Long startup delays on Windows
You may experience long delays (over a minute) when starting the Safeguard Authentication Services Windows installer or certain Windows management tools such as Control Center. All Safeguard Authentication Services Windows binaries are Authenticode-signed so that you can be sure that the binaries are authentic and have not been tampered with.
This problem occurs when the .NET runtime attempts to verify the Authenticode signature by checking against certificate revocation lists (CRLs) at crl.microsoft.com. If this site cannot be reached, the .NET framework check will time out (up to 60 seconds). This timeout occurs every time a signed assembly is loaded which can lead to very long load times. You can fix this problem by allowing access to crl.microsoft.com.
If the computer is not connected to the internet, you can disable CRL checks for the entire system in Internet Explorer. Go to Options, select the Advanced tab, and under Settings clear the Check for publisher's certification revocation option.
It is also possible to specify a generatePublisherEvidence element in an <app>.exe.config that will disable CRL checks for the specific application that you are running. Keep in mind that if you are using Safeguard Authentication Services components in PowerShell or MMC, you will need to add this configuration for the powershell.exe.config and/or mmc.exe.config. Refer to <generatePublisherEvidence> Element for details.
Pointer Record updates are rejected
If Pointer Record (PTR) updates are being rejected, it may be because the DHCP server is doing the update already. Refer to the documentation for the DHCP server used in your environment. The Microsoft DHCP server does updates on behalf of the host and this is controlled by the FQDN option. Please refer to the Microsoft Active Directory DNS/DHCP documentation.
Resolving DNS problems
It is imperative that DNS is correctly configured. Safeguard Authentication Services relies on DNS in order to locate domain controllers. Follow these steps to verify that domain controllers can be located using DNS:
-
Use dig to test whether your DNS configuration can locate a domain controller. Enter the following at the Unix command prompt, replacing <DNS Domain Name> with your Active Directory DNS domain name:
dig -t any _ldap._tcp.dc._msdcs.<DNS Domain Name>
If DNS is configured correctly, you will see a list of domain controllers for your domain. If not, work with your DNS administrator to resolve the issue.
-
Use dig to test whether you can locate a domain controller in your site. Enter the following at the Unix command prompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with your Active Directory DNS domain name.
dig -t _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>
If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNS administrator to resolve the issue.
It is possible to work around DNS problems using the vastool join command to specify the domain controller host name on the command line. Safeguard Authentication Services can work without DNS configured as long as the forward lookup in the /etc/hosts file exists. The forward lookup resolves the domain controller host name to an IP address.
You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for your domain controller in /etc/hosts, then as root, enter the following commands replacing <administrator> with the name of an Active Directory administrator <DNS Domain Name> with your Active Directory DNS domain name and <DC Host Name> with the host name of your domain controller:
iptables -A INPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p udp --dport 53 -j DROP
/opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>
Resolving preflight failures
If one of the preflight checks fail, preflight prints a suggested resolution. The following table provides additional problem resolution information. The checks are listed by the associated command-line flags.
Table 27: Install checks
--os-patch |
Checks for supported operating system and correct operating system patches. |
Install the Safeguard Authentication Services agent on a supported operating system that has the required operating system patches. Click www.oneidentity.com/products/authentication-services/ to view a list of supported Unix and Linux platforms that run Safeguard Authentication Services. |
--disk-space |
Checks for sufficient disk space to install Safeguard Authentication Services. |
Free up more disk space. Safeguard Authentication Services requires disk space in /opt, /etc, and /var to install. |
Table 28: Join checks
--tld |
Checks that the DNS Top Level Domain (TLD) is not '.local'. |
Ensure that mDNS is disabled in /etc/nsswitch.conf or use a domain other than .local. |
--hostname |
Checks that the hostname of the system is not 'localhost'. |
One Identity recommends that you have a unique hostname in order to maintain uniqueness of computer names in Active Directory. Another option is to ignore this check and use -n computer_name when joining. See the vastool man page for more information. |
--name-service |
Checks if the name service is configured to use DNS. |
Ensure your host is configured to use DNS properly. Consult your platform documentation to determine the proper method to enable DNS for hostname resolution. See Resolving DNS problems for solutions. |
--host-resolve |
Ensures that the host can resolve names using DNS. |
Check your /etc/resolv.conf file to ensure that name server entries are correct and reachable. Make sure that UDP port 53 (DNS) is open. This check attempts to resolve the domain name and can fail if your DNS configuration is invalid. This check expects to find properly formatted IPv4 addresses. Invalid or unreachable name server entries will cause delays even though the check will pass if at least one valid name server is found. If you notice delays when running this check, make sure that your name server configuration does not reference invalid name servers. See Resolving DNS problems for solutions. |
--srv-records |
Checks for a nameserver that has the appropriate DNS SRV records for Active Directory. |
SRV records advertise various Active Directory services. Your configured name server must provide SRV records in order for Safeguard Authentication Services to take advantage of automatic detection and fail over. Ensure that UDP port 53 (DNS) is open. |
--dc |
Detects a writable domain controller with UDP port 389 open. |
If a domain controller is passed on the preflight command line, preflight checks that UDP port 389 is open and that the domain controller is writable. In this case, you may be able to specify a different domain controller.
If you do not pass in the name of a domain controller, this check attempts to locate a writable domain controller using DNS SRV records. Ensure that your DNS SRV records are up to date in the configured DNS server. Safeguard Authentication Services can work with read-only domain controllers, but the computer object must have already been created with the proper settings in Active Directory. |
--site |
Detects Active Directory site, if available. |
This check warns you if Safeguard Authentication Services was unable to locate an Active Directory site based on your computer's network address. A site configuration is not necessary, but Safeguard Authentication Services performs better if site information is configured in Active Directory. To resolve this problem, configure a site in Active Directory. |
--kerberos-password |
Checks if TCP port 464 is open for Kerberos kpasswd. |
Ensure that TCP port 464 (kpasswd) is open. This port must be open in order for Safeguard Authentication Services to set the computer object's password. |
--kerberos-traffic |
Checks if UDP port 88 and TCP port 88 are open for Kerberos traffic. |
These ports are the main Kerberos communication channels; they must be open for Safeguard Authentication Services to authenticate to Active Directory. By default Safeguard Authentication Services uses TCP, but may be configured to prefer UDP. |
--ldap |
Checks if TCP port 389 is open for LDAP. |
This port must be open for Safeguard Authentication Services to communicate with domain controllers using LDAP. This communication is GSS SASL encrypted and signed. |
--global-catalog |
Checks whether the Global Catalog is accessible on TCP port 3268. |
Safeguard Authentication Services can function in a limited way without a global catalog server; however, Safeguard Authentication Services will be unable to resolve Active Directory users and groups from domains in the forest other than the one to which the host is joined. In addition, some searches may be slower. Make sure that TCP port 3268 (global catalog) is open and that you have configured at least one domain controller as a global catalog and that the global catalog server is up and reachable. |
--timesync |
Checks the machine's time is not skewed too far from Active Directory. |
If the time difference between the Unix host and the domain controller is too large, Kerberos traffic will not succeed. You can usually resolve this failure by running vastool timesync to synchronize time with the Active Directory domain. Port 123 UDP must be open in order to synchronize time with the domain controller. This check automatically synchronizes the time if you specify the -S option and run the application with root permissions. |
--app-configuration |
Checks for the Safeguard Authentication Services application configuration in Active Directory. |
This checks fails if you have not configured the Active Directory forest for Safeguard Authentication Services. Use Control Center (Windows) to create the necessary application configuration. This check can also fail due to an invalid username/password or if there is a time synchronization problem between the Unix host and the domain controller. |
--rodc |
Checks against the given domain controller even if it is read-only, instead of selecting another domain controller. |
The --rodc option runs preflight against the given domain controller instead of picking a writable DC. The --rodc check affects the --kerberos-* and --ldap checks. If the --rodc check fails, resolve preflight port check failures. |
Note: If you get a message that says Unable to locate Safeguard Authentication Services Application Configuration, you can ignore that error and proceed with the Safeguard Authentication Services installation. The Safeguard Authentication Services Active Directory Configuration Wizard starts automatically to help you configure Active Directory for Safeguard Authentication Services the first time you start the Control Center.
Table 29: Post-join checks
--ms-cifs |
Checks if TCP port 445 is open for Microsoft Directory Services CIFS traffic. |
In order to use Group Policy on Unix, this port must be open to allow Safeguard Authentication Services to use the CIFS protocol to download Group Policy objects from domain controllers. |