Chat now with support
Chat with Support

Safeguard Authentication Services 5.1.3 - Installation Guide

Privileged Access Suite for UNIX Introducing One Identity Safeguard Authentication Services Installing and configuring Safeguard Authentication Services Installing and joining from the UNIX command line Getting started with Safeguard Authentication Services Troubleshooting Enterprise package deployment

Disaster recovery

Since Safeguard Authentication Services relies on Active Directory, follow Microsoft’s best practices for keeping the database highly available. The administration tools are not critical to the operation of Safeguard Authentication Services and can quickly be reinstalled from scratch if needed.

Long startup delays on Windows

You may experience long delays (over a minute) when starting the Safeguard Authentication Services Windows installer or certain Windows management tools such as Control Center. All Safeguard Authentication Services Windows binaries are Authenticode-signed so that you can be sure that the binaries are authentic and have not been tampered with.

This problem occurs when the .NET runtime attempts to verify the Authenticode signature by checking against certificate revocation lists (CRLs) at crl.microsoft.com. If this site cannot be reached, the .NET framework check will time out (up to 60 seconds). This timeout occurs every time a signed assembly is loaded which can lead to very long load times. You can fix this problem by allowing access to crl.microsoft.com.

If the computer is not connected to the internet, you can disable CRL checks for the entire system in Internet Explorer. Go to Options, select the Advanced tab, and under Settings clear the Check for publisher's certification revocation option.

It is also possible to specify a generatePublisherEvidence element in an <app>.exe.config that will disable CRL checks for the specific application that you are running. Keep in mind that if you are using Safeguard Authentication Services components in PowerShell or MMC, you will need to add this configuration for the powershell.exe.config and/or mmc.exe.config. Refer to <generatePublisherEvidence> Element for details.

Pointer Record updates are rejected

If Pointer Record (PTR) updates are being rejected, it may be because the DHCP server is doing the update already. Refer to the documentation for the DHCP server used in your environment. The Microsoft DHCP server does updates on behalf of the host and this is controlled by the FQDN option. Refer to the Microsoft Active Directory DNS/DHCP documentation.

Resolving DNS problems

It is imperative that DNS is correctly configured. Safeguard Authentication Services relies on DNS in order to locate domain controllers. Follow these steps to verify that domain controllers can be located using DNS:

  1. Use dig to test whether your DNS configuration can locate a domain controller. Enter the following at the UNIX command prompt, replacing <DNS Domain Name> with your Active Directory DNS domain name:

    dig -t any _ldap._tcp.dc._msdcs.<DNS Domain Name>

    If DNS is configured correctly, you will see a list of domain controllers for your domain. If not, work with your DNS administrator to resolve the issue.

  2. Use dig to test whether you can locate a domain controller in your site. Enter the following at the UNIX command prompt, replacing <Site Name> with the name of your Active Directory site and <DNS Domain Name> with your Active Directory DNS domain name.

    dig -t _ldap._tcp.<Site Name>._sites.dc._msdcs.<DNS Domain Name>

    If DNS is configured correctly, you will see a list of domain controllers for your site. If not, work with your DNS administrator to resolve the issue.

It is possible to work around DNS problems using the vastool join command to specify the domain controller host name on the command line. Safeguard Authentication Services can work without DNS configured as long as the forward lookup in the /etc/hosts file exists. The forward lookup resolves the domain controller host name to an IP address.

You can test this on Linux by firewalling DNS (port 53) with iptables. Make sure that you have an entry for your domain controller in /etc/hosts, then as root, enter the following commands replacing <administrator> with the name of an Active Directory administrator <DNS Domain Name> with your Active Directory DNS domain name and <DC Host Name> with the host name of your domain controller:

iptables -A INPUT -p udp --dport 53 -j DROP 
iptables -A OUTPUT -p udp --dport 53 -j DROP 
/opt/quest/bin/vastool -u <administrator> join <DNS Domain Name> <DC Host Name>
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating