The following information applies to the various gateway deployment scenarios. You can use the gateway details page, gateway logs, or Splunk reports to identify issues. For more information, see Verifying a gateway instance and Monitoring activity with Splunk.

Users receive an error when signing on or changing their password

A user receives the following error message when signing on or trying to change their password. A system error occurred when accessing your account for authentication. Contact your administrator.

This error can indicate that the user’s account needs to be updated in the external LDAP directory server. Check the user’s account in the external directory server. If you have an LDAP gateway configured, ensure that it is properly configured.

I want to view the audit logs

You can view logs to get detailed information about the Gateway service. The method to do so varies depending on your Gateway configuration.

Gateway as a standalone service
By default, log files are saved to the ./logs directory on the computer running the gateway. Log files roll over by date.
  • To view the logs, locate the ./logs directory.

    The logs are named

    GatewayStandalone.yyyymmdd.log

Gateway as a Windows service
By default, log files are saved to the ./logs directory on the computer running the gateway. Log files roll over by date.
  • To view the logs, locate the ./logs directory.

    The logs are named

    GatewayService.yyyymmdd.log

    GatewayWrapper.yyyymmdd.log

    The GatewayWrapper.yyyymmdd.log file mirrors the console output of the standalone version, with additional logs.

Gateway as a Docker container
To view logs for a Docker container, run the following command:

docker logs <container ID or name>

My logs aren't showing enough information

You can enable verbose logging to get more detailed logs for the Gateway service. The method to do so varies depending on your Gateway configuration.

Note:

The following steps were validated with LDAP Gateway version 2.3.3.

Gateway as a standalone service

By default, the log level is set to INFO, which includes errors and general information for the service. For more verbose logs, set the log level to DEBUG, which includes all possible information for the service.

  1. If the PingOne LDAP Gateway service is running, stop it.
  2. Locate the ./config/run.properties file.
  3. Locate the LOG_LEVEL parameter.
  4. Change the parameter to

    LOG_LEVEL=DEBUG

  5. Restart the PingOne LDAP Gateway service.
You can also change the formatting of the console output.
  1. If the PingOne LDAP Gateway service is running, stop it.
  2. Locate the ./config/logback.xml file.
  3. Follow the instructions in the file to enable more detailed logs in the console.
  4. Restart the PingOne LDAP Gateway service.
Gateway as a Windows service
Use the LOG_LEVEL parameter to configure the logging settings. By default, the log level is set to INFO, which includes errors and general information for the service. For more verbose logs, set the log level to DEBUG, which includes all possible information for the service.
  1. Locate the ./config/run.properties file.
  2. Locate the LOG_LEVEL parameter.
  3. Change the parameter to

    LOG_LEVEL=DEBUG

  4. Run ./bin/windows/reinstall-service.bat.
  5. Press the Windows + R keys.
  6. Enter services.msc to open the Windows Services Controller.
  7. Locate the PingOne LDAP Gateway service and start it.

    The Ping Identity Gateway console opens showing detailed logs.

Gateway as a Docker container

Use the Dlogger.console.level and LOG_LEVEL parameters to configure the logging settings.

Use the following Docker run command:

-e JAVA_OPTS="-Dlogger.console.level=DEBUG" -e LOG_LEVEL=DEBUG

Note:

You can also use Splunk to monitor a gateway connection. For more information, see Monitoring activity with Splunk.

My connection is taking too long to resolve

If your connection is taking a long time, check the following:
  • If the connection is configured with a string host name, try using an IP address instead.
  • On the server that you want to connect to, ensure that the desired port is open.
  • Ensure there aren’t any routing issues in your infrastructure that could affect the ability of the gateway server to reach the LDAP server or RADIUS client.
  • Sometimes it can take several seconds for the connection information to be updated in the console user interface. Try refreshing the page to get the most current information.

I want to increase scalability

For high-availability applications or scalability, you can deploy multiple gateways. You can then run the Windows service (LDAP gateways only), Docker container, or Java application on multiple servers.

When multiple gateways are deployed, PingOne maintains a list of the active gateways and uses a round robin algorithm to route the request to the first available gateway instance. If a gateway is not available, it is excluded from the list of active gateways.

Best practice:

Use a different credential for each deployed gateway instance. Using different credentials allows you to easily revoke access to individual gateways.

I'm getting an Active Directory password modify error

For LDAP Gateway connections using Active Directory, you might see a password modify error as a permissions error in Splunk logs. To use Splunk for monitoring, see Monitoring activity with Splunk.

This error can appear as a failure to change a password using a Service Account in AD. The error appears in Splunk as:
password modify result resultCode=50 (insufficient access rights), 
resultDetails=LDAPResult(resultCode=50 (insufficient access rights), 
diagnosticMessage='00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS) 

To query in Splunk, search for the string password modify result. You can narrow down your results if you have the environment ID and a timestamp.

This error can occur if the AvME agent cannot change attributes for these test users or add additional proxy addresses. This is caused by a lack of required AD permission set on these accounts. Usually the failed account belongs to AD protected groups. When you delegate permissions using the Permission Granting Wizard, these permissions rely on the user object that inherits the permissions from the parent container. Members of protected groups do not inherit permissions from the parent container. As a result, if you set permissions using the Permission Granting Wizard, these permissions are not applied to members of protected groups. As a result, the AvME agent cannot modify some AD attributes during the switch process.

Membership in a protected group is defined as either direct membership or transitive membership using one or more security or distribution groups:
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

Microsoft is aware of an issue that can cause this error when upgrading to Microsoft Windows Server 2003. See Delegated permissions are not available and inheritance is automatically disabled on the Microsoft support site.