PingOne: How to troubleshoot an AD Connect Instance

Published: 12/01/2015
There are a variety of resources available to administrators for troubleshooting their AD Connect instances that can save time and effort.  This document covers two of those resources: the logs and the config.aspx page.  It may not solve every problem; in that case the PingOne Support team is here to help.

Installing AD Connect

AD Connect has three installation options: AD Connect, ADC with IIS, and Provisioner.  With the first two options an admin can optionally enable user provisioning by selecting the checkbox provided.  Once the install is complete, however, any further change to the selected options (for example, adding the provisioning service if it was not enabled at initial install) requires uninstalling and reinstalling AD Connect.

AD Connect Installer

The logs available and the accessibility of the config.aspx page depend on the options selected.  The logs come from the services installed: if provisioning is not selected there will be no provisioning logs, and if the third option is selected and only the Provisioner is installed there will be no logs from ConfigurationService.exe or Watchdog.exe (which one applies depends on the version of AD Connect installed).  The config.aspx page is only available if ADC with IIS is installed; otherwise changes to AD Connect can only be made through the admin portal.
 
AD Connect Logs
 
AD Connect logs to Event Viewer.  Viewing these logs will help one troubleshoot outbound communication with the PingOne server.  To examine them, open Event Viewer in Administrative Tools, expand ‘Windows Logs’ and examine ‘Application’.
Event Viewer screenshots: Version 2.x or 3.x; Version 1.x
 
If AD Connect 3.x or 2.x is installed there may be three relevant sources depending on the installed options: ConfigurationService.exe, SoftwareUpdate.exe, and Provisioner.exe.  If AD Connect 1.x is installed there may be two relevant sources: Watchdog.exe and Provisioner.exe.  These are the services that AD Connect installs and uses in order to function properly.

The ConfigurationService and Watchdog services are the “heartbeat” that tells PingOne that AD Connect is functional.  AD Connect makes an outbound connection to PingOne through port 443 every 60 seconds.  Once the connection is made, PingOne receives the heartbeat and sends configuration settings back to AD Connect, where AD Connect’s web.config is automatically updated.  PingOne does not make direct inbound connections to AD Connect; all communication is done through the outbound connection that AD Connect makes to PingOne.

Provisioner.exe performs the provisioning functions for applications that support user account management.  The provisioning service also pushes Active Directory group information to PingOne, which is used for the PingOne dock and SSO access control.  AD Connect uses a unique combination of Organization ID and Product Key for secure communication.
 
Common log events for the ConfigurationService or Watchdog include:
INFO  - Registering configuration with PingOne cloud
INFO  - Obtaining configuration from PingOne cloud
INFO  - ADConnect is configured and running
INFO  - Obtained new configuration data. Saving to C:\Program Files (x86)\Ping Identity\ADconnect\SSO\Web.config.
 
Common log events for the Provisioner include:
INFO  - Provisioning is not enabled. Going to passive mode
INFO  - Switched to active mode.
INFO  - Obtaining configuration from PingOne cloud
INFO  - Obtained new configuration data

Common log events for the SoftwareUpdate include:
INFO  - ADConnect Software Updates v<version number> is started. (Microsoft Windows <version>, .NET Runtime v.<version>)
 
Sometimes an Event Log error will indicate a communication problem.  If the error recurs, it is an issue that needs attention.  If it is an isolated occurrence and communication with PingOne appears normal a second later, it may not be an issue.
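As an added example (not part of the original article), the following PowerShell script pulls the Application-log events for the AD Connect service sources named above, summarises them per source, and applies the rule in the paragraph above: an error that is followed within a minute by a normal INFO event from the same source is treated as an isolated blip, while errors with no such recovery are counted and flagged once they recur.  It assumes the Event Viewer source (provider) names are exactly the executable names listed above; `<pingone-host>` is a placeholder, since the article does not name the PingOne endpoint, and the optional Test-NetConnection check confirms the outbound TCP 443 path the heartbeat depends on.

```powershell
# Added example, not from the PingOne article. Summarise AD Connect service
# events from the Application log and separate recurring communication errors
# from one-off blips. Assumption: the Event Viewer source names match the
# executable names the article lists. $PingOneHost is a placeholder; the
# article does not name the PingOne endpoint.
param(
    [int]$Hours = 24,
    [int]$RecurringThreshold = 3,          # unrecovered errors that count as "recurring"
    [string]$PingOneHost = '<pingone-host>'
)

$sources = 'ConfigurationService.exe', 'Watchdog.exe', 'Provisioner.exe', 'SoftwareUpdate.exe'
$since   = (Get-Date).AddHours(-$Hours)

# Pull Application-log events from each source. A source whose service is not
# installed simply has no events, so errors from Get-WinEvent are suppressed.
$events = foreach ($src in $sources) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = $src; StartTime = $since } `
                 -ErrorAction SilentlyContinue
}

if (-not $events) {
    Write-Warning "No AD Connect events in the last $Hours h - check that the services are installed and running."
    return
}

# Per-source summary: event count, error count (Level 1 = Critical, 2 = Error)
# and the first line of the most recent message.
$events | Group-Object ProviderName | ForEach-Object {
    $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
    [pscustomobject]@{
        Source   = $_.Name
        Events   = $_.Count
        Errors   = @($_.Group | Where-Object { $_.Level -in 1, 2 }).Count
        LastSeen = $latest.TimeCreated
        LastMsg  = ($latest.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize

# Recurring vs isolated: an error followed within one minute by an INFO event
# (Level 4) from the same source is a blip; anything else is unrecovered.
$errors    = $events | Where-Object { $_.Level -in 1, 2 } | Sort-Object TimeCreated
$recurring = @{}
foreach ($e in $errors) {
    $recovered = $events | Where-Object {
        $_.ProviderName -eq $e.ProviderName -and $_.Level -eq 4 -and
        $_.TimeCreated -gt $e.TimeCreated -and $_.TimeCreated -le $e.TimeCreated.AddMinutes(1)
    }
    if (-not $recovered) { $recurring[$e.ProviderName] = 1 + [int]$recurring[$e.ProviderName] }
}
foreach ($src in $recurring.Keys) {
    if ($recurring[$src] -ge $RecurringThreshold) {
        Write-Warning "$src : $($recurring[$src]) unrecovered errors in $Hours h - treat as a real communication problem."
    }
}

# Heartbeat path check: AD Connect only talks outbound on TCP 443, so the test
# is run from the AD Connect server toward PingOne; nothing inbound is expected.
if ($PingOneHost -ne '<pingone-host>') {
    $tcp = Test-NetConnection -ComputerName $PingOneHost -Port 443 -WarningAction SilentlyContinue
    "Outbound TCP 443 to ${PingOneHost}: " + $(if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAILED - check firewall/proxy' })
}
```

Run it in an elevated PowerShell session on the AD Connect server; the one-minute recovery window and the threshold of three are tunable starting points, not values taken from the article.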
 
AD Connect config.aspx
 
The second resource available for troubleshooting common AD Connect issues is the config.aspx page.  It is only available when AD Connect is installed into IIS.
 
Go to https://{insert host name or IP address of AD Connect Server}/ADConnect/config.aspx and log in with the Windows credentials of a user who belongs to either the Administrators group or the Domain Administrators group.
 
On this page one can run tests to verify configuration information and change those settings if needed.  One can also verify the Organization ID and Product Key, provide and test proxy settings, change the signing certificate, verify various System Information values, or run connectivity tests.  The page also allows the certificate from ADConnect with IIS to be uploaded to PingOne.  For this certificate to upload properly to PingOne, any older or expired certificates with the same name must first be removed via MMC.
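To find the older or expired duplicates the paragraph above says must be removed before the upload, the following PowerShell report (an added example, not from the article) lists every certificate in the local machine personal store whose subject matches the signing certificate's name and marks each one as current, expired, or an older duplicate.  It assumes the certificate lives in `Cert:\LocalMachine\My` and that the subject name is supplied by the operator; it deletes nothing, since the article does the removal through MMC.

```powershell
# Added example, not from the PingOne article. List certificates in the local
# machine personal store that share a subject with the AD Connect signing
# certificate so that expired or older duplicates can be identified before the
# certificate is uploaded to PingOne. Assumptions: store is Cert:\LocalMachine\My;
# $SubjectName is supplied by the operator. Nothing is removed here; the article
# removes stale certificates via MMC.
param(
    [Parameter(Mandatory = $true)][string]$SubjectName,   # e.g. 'adconnect.example.local' (placeholder)
    [string]$Store = 'Cert:\LocalMachine\My'
)

$now   = Get-Date
$certs = @(Get-ChildItem -Path $Store | Where-Object { $_.Subject -like "*$SubjectName*" })

if ($certs.Count -eq 0) {
    Write-Warning "No certificate with subject matching '$SubjectName' found in $Store."
    return
}

# The certificate with the latest expiry is the one PingOne should receive;
# everything else matching the same name is a candidate for removal.
$newest = $certs | Sort-Object NotAfter -Descending | Select-Object -First 1

$report = $certs | Sort-Object NotAfter -Descending | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotBefore  = $_.NotBefore
        NotAfter   = $_.NotAfter
        HasKey     = $_.HasPrivateKey
        Status     = if ($_.NotAfter -lt $now)                   { 'EXPIRED - remove via MMC' }
                     elseif ($_.Thumbprint -ne $newest.Thumbprint) { 'OLDER DUPLICATE - remove via MMC' }
                     else                                          { 'CURRENT' }
    }
}
$report | Format-Table -AutoSize

# Exactly one current certificate for the name is the state the upload expects.
$current = @($report | Where-Object { $_.Status -eq 'CURRENT' })
if ($current.Count -ne 1 -or $report.Count -gt 1) {
    Write-Warning "Found $($report.Count) certificate(s) matching '$SubjectName'; clear the non-current ones in MMC before uploading to PingOne."
}
```

Run it as an administrator on the AD Connect server, then open the Certificates MMC snap-in (Local Computer, Personal store) and remove the entries whose thumbprints the report marks for removal.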
 

Within the connectivity tests one can click on each result to obtain additional information.  These tests verify the AD host name, check that DNS and NetBIOS resolution is functioning, and obtain information on the Principal Context for both the Domain and the Host as well as the SSO API.
 
The information obtained here on test failures can be provided to a Solutions Support Engineer on the PingOne team to assist in resolving any problems.

Category: ADConnect