If the gateway instance is not healthy, you can use the information in this section to troubleshoot any issues.
The following information applies to the various gateway deployment scenarios. You can use the gateway details page, gateway logs, or Splunk reports to identify issues. For more information, see Verifying a gateway instance and Monitoring activity with Splunk.
Users receive an error when signing on or changing their password
A user receives the following error message when signing on or trying to change their password:
A system error occurred when accessing your account for authentication. Contact your administrator.
This error can indicate that the user’s account needs to be updated in the external LDAP directory server. Check the user’s account in the external directory server. If you have an LDAP gateway configured, ensure that it is properly configured.
I want to view the audit logs
You can view logs to get detailed information about the Gateway service. The method to do so varies depending on your Gateway configuration.
- Gateway as a standalone service
  - By default, log files are saved to the ./logs directory on the computer running the gateway. Log files roll over by date.
  - To view the logs, locate the ./logs directory. The logs are named GatewayStandalone.yyyymmdd.log.
- Gateway as a Windows service
  - By default, log files are saved to the ./logs directory on the computer running the gateway. Log files roll over by date.
  - To view the logs, locate the ./logs directory. The logs are named GatewayService.yyyymmdd.log and GatewayWrapper.yyyymmdd.log. The GatewayWrapper.yyyymmdd.log file mirrors the console output of the standalone version, with additional logs.
- Gateway as a Docker container
  - To view logs for a Docker container, run the following command:
    docker logs <container ID or name>
My logs aren't showing enough information
You can enable verbose logging to get more detailed logs for the Gateway service. The method to do so varies depending on your Gateway configuration.
The following steps were validated with LDAP Gateway version 2.3.3.
- Gateway as a standalone service
  By default, the log level is set to INFO, which includes errors and general information for the service. For more verbose logs, set the log level to DEBUG, which includes all possible information for the service.
  - If the PingOne LDAP Gateway service is running, stop it.
  - Locate the ./config/run.properties file.
  - Locate the LOG_LEVEL parameter.
  - Change the parameter to LOG_LEVEL=DEBUG
  - Restart the PingOne LDAP Gateway service.
  You can also change the formatting of the console output:
  - If the PingOne LDAP Gateway service is running, stop it.
  - Locate the ./config/logback.xml file.
  - Follow the instructions in the file to enable more detailed logs in the console.
  - Restart the PingOne LDAP Gateway service.
- Gateway as a Windows service
  Use the LOG_LEVEL parameter to configure the logging settings. By default, the log level is set to INFO, which includes errors and general information for the service. For more verbose logs, set the log level to DEBUG, which includes all possible information for the service.
  - Locate the ./config/run.properties file.
  - Locate the LOG_LEVEL parameter.
  - Change the parameter to LOG_LEVEL=DEBUG
  - Run ./bin/windows/reinstall-service.bat.
  - Press the Windows + R keys.
  - Enter services.msc to open the Windows Services Controller.
  - Locate the PingOne LDAP Gateway service and start it.
  The Ping Identity Gateway console opens showing detailed logs.
- Gateway as a Docker container
  Use the -Dlogger.console.level JVM option (passed through the JAVA_OPTS environment variable) and the LOG_LEVEL environment variable to configure the logging settings. Add the following options to your docker run command:
  -e JAVA_OPTS="-Dlogger.console.level=DEBUG" -e LOG_LEVEL=DEBUG
You can also use Splunk to monitor a gateway connection. For more information, see Monitoring activity with Splunk.
My connection is taking too long to resolve
- If the connection is configured with a string host name, try using an IP address instead.
- On the server that you want to connect to, ensure that the desired port is open.
- Ensure there aren’t any routing issues in your infrastructure that could affect the ability of the gateway server to reach the LDAP server or RADIUS client.
- Sometimes it can take several seconds for the connection information to be updated in the console user interface. Try refreshing the page to get the most current information.
I want to increase scalability
For high-availability applications or scalability, you can deploy multiple gateways. You can then run the Windows service (LDAP gateways only), Docker container, or Java application on multiple servers.
When multiple gateways are deployed, PingOne maintains a list of the active gateways and uses a round robin algorithm to route the request to the first available gateway instance. If a gateway is not available, it is excluded from the list of active gateways.
Use a different credential for each deployed gateway instance. Using different credentials allows you to easily revoke access to individual gateways.
I'm getting an Active Directory password modify error
For LDAP Gateway connections using Active Directory, you might see a password modify error as a permissions error in Splunk logs. To use Splunk for monitoring, see Monitoring activity with Splunk.
password modify result resultCode=50 (insufficient access rights),
resultDetails=LDAPResult(resultCode=50 (insufficient access rights),
diagnosticMessage='00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS)
To query in Splunk, search for the string password modify result.
You can narrow down your results if you have the environment ID and a timestamp.
This error can occur if the AvME agent cannot change attributes for these test users or add additional proxy addresses, because the required AD permissions are not set on these accounts. The failing account usually belongs to one of the AD protected groups. When you delegate permissions using the Permission Granting Wizard, those permissions rely on the user object inheriting them from the parent container. Members of protected groups do not inherit permissions from the parent container, so permissions set using the Permission Granting Wizard are not applied to them, and the AvME agent cannot modify some AD attributes during the switch process. The protected groups are:
- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
Microsoft is aware of an issue that can cause this error when upgrading to Microsoft Windows Server 2003. See Delegated permissions are not available and inheritance is automatically disabled on the Microsoft support site.
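As an added example that is not part of the PingOne documentation, the following Python script parses gateway log lines for password modify results in the LDAPResult format quoted above and counts the resultCode=50 failures per environment, so you can spot which environments have accounts the gateway cannot write to. The log line layout (timestamp, level and an env=<environment ID> prefix), the timestamps and the environment IDs are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample gateway log lines (not from the page). The timestamp, level
# and "env=<environment ID>" prefix are assumed; the "password modify result"
# payload follows the LDAPResult format quoted above. DSID-XXXXXXXX is a placeholder.
SAMPLE_LOG = """\
2024-05-01 10:01:12 INFO  env=11111111-aaaa-bbbb-cccc-222222222222 password modify result resultCode=0 (success), resultDetails=LDAPResult(resultCode=0 (success))
2024-05-01 10:02:45 WARN  env=11111111-aaaa-bbbb-cccc-222222222222 password modify result resultCode=50 (insufficient access rights), resultDetails=LDAPResult(resultCode=50 (insufficient access rights), diagnosticMessage='00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS)')
2024-05-01 10:03:01 INFO  env=33333333-dddd-eeee-ffff-444444444444 user bind succeeded
2024-05-01 10:04:30 WARN  env=33333333-dddd-eeee-ffff-444444444444 password modify result resultCode=50 (insufficient access rights), resultDetails=LDAPResult(resultCode=50 (insufficient access rights), diagnosticMessage='00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS)')
2024-05-01 10:05:10 WARN  env=33333333-dddd-eeee-ffff-444444444444 password modify result resultCode=53 (unwilling to perform), resultDetails=LDAPResult(resultCode=53 (unwilling to perform), diagnosticMessage='0000052D: SvcErr: DSID-XXXXXXXX, problem 5003 (WILL_NOT_PERFORM)')
"""

INSUFFICIENT_ACCESS_RIGHTS = 50  # LDAP resultCode shown in the page's excerpt

RESULT_RE = re.compile(
    r"env=(?P<env>\S+) password modify result resultCode=(?P<code>\d+) \((?P<name>[^)]*)\)"
)
# AD puts a Win32 error code, then "problem <n>", in the diagnosticMessage.
DIAG_RE = re.compile(r"diagnosticMessage='(?P<winerr>[0-9A-Fa-f]{8}): .*?problem (?P<problem>\d+)")


def parse_password_modify_results(log_text, environment_id=None):
    """Return one dict per 'password modify result' line, optionally filtered to one environment."""
    entries = []
    for line in log_text.splitlines():
        m = RESULT_RE.search(line)
        if not m or (environment_id and m.group("env") != environment_id):
            continue
        entry = {"timestamp": line[:19], "environment": m.group("env"),
                 "resultCode": int(m.group("code")), "resultName": m.group("name"),
                 "winError": None, "problem": None}
        d = DIAG_RE.search(line)
        if d:  # only failures carry the AD-side diagnostic
            entry["winError"] = d.group("winerr")
            entry["problem"] = int(d.group("problem"))
        entries.append(entry)
    return entries


def insufficient_access_by_environment(log_text):
    """Count resultCode=50 failures per environment. A nonzero count means the
    gateway's AD account could not write to the target user, which is the
    symptom the protected-groups explanation above describes."""
    return Counter(e["environment"] for e in parse_password_modify_results(log_text)
                   if e["resultCode"] == INSUFFICIENT_ACCESS_RIGHTS)
```

Point the script at a copy of GatewayService.yyyymmdd.log (or the output of docker logs) to run it against real data; the environment filter mirrors the narrowing the Splunk guidance above suggests.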