One or more warning messages are received when connecting to the PSM Session.
- This is expected behavior and can vary from user to user depending on their workstation configuration.
- Messages are normally related to launching the Java applet (JNLP) or related to the web certificate.
- In most cases you can simply click OK or Continue and proceed with connecting to the PSM Session.
- To address warnings about certificates, you will need to ensure TPAM has a certificate installed and the workstation is able to validate the certificate chain.
Does the Account have the correct permission to connect to the system?
Ensure that the account credentials are correct, that the user is not disabled, and that the account has permission to log in to the system.
Test with a second account, to determine if it is an issue with the system, or just a particular account.
Windows
- RDP will need to be enabled and the Account will need to have permission to connect via RDP.
- Port 3389 will need to be open between the target system and the TPAM / DPA appliance.
- If a local firewall is in use, ensure this is also configured to allow RDP connections.
Unix / Linux
- Ensure the SSH daemon is running and that remote connections are allowed to the target system.
- Port 22 must be open in both directions between the TPAM and the target system, or between the DPA and the target system.
- If password authentication is being used, ensure the password is correct and that “PasswordAuthentication Yes” has been set in the SSHD config file.
- If key based authentication is being used, ensure the key file has been copied to the user’s home directory and that “PubkeyAuthentication Yes” is set in the SSHD config file.
- If a firewall or other security measures such as SELinux are in use on the target system, ensure they are properly configured to allow the PSM connection.
(Please consult your Unix Administrator for assistance with modifying these settings)
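The SSH daemon settings listed above can be checked on the target system without editing anything. The following is an added example, not part of the original article or of TPAM: it reads effective configuration text in the format printed by `sshd -T` and reports whether the setting for the chosen authentication method is enabled and whether the daemon is configured for port 22. The function names and the sample configuration are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check the effective sshd settings a PSM SSH session relies on.
# Input is text in `sshd -T` format (lowercase keyword, space, value).

# Print the value of one keyword from sshd -T style text on stdin.
sshd_value() {
    awk -v key="$1" 'tolower($1) == key { print tolower($2); exit }'
}

# check_sshd_for_psm MODE < effective-config
# MODE is "password" or "key". Prints one line per finding; returns 0 when
# the settings named in this article are in place, 1 otherwise.
check_sshd_for_psm() {
    local mode="$1" cfg keyword value rc=0
    cfg="$(cat)"
    case "$mode" in
        password) keyword=passwordauthentication ;;
        key)      keyword=pubkeyauthentication ;;
        *) echo "usage: check_sshd_for_psm password|key" >&2; return 2 ;;
    esac

    value="$(printf '%s\n' "$cfg" | sshd_value "$keyword")"
    if [ "$value" = "yes" ]; then
        echo "OK   $keyword is yes"
    else
        echo "FAIL $keyword is '${value:-unset}', expected yes"
        rc=1
    fi

    # sshd -T prints one "port N" line per configured listening port.
    if printf '%s\n' "$cfg" |
        awk '$1 == "port" && $2 == "22" { found = 1 } END { exit !found }'; then
        echo "OK   sshd is configured for port 22"
    else
        echo "FAIL sshd is not configured for port 22"
        rc=1
    fi
    return "$rc"
}

# Constructed sample of `sshd -T` output, not taken from a real system.
SAMPLE_CFG='port 22
passwordauthentication no
pubkeyauthentication yes'

# On the target system (as root): sshd -T | check_sshd_for_psm password
```

Because `sshd -T` prints the effective configuration, the check also reflects settings pulled in from included files, not only the main SSHD config file.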
Can the TPAM appliance connect to the target system?
The Account that the user is requesting for the PSM Session is associated with a specific System in TPAM. A good first step is to ensure that TPAM can connect to the target system properly.
** Password Management will need to be enabled on the Managed System in order to perform the connection test. If this is not enabled, skip ahead for additional troubleshooting suggestions.
- Log in to /tpam with an Administrator account.
- Navigate to Systems, Accounts & Collections menu > Systems > Manage Systems.
- Find the system you are looking for on the "Listing" tab and select it (use the Filter if necessary).
- Click the blue "Test System" button to test the connection to the system.
If the system test fails, you will need to determine why TPAM is not able to log in successfully.
Examples of some error messages that will appear include:
"A timeout occurred waiting for a response from the system."
"The process to check the system [name] timed out after 30 seconds"
"The RPC server is unavailable."
- Is the system online and available?
- Is there a network connection issue? DNS resolution? Firewall? Blocked ports?
- If the PSM session is being hosted by a DPA appliance, network connectivity will need to be open between the DPA and the target system, as well as between the DPA and the user's workstation.
Other Managed System Settings
- Please ensure that the "Computer Name" field on the Details tab of the Managed System has the correct hostname and that it is written in all uppercase letters (e.g. WINSRV12).
- Try changing the settings on the "Affinity" tab. Choose the option for "Selected DPA affinity and priority". Type 1 in the Priority box for LocalServer. Leave the Priority box blank for any DPAs listed. Doing this will ensure the session is hosted by the local appliance and should rule out any DPA issues.
Other Managed Account Settings
- Try adjusting settings on the "PSM Details" tab to see if a different combination will allow the session to load successfully.
- For the Proxy Type, the RDP options should be used for Windows Systems and the SSH options should be used for Unix and Linux systems.
- If you currently have it set to "Automatic Login" for the Proxy Type and "Password Managed by Local TPAM" on the Session Authentication tab, try changing it to "Interactive Login" for the Proxy Type and "Not Stored" on the Session Authentication tab.
This will cause the session to prompt the user for authentication credentials and will rule out the possibility of TPAM trying to use the wrong credentials to log in.
Additional Troubleshooting
- If the issues you are experiencing are related to web browser configuration, please try upgrading to the latest version of TPAM. Starting with version 2.5.916, the Java applet launches independently of the browser to reduce compatibility issues.
- To improve the reliability of your connection, click the Connect Options tab on the Session Request Management screen, then uncheck the “Use Default Connection Options” box. Modifying these options can improve slow connection speeds, slow screen refreshing and enable the use of foreign keyboards (for supported languages).
- If your issues are Java related, try upgrading the Java client on your workstation to the latest version. You can also try clearing the Java Cache, by opening the Java console in the Windows Control Panel.