Issue
After two Secure Access Virtual Appliances (VAs) were deployed, Active Directory (AD) integration stopped functioning in the Secure Access dashboard. AD integration was operational before the VA deployment; afterwards the AD connector displays as offline in the dashboard. Assistance is required to restore AD connectivity.
Environment
- Technology: Solution Support (SSPT - contract required)
- Subtechnology: Secure Access
- Software Version: ALL
- Secure Access (DNS-Advantage/Umbrella)
- Deployment of two Secure Access Virtual Appliances (VAs) at headquarters
- Change event: Installation of VAs immediately preceded AD connector failure
- AD Connector previously operational and now displays as offline in the Secure Access portal
Resolution
To address the issue of AD integration showing as offline in the Secure Access portal after VA deployment, perform these detailed troubleshooting steps:
Capture Network Traffic During Connector Restart
Run a Wireshark capture on all interfaces of the AD connector/domain controller while restarting the connector services. This helps identify any network communication failures or unauthorized access attempts during the initialization of the connector.
Step 1: Start Wireshark Capture on All Relevant Interfaces
Start Wireshark and begin capturing on all AD connector/domain controller interfaces.
Step 2: Restart Connector Services via Windows Services Manager
Open services.msc, locate the OpenDNS Connector service, and click Restart.
Step 3: Save Capture File for Further Analysis
Stop the capture and export the .pcap file.
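The three capture steps above, scripted in PowerShell with tshark (Wireshark's command-line capture tool) so the restart and the capture are timed together. This is an added example and not part of the Cisco article or the connector product; it assumes Wireshark is installed in its default path and that the connector's service display name begins with "OpenDNS Connector". Run it in an elevated PowerShell session on the AD connector host.

```powershell
# Added example (not from the Cisco article): run the capture-during-restart step
# from PowerShell with tshark (Wireshark's command-line capture tool).
# Assumptions: Wireshark is installed in its default path, and the connector's
# service display name starts with "OpenDNS Connector". Run as Administrator.
$tshark = 'C:\Program Files\Wireshark\tshark.exe'
if (-not (Test-Path $tshark)) { throw "tshark not found at $tshark" }

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$outFile = Join-Path $env:TEMP "connector-restart-$stamp.pcapng"

# "tshark -D" lists interfaces as "1. \Device\NPF_{...} (Ethernet)"; turn every
# index into a "-i <index>" pair so one capture covers all interfaces at once.
$ifaceArgs = @(& $tshark -D 2>$null | ForEach-Object {
    if ($_ -match '^\s*(\d+)\.') { '-i'; $Matches[1] }
})
if ($ifaceArgs.Count -eq 0) { throw 'tshark listed no capture interfaces' }

# Look the service up by display name so the script does not hard-code the
# internal service name (assumption: display name begins "OpenDNS Connector").
$svc = Get-Service -DisplayName 'OpenDNS Connector*' -ErrorAction Stop | Select-Object -First 1

# Start the capture in the background; "-a duration:<seconds>" makes tshark stop
# by itself so the capture file is closed cleanly.
$captureSeconds = 90
$capture = Start-Process -FilePath $tshark `
    -ArgumentList ($ifaceArgs + @('-w', $outFile, '-a', "duration:$captureSeconds")) `
    -NoNewWindow -PassThru
Start-Sleep -Seconds 5   # give the capture time to attach before restarting

try {
    Restart-Service -Name $svc.Name -Force -ErrorAction Stop
    $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Write-Host "Service '$($svc.DisplayName)' restarted; capturing connector start-up traffic"
    $capture.WaitForExit()   # returns when the duration autostop fires
}
finally {
    # Safety net: if anything above threw, do not leave tshark running.
    if (-not $capture.HasExited) { Stop-Process -Id $capture.Id -Force }
}
Write-Host "Capture saved to $outFile (open it in Wireshark for analysis)"
```

The capture window is deliberately longer than the restart itself so that the connector's initialisation traffic (DNS, LDAP/Kerberos to the domain controller, and the outbound connection to the Secure Access cloud) is all in one file; shorten or lengthen `$captureSeconds` to suit the environment.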
Collect Connector Logs
Gather logs from the AD connector for deeper insight into errors or authentication issues:
- Navigate to the log directory (vX.X.X is the installed connector version):
C:\Program Files (x86)\OpenDNS\OpenDNS Connector\vX.X.X
- Collect the log files for review: copy all log files from that directory to a secure location.
Verify AD Connector Account Permissions
After introducing Virtual Appliances, the AD Connector account requires specific permissions to function correctly. If the account lacks the Event Log Reader role, it can encounter unauthorized access exceptions.
- Assign Event Log Reader permission to the AD Connector account. Use Active Directory Users and Computers (ADUC) or Group Policy to add the AD Connector account to the Event Log Readers group.
- Confirm the account has the new permission. Check group membership for the AD Connector account to verify Event Log Readers inclusion.
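The two permission steps above, scripted with the RSAT ActiveDirectory module: check whether the AD Connector account is a direct member of the built-in Event Log Readers group, and add it if it is missing. This is an added example, not from the Cisco article; the account name OpenDNS_Connector is an assumption and must be replaced with the service account actually used by the connector.

```powershell
# Added example (not from the Cisco article): confirm the AD Connector account is
# a member of the built-in "Event Log Readers" group and add it if it is missing.
# Requires the RSAT ActiveDirectory module and rights to modify group membership.
# Assumption: the connector's service account is named OpenDNS_Connector.
Import-Module ActiveDirectory -ErrorAction Stop

$connectorAccount = 'OpenDNS_Connector'   # replace with the real service account
$groupName        = 'Event Log Readers'   # built-in group in the domain's Builtin container

function Test-EventLogReader {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$GroupName = 'Event Log Readers'
    )
    $groupDn = (Get-ADGroup -Identity $GroupName -ErrorAction Stop).DistinguishedName
    # Get-ADPrincipalGroupMembership returns direct memberships, which is what
    # matters here: the connector account should be a direct member of the group.
    $member = Get-ADPrincipalGroupMembership -Identity $SamAccountName -ErrorAction Stop |
        Where-Object { $_.DistinguishedName -eq $groupDn }
    return [bool]$member
}

if (Test-EventLogReader -SamAccountName $connectorAccount -GroupName $groupName) {
    Write-Host "$connectorAccount is already a member of '$groupName'"
} else {
    Write-Host "$connectorAccount is not in '$groupName'; adding it"
    Add-ADGroupMember -Identity $groupName -Members $connectorAccount -Confirm:$false
    # Re-check against the same domain controller the change was written to.
    if (-not (Test-EventLogReader -SamAccountName $connectorAccount -GroupName $groupName)) {
        throw "Membership change for $connectorAccount did not take effect"
    }
    Write-Host "$connectorAccount added to '$groupName'"
}
```

Group membership is evaluated when the account's logon token is built, so after adding the account the OpenDNS Connector service must be restarted (services.msc or `Restart-Service`) before the new permission takes effect; in a multi-DC domain, allow for replication before expecting the connector to read event logs from every domain controller.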
Common Exception Found
During troubleshooting, this exception can be observed in logs or connector status output:
- Exception type: system.unauthorizedaccessexception
  message: Attempted to perform an unauthorized operation.
This indicates the AD Connector account does not have sufficient permissions, specifically the Event Log Reader role, which is mandatory after VAs are introduced.
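The log-collection step under "Collect Connector Logs" and the exception above, combined in one PowerShell script: it copies the versioned connector directory to a time-stamped evidence folder, archives it, and scans the collected text files for UnauthorizedAccessException. This is an added example, not from the Cisco article; it assumes the vX.X.X directory sits directly under the OpenDNS Connector install path and that the connector writes text logs with .log or .txt extensions.

```powershell
# Added example (not from the Cisco article): collect the connector's log directory
# into a time-stamped evidence folder, zip it, and scan it for the
# UnauthorizedAccessException described under "Common Exception Found".
# Assumption: the versioned directory (vX.X.X) sits directly under the install path.
$base   = 'C:\Program Files (x86)\OpenDNS\OpenDNS Connector'
$logDir = Get-ChildItem -Path $base -Directory -Filter 'v*' -ErrorAction Stop |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $logDir) { throw "No versioned connector directory found under $base" }

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$dest  = Join-Path $env:USERPROFILE "Desktop\connector-logs-$stamp"
Copy-Item -Path $logDir.FullName -Destination $dest -Recurse
Compress-Archive -Path $dest -DestinationPath "$dest.zip"
Write-Host "Logs copied to $dest and archived as $dest.zip"

# Scan the collected text files for the exception. Select-String is case-insensitive
# by default, so it matches the lower-cased "system.unauthorizedaccessexception"
# shown in connector status output as well as the .NET-cased form in log files.
# Assumption: connector logs use .log or .txt extensions; binaries are skipped.
function Find-UnauthorizedAccess {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File |
        Where-Object { $_.Extension -in '.log', '.txt' } |
        Select-String -Pattern 'UnauthorizedAccessException' -SimpleMatch |
        ForEach-Object {
            [pscustomobject]@{
                File = $_.Filename
                Line = $_.LineNumber
                Text = $_.Line.Trim()
            }
        }
}

$hits = @(Find-UnauthorizedAccess -Path $dest)
if ($hits.Count -gt 0) {
    Write-Host "$($hits.Count) UnauthorizedAccessException entries found; last five:"
    $hits | Select-Object -Last 5 | Format-Table -AutoSize
    Write-Host 'Verify that the AD Connector account is a member of the Event Log Readers group.'
} else {
    Write-Host 'No UnauthorizedAccessException entries found in the collected logs.'
}
```

Keep the zip alongside the .pcap from the capture step when opening a support case; the timestamps in the log entries line up with the packet timestamps and show whether the exception is raised before or after the connector reaches the domain controller.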
No CLI command was found that shows the AD connector status changing from offline to online.
Cause
The underlying cause is insufficient permissions for the AD Connector account after the deployment of Secure Access Virtual Appliances. The account lacks the Event Log Reader permission, which is required for proper AD connector functionality. This results in a "system.unauthorizedaccessexception" error and prevents the connector from operating online within the Secure Access portal.