When you first deploy the Evo LDAP Agent, it scans your directory to determine which users will be connected (synced) with Evo. Some customers have reported that users did not appear in Evo as expected after this initial scan.
* We’re actively investigating the best solution for these issues to ensure a smoother installation experience.
Service Failures
Although the service should not fail, we want to be certain that it is running as expected and hasn’t logged any errors.
First, confirm that the Evo LDAPS Authentication service is running. Open the Services console to check its current state:
- From the Windows server, type WindowsKey+R to open the Run dialog.
- Type services.msc
- In the list of services locate the Evo LDAPs Authentication service.
- If the service isn’t running, right-click on the service and click Start.
- If the service fails to start or restart, you may need to reinstall the LDAP Agent on your system.
Next, confirm that the service is generating events: open Event Viewer > Log Summary > EvoSecurity. If an error was recorded there, please contact our team and we’re happy to help.
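The same two checks can be scripted. The following is an added example, not Evo’s own tooling: it looks up the service by display name (the exact internal service name is not documented here, so matching on "Evo LDAP*" is an assumption), starts it if needed, and lists errors and warnings from the EvoSecurity event log for the last 24 hours. Run it from an elevated PowerShell prompt on the server hosting the agent.

```powershell
# Added example (not Evo's own tooling): check the Evo LDAPS Authentication
# service and pull recent errors from its event log.
# Assumptions: the service display name starts with "Evo LDAP" and the event
# log is named "EvoSecurity", as shown under Event Viewer > Log Summary.
$svc = Get-Service | Where-Object { $_.DisplayName -like 'Evo LDAP*' }
if (-not $svc) {
    Write-Warning 'No Evo LDAP service found; the agent may need to be reinstalled.'
    return
}
foreach ($s in $svc) {
    "{0,-40} {1}" -f $s.DisplayName, $s.Status
    if ($s.Status -ne 'Running') {
        # Requires administrator rights; a failure here points to a reinstall.
        Start-Service -Name $s.Name -ErrorAction Stop
        "Started $($s.DisplayName)."
    }
}

# Critical (1), Error (2) and Warning (3) events recorded by the agent in the last 24 hours.
$since = (Get-Date).AddDays(-1)
try {
    Get-WinEvent -FilterHashtable @{ LogName = 'EvoSecurity'; Level = 1, 2, 3; StartTime = $since } -ErrorAction Stop |
        Select-Object TimeCreated, Id, LevelDisplayName, Message |
        Format-Table -Wrap
} catch {
    # Get-WinEvent throws when nothing matches the filter; for this check that is the healthy result.
    if ($_.Exception.Message -like '*No events were found*') {
        "No errors or warnings in the EvoSecurity log since $since."
    } else {
        throw
    }
}
```

If the script prints any Error or Critical events, include them when you contact support; the event ID and message are what the team will ask for first.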
Users not syncing
Users will only sync from your local Active Directory to your instance of Evo under the following conditions:
- User exists in Active Directory.
- User was created with a unique email address and password.
- User is a member of a group selected to sync.
Before checking Active Directory, confirm whether the user appears in the agent’s sync logs.
On the server where the Evo LDAP Agent was installed, browse to C:\ProgramData\EvoSecurity\LDAPs and open failedpayload.json in your favorite text editor.
If the user does appear in the log but doesn’t appear in your instance of Evo, please contact our team so that we can investigate further.
If the user doesn’t appear in the log, check the user’s details in Active Directory:
- From your server, open Server Manager.
- From the Tools menu, click Active Directory Users and Computers.
- Under Users, locate the user that hasn’t synced into your instance of Evo.
- Double-click the user to open the user properties.
- On the General tab, confirm that the user has a unique email address.
  - If yes, move on to the Member Of tab.
  - If no, enter a unique email address for the user.
- On the Member Of tab, review the groups the user belongs to. Is the user a member of a group that was selected to sync?
  - If yes, the profile is correct; continue with the service restart below.
  - If no, click Add… to add the user to the appropriate group(s), then click OK.
With the user profile settings confirmed, restart the service to sync the user now; otherwise the user will be picked up on the next scheduled sync.
- From the Windows server, type WindowsKey+R to open the Run dialog.
- Type services.msc.
- In the list of services locate the Evo LDAPs Authentication service.
- Right-click on the service and click Restart.
If you’re still experiencing issues with users syncing, please contact our team so that we can investigate further.
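The whole procedure above (log check, email uniqueness, sync-group membership, optional service restart) can be run as one script. This is an added example, not part of the original article or Evo’s tooling. It assumes the ActiveDirectory module (RSAT) is available on the agent server, that failedpayload.json is plain text in which a failed user’s email would appear verbatim, that the group names you pass in are the ones selected to sync in Evo, and that the service display name is "Evo LDAPs Authentication" as shown in services.msc; adjust the parameters if your environment differs.

```powershell
# Added example (not Evo's own tooling): diagnose one user that is not syncing.
# Run on the server hosting the Evo LDAP Agent, from an elevated prompt.
param(
    [Parameter(Mandatory)] [string]   $Email,        # the user's email address in AD
    [Parameter(Mandatory)] [string[]] $SyncGroups,   # AD group names selected to sync in Evo
    [string] $ServiceName = 'Evo LDAPs Authentication',  # display name from services.msc (assumed)
    [switch] $RestartService                         # trigger a sync now instead of waiting
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Did the agent already try (and fail) to send this user? Plain-text search so the
#    JSON layout of failedpayload.json does not matter.
$log = 'C:\ProgramData\EvoSecurity\LDAPs\failedpayload.json'
if (Test-Path $log) {
    $hits = Select-String -Path $log -SimpleMatch -Pattern $Email
    if ($hits) {
        "User appears in failedpayload.json ($(@($hits).Count) line(s)); contact Evo support."
    } else {
        'User not found in failedpayload.json; checking Active Directory.'
    }
} else {
    "Log file $log not found; checking Active Directory."
}

# 2. Does the user exist, and is the email address unique across the domain?
$user = @(Get-ADUser -Filter "mail -eq '$Email'" -Properties mail, memberOf)
switch ($user.Count) {
    0       { "No AD user has mail = $Email; set the address on the General tab."; return }
    1       { $user = $user[0]; "Found $($user.SamAccountName) with a unique email." }
    default { "Email $Email is assigned to $($user.Count) users; it must be unique."; return }
}

# 3. Is the user a direct member of at least one group selected to sync?
#    (Direct membership is what the Member Of tab shows.)
$syncDns = foreach ($g in $SyncGroups) { (Get-ADGroup -Identity $g).DistinguishedName }
$inSync  = @($user.memberOf | Where-Object { $syncDns -contains $_ })
if ($inSync.Count -eq 0) {
    "User is not a member of any sync group ($($SyncGroups -join ', ')); add them on the Member Of tab."
    return
}
"User is in sync group(s): $($inSync -join '; ')"

# 4. Optionally restart the agent so the user is picked up now rather than on the next schedule.
if ($RestartService) {
    Get-Service -DisplayName $ServiceName -ErrorAction Stop | Restart-Service -ErrorAction Stop
    "Restarted '$ServiceName'; the user should appear in Evo after the next sync run."
}
```

Usage: save as Test-EvoUserSync.ps1 and run `.\Test-EvoUserSync.ps1 -Email jane.doe@example.com -SyncGroups 'Evo Users','Evo Admins' -RestartService`. The script stops at the first failed condition and says which tab in Active Directory Users and Computers to fix, so the output maps directly onto the manual steps above.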
LDAP Agent cannot rotate a domain account’s password
By default, the LDAP Agent can rotate a domain account’s password without any extra configuration. In some environments, however, the domain controller lacks the permission(s) needed to change the password.
In that case the Activity log shows the error "Failure changing password in AD".
To fix this, add the domain controller’s computer account to the "Domain Admins" group:
Navigate to Active Directory Users and Computers > Domain Controllers > double-click the DC to open its properties > Member Of > Add… > add the "Domain Admins" and "Administrators" groups.
Be aware that this grants the DC’s computer account, and any service running as SYSTEM on it, full administrative rights in the domain. If your policy calls for least privilege, you can instead try delegating only the "Reset password" right on the OU that holds the managed accounts (right-click the OU > Delegate Control) and confirm in the Activity log that rotation succeeds. Either way, the new rights apply only once the DC’s machine account obtains fresh Kerberos tickets, so reboot the DC (or purge its SYSTEM ticket cache) before re-testing.
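The group change above can be made from PowerShell instead of ADUC. The following is an added example, not Evo’s own tooling: it adds the DC’s computer account to both groups only if it is not already a member, so it is safe to re-run, and reminds you to refresh the machine account’s tickets. It assumes the ActiveDirectory module is installed, that you run it with Domain Admins rights, and that $DcName is the DC’s computer name (assumed, e.g. DC01).

```powershell
# Added example (not Evo's own tooling): add a domain controller's computer account
# to Domain Admins and Administrators, idempotently, then verify the membership.
param([Parameter(Mandatory)] [string] $DcName)   # e.g. DC01, without the trailing $
Import-Module ActiveDirectory -ErrorAction Stop

$dc = Get-ADComputer -Identity $DcName -ErrorAction Stop

foreach ($group in 'Domain Admins', 'Administrators') {
    $memberDns = Get-ADGroupMember -Identity $group |
                 Select-Object -ExpandProperty distinguishedName
    if ($memberDns -contains $dc.DistinguishedName) {
        "$DcName is already a member of '$group'."
        continue
    }
    Add-ADGroupMember -Identity $group -Members $dc -Confirm:$false
    "Added $DcName to '$group'."
}

# Verify: the DC's memberOf attribute should now list both groups.
(Get-ADComputer -Identity $DcName -Properties memberOf).memberOf

# The DC's existing Kerberos tickets do not carry the new group SIDs. Purge the
# SYSTEM (logon id 0x3e7) ticket cache on the DC, or reboot it, before re-testing:
#   klist -li 0x3e7 purge
# Then trigger a rotation and check the Activity log for "Failure changing password in AD".
```

Because the script reads membership before writing, running it a second time reports "already a member" rather than erroring, which makes it suitable for a change ticket that may be executed more than once.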
Partner Portal (SAML)
If you’ve configured a partner portal (such as K15t Viewport) and are experiencing issues logging in, confirm that the SAML details are correct.
In your partner portal, open the SAML provider settings and confirm the following:
- Relying party identifier
- Assertion consumer service URL
- Metadata
If the details don’t reference your instance of Evo, please contact our team and we’ll be more than happy to help.
Firewall Settings (SAML)
If your firewall is interfering with sync or login, confirm the authentication server settings configured on the firewall.
Specifically, confirm the following field values:
- Server ID
- Authentication service URL
- Logout service URL
Note that the above field names are from a SonicWALL device. The field names could be different for the firewall you have.
If the details don’t match your instance of Evo, please contact our team and we’ll be more than happy to help.
LDAP Agent "Connection Test" fails or Elevated Access does not work
The LDAP token may be out of sync. Re-download and reinstall the LDAP Agent: uninstall the broken agent and delete the EvoSecurity folder in C:\ProgramData before installing the new one. If you still need the sync logs (such as failedpayload.json) for troubleshooting, copy them out of that folder first, as deleting it removes them.
Note: If your on-prem AD virtual machine is hosted on Azure, the VM’s timeout values may be blocking the connection between Evo and the LDAP Agent. Follow the link below to change those values.
On-prem AD Virtual Machine hosted on Azure (timeout settings) – Evo Support (evosecurity.com)