Troubleshooting
This list indicates potential problems and resolutions you might encounter with the PingAccess agent for Internet Information Services (IIS).
- The Installer fails to successfully install the agent
-
Use the steps listed in the Manual Installation procedure to validate the installation and to manually complete the installation.
Review the MSI installer log file for the installation to identify errors. The log file is stored in the Temp directory C:\Users\<username>\AppData\Local\Temp by default. The filename is not fixed, so you must locate the most recent MSI*.log file. Direct the installer to log to a specific file by launching the installer using this command.
msiexec /l*v "<location>/paAgentInstaller.log" /i "pingaccess-agent-iis.msi"
- The Uninstall program fails to successfully remove the agent
-
Follow the steps in the Manual Removal to remove the configuration for the PingAccess agent for IIS.
- The PingAccess-Agent/Admin log contains the error SSL peer certificate or SSH remote key was not OK(0)
-
It is likely that the hostname for the PingAccess engine being accessed does not match the hostname in the certificate used by the agent. Verify the certificate configuration, and if necessary, recreate the certificate for the agent HTTPS Listener and recreate the agent configuration. See PingAccess User Interface Reference Guide in the PingAccess documentation for more information.
- 500 series errors accessing protected resources
-
This can indicate that the PingAccess agent failed to load, or that the Default Application Pool is stopped. Correct the issue that’s causing the module load failure, and then restart the Default Application Pool.
One potential cause of this is that the agent.properties file cannot be found or loaded. Ensure that this file is copied over as described in Step 6 of the installation procedure.
- 32-bit application pools crashing
-
This indicates that IIS attempted to load the PingAccess 64-bit agent module in an application container that is running in 32-bit mode. Modify the applicationHost.config file’s PingAccessAgentModule directive in the globalModules section to add the following preCondition directive.
preCondition="integratedMode, bitness64"
For example:
<globalModules>
    <add name="PingAccessAgentModule" image="c:\Program Files\Ping Identity\PingAccess Agent for IIS\paa-iis-module.dll" preCondition="integratedMode, bitness64" />
</globalModules>
- Agent does not start
-
Application log contains this error:
The Module name PingAccessAgentModule path (…)\paa-iis-module.dll returned an error from registration. The data is the error.
This can indicate a corrupted or invalid agent.properties file. Export the agent.properties file from the administrative console and replace the existing file on the IIS system with the new version, as described in Installing on IIS.
- Agent receives an unknown protocol error when attempting to contact the administrative node
-
This can indicate that the operating system is using SHA-1 for encryption. This protocol is no longer supported by default in PingAccess.
We recommend switching to sha256. If you cannot switch to sha256, you can re-enable SHA-1:
  - Open the run.properties file.
  - Add TLSv1 to the protocol list. For example:
    tls.default.protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
  - Add the SHA entries to the cipher suites list. For example:
    tls.default.cipherSuites = TLS_CHACHA20_POLY1305_SHA256,\
    TLS_AES_256_GCM_SHA384,\
    TLS_AES_128_GCM_SHA256,\
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\
    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,\
    TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,\
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    TLS_DHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
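Because re-enabling SHA-1 is a fallback, it helps to keep track of which legacy entries a run.properties file currently carries. The following audit is an added example, not part of the PingAccess documentation or product; it assumes plain key=value lines with backslash continuation, and the sample content is constructed.

```python
# Constructed sample modelled on the entries shown above; not a real deployment file.
SAMPLE = r"""
# run.properties (constructed excerpt)
tls.default.protocols=TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
tls.default.cipherSuites = TLS_AES_256_GCM_SHA384,\
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
    TLS_EMPTY_RENEGOTIATION_INFO_SCSV, \
    TLS_RSA_WITH_AES_128_CBC_SHA, \
    TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
"""

# TLS 1.0 and 1.1 are deprecated by RFC 8996.
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def parse_properties(text):
    """Parse key=value properties, joining backslash-continued lines."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue  # blank line or comment outside a continuation
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_tls(props):
    """Report legacy protocols and SHA-1 based suites that are enabled."""
    protocols = split_list(props.get("tls.default.protocols", ""))
    suites = split_list(props.get("tls.default.cipherSuites", ""))
    return {
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        # Names ending in _SHA use HMAC-SHA1; _SHA256 and _SHA384 do not match.
        "sha1_suites": [s for s in suites if s.endswith("_SHA")],
    }


if __name__ == "__main__":
    for finding, values in audit_tls(parse_properties(SAMPLE)).items():
        print(finding, values)
```

An empty result for both keys means the file has no TLSv1, TLSv1.1 or SHA-1 suite entries left, which is the state to return to once the operating system has moved to sha256.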