Troubleshooting SCIM Error Messages

This page covers SCIM error messages and troubleshooting methods.

SCIM Error Messages

When configuring SCIM, you may see the following errors if your provisioning agent communicates with Directory Server over HTTPS: 

Note: When configuring SCIM, if you do not want your provisioning agent to communicate with Directory Server over HTTPS, please see Bypass HTTPS Communication.

"Connection reset" Error

This error can occur when no certificate is bound to HTTPS port 5049 in XMLEndpointUtility.exe.

To resolve this error, ensure that a certificate is bound to the Laserfiche Directory Server HTTPS port 5049 by using XMLEndpointUtility.exe.

"Unable to find valid certification path to requested target" Error

This error can occur when the Okta agent's Java Runtime Environment file, cacerts, is missing the Laserfiche Directory Server HTTPS certificate.

To resolve this error, open a command prompt (not PowerShell) as an administrator and run the following command:

"<1>" -import -trustcacerts -keystore "<2>" -storepass changeit -noprompt -alias <3> -file "<4>"

  • <1> is by default C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre\bin\keytool.exe.
  • <2> is by default C:\Program Files\Okta\On-Premises Provisioning Agent\current\jre\lib\security\cacerts.
  • <3> is the alias you would like to give your Laserfiche Directory Server HTTPS certificate.
  • <4> is the path to the Laserfiche Directory Server HTTPS certificate (.cer) file.

Note: If you wish to bypass this error, you can configure your provisioning agent to Bypass HTTPS Communication.

Bypass HTTPS Communication

When bypassing HTTPS for communication between Okta's provisioning agent and Laserfiche Directory Server, it is recommended that the provisioning agent and Laserfiche Directory Server be on the same machine.

Note: It is recommended to have the Okta provisioning agent communicate with Laserfiche Directory Server over HTTPS. The Base SCIM URL link generated in Laserfiche Directory Server defaults to the HTTPS Directory Server endpoint.

  1. Allow HTTP communication for Okta's provisioning agent by appending allowHttp = true to the agent.config file. By default, this file is located at C:\Program Files\Okta\On-Premises Provisioning Agent\current\user\config\ProvisioningAgent\agent.config
  2. After this value is added, the Okta On-Premise Provisioning Agent service should be restarted.
  3. Now, specify http://<lfdsMachine>:5048/lflicmgr/SCIM/v1/<licensingSiteName>/<idpId> as the SCIM connect base URL in Okta, replacing <lfdsMachine>, <licensingSiteName>, and <idpId> in the URL with your information.
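
A check for the bypass described above, as an added example rather than Laserfiche or Okta code: it reads the text of agent.config and a SCIM base URL and reports when HTTP is allowed to a host other than the agent's own machine, or when allowHttp is left on after returning to HTTPS. The key = value parsing, the function names, and the sample host, site and IdP values are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit


def allow_http_enabled(config_text):
    """True if the last allowHttp assignment in agent.config text is 'true'."""
    enabled = False
    for line in config_text.splitlines():
        m = re.match(r"\s*allowHttp\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            enabled = m.group(1).lower() == "true"
    return enabled


def is_same_machine(host, local_names=("localhost",)):
    """True for loopback addresses or names the caller declares as local."""
    if host.lower() in {n.lower() for n in local_names}:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname that was not declared local
        return False


def audit(config_text, base_url, local_names=("localhost",)):
    """Return findings for one agent.config / SCIM base URL pair."""
    findings = []
    url = urlsplit(base_url)
    allow = allow_http_enabled(config_text)
    if url.scheme == "https":
        if allow:
            findings.append("allowHttp = true is set but the base URL is HTTPS")
    elif url.scheme == "http":
        if not allow:
            findings.append("HTTP base URL but agent.config lacks allowHttp = true")
        if not is_same_machine(url.hostname or "", local_names):
            findings.append("HTTP base URL points at another machine")
    else:
        findings.append("base URL scheme is neither http nor https")
    return findings


# Constructed sample input (not taken from a real deployment).
SAMPLE_CONFIG = "someOtherKey = value\nallowHttp = true\n"
SAMPLE_URL = "http://lfds01.example.test:5048/lflicmgr/SCIM/v1/SiteA/1"

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, SAMPLE_URL)))
```

Pass the Directory Server machine's own hostnames in local_names when the agent and Directory Server share a host, so that a same-machine HTTP URL is not flagged.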

Viewing The Directory Server Event Log

To view the event logs for Laserfiche Directory Server, navigate to the Event Viewer app on the Windows machine where Laserfiche Directory Server is installed.

  1. Open the Event Viewer app.
  2. Click Applications and Services Logs, then click Laserfiche.
  3. Select Directory Service, then click Server.

  4. Click Operational trace. Select the error to view the event details. For examples of error events, see the event description images below.
    • If a user is registered using SCIM, but no more licenses are available, then the event description will look like this:

    • If the Basic Authentication credentials are changed in Directory Server, but not in Okta, then the event description will look like this: