Lab 3: Troubleshooting Integrations

Objective and Tasks

Resolve various issues related to enterprise integrations in the Workspace ONE UEM console:

  1. Troubleshoot an AirWatch Cloud Connector Configuration
  2. Troubleshoot a Directory Services Integration
  3. Troubleshoot a User Group Import
  4. Troubleshoot a Certificate Templates Issue
  5. Troubleshoot a Hub Catalog Display Problem

Task 1: Troubleshoot an AirWatch Cloud Connector Configuration

Scenario: In the Workspace ONE UEM console, the AirWatch Cloud Connector test connection failed. After speaking with the server administrator, you discovered the following recent changes:

  • After a Windows Server update, the AirWatch Cloud Connector server was restarted.
  • The Workspace ONE UEM tenant URL was changed from https://wsoneadmin.techseals.co to https://wsone.techseals.co. This URL change has been applied to some systems, but not to all systems and subcomponents.

Root cause: After investigating with the server administrator, you discover the following root causes for the AirWatch Cloud Connector test connection failure:

  • The AirWatch Cloud Connector service was stopped following a Windows Server restart.
  • The AirWatch Cloud Messaging (AWCM) URL configured for the AirWatch Cloud Connector service is no longer valid because the Workspace ONE UEM tenant URL changed.

IMPORTANT

The AirWatch Cloud Connector service default setting is Automatic. In this lab, the service is purposely set to Manual.

You restart the AirWatch Cloud Connector service and change the startup type to Automatic. You also update the AWCM URL for the AirWatch Cloud Connector service.

  1. From the lab environment interface, log in to the WS1-Connector VM.
    • Username: techseals\administrator
    • Password: Pa$$w0rd
  2. Open the Workspace ONE UEM administration console.
    1. On the WS1-Connector VM Windows taskbar, click the Google Chrome icon.
    2. From the bookmarks bar, select UEM.
      You can also enter https://wsone.techseals.co/Airwatch in the address bar to access the console page.
    3. Log in to Workspace ONE UEM.
      • Username: admin
      • Password: Pa$$w0rd
  3. On the Workspace ONE UEM console menu bar, verify that Techseals is selected from the Organization Group drop-down menu.
  4. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector.
  5. Scroll down and click Test Connection.
    • An Error: Reached AWCM but AirWatch Cloud Connector is not active message appears.
  6. Click x in the upper-right corner to close the Settings dialog box.
  7. On the WS1-Connector VM Windows desktop, double-click the Services icon.
  8. In the Services window, locate the AirWatch Cloud Connector service in the Name column.
    The status of the AirWatch Cloud Connector service is not Running, and Startup Type is set to Manual.
  9. Right-click AirWatch Cloud Connector and select Start.
  10. Change the startup type of the AirWatch Cloud Connector service to Automatic.
    1. Right-click AirWatch Cloud Connector and select Properties.
    2. From the Startup type drop-down menu, select Automatic.
    3. Click Apply and then click OK. You can leave the Services window open.
  11. On the WS1-Connector VM Windows taskbar, click the Google Chrome icon to return to the Workspace ONE UEM console.
  12. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector.
  13. Scroll down and click Test Connection.
    The same Error: Reached AWCM but AirWatch Cloud Connector is not active message appears.
  14. Click x to close the Settings dialog box.
  15. Locate the error in the AirWatch Cloud Connector logs.
    1. On the WS1-Connector VM Windows taskbar, click the File Explorer icon.
    2. Navigate to This PC\Local Disk (C:)\AirWatch\Logs\Cloud Connector.
    3. Open the CloudConnector.log file.
    4. Scroll down to the bottom of the log file and locate the most recent error message.
      System.Net.WebException: The remote name could not be resolved: 'wsoneadmin.techseals.co' at System.Net.HttpWebRequest.EndGetRequestStream(IAsyncResult asyncResult, TransportContext context)
  16. Close Notepad.
  17. From File Explorer, navigate to the This PC\Local Disk (C:)\AirWatch\Cloud Connector folder.
NOTE
The Cloud Connector folder contains two Bank folders. The AirWatch Cloud Connector component constantly backs up files between the two Bank folders but keeps only one bank active.
  1. Identify which Bank folder contains the CloudConnector.exe.config file.
  2. Open the CloudConnector.exe.config file with Notepad++.
    1. Right-click the CloudConnector.exe.config file.
    2. Select Edit with Notepad++.
    3. In the CloudConnector.exe.config file, locate the autoUpdateUrl and the awcmUrl values.
      Both values are configured with URLs that begin with https://wsoneadmin.techseals.co.
  3. Change the URLs to the new Workspace ONE UEM tenant URL.
    • autoUpdateUrl: https://wsone.techseals.co/Airwatch
    • awcmUrl: https://wsone.techseals.co:2001/awcm
IMPORTANT

You must leave the rest of the file unchanged.

  1. From the Notepad++ menu bar, select File > Save.
  2. Close Notepad++.
  3. Close File Explorer.
  4. Restart the AirWatch Cloud Connector service.
    1. On the WS1-Connector VM Windows taskbar, click the Services icon.
    2. Right-click AirWatch Cloud Connector and select Restart.
    3. Close the Services window.
  5. Navigate to the Workspace ONE UEM administration console in Google Chrome.
  6. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Cloud Connector.
  7. Click Test Connection. It should now show a successful connection message in green, saying, "Reached Cloud Connector running version..."
NOTE
AirWatch Cloud Connector might take several minutes to establish connectivity. If the Test Connection utility still shows a connection failure, wait a few minutes and then retry the test.
  1. Close the Settings dialog box.
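
The two root causes in Task 1 can also be checked from a PowerShell prompt on the WS1-Connector VM. The script below is an added example, not part of the original lab or of Omnissa's tooling; it is read-only and assumes that each setting name and its URL sit on the same line of CloudConnector.exe.config.

```powershell
# Added example: read-only checks for the two root causes in Task 1.
$serviceName  = 'AirWatch Cloud Connector'     # name shown in the Services window
$installRoot  = 'C:\AirWatch\Cloud Connector'  # folder that holds the Bank folders
$expectedHost = 'wsone.techseals.co'           # new tenant host from the scenario

# 1. Service state and startup type (root cause: stopped and set to Manual).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$serviceName'"
if (-not $svc) {
    Write-Warning "Service '$serviceName' not found on this host."
} else {
    [pscustomobject]@{
        Service   = $svc.DisplayName
        State     = $svc.State       # expected: Running
        StartMode = $svc.StartMode   # expected: Auto
        Healthy   = ($svc.State -eq 'Running' -and $svc.StartMode -eq 'Auto')
    } | Format-List
}

# 2. URLs configured in every CloudConnector.exe.config under the install root.
# Assumption: the setting name and its URL appear on the same line.
$urlPattern = 'https?://[^\s"''<>]+'
$results = Get-ChildItem -Path $installRoot -Recurse -Filter 'CloudConnector.exe.config' |
    Select-String -Pattern 'autoUpdateUrl|awcmUrl' |
    ForEach-Object {
        $hit = $_
        foreach ($m in [regex]::Matches($hit.Line, $urlPattern)) {
            $uri = [uri]$m.Value
            # A stale host fails DNS, which is the WebException seen in CloudConnector.log.
            try   { [void][System.Net.Dns]::GetHostAddresses($uri.Host); $resolves = $true }
            catch { $resolves = $false }
            [pscustomobject]@{
                File          = $hit.Path
                Line          = $hit.LineNumber
                Url           = $m.Value
                Resolves      = $resolves
                MatchesTenant = ($uri.Host -eq $expectedHost)
            }
        }
    }
$results | Format-Table -AutoSize -Wrap
```

Any row with Resolves or MatchesTenant set to False points at a URL that still uses the old tenant host name.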

Task 2: Troubleshoot a Directory Services Integration

Scenario: Recently, you received reports from your users that they cannot enroll new devices with their directory accounts. After investigating the settings in the Workspace ONE UEM console, you discover that the directory services test connection is failing. From the network administrator, you learned that the bind account password was reset because of the corporate password rotation policy.

Root cause: The bind account password used for the directory services integration has changed.

You update the bind account password.

  1. Log back in to the uem-01a VM with:
    • Username: TECHSEALS\administrator
    • Password: Pa$$w0rd
  2. Open the Workspace ONE UEM administration console on the uem-01a VM, if needed.
    1. On the uem-01a Windows taskbar, click the Google Chrome icon.
    2. If prompted, log in to Workspace ONE UEM.
      • Username: admin
      • Password: Pa$$w0rd
  3. On the Workspace ONE UEM console top menu bar, verify that Techseals is selected from the Organization Group drop-down menu.
  4. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  5. Scroll down and click Test Connection.
    An error message appears in the Test Connection dialog box.
    Binding Information: techseals\administrator Server IP: controlcenter.techseals.co Directory call failed. System.DirectoryServices.Protocols.LdapException: Error code:49 User Name: administrator Error Details: Invalid credentials.
  6. To close the test results, click Cancel.
  7. Click x to close the Settings dialog box.
  8. Open the WS1-Connector VM.
    The AirWatch Cloud Connector service is installed on this VM.
  9. Locate the error in the AirWatch Cloud Connector logs.
    1. From the WS1-Connector VM Windows taskbar, click the File Explorer icon.
    2. Navigate to This PC\Local Disk (C:)\AirWatch\Logs\Cloud Connector.
    3. Open the CloudConnector file.
    4. Scroll down to the bottom of the log file and locate the most recent error message.
      System.DirectoryServices.Protocol.LdapException The supplied credential is invalid.
  10. Close Notepad.
  11. Close File Explorer.
  12. On the WS1-Connector VM Windows taskbar, click the Google Chrome icon to open the Workspace ONE UEM administrator console.
  13. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  14. Verify that accessservice is entered in the Bind Username text box.
    This is the correct value.
  15. Change the bind password to its new value.
    1. Next to Bind Password, click Change.
    2. Enter Pa$$w0rdPa$$w0rd in the Bind Password text box.
  16. Scroll down and click Save.
  17. Scroll down and click Test Connection.
    A successful connection message now appears in the Test Connection dialog box, saying, Connection successful with the given server name, bind username, and password.
  18. To close the test results, click Cancel.
  19. Close the Settings window.

Task 3: Troubleshoot a User Group Import

Scenario: You tried to add a new user group to your Workspace ONE UEM environment. When you search for that group name, no group is found.

Root cause: You discover that the Base DN value for the group was not set.

You resolve the user group configuration issue and then synchronize it with a directory user group called Sales.

  1. Open the Workspace ONE UEM administration console.
    1. On the uem-01a Windows taskbar, click the Google Chrome icon.
    2. If prompted, log in to Workspace ONE UEM.
      • User name: admin
      • Password: Pa$$w0rd
  2. On the Workspace ONE UEM console menu bar, select Techseals from the Organization Group drop-down menu.
  3. In the navigation pane on the left, select Accounts > User Groups.
  4. From the Add drop-down menu, select Add User Group.
    The Add User Group dialog box appears.
  5. Enter Sales in the Search Text box and click Search.
    A Group Not Found. Please check Directory Settings and Group Name and try again error message appears.
  6. Click Cancel.
  7. When the prompt asks if you want to discard changes, click OK.
  8. Connect to the WS1-Connector VM.
  9. On the WS1-Connector VM Windows taskbar, click the File Explorer icon.
  10. Navigate to This PC\Local Disk (C:)\AirWatch\Logs\Cloud Connector.
  11. Open the CloudConnector file.
  12. Scroll down to the bottom of the log file and locate the following error message.
    ***Exception*** System.DirectoryServices.Protocols.DirectoryOperationException: The distinguish name contains invalid syntax.
    IMPORTANT - This error message means that the user group synchronization call to the Domain Controller contained an invalid 'default' syntax argument. You must use the Workspace ONE UEM console to verify the Group DN configuration.
  13. Close Notepad.
  14. Return to the Workspace ONE UEM console in the uem-01a VM.
    1. On the uem-01a Windows taskbar, click the Google Chrome icon.
    2. If prompted, log in to Workspace ONE UEM.
      • Username: admin
      • Password: Pa$$w0rd
  15. On the Workspace ONE UEM console menu bar, select Techseals from the Organization Group drop-down menu.
  16. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Directory Services.
  17. Click the Group tab and verify that default is selected under Base DN.
  18. Under Base DN, click the plus sign (+) icon and select DC=techseals,DC=co from the list.
  19. Scroll down and click Save.
    IMPORTANT - The Group Base DN value is now correct. You can retry adding a user group.
  20. Click x to close the Settings dialog box.
  21. On the menu bar, select Techseals from the Organization Group drop-down menu.
  22. In the navigation pane on the left, select Accounts > User Groups > List View.
  23. From the Add drop-down menu, select Add User Group.
  24. Enter Sales in the Search Text box and click Search.
  25. From the Group Name list, select Sales and click Save.
  26. On the User Groups List View page, select the Sales check box.
  27. From the More Actions drop-down menu, select Add Missing Users.
  28. When the message asks whether you want to continue, click OK.
  29. In the navigation pane on the left, select Accounts > Users.
  30. Verify that the Jill and Mark user accounts were added to the Workspace ONE UEM environment from the Sales group.
  31. IMPORTANT - If Jill and Mark are not listed, the AirWatch Batch Processing Service might not be running. Follow these steps to start it:
    1. On the uem-01a VM, open Services (type "Services" in the search bar and click Services in the Best match section).
    2. Right-click the "AirWatch Batch Processing Service" and select Start.
    3. Go back to the UEM Admin console and "Add Missing Users" again from the Sales user group.
    4. Verify that Jill and Mark were added in Accounts > Users.
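
Tasks 1 through 3 each end at a different exception at the bottom of CloudConnector.log. The function below is an added example, not part of the original lab; it finds the most recent occurrence of each of those three messages and names the setting to check. The sample lines are constructed from the messages quoted in this lab, and the function name and patterns are illustrative.

```powershell
# Added example: map the newest CloudConnector.log errors to the setting to check.
$signatures = @(
    @{ Pattern = "The remote name could not be resolved: '(?<host>[^']+)'"
       Check   = 'autoUpdateUrl / awcmUrl in CloudConnector.exe.config (Task 1)' },
    @{ Pattern = 'LdapException.*credential is invalid'
       Check   = 'Directory Services bind password (Task 2)' },
    @{ Pattern = 'DirectoryOperationException.*invalid syntax'
       Check   = 'Directory Services > Group > Base DN (Task 3)' }
)

function Get-ConnectorLogFinding {
    param([string[]]$Lines)
    foreach ($sig in $signatures) {
        # Walk backwards so the most recent occurrence of each error wins.
        for ($i = $Lines.Count - 1; $i -ge 0; $i--) {
            if ($Lines[$i] -match $sig.Pattern) {
                [pscustomobject]@{
                    LineNumber     = $i + 1
                    Check          = $sig.Check
                    UnresolvedHost = $Matches['host']   # only set for DNS failures
                    Text           = $Lines[$i].Trim()
                }
                break
            }
        }
    }
}

# Constructed sample lines built from the messages quoted in this lab.
$sample = @(
    "System.Net.WebException: The remote name could not be resolved: 'wsoneadmin.techseals.co'",
    'System.DirectoryServices.Protocol.LdapException The supplied credential is invalid.',
    '***Exception*** System.DirectoryServices.Protocols.DirectoryOperationException: The distinguish name contains invalid syntax.'
)
Get-ConnectorLogFinding -Lines $sample | Sort-Object LineNumber | Format-List

# Against the real file on the WS1-Connector VM:
# Get-ConnectorLogFinding -Lines (Get-Content 'C:\AirWatch\Logs\Cloud Connector\CloudConnector.log')
```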

Task 4: Troubleshoot a Certificate Templates Issue

Scenario: The Techseals security administrator recently found excessive user certificate revocations and new certificate requests. The requested template is the Kerberos Authentication certificate template, which is only configured for use in Omnissa. The security administrator is concerned about a possible security breach and has asked you for help.

Root cause: In the Workspace ONE UEM console, when you review the certificate authority (CA) integration and certificate template configuration, you discover that Auto Renewal Period was configured incorrectly. As a result, the certificates are renewed too frequently.

You modify the Auto Renewal Period for the User Kerberos Auth Certificate request template.

  1. Open the Workspace ONE UEM administration console.
    1. On the uem-01a Windows taskbar, click the Google Chrome icon.
    2. If prompted, log in to Workspace ONE UEM.
      • Username: admin
      • Password: Pa$$w0rd
  2. On the Workspace ONE UEM console menu bar, verify that Techseals is selected from the Organization Group drop-down menu.
  3. In the navigation pane on the left, select Groups & Settings > All Settings > System > Enterprise Integration > Certificate Authorities.
  4. Click the Request Templates tab.
  5. Next to the Techseals ADCS - User Kerberos Auth Certificate request template, click the Edit (pencil) icon.
    The Certificate Template - Add/Edit dialog box opens.
  6. Scroll down to Auto Renewal Period (days).
    The Auto Renewal Period value is set to 360.
    IMPORTANT - The Auto Renewal Period value is the number of days before the certificate expires at which it is automatically renewed. A certificate is normally valid for 364 days. In this case, the certificate is renewed every 4 days (364 - 360 = 4).
  7. Change the value to 5 in the Auto Renewal Period (days) text box.
    The certificate is now renewed every 359 days.
  8. Click Save.
  9. Click x to close the Settings dialog box.

Task 5: Troubleshoot a Hub Catalog Display Problem

Scenario: The IT director at Techseals wants to enable the Hub Catalog for all platforms. The Workspace ONE Intelligent Hub integration has already been configured for Windows devices. You are assigned to enable the Hub Catalog settings.

You help the Omnissa administrator enable Hub Catalog for all platforms.

  1. Open the Workspace ONE UEM administration console.
    1. On the uem-01a Windows taskbar, click the Google Chrome icon and open a new tab.
    2. If prompted, log in to Workspace ONE UEM.
      • Username: admin
      • Password: Pa$$w0rd
  2. On the Workspace ONE UEM console menu bar, select Techseals from the Organization Group drop-down menu.
  3. In the navigation pane on the left, select Groups & Settings > Configurations.
  4. Enter Intelligent Hub in the search box.
  5. Click Intelligent Hub.
  6. Click Intelligent Hub again.
  7. Click Launch.
    The Hub Services console appears.
  8. Click App Catalog.
  9. Turn on the Android, iOS, and macOS toggles to enable the Workspace ONE Intelligent Hub app catalog for all platforms.
  10. Scroll down and click Save.
  11. Click Log out of Hub Services at the top-right of the window. This takes you back to the UEM Admin console.
