How to troubleshoot issues with credentials
This article describes common credential-related issues in Cayosoft Guardian and explains how to resolve them.
Fix credentials that are not assigned to any managed system
If a credential record is no longer used by any managed system, remove it to avoid confusion.
- Go to Configuration > Credentials.
- Select the unused credential record by Account name.
- Click Delete.
- Confirm the deletion.
Fix incorrect credentials for Cloud Services
If credentials used by a Cloud Service are incorrect, expired, or no longer supported, the Cloud Service cannot authenticate successfully.
A Cloud Service cannot be deleted if it is referenced by Forest Recovery sites, backup locations, or temporary storages. In that case, Guardian displays an error indicating that the managed subscription cannot be deleted because it is referenced by other objects.
When this happens, do not delete the Cloud Service. Update the credentials by using the appropriate procedure below.
Update credentials for an Azure Cloud Service
Use this procedure if:
- the Azure subscription was added in an earlier version of Cayosoft Guardian by using legacy user-account credentials;
- the Azure subscription already uses Entra application credentials and needs to be refreshed (for example, when rotating the certificate);
- you need to revalidate Azure access after a credential-related failure;
- you want to switch from a Guardian-created Entra application to a customer-provided one (or the reverse).
Steps:
- Go to Forest Recovery > Cloud Services.
- Click Add > Azure subscription to open the Add Azure subscription wizard.
- On the Select application option page, choose either:
  - Create a new application — Guardian creates the Entra application and certificate. Sign in with an Azure account that can grant the required permissions when prompted.
  - Use an existing application — enter your Subscription ID, Application ID, Tenant ID, then click Upload certificate and select a .pfx or .p12 file that includes the private key. If the certificate is password-protected, enter the password in Certificate password.
- On the Select Azure resource subscription page, select the same Azure subscription that is currently registered.
- On the Manage subscription page, review the details and complete the wizard.
When the wizard completes, Cayosoft Guardian handles the Azure subscription based on its current state:
- If the subscription is new, Guardian adds it.
- If the subscription is already registered and still uses legacy user-account credentials, Cayosoft Guardian updates it to use Entra application credentials.
- If the subscription is already registered and already uses Entra application credentials, Cayosoft Guardian updates the existing configuration the same way as the Grant access action and refreshes the certificate when applicable.
During the update, Cayosoft Guardian also updates related Azure references, including the Azure Cloud Service record, associated backup locations, and temporary Azure locations used by recovery sites. Cayosoft Guardian then validates access to Azure resources.
NOTE: When you run Add Azure subscription for an already registered Azure subscription, Cayosoft Guardian no longer displays the "already exists" error if the goal is to update the existing credentials.
Certificate-related issues (Use an existing application)
If the wizard fails on the Application and certificate details page or validation fails on the Manage subscription page, check the following:
- The certificate file is a .pfx or .p12 file that includes the private key. Public-key-only files (.cer, .crt) are not supported.
- The Certificate password matches the password used when the file was exported. Leave the field empty if the certificate has no password.
- The certificate is registered on the Entra application identified by the Application ID and Tenant ID you entered, and has not expired.
- The service principal has the Contributor role (or the equivalent custom role) on the target Azure subscription or resource group.
- The customer-provided certificate is renewed before expiration; Guardian does not rotate customer-provided certificates automatically and reports a warning through credential health checks as expiration approaches.
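The file-level checks in this list (private key present, password accepted, certificate not expired) can be run locally before the upload, and the thumbprint returned can be compared with the certificate listed on the Entra application. The PowerShell below is an added example, not Cayosoft code: Test-GuardianPfx is a hypothetical helper name, the 30-day warning threshold is an assumption, and the path in the usage comment is a placeholder.

```powershell
# Added example: local pre-flight check of a .pfx/.p12 before uploading it in the wizard.
# Test-GuardianPfx is a hypothetical helper, not a Cayosoft cmdlet.
function Test-GuardianPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [securestring]$Password,   # omit when the file has no password
        [int]$WarnDays = 30        # assumed warning threshold
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    if ($ext -notin '.pfx', '.p12') { $findings.Add("Extension '$ext' is not .pfx or .p12") }
    try {
        $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).ProviderPath
        # EphemeralKeySet keeps the private key out of the on-disk key store
        # (requires .NET Framework 4.7.2 or later, or PowerShell 7).
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::EphemeralKeySet
        $pw = if ($Password) { $Password } else { [string]::Empty }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full, $pw, $flags)
    }
    catch {
        # A wrong password, a missing file and a file that is not a certificate all fail here.
        $findings.Add("Cannot open certificate file: $($_.Exception.Message)")
        return [pscustomobject]@{ Ok = $false; Findings = $findings }
    }
    try {
        $now = Get-Date
        if (-not $cert.HasPrivateKey) { $findings.Add('No private key in file (public-key-only export)') }
        if ($cert.NotBefore -gt $now) { $findings.Add("Not valid until $($cert.NotBefore)") }
        if ($cert.NotAfter -le $now) {
            $findings.Add("Expired on $($cert.NotAfter)")
        }
        elseif ($cert.NotAfter -le $now.AddDays($WarnDays)) {
            $findings.Add("Expires within $WarnDays days ($($cert.NotAfter)); renew before expiration")
        }
        [pscustomobject]@{
            Ok         = ($findings.Count -eq 0)
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint   # compare with the certificate on the Entra application
            NotAfter   = $cert.NotAfter
            Findings   = $findings
        }
    }
    finally { $cert.Dispose() }
}

# Usage (placeholder path); Read-Host -AsSecureString keeps the password out of command history:
# Test-GuardianPfx -Path 'C:\temp\guardian-app.pfx' -Password (Read-Host 'Certificate password' -AsSecureString)
```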
Update credentials for an AWS Cloud Service
If the credentials for an AWS Cloud Service are no longer valid, update them as follows:
- Go to Forest Recovery > Cloud Services.
- Select the AWS Cloud Service.
- Click Properties.
- Under Credentials, click the edit icon.
- Click Grant access.
- Provide the updated Access Key ID and Secret Access Key.
- Complete the wizard.
When the wizard finishes, Cayosoft Guardian updates the stored AWS credentials and validates access to AWS resources.
Fix credentials used by a managed system
If a managed system such as an AD domain, SQL Server, or Azure tenant cannot authenticate, update the assigned credential record.
- Go to Configuration > Credentials.
- Locate the credential used by the managed system.
- Double-click the credential to open its properties.
- Re-enter the password, secret, or key as required.
- Save the changes.
NOTE: Cayosoft Guardian applies the updated credentials to all managed systems that use that credential record.
If authentication still fails after updating the credentials:
- verify that the correct credential record is assigned to the affected managed system or Cloud Service
- verify that the account still has the required permissions in the target environment
- for Azure, verify that the sign-in account used during the wizard can grant the required access to the subscription