Troubleshooting

This section describes issues commonly encountered when integrating the components of the Cloud Secure solution, and probable solutions for them.

In most cases, Single Sign-On fails for an end user because of a simple misconfiguration. Because several components are involved, validate the configuration of each one before testing SSO to cloud services. The step-by-step procedures below validate the configuration of every component in the solution, starting with the end user devices.

This section describes the following troubleshooting tasks:

Mobile Devices (iOS/Android)

Desktops

Ivanti Connect Secure

Pulse Workspace

Troubleshooting Tips

Mobile Devices (iOS/Android)

Check that the user device is registered with the MDM server.

iOS devices: open Settings > General > Device Management and check that the Workspace profile is installed.

Android devices: open the Pulse Workspace mobile application and check that the profile has been configured. The list of all managed applications is shown there.

Check that the VPN certificate is installed.

iOS devices: open Settings > General > Device Management > Workspace > More Details and check that the certificate list contains the user's VPN certificate.

Check that the VPN profile was pushed to Ivanti Secure Access Client and that the desired connection is set as the default.

Open the Ivanti Secure Access Client mobile application and check that a default VPN connection, pushed and managed by Pulse Workspace, is present.

Check that the desired cloud applications are installed.

Check that all desired managed cloud applications were installed on the user device as part of mobile registration with the MDM server.

Check that the ActiveSync profile, including the token, was pushed to the user device for native mail access.

iOS devices: open Settings > Mail, Contacts, Calendars and check that the Accounts section contains the ActiveSync profile pushed by Pulse Workspace. Verify the account details: email, server and username should be auto-populated, and the token should be configured as the password in the profile.

Open Pulse Workspace > Policy > Configuration and check that the 'Divide' section contains the registered user's details.

Desktops

Check that Ivanti Secure Access Client is installed and that the desired VPN connection is available.

Ivanti Connect Secure

Follow these steps to validate the configuration on Ivanti Connect Secure.

Check that all Realm and Role Host Checker (HC) restrictions are configured correctly.

Use a wildcard or SAN (Subject Alternative Name) certificate on Ivanti Connect Secure for signing SAML messages, so that SSO to cloud services is seamless.

The Alternate Host FQDN for SAML must be resolvable when an SSO-enabled cloud service is accessed via a browser.

Make sure the User Role is configured for either an L3 or an L4 VPN tunnel, and that the corresponding setting is turned on in Pulse Workspace for mobile clients. For Android mobiles and Macintosh laptops, L3 VPN is the only supported tunnel type.

If the device certificate is issued by an intermediate CA, upload the intermediate CA certificate to Ivanti Connect Secure as well.

Make sure the LDAP server is reachable from Ivanti Connect Secure.

To troubleshoot Single Sign-On issues:

On Ivanti Connect Secure, under Maintenance > Troubleshooting, enable the event codes "saml, auth" at level 50 and collect the debug logs. Enable Policy Tracing and capture the policy trace for the specific user.

Check System > Log/Monitoring > User Access > Log for the SAML AuthnRequest and SAML Response for the specific user, and verify that the Subject Name in the SAML Response is correct.

You can also perform a packet capture on the client machine.

Pulse Workspace

Follow these steps to validate the configuration on Pulse Workspace:

Make sure all applications are configured with the Per-App VPN network access method, except the Divide Productivity application under Android App Rules.

Make sure all applications were installed on the user device. Navigate to Workspaces > Users > <Username> > <Device>, which lists all installed applications. If installation succeeded, the client icon for the app turns green; if it failed, the icon stays grey.

Make sure the Ivanti Connect Secure appliance registration succeeded. On the Appliances tab, Pulse One Status should show Connected for the appliance.

'VPN Certificate Auth' should be set to true.

'Use L3 VPN' should be set to true for Android devices.

Troubleshooting Tips

This section outlines common error messages and problems encountered when integrating the Cloud Secure solution with multiple Service Providers, and provides probable solutions for them.

Scenario: Ivanti Connect Secure failed to send SAML Response to Service Provider.

Symptoms:

Ivanti Connect Secure received a SAML AuthnRequest from the Service Provider but did not send a SAML Response. Check the User Access Logs on Ivanti Connect Secure to confirm which SAML messages were exchanged.

The user received either "Authorization Failed. Please contact your administrator. Details: You are not authorized to access the requested resource." or "Compliance Check Failed. Please contact your administrator. Details: You have limited connectivity because your device does not meet compliance policies." in the application and did not get access to the cloud service.

Possible cause: Role-based access control for the Service Provider failed. The user is not authorized to access the cloud service with the role assigned.

Possible solution: On the Ivanti Connect Secure admin console, navigate to Authentication > Signing In > Sign-in SAML > Identity Provider and configure the specific Service Provider to allow access for the user role assigned to the end user.

Possible cause: The compliance check failed for the end user, who receives a compliance failure notification.

Possible solution: Bring the end user device into compliance so that it is assigned to a user role with full access.

Possible cause: Access Control Lists do not allow the resource being accessed.

Possible solution: Configure the SAM or VPN Tunneling Access Control Lists on Ivanti Connect Secure to allow access to that resource.

Scenario: Ivanti Connect Secure successfully sent SAML Response to Service Provider but user did not get access to the cloud service.

Symptoms:

Ivanti Connect Secure received a SAML AuthnRequest from the Service Provider and successfully sent a SAML Response. Check the User Access Logs on Ivanti Connect Secure to confirm which SAML messages were exchanged.

The user received either "Authorization Failed. Please contact your administrator. Details: You are not authorized to access the requested resource." or "Compliance Check Failed. Please contact your administrator. Details: You have limited connectivity because your device does not meet compliance policies." in the application and did not get access to the cloud service.

Possible cause: The clocks on Ivanti Connect Secure and the Service Provider are out of sync, so the Service Provider rejects the validity window (NotBefore/NotOnOrAfter) of the assertion.

Possible solution: Re-sync the Ivanti Connect Secure clock by configuring a reliable NTP server.

Possible cause: The private key Ivanti Connect Secure uses to sign the SAML Response does not match the public key certificate configured on the Service Provider.

Possible solution: On the Ivanti Connect Secure admin console, navigate to Authentication > Signing In > Sign-in SAML > Identity Provider and check that the correct signing certificate is configured. Compare it with the signing certificate configured on the Service Provider.

Possible cause: The SAML Response sent by Ivanti Connect Secure does not carry a viable user identity.

Possible solution: On the Ivanti Connect Secure admin console, navigate to Authentication > Signing In > Sign-in SAML > Identity Provider and check that the Subject Name Format and Subject Name configured under User Identity are valid and match the user configured in the Service Provider for cloud service access. If the Identity Provider default configuration is overridden for this Service Provider, check the User Identity section of that Service Provider-specific configuration instead.

Possible cause: The user created in the Service Provider does not have the required privileges.

Possible solution: Make sure the user created in the Service Provider has the required SSO privileges. This configuration is on the Service Provider side and varies by provider.
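The three causes in this scenario (clock skew, signing certificate mismatch, missing or wrong Subject Name), together with the Subject Name check in the User Access Log procedure above and the SAML Tracer capture recommended at the end of this page, can all be verified from the SAMLResponse a browser actually posts. The following Python script is an added example written for this page; it is not Ivanti code. It decodes a SAMLResponse value as captured by SAML Tracer (base64 for the HTTP-POST binding, raw DEFLATE plus base64 for HTTP-Redirect), extracts the fields involved, and reports findings that map to the possible causes listed above. The entity IDs, timestamps and certificate bytes are constructed placeholders, and the script compares the embedded certificate's fingerprint against the expected one rather than verifying the XML signature itself.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET  # use defusedxml for input you do not control
import zlib
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

FAKE_CERT_DER = b"constructed-not-a-real-certificate"  # stand-in for the IdP signing cert DER
# What the Service Provider is configured to expect; the entity ID is a placeholder.
EXPECTED = {"audience": "https://sp.example.com",
            "name_id_formats": {EMAIL_FMT},
            "cert_sha256": hashlib.sha256(FAKE_CERT_DER).hexdigest()}

# Constructed SAML Response, shaped like what the IdP posts to the SP's ACS URL.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{EMAIL_FMT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{EXPECTED['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def encode_saml_param(xml_text, redirect_binding=False):
    # Inverse of decode_saml_param; used here only to build a realistic captured value.
    data = xml_text.encode()
    if redirect_binding:  # HTTP-Redirect carries raw DEFLATE (no zlib header) before base64
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = c.compress(data) + c.flush()
    return base64.b64encode(data).decode()

def decode_saml_param(value, redirect_binding=False):
    """Turn a SAMLResponse value from SAML Tracer or a packet capture back into XML text."""
    raw = base64.b64decode(value)
    return (zlib.decompress(raw, -15) if redirect_binding else raw).decode()

def parse_time(s):
    """xsd:dateTime in UTC with fractional seconds dropped; None stays None."""
    return s and datetime.strptime(re.sub(r"\.\d+", "", s), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def cert_fingerprint(cert_b64):
    """SHA-256 over the DER certificate, the form most SP admin consoles display."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()

def parse_response(xml_text):
    """Pull out the fields the possible causes above depend on."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    info = {"status": status.get("Value") if status is not None else None, "name_id": None,
            "name_id_format": None, "not_before": None, "not_on_or_after": None,
            "audience": None, "cert_b64": None}
    a = root.find("saml:Assertion", NS)  # an EncryptedAssertion must be decrypted with the SP key first
    if a is None:
        return info
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is not None:
        info["name_id"], info["name_id_format"] = (name_id.text or "").strip(), name_id.get("Format")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:
        info["not_before"] = parse_time(cond.get("NotBefore"))
        info["not_on_or_after"] = parse_time(cond.get("NotOnOrAfter"))
        info["audience"] = cond.findtext("saml:AudienceRestriction/saml:Audience", None, NS)
    info["cert_b64"] = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", None, NS)
    return info

def check_response(info, expected, now, skew=timedelta(minutes=3)):
    """Findings mapped to the possible causes above; an empty list means the response looks sane."""
    findings = []
    if info["status"] != SUCCESS:
        findings.append(f"status {info['status']} is not Success")
    nb, na = info["not_before"], info["not_on_or_after"]
    if nb and now + skew < nb:
        findings.append(f"assertion not yet valid (NotBefore {nb:%H:%M:%S}Z, now {now:%H:%M:%S}Z): check NTP on the IdP")
    if na and now - skew >= na:
        findings.append(f"assertion expired (NotOnOrAfter {na:%H:%M:%S}Z, now {now:%H:%M:%S}Z): check NTP on the IdP")
    if info["audience"] != expected["audience"]:
        findings.append(f"audience {info['audience']} is not the SP entity ID")
    if not info["name_id"]:
        findings.append("no Subject NameID: fix User Identity on the IdP (or the SP-specific override)")
    elif info["name_id_format"] not in expected["name_id_formats"]:
        findings.append(f"NameID format {info['name_id_format']} is not one the SP accepts")
    if not info["cert_b64"]:
        findings.append("assertion carries no signing certificate in KeyInfo")
    elif cert_fingerprint(info["cert_b64"]) != expected["cert_sha256"]:
        findings.append("signing certificate differs from the one configured on the SP")
    return findings

if __name__ == "__main__":  # round-trip the constructed sample as an HTTP-POST capture would look
    print(check_response(parse_response(decode_saml_param(encode_saml_param(SAMPLE_RESPONSE))), EXPECTED, parse_time("2024-05-01T12:00:30Z")) or "no findings")
```

Paste the SAMLResponse value from SAML Tracer (the POST parameter) into decode_saml_param; for an HTTP-Redirect capture pass redirect_binding=True. Compare the reported NameID with the user as it exists in the Service Provider, and the certificate fingerprint with the one shown in the Service Provider's IdP settings. The skew allowance of three minutes is an assumption; many Service Providers allow less, which is why NTP matters. The script does not verify the XML signature, which requires an XML-DSig library such as signxml, so a matching fingerprint only proves the appliance embedded the expected certificate.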

Scenario: Per-App VPN tunnel did not get established automatically on accessing managed cloud application.

Symptoms:

When the user accesses a managed cloud application, the VPN symbol does not appear at the top of the mobile screen.

Possible cause: The application is not configured with the Per-App VPN network access method in the Pulse Workspace policy.

Possible solution: Edit the application in the Pulse Workspace policy and enable it to use Per-App VPN.

Possible cause: The VPN hostname is not resolvable from the user device.

Possible solution: Make the VPN hostname publicly resolvable, or configure a host entry in the internal DNS server.

Possible cause: The CA certificate that issued the Ivanti Connect Secure device certificate is not imported in all the required sections on Ivanti Connect Secure. This causes a certificate prompt on the end device while the connection is being established.

Possible solution:

Navigate to System > Configuration > Certificates > Trusted Client CAs and import the CA certificate that issued the device certificate imported in Step 1 of section 'Enable Ivanti Connect Secure as SAML IdP server'.

Navigate to System > Configuration > Certificates > Trusted Server CAs and import the same CA certificate.

If the CA that issued the device certificate imported in Step 1 of section 'Enable Ivanti Connect Secure as SAML IdP server' is an intermediate CA, navigate to System > Configuration > Certificates > Device Certificates, click Intermediate CAs and import the intermediate CA certificate.

Possible cause: The user is not assigned to any user role, because Ivanti Connect Secure is not successfully registered with Pulse One and cannot query device attributes from the Pulse Workspace MDM server.

Possible solution: On Pulse Workspace, open the Appliances tab and confirm that Pulse One Status shows Connected for the Ivanti Connect Secure appliance. Re-register the appliance if it does not, then retry the connection.
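Two of the causes in this scenario, an unresolvable VPN hostname and a device certificate served without its intermediate CA, can be confirmed from any workstation with the openssl command-line tool before touching the appliance. The following Python script is an added example written for this page; it is not Ivanti code. It resolves the VPN hostname, runs openssl s_client -showcerts against it, and reports whether the appliance serves the intermediate that issued its device certificate and what OpenSSL's verify return code means. The hostname and the two embedded s_client outputs are constructed samples, and the script assumes openssl is on PATH.

```python
import re
import socket
import subprocess

# OpenSSL "Verify return code" values that explain a certificate prompt on the device.
VERIFY_CODES = {
    0: "ok",
    10: "device certificate has expired",
    18: "self-signed device certificate",
    19: "self-signed certificate in chain: the root is not trusted by this client",
    20: "issuer certificate not found: intermediate CA not served, or its root not trusted locally",
    21: "unable to verify the first certificate: the appliance sent the leaf without its intermediate",
}

# Constructed s_client output: the appliance serves only the leaf certificate.
SAMPLE_LEAF_ONLY = """CONNECTED(00000003)
Certificate chain
 0 s:CN = vpn.example.com
   i:C = US, O = Example Corp, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed s_client output after the intermediate CA is imported on the appliance.
SAMPLE_FULL_CHAIN = """CONNECTED(00000003)
Certificate chain
 0 s:CN = vpn.example.com
   i:C = US, O = Example Corp, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
 1 s:C = US, O = Example Corp, CN = Example Issuing CA
   i:C = US, O = Example Corp, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
"""

def resolve(host, resolver=socket.getaddrinfo):
    """Addresses the device would connect to; [] if the VPN hostname does not resolve."""
    try:
        return sorted({r[4][0] for r in resolver(host, 443, type=socket.SOCK_STREAM)})
    except OSError:  # socket.gaierror is an OSError
        return []

def parse_s_client(output):
    """(subject, issuer) for each certificate the server sent, plus the verify return code."""
    chain = [(s.strip(), i.strip())
             for s, i in re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", output, re.M)]
    m = re.search(r"Verify return code: (\d+)", output)
    return chain, (int(m.group(1)) if m else None)

def diagnose_chain(chain, code):
    """Findings for the certificate-prompt cause above; an empty list means the chain looks complete."""
    if not chain:
        return ["no certificate chain in output: TLS handshake failed or host unreachable"]
    findings = []
    leaf_subject, leaf_issuer = chain[0]
    # The root need not be served, but the intermediate that signed the leaf must be.
    if leaf_issuer != leaf_subject and leaf_issuer not in {s for s, _ in chain[1:]}:
        findings.append(f"leaf issued by '{leaf_issuer}' but that intermediate is not served: "
                        "import it under Device Certificates > Intermediate CAs on the appliance")
    if code not in (None, 0):
        findings.append(f"verify return code {code}: {VERIFY_CODES.get(code, 'see openssl verify(1)')}")
    return findings

def check_vpn_host(host, port=443):
    """Run the checks the scenario lists: name resolution first, then the served chain."""
    if not resolve(host):
        return [f"{host} does not resolve: publish it in public DNS or add an internal host entry"]
    try:
        proc = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                               "-servername", host, "-showcerts"],
                              input=b"", capture_output=True, timeout=20)
    except FileNotFoundError:
        return ["openssl not found on PATH"]
    return diagnose_chain(*parse_s_client(proc.stdout.decode(errors="replace")))

if __name__ == "__main__":
    import sys
    print(*(check_vpn_host(sys.argv[1] if len(sys.argv) > 1 else "vpn.example.com") or ["no findings"]), sep="\n")
```

Run it with the appliance FQDN as the only argument. Verify return code 21 with a single certificate in the chain is the signature of the intermediate CA case described above; code 20 with the intermediate present means the workstation itself does not trust the root, which is a different problem. A clean result from a workstation only reflects that workstation's trust store, so it does not by itself prove that the mobile device trusts the chain.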

Service Provider Specific Troubleshooting

Refer to the respective Cloud Service configuration guide for troubleshooting tips specific to that cloud service.

If the administrator cannot resolve an issue, open a request with the Ivanti support team and provide the following logs from the different components:

Ivanti Connect Secure

Navigate to System > Log/Monitoring, click 'Save All Logs' and save the logs.

Provide server debug logs with the event codes "saml,auth,soap,dsdash,cloudsecure" at level 50.

Provide a policy trace for the specific user session, captured against the correct realm.

End User Device

Collect logs from the Ivanti Secure Access Client mobile or desktop application using the Send Logs feature.

Access the cloud service from a Firefox browser on a desktop with the SAML Tracer add-on enabled, and provide the SAML Tracer logs.