Troubleshooting

Start by configuring the logging at debug or trace level output and recreating the issue (see Configure Logging).

If you are getting no output at all in the logs, check to be sure that the account running the gateway service(s) has permissions to write to the directory configured for logging in the NLog.config file (see Configure Logging). This account is typically Network Service. Check the Microsoft Services MMC to confirm the account under which the service is running. Try renaming the existing log to CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA._Gateway_Log_Save.txt (or similar). It's possible that the service can't write to the specific existing log file. A new log file will be created automatically.

If you are using a custom service account instead of Network Service to run the gateway service (as opposed to the sync service) and receive this error on attempting to save in the gateway configuration wizard, this may indicate that you haven’t fully configured the gateway service to run as the custom service account. Review the steps (see Start the Gateway Services) and confirm that each step has been completed. On upgrade, custom service account information is cleared and will need to be reconfigured.

If you are using the clustering option and you are unable to start the cluster role for your gateway, it may be because you have a leftover entry for the http://+:8051/ URL linkage. This can occur if you partially configure the gateway and then start over or similarly follow the configuration steps out of order. To check the linkage, open a PowerShell window using the Run as Administrator option and run the following command:

In the output, look for an entry containing http://+:8051/. If you have not yet configured the gateway, this output should show (among other things):

If the output shows a user other than Network Service or there is some other issue, you may need to clear the entry. In some cases, you may need to recreate it as well:

If you're using clustering and see a message similar to this when you try to open the gateway configuration wizard, it can indicate that the server on which you are running the configuration wizard is not the active cluster node.

If you are using the clustering option and the template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. and account synchronization is failing with this error even though the role you created for sync is running successfully (see Add a Resource for the Keyfactor Managed CA Sync Service), confirm that you granted read permissions on the private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. of the gateway encryption certificate to Network Service (see Acquire and Distribute a Gateway Encryption Certificate).

If you are using the enrollment agent certificate option and enrollment through the gateway is failing with this error, confirm that you granted read permissions on the private key of the enrollment agent certificate to Network Service (see Configure the Enrollment Agent Certificate (Optional)).

If you are using the enroll on behalf of function and enrolling on behalf of another user is failing with this error, confirm that your enrollment agent certificate is in the store from which you are trying to use it (local machine or current user). If you are using a certificate in the local machine store, confirm that you granted read permissions on the private key of the enrollment agent certificate to the user making the enrollment request (see Configure a Certificate for Enroll on Behalf of (Optional)).

If you are using the enroll on behalf of function in the Microsoft certificates snap-in and enrolling on behalf of another user is failing with this error, confirm that your enrollment agent certificate is in the local user store. Confirm that the appropriate chain certificates are installed in the local user store for the certificate. Confirm that you have installed the intermediate CA certificate into the NTAuthCertificates object in Active Directory (see Acquire and Install a Chain Certificate).

If you are using the account synchronization option and synchronization fails with this error, look for a subsequent error along the lines of:

If you see this, confirm that you have installed the remote server administration tools (see Add Remote Server Administration Tools). If you don't see this subsequent message, check to see if you have any domain controllers in the forest An Active Directory forest (AD forest) is the top most logical container in an Active Directory configuration that contains domains, and objects such as users and computers. running versions of Windows older than 2012 R2. This error can occur in a multi-domain environment if the account synchronization process attempts to look up membership on a group where the lookup must check outside the current domain. In this scenario, the error may be intermittent, as it only occurs when the request is sent to a domain controller older than 2012 R2 and not when the request happens to be directed to a newer domain controller. To resolve this issue, modify the Get-KeyfactorSyncGroupMembers.ps1 script file. This file is found in the scripts directory under the installed directory for the gateway. By default, this is:

Add the following just above the section that is commented “Look up the group”:

# Force requests to use DCs of OS version 2012 R2 or higher
$dc = ((Get-ADDomainController -DomainName $groupDomain -Discover -SiteName "Default-First-Site-Name" -MinimumDirectoryServiceVersion Windows2012R2).HostName)

Modify the “Look up the group” section as follows, commenting out the two existing $adGroup lines and adding new lines referencing $dc.Value (changes marked in red):

# Look up the group, using the search base, if provided
if($SearchBase)
{
  Write-Verbose "Searching for group '$groupSAMAccountName' in domain '$groupDomain' using search base '$SearchBase' and DC $dc"
#$adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$groupSAMAccountName'" -SearchBase $SearchBase -Server $groupDomain
  $adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$groupSAMAccountName'" -SearchBase $SearchBase -Server $dc.Value
}
else
{
  Write-Verbose "Searching for group '$groupSAMAccountName' in domain '$groupDomain' using default search base and DC $dc"
#$adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$groupSAMAccountName'" -Server $groupDomain
  $adGroup = Get-ADGroup -Filter "sAMAccountName -eq '$groupSAMAccountName'" -Server $dc.Value
}

In order to configure the Keyfactor Cloud Gateway version 25.1 and higher to use a proxy please review the following steps:

1. Install/Upgrade to the desired version of the Keyfactor Cloud Gateway.

2. Close the configuration wizard of the Keyfactor Cloud Gateway.

3. Navigate to the configuration files for the Keyfactor Cloud Gateway (C:\Program Files\Keyfactor\Managed CA...).

4. Locate the three gateway configuration files and alter as described below:

   • GatewayConfig.exe.config

     Paste the following line inside <configuration> section:

     <system.net>	
      <defaultProxy>
      <proxy proxyaddress="proxy address" bypassonlocal="true" />
      </defaultProxy>
     </system.net>

   • CAProxy.SyncService.exe.config and CAProxyServer.exe.config

     Paste the following line inside the <configuration> section directly after the <configSections> section:

     <system.net>	
      <defaultProxy>
      <proxy proxyaddress="proxy address" bypassonlocal="true" />
      </defaultProxy>
     </system.net>

5. Restart the Keyfactor gateway service.

6. Open the Keyfactor Cloud Gateway configuration wizard and validate the connection.