peer certificate or SSH remote key was not OK(0)

It is likely that the hostname for the PingAccess engine being accessed does not match the hostname in the certificate used by the agent. Verify the certificate configuration, and if necessary, recreate the certificate for the agent HTTPS Listener and recreate the agent configuration. See PingAccess User Interface Reference Guide in the PingAccess documentation for more information.

500 series errors accessing protected resources

This can indicate that the PingAccess agent failed to load, or that the Default Application Pool is stopped. Correct the issue that’s causing the module load failure, and then restart the Default Application Pool.

One potential cause of this is that the agent.properties file cannot be found or loaded. Ensure that this file is copied over as described in Step 6 of the installation procedure.

32-bit application pools crashing

This indicates that IIS attempted to load the PingAccess 64-bit agent module in an application container that is running in 32-bit mode. Modify the applicationHost.config file’s PingAccessAgentModule directive in the globalModules section to add the following preCondition directive.

preCondition="integratedMode, bitness64"

For example:

<globalModules>
<add name="PingAccessAgentModule"
     image="c:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll"
     preCondition="integratedMode, bitness64" />
</globalModules>

Agent does not start. Application log contains this error: The Module name PingAccessAgentModule path (…)\paa-iis-module.dll returned an error from registration. The data is the error.

This can indicate a corrupted or invalid agent.properties file. Export the agent.properties file from the administrative console and replace the existing file on the IIS system with the new version, as described in Installing on IIS.

Agent receives an unknown protocol error when attempting to contact the administrative node

This can indicate that the operating system is using SHA-1 for encryption. This protocol is no longer supported by default in PingAccess.

We recommend switching to SHA-256. If you cannot switch to SHA-256, you can re-enable SHA-1:

Open the run.properties file.

Add TLSv1 to the protocol list. For example:

tls.default.protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3

Add the SHA entries to the cipher suites list. For example:

tls.default.cipherSuites = TLS_CHACHA20_POLY1305_SHA256,\
                           TLS_AES_256_GCM_SHA384,\
                           TLS_AES_128_GCM_SHA256,\
                           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
                           TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
                           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
                           TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
                           TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \
                           TLS_RSA_WITH_AES_128_CBC_SHA, \
                           TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
                           TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
                           TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
                           TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA