Identity connector

Before you begin:

📘

If an identity connector is unreachable or Remote Debugging is not enabled, the troubleshooting tools are not visible for that connector.

The identity connectors tab includes common networking tools that allow an administrator to troubleshoot connectivity issues between an identity connector and the directory it is associated with. Each tool includes a field where administrators can enter information. A terminal window is also embedded in the ETP user interface to show query results.

Each tool in this table includes a field where administrators can enter information:

| Troubleshooting tool utility | Description |
| --- | --- |
| dig | Queries the DNS server and retrieves information about a hostname such as its resolvable IP address. |
| Ping | Determines if the application host or IP address is reachable from the identity connector and available to accept requests. |
| Traceroute | Tracks the route that IP packets take from the identity connector to the application host or IP address. |
| Traceroute | Traces the route from the identity connector to the application host or IP address and retrieves additional routing and network information such as the AS number and detected firewalls. |
| cURL | Checks if the application URL is reachable from the identity connector. To troubleshoot application reachability issues, you can use cURL to execute GET and POST requests and inject or add headers to the request. |

While Fiddler is not included as a utility in ETP, you can also download this third-party tool to trace HTTP and HTTPS traffic issues. For more information, see Gather a Fiddler trace.

Run an identity connector troubleshooting utility

If there is a connectivity issue with an identity connector, you can run one of the diagnostic or troubleshooting tools to determine the issue. You can test connectors from the Identity Connectors page or from the list of identity connectors that are associated with a directory. For more information about these troubleshooting tools, see Troubleshoot identity connector connectivity.

To run an identity connector troubleshooting utility:

  1. To troubleshoot connectors that are associated with a specific directory:

    1. In the Threat Protection menu of Enterprise Center, select Identity & Users > Directories.

    2. Click the edit icon for the directory that has the connector connectivity issue.

    3. Click the Connectors tab.

  2. To troubleshoot connectors from the Identity Connectors page, in the Threat Protection menu, select Clients & Connector > Access and Identity Connectors.

  3. Go to the connector that you want to troubleshoot.

  4. Click the stethoscope icon to open the diagnostic options. If the troubleshooting utilities do not appear, you may need to enable Remote Debugging. For more information, see Enable or disable remote debugging for a connector.

  5. Select the utility you want to use: dig, Ping, TraceRoute, LFT, or cURL.

  6. Enter the application hostname or IP address that you want to test in the provided field.

  7. Click Run.

📘

When you run these utilities, the terminal window may temporarily show a Pending status until the query or test is complete. When the query is complete, a SUCCESS message and information regarding the hostname appear in the terminal window.

Enable or disable remote debugging for a connector

To troubleshoot identity connector connectivity in ETP, you need to enable remote debugging. Enabling remote debugging lets you run a troubleshooting utility.

To enable or disable remote debugging for a connector:

  1. In the Threat Protection menu of Enterprise Center, select Client & Connectors > Access and Identity Connectors.

  2. Hover over a connector and click the edit icon for an identity connector.

  3. Enable the toggle for remote debugging.

  4. Click the Save check mark icon.

You can perform a bulk action to enable or disable remote debugging for multiple identity connectors. These operations are available in the Enterprise Center user interface only:

Enable remote debugging for multiple identity connectors

To enable remote debugging for multiple identity connectors:

  1. In the Threat Protection menu of Enterprise Center, select Client & Connectors > Access and Identity Connectors.

  2. In the top menu, click the bulk action icon.

  3. Click the bulk action icon and select Enable Remote Debugging from the menu.

  4. Select the identity connectors for which you want to enable remote debugging.

  5. Click Enable Remote Debugging.

Disable remote debugging for multiple identity connectors

To disable remote debugging for multiple identity connectors:

  1. In the Threat Protection menu of Enterprise Center, select Client & Connectors > Access and Identity Connectors.

  2. In the top menu, click the bulk action icon.

  3. Click the bulk action icon and select Disable Remote Debugging from the menu.

  4. Select the identity connectors that no longer require remote debugging.

  5. Click Disable Remote Debugging.

Troubleshoot an unreachable identity connector

An identity connector is reachable, or connected, when its status displays the message Connector is running. If the error message Connector is unreachable is displayed, the identity connector is unreachable or down.

The Connector is unreachable error message means that network problems are preventing the identity connector from establishing a connection to ETP. Use these steps to resolve the problem:

To troubleshoot an unreachable identity connector:

  1. Verify that the identity connector is on and that it has Internet access.

  2. Make sure the VM is up and running.

  3. Make sure the VM instance has network connectivity on port 443 to the Internet.

  4. Check to see if the VM is reporting the correct IP address associated with the connector.
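The port 443 check in step 3 can be narrowed down to the layer that fails. The following is an added example, not part of the vendor documentation: it probes DNS, TCP and TLS in order from a machine on the connector's network and reports the first stage that fails. The function name and the hostname passed on the command line are assumptions; the page does not name a specific ETP endpoint.

```python
import socket
import ssl
import sys


def check_outbound_https(host, port=443, timeout=5.0):
    """Probe DNS, TCP and TLS in order; return (stage, detail) for the first failure."""
    try:
        socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return "dns_failed", str(exc)      # name does not resolve from this network

    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError as exc:
        return "tcp_refused", str(exc)     # actively rejected: closed port or rejecting firewall
    except socket.timeout as exc:
        return "tcp_timeout", str(exc)     # no answer: packets are probably being dropped
    except OSError as exc:
        return "tcp_error", str(exc)       # for example, no route to host

    ctx = ssl.create_default_context()     # verifies the certificate chain and hostname
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain: can indicate a TLS-inspecting proxy in the outbound path.
        return "tls_cert_untrusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "tls_failed", str(exc)      # port open, but the peer did not complete TLS


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check443.py <hostname>")   # hostname is supplied by the operator
    stage, detail = check_outbound_https(sys.argv[1])
    print(f"{sys.argv[1]}:443 -> {stage} ({detail})")
    sys.exit(0 if stage == "ok" else 1)
```

A `tcp_timeout` or `tcp_refused` result points at routing or firewall rules for outbound 443, while `tls_cert_untrusted` points at an intermediate device that re-signs HTTPS traffic.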

Gather a Fiddler trace

You can download and use Fiddler to capture HTTP/HTTPS traffic. Save the data as a log file. This data is useful for troubleshooting traffic issues.

To gather a Fiddler trace:

  1. Download Fiddler and install it on your system.

  2. Run Fiddler and go to Tools > Fiddler Options.

  3. On the HTTPS page, verify that Capture HTTPS Connects is enabled.

  4. Verify that Decrypt HTTPS traffic is enabled with the ...from all processes option.

  5. Minimize Fiddler to your tray.

  6. Replicate the reported issue.

  7. In Fiddler, go to File > Save > All Sessions and save the archive to disk. This produces a file that you can archive and share with technical support.

