The following are Centrify Hyper-scalable Privileged Access Service frequently asked questions and information about specific features and functionality as follows:
- Scripts won't run.
- Unknown or non-existant node listed in NodeList.
- Web node is installed but site does not appear.
If you receive an error such as:
Message: File <file name> cannot be loaded. The file <file> is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.
+ CategoryInfo : NotSpecified: ( [Write-Error], WriteErrorException
+ FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Centrify-Pas-Deploy.ps1
Review enabling PowerShell scripts for more information.
If you see nodes that no longer exist listed when you run Centrify-PAS-NodeList.
The Node was destroyed, lost, or it was unable to connect to the database when it was deprovisioned using Centrify-PAS-Deploy -RemoveNode on the node itself.
Centrify-PAS-RemoveNode from the Management node will remove the node from the database.
After you have deployed a web node using Centrify-PAS-Deploy -WebNode, set it active, browsing to the host name doesn’t work.
There are several possibilities:
The name is not registered
To browse to the Web node, the host name must be registered with the appropriate name server. To verify this, from your client system, enter:
The return IP address should match the public IP address of the node or the node’s load balancer.
PS C:\ > nslookup pas.corpnet.comServer: dns.googleAddress: 188.8.131.52
Non-authoritative answer:Name: corpnet.comAddress: 184.108.40.206Aliases: pas.corpnet.com
This tells us that:
- Name Servers (in Windows Control Panel) are set to Google’s DNS (220.127.116.11).
- Pas.corpnet.com is listed and has a public IP address (meaning: not 192.168.*.* or 10.0.*.*).
If, instead, we got:
PS C:\ > nslookup pas.corpnet.comServer: dns.googleAddress: 18.104.22.168*** dns.google can't find pas.keybounce.com: Non-existent domain
This indicates that the name could not be resolved. Ensure it is plugged into the correct authoritative name server, such as AWS’ Route53, or GoDaddy, and so on.
Note: This address is not the internal address of the Web node(s), but rather the public internet-facing port for the Load Balancer or Firewall.
Inaccessible IP address
If the listed address from the above step comes back as a Private IP address or in any of the following ranges:
- 10.0.0.0 – 10.255.255.255
- 172.16.0.0 – 172.31.255.255
- 192.168.0.0 – 192.168.255.255
the IP Address is not accessible from the outside world. It needs an external public (generally static) IP Address. The IP address is not for the Web node, unless there is only one Web node (not recommended), but rather for the Load Balancer.
Load Balancer health check fails
Once you have verified that the name resolves to the Load Balancer, ensure the Load Balancer can see healthy web nodes.
- The Health Check point is /health/check. You should see all web nodes listed and at least those on the current deployment (Centrify-PAS-SetActiveDeployment) displaying “healthy”.
- If you do not see any Web nodes, check your load balancer configuration.
- If you see the correct Web nodes, but they display as “unhealthy,” verify that they are on the correct deployment. Navigate to the Web node by name from the node (this will generally work as the deployment process adds the name to the local hosts file at c:\Windows\System32\Drivers\Etc\hosts) or IP Address, adding the “/health/check” path.
In this case, we see that the Role is active, with the Instance Name of “WR_Second.” If the Web nodes list as offline, ensure they are powered up and booted.
- From the Management node, ensure the Web node is listed as online and active from Centrify-PAS-NodeList.
- If it is offline, it is not accessing the database and may not be running.
- If it is online but inactive, it has the wrong deployment ID. You need to either change the active deployment with Centrify-PAS-SetActiveDeployment or you will need to deploy a node of the correct deployment.
- RDP into the Web node and verify that IIS is running and that there is a c:\CentrifyNode directory.
Note: If the above are not the case, it may be necessary to re-image and re-deploy this Web node.