Documentation

 

 

This article discusses basic troubleshooting techniques to resolve problems with the SecureAuth IdP FileSync Service.

The FileSync Service is an add-on to the SecureAuth IdP product that can be used to keep the configuration information synchronized between members of a cluster.

The FileSync Service synchronizes all content included on the paths.list and on any new realm.

The paths.list is created during the installation of the FileSync Service and is located in the D:\SecureAuth\SecureAuth0 folder.

Version 2.2.0 or greater of the Reset File Permissions and Shares Tool is required for proper operation of the FileSync Service.

For more information about the tool, see the support document Using the Reset File Permissions and Shares Tool

NOTE: Earlier versions of the tool render the FileSync Service inoperable.

Find the SecureAuth FileSync Service version

The following section describes how to view the SecureAuth FileSync Service version. You might verify the version after installing the latest version to ensure that a conflict is not present after the update.

Follow the registry path on SecureAuth IdP or SecureAuth® Identity Platform: \HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecureAuth FileSync Service

The following image shows an example of the FileSync Service version:

Applies to
SecureAuth IdP VersionOS Version
7.x+
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
Terminology
ClusterTwo or more SecureAuth IdP Appliances all running the FileSync Service
NodeA specific SecureAuth IdP Appliance within the cluster
Primary-ReplicaIn a Primary-Replica configuration, one SecureAuth IdP Appliance is the Primary node and all changes for the cluster are made there
Multi-MasterIn a Multi-master configuration, all SecureAuth IdP Appliances are peers; a change made on any node of the cluster propagates to the rest of the cluster nodes
Known Issues
Realm must be created on all nodes in a cluster

A new realm (e.g. SecureAuth30) must be created on all nodes in the cluster since the FileSync Service will not create new directories – it can only sync what is already present on the appliance.

File Share affected by new realm creation in SecureAuth IdP versions 7.5 - 8.0

In SecureAuth IdP versions 7.5.0 - 8.0.0, an issue exists for the Create new realm functionality, affecting the FileSync Service. When a new realm is created, its companion file share is created with an extraneous character prepended to the realm name. Since this name differs from what the FileSync Service expects, the realm is ignored.

To work around this issue, run the Reset File Permissions and Shares Tool. See the support document Using the Reset File Permissions and Shares Tool.

A permanent fix for this issue is included in SecureAuth IdP 8.0.1. To upgrade the SecureAuth IdP Appliance, contact SecureAuth Support for assistance.

File Share affected by new realm creation in SecureAuth IdP version 8.1.1

In SecureAuth IdP versions through 8.1.1, an issue exists for the Create new realm functionality in which file system privileges of the template realm are not preserved. This issue prevents the new realm from having privileges necessary for modern FileSync Service installations to function – FileSync Service installations which use v3.0.0 or later of the installer are affected.

To resolve this issue, run the Reset File Permissions and Shares Tool. See the support document Using the Reset File Permissions and Shares Tool.

FileSync Service synchronization issue

By default, the FileSync Service is configured to synchronize every 10 minutes (600000 milliseconds). While a 10-minute interval covers most customer use cases, there may be situations in which a higher value is needed; this may occur due to a high latency network connection between nodes or a large amount of realms.

A common sign that a longer synchronization interval might be needed is when the FileSync Service uses an excessive amount of CPU time on an Appliance. If this occurs in the environment, SecureAuth suggests increasing the interval time by updating the value Interval in the FileSyncService.exe.config file. The FileSyncService.exe.config file is located at D:\MFCApp_Bin\Appliance_Sync\FileSyncService

As a general rule, SecureAuth suggests doubling the existing value for testing. Once the changes have been made, restart the SecureAuth IdP FileSync Service so the revised configuration takes effect.

Script delay issue when installer creates a local account

On domain joined SecureAuth IdP Appliances, when the installer is creating a local account, a delay may occur where the script pauses. Support Engineers have noted it can take up to 15 minutes for the account to be created. This may occur because the installer is using the Microsoft NET Use command to create the local account.

If a delay occurs, SecureAuth advises to give the function time to complete.

.NET thread may prevent service from starting

The SecureAuth IdP FileSync Service has a digital signature that allows .NET to validate the authenticity of the binary at run time; this feature is known as Code Access Security (CAS).

If CAS is unable to contact the GoDaddy\Starfield CRL-OCSP URLs to check for revocation, then the .NET thread can hang and prevent the service from starting.

If the customer IT Security policies preclude opening access to those URLs, disable CAS by editing the FileSync Service configuration file located at D:\MFCApp_Bin\Appliance_Sync\FileSyncService\FileSyncService.exe.config. Change the setting <generatePublisherEvidence enabled="true"/> to <generatePublisherEvidence enabled="false"/>.

For more information about these URLs, see the Prerequisite tab or the GoDaddy support document Verifying a Certificate's Validity On Your Computer.

paths.list file not syncing all items in the directory

If the paths.list file (D:\SecureAuth\SecureAuth0) is updated and it is not syncing all items in the directory, ensure all sub-folders are included as well.

For example, to sync the 2013 theme, make the following entries

  • <path name="Themes/2013" />
  • <path name="Themes/2013/Images" />
  • <path name="Themes/2013/Images/NumberPad" />
Enable FileSync Service debugging

The FileSync Service has a debug mode that provides additional information about its operation in the Windows Event Viewer

To enable debug logging:

  1. Locate the file D:\MFCApp_Bin\Appliance_Sync\FileSyncService\FileSyncService.exe.config
  2. Edit the file with a text editor, such as Windows Notepad
  3. In the text editor, locate the setting Debug and change the value to true
  4. Save these edits
  5. If the service is running, restart it to apply the change