If your problem is not addressed below, contact SoftwareIDM.

Self Healing

Version 2.2.15 and higher of Identity Panel include a simple console utility called PanelCheck. This application may be scheduled to run periodically with Task Scheduler. PanelCheck will attempt to make sure that the database and search services are operating, that the web application is available, and that the scheduler is healthy.

Error Logs

To troubleshoot Identity Panel tools there are three places to look for error details.

  1. The SoftwareIDM Panel Service reports errors to the event log and Panel Tools dashboard console
  2. PanelTool interactive console writes errors to the command window
  3. Identity Panel web application writes error data to the database. To view the most recent errors: Open a command prompt and run

C:\Program Files\SoftwareIDM\IdentityPanelWeb\MongoDB\bin\mongo.exe IdentityPanel_vNext

var cursor = db.LogMessage.find().sort({ ts: -1 }).limit(3)

Unable to connect to localhost:27017

If an error message says unable to connect to localhost:27017, this is an indication that the MongoDB service failed to start.

  • Open Services manager and start the "SoftwareIDM Identity Panel Database" service.
  • If the database service fails to start follow the "Recover from Hard Crash" instructions in Operations
  • If the service still fails to start, open SoftwareIDM\IdentityPanelWeb\MongoDB\log\mongo.log in a text editor. This gives additional details on why the service is not starting.
  • If you are installing or upgrading to Identity 2.5 or later you may need to install the Visual Studio Redistributable tools

Error after "Initializing Scan Data"

In PanelTool or Panel Service, if you are scanning a very large Identity provider, or if you have under-provisioned your web-application hardware you may see an error message on the "Initializing Scan Data" step. When performing a full scan, PanelTool requests a list of object hashes from the web-server. If the list of hashes is large enough the request can time out before returning.

To resolve this, edit Rest:TimeoutSeconds in PanelTools config.json and increase the number of seconds before timeout.

Unable to connect to the remote server Error

If you see an error message in PanelTool or in the Panel Service event log saying "Unable to connect to the remote server", this indicates there is a connection failure to the Identity Panel REST API.

  • Verify that you have network connectivity on the correct ports to the web application.
  • Open PanelTool.exe.config and SoftwareIDM.PanelService.exe.config, and verify that the correct URLs have been entered for the PanelHost connectionString.
  • Verify that you have the correct binding settings in IIS.
  • If running on the same server as the host web-application, verify that loopback protection is not the problem. If you entered an FQDN as the web-host during installation, it may be necessary to edit PanelTool.exe.config and SoftwareIDM.PanelService.exe.config and change the PanelHost value to localhost.

Child service failed

If you see an error message in the Panel Service event log saying "Child service failed The remote server returned an error: (401) Unauthorized", this indicates there is a connection failure to the Identity Panel REST API. See the section above for details.

Access is denied or WMI Error while running a scan

You may receive an access denied error, or WMI error while scanning FIM. The most likely causes are insufficient WMI permissions, or problems with FIM WMI corruption. The best way to troubleshoot this issue is to use PowerShell to validate and resolve WMI connectivity using the same account running Panel Service. This can be done from the command line with the following:

Runas /u:domain\serviceaccount powershell

Get-WmiObject -ComputerName localhost -Namespace "root\MicrosoftIdentityIntegrationServer" -Class "MIIS_ManagementAgent"

Cannot open FIMSynchronizationService service Error

If you receive a ServiceController error in PanelTool or Panel Service, the account running PanelTool or Panel Service may have insufficient permissions to monitor service status on the computer. You can resolve this by making the Panel Service account a local administrator, or by assigning service permissions.

The easiest way to grant service permissions is to download the subinacl tool from Microsoft and use this to grant the desired access.

Copyright © SoftwareIDM

Table of Contents