Troubleshoot the CyberArk Identity Connector

This topic describes troubleshooting procedures related to the CyberArk Identity Connector.

Send automatic email notifications for connector failure

You can send automatic, customizable notifications to specified users so you can quickly start the troubleshooting process, mitigating the impact on your organization.

Configure automatic notifications for connector failure

Email notifications for connector failure can be sent to Users, Groups, or Roles.

To configure automatic notifications for connector failure

  1. Go to Settings > Network > Notifications, and then click Add.

  2. Select who you want to receive notifications by selecting a User, Group, or Role, and then click OK.

    Selected users, Group members, or Role members will receive an email if CyberArk Identity can't reach any of the connectors.

    We recommend including at least one CyberArk Cloud Directory user. If you select only users that depend on the connector for authentication, you won't be able to access the notification.

Customize the connector failure message

You can customize the contents of the connector failure notification email. Refer to Modify an email template for more information.

Allow support to access connector logs

On the Connector tab of the CyberArk Identity Connector Configuration Program, select Allow support to access local connector logs to give the identity provider the ability to open the connector log files. These files can help resolve a problem and are the only files the service provider can open. This option is selected by default.

Change connector log settings

You can change the CyberArk Identity Connector log settings, such as the file size of logs collected on a connector host machine and the maximum number of backup files kept.

To change the connector log settings

  1. In the CyberArk Identity Admin Portal, go to Settings > Network > CyberArk Identity Connectors.

  2. Select the checkbox for the relevant connector.

  3. Click the Actions drop-down list > Change Log Setting.

  4. Make the necessary updates.

Do not change the log file name unless instructed to do so by CyberArk Support.

The log file size defaults to 2MB and the maximum number of log backups defaults to 450 entries. Changing the file size will result in smaller log.txt files, and modifying the log backup counter will limit the number of log.txt entries (log.txt, log.txt.1, log.txt.2, etc.).

Re-register the CyberArk Identity Connector

The Re-register button found on the Connector tab starts the CyberArk Identity Connector configuration wizard and allows you to re-register this connector.

Re-registering a connector

Generally, you re-register the connector under the same customer ID as a troubleshooting step, typically recommended by CyberArk customer support.

Re-registering under a different ID can destabilize your environment and should be done only after consulting with customer support. Changing the ID moves the connector from one installation to another. If the connector is the only server in an installation, removing the server from the installation will cause any device enrollment to the installation to fail, and enrolled devices will no longer receive policy changes.

Respond to disk space alerts

This procedure describes the possible cause of disk space alerts, and how to respond to the alerts. You get disk space alerts on an Active Directory member server where the CyberArk Identity Connector is installed.

Possible Cause

The disk space alerts may be caused by the creation of local user profiles on the host machines running the CyberArk Identity Connector. The local user profile can be created for users who have never logged on to the CyberArk Identity Connector host. The profiles get created by the Directory Services API when the call for “ChangePassword” is triggered. The call is triggered when both of these conditions are met:

  • The user uses the self-service password reset option from User Portal > Account tab.
  • The user has rights to “Logon Locally” to the connector host.

Resolution

You can prevent the creation of local user profiles by following these procedures. These procedures will not delete the profiles already created; they only prevent the creation of more profiles.

To prevent the creation of local user profiles

  1. Log in as an Administrator and open the Local Group Policy Editor by typing gpedit.msc in the Run box.

  2. Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment.

  3. Click Allow log on locally and remove "Users" and "Backup Operators".

  4. Click Apply.
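
To confirm the change took effect, the following added example (not part of the CyberArk documentation) parses a secedit user-rights export and reports whether Users or Backup Operators still hold Allow log on locally. The function names are hypothetical; SeInteractiveLogonRight is the policy constant for that right, and the SIDs are the well-known ones for the two built-in groups.

```powershell
# Added example: audit "Allow log on locally" on the connector host.
# In a secedit export this right is stored as SeInteractiveLogonRight.
$RightName = 'SeInteractiveLogonRight'

# Well-known SIDs of the two built-in groups the procedure removes.
$Unwanted = @{
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}

# Hypothetical helper: returns the unwanted groups that still hold the right.
function Get-UnwantedLogonLocally {
    param([string[]]$PolicyLines)

    $line = $PolicyLines |
        Where-Object { $_ -match "^\s*$RightName\s*=" } |
        Select-Object -First 1
    if (-not $line) { return }   # right is not defined in this export

    # Entries are comma separated; SIDs are written with a leading '*'.
    $holders = ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }

    foreach ($sid in $Unwanted.Keys) {
        if ($holders -contains $sid) { $Unwanted[$sid] }
    }
}

# Hypothetical wrapper: export the live policy (elevated prompt) and check it.
function Test-ConnectorLogonPolicy {
    $cfg = Join-Path $env:TEMP 'connector-user-rights.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try     { Get-UnwantedLogonLocally -PolicyLines (Get-Content -Path $cfg) }
    finally { Remove-Item -Path $cfg -ErrorAction SilentlyContinue }
}

# Constructed sample export, so the parser can be exercised off the host.
$sample = @(
    '[Privilege Rights]'
    'SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,*S-1-5-32-551'
)
$found = Get-UnwantedLogonLocally -PolicyLines $sample
if ($found) { "Still allowed to log on locally: $($found -join ', ')" }
else        { 'Users and Backup Operators no longer hold the right.' }
```

Run Test-ConnectorLogonPolicy from an elevated PowerShell session on the connector host; no output means neither group holds the right.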