How to troubleshoot device enrollment issues

Troubleshooting Directory Services integration

Confirming Directory Services Integration is working

In the AirWatch Admin Console, navigate to Settings -> System -> Enterprise Integration -> Directory Services at the organization group where you can configured your integration.  Use the Test Connection button to ensure that AirWatch is connecting and authenticating properly to your directory system.  If needed, you can update the connection settings on this page.

General Troubleshooting Steps

  1. Make sure your service account has not been locked out or expired.
  2. Make sure the actual user account has not been locked out, especially if they have several failed enrollment attempts.
  3. Determine whether the scope of this issue is a single user, multiple users, or all users.  This can help determine next troubleshooting steps.
  4. Determine if any enrollment restrictions blocking user enrollment.
  5. Attempt to enroll with a basic user account (one that is created directly in AirWatch), this can help identify configuration issues.

Common LDAP Error Codes and Resolutions

The table below consists of the list of common errors and suggested solutions to correct them.

Code Error Description Solution
49 LDAP_INVALID_CREDENTIALS Indicates that during a bind operation one of the following occurred:
*The client passed either an incorrect DN. 
*The password is incorrect because it has expired. 
*The intruder detection has locked the account.
 This is equivalent to AD error code 52e.
Check the service account username and password.
81 LDAP_SERVER_DOWN Unable to connect to the LDAP server. Check that the required ports are open or wrong IP is populated.
82 LDAP_LOCAL_ERROR Some local error occurred. This is usually a failed memory allocation. Try populating the Binding attribute under the User tab, typically the LDAP needs to bind to the mapping value of the username.
87 LDAP_FILTER_ERROR Invalid search filter. Under the User and/or Group tab in Directory services check that the search filter is correct.

Note: If the customer is using EIS (Enterprise Integration Service), 'Use Service Account Credentials' must be unchecked and bind username and password should be used instead. 

NA Connection Failed Could not create SSL/TLS secure channel on hostname. More than likely the SSL certificate in EIS is expired or the EIS certificates are expired. Renew the certificates to make the test successful.

AirWatch Cloud Connector Troubleshooting

Confirming If ACC Is Working

You can test the ACC by clicking on the “Test Connection” button on the Cloud Connector (System Settings > General > Enterprise Integration > Cloud Connector) screen. If you get a message that says AirWatch can not talk to AWCM, this is not an ACC issue. This is an AWCM issue, see the AWCM section. If you get a message that says that AirWatch CAN talk to AWCM but ACC is not responding then there is an issue with ACC. 

Alternatively you can use the Diagnostics (System Settings > Administration > Troubleshooting > Diagnostics)  page mentioned in the Connect Session.

Confirm That ACC Is The Correct Version 

The ACC version must match the version of the AirWatch Console it is integrating with.  While auto-update will keep ACC up to date, occasionally the update will fail do to external variables (security policies, virus scans, network changes, etc.).  Double check the current version installed through the Windows Add/Remove Programs page, and upgrade if it is not up to date.

The Cloud Connector Service Won't Start

 This is most commonly caused by either a networking issue (ACC cannot reach AWCM) or an issue with Java installed on the server.  

Networking

Confirm that the server you are installing the ACC on can reach AWCM by browsing to https://{url}:2001/awcm/status. You should see the status of AWCM with no SSL errors. If there is an SSL error you must fix it before continuing or ACC will not work.

Common Java Issues 

While uncommon, it is possible for an installation of Java to become corrupt.  You can uninstall it and re-install ACC to have AirWatch install the correct version OR you can determine what version is currently installed in the Windows Add/Remove Programs panel, and download the version from the Oracle website: https://www.oracle.com/java/

The other common issue can occur during Windows updates where the Java installation path gets removed from the System Variables, preventing Windows from running Java applications properly.  You can validate this by right clicking on My Computer, Selecting Advanced system settings, Advanced, Environment Variables, and edit Path under System Variables.  Copy the Variable value into notepad and determine if the Java installation path is correctly added.  If not, you may add it to the end of the value after a semicolon.
 
Note: Be very cautious what changes you make to you Java installation/Environment Variables. AirWatch recommends reinstalling ACC if possible, since it will resolve both issue above, and reduces the chance of error.
 
fixin_java.png

Check the Configuration

You can check the AirWatch Cloud Connector configuration file which is “cloudconnector.exe.config” located in {InstallPath}\AirWatch\AirWatch X.X\CloudConnector on your ACC server. The <cloudConnector /> line in the config file should contain four URL’s. They are :

  • autoUpdateURL – should point to the console. Correct format is https://{url}/airwatch.
  • awcmUrl – should point to the AWCM server. Correct format is https://{url}:{port}/awcm.
  • awId – should contain a URL that AWCM uses to identify the Cloud Connector client which is the AirWatch Console. The {url} should be the AirWatch Console URL. Correct format is https://{url}/{groupID}/accClient.
  • accId – should contain a URL that AWCM uses to identify the Cloud Connector. The {url} should be the AirWatch Console URL. Correct format is https://{url}/{groupID}/acc.

If these values are incorrect then check the Console Site URL in the Site URLs page and make sure it is correct (i.e. not http://localhost). If the Console Site URL value is correct in the site URLs then you need to fix them in the database and in the ACC Config file. You can update the values in the database (dbo.systemcodeoverride where systemcodeid=955 and 956) or go to the Cloud Connector page in System Configuration\System\Enterprise Integration\Cloud Connector and re-Save the page. Manually edit the “cloudconnector.exe.config” file on the ACC server and restart the ACC service.

Troubleshooting AWCM (On-Premise Only)

1. When installing AWCM, DO NOT use a self signed SSL certificate, instead check the box for “custom SSL”.   Here you should use the public SSL certificate you installed on IIS for your Device Services server. 

2. Make sure that REST API is enabled in the OG where you are enabling AWCM.

3. Make sure that AWCM is enabled in the Site URL’s page in the AirWatch Console.  The External URL should NOT contain http:// or https://. The Internal Service URL should contain https:// instead of http:// and should have the port number after the URL and “/awcm” at the end. It should look like https://{url}:2001/awcm.

4. Browse to the AWCM Status page by going to https://{url}:2001/awcm/status. If this page doesn’t come up or if there is an SSL error stop and fix it before you go on. Check the SSL Certificate common name, it should match the name of the DS URL. If it says “Air Watch “ then you need to uninstall and reinstall AWCM, this time installing the correct SSL Certificate (see #1). ACC and MAG WILL NOT WORK if you use a self signed certificate.

ACC Workflow

  1. ACC is installed in the internal network and has access to enterprise resources (LDAP, certificate authorities, etc.). ACC also has an outbound connection to the AWCM server.

  2. Both ACC and AWCM have the Secure Channel certificate installed in their respective Java Keystores, which is used to establish trust beween them. All communication between AWCM and ACC is encrypted.

  3. ACC communicates with AWCM via the (configurable) external or internal AWCM URL. This connection is persistent, as ACC will continue to listen for new commands even when idle. The ACC does have retry logic built-in should a connection be terminated prematurely.

  4. When an internal resource needs to be accessed (such as during authentication against an LDAP system), the AirWatch application establishes a session with AWCM. This session contains a unique session ID, along with specific information regarding the requester's Organization Group. AWCM queues this message.

  5. ACC will receive only the messages intended for that configuration based on the session ID and Organization Group Details. This message will be processed by ACC, and the resulting data will be conveyed back to the AirWatch application through AWCM.

Other Resources

Have more questions? Submit a request

0 Comments

Article is closed for comments.