Troubleshooting CGraph Connection
Overview
When Public API is enabled, you may get errors listed below when attempting to connect to the Cayosoft Administrator Service via the CGraph module. These errors have different root causes. This article contains instructions on how to resolve these errors.
Connection issues
| Errors | Resolution |
|---|---|
|
|
Steps to resolve |
Connect-CGraphAdminService : The remote server returned an error: (401) Unauthorized.
|
Steps to resolve |
|
|
Steps to resolve |
Connect-CGraphAdminService : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host. |
Steps to resolve |
Errors
Connect-CGraphAdminService : Unable to connect to the remote server.
Connect-CGraphAdminService : No connection could be made because the target machine actively refused it 192.168.130.100:7801
Connect-CGraphAdminService : An error occurred while sending the request.
Connect-CGraphAdminService : The underlying connection was closed: an unexpected error occurred on a send.Possible root causes
Public API is disabled in Cayosoft Administrator, the CGraph module is not installed, Firewall issue or wrong certificate.
Steps to resolve
- In the Cayosoft Administrator Console navigate to Configuration > Settings > Public API and ensure that Public API is enabled on this Administration Service is checked.
- If you connect from the machine where the Cayosoft Administrator Service is not installed, are you able to check that this machine belongs to the same domain where the Cayosoft Administrator Service is installed?
-
Check that the CGraph module is installed:
-
Run this PowerShell command:
get-installedmodule - CGraph Module and its version should be displayed in the list.
-
Run this PowerShell command:
- CGraph connection requires these ports to be accessible: 7801, 7802, 7803. Please check that Firewall doesn't block this connection. You may need to create an Inbound rule for these ports.
-
Check that there is a proper certificate that Public API can use. By default, Public API utilizes any certificate from "cert:\localmachine\my" which subject matches host FQDN.
When you enable Public API, Cayosoft Administrator enumerates available certificates and if there is no suitable certificate creates a self-signed certificate and uses it.
Error
Connect-CGraphAdminService : The remote server returned an error: (401) Unauthorized.Possible root cause
Kerberos Constrained delegation needs to be configured to allow the Cayosoft Administrator Service account to get the authorization client token from the connected account.
Steps to resolve
This issue can be fixed with a Service Principal Name (SPN) change. Add an SPN for the Cayosoft Administrator Service account for HTTP and HTTPS, using an elevated command prompt.
- On a Domain Controller click Start.
- Right-click Command Prompt.
- ClickRun as administrator to open an elevated command prompt.
-
Enter the command as follows:
setspn –A HTTP/<CA host> <domain\CAAccount> setspn –A HTTPS/<CA host> <domain\CAAccount>Replace
<CA host>with FQDN of the machine where the Cayosoft Administrator Service is running and<CAAccount>with the Cayosoft Administrator Service account name (to get this account you can open Service on the machine where Cayosoft Administrator Service is installed and check the Cayosoft Administrator ServiceProperties > Log on tab).For example:
setspn –A HTTP/m1.testlab.cayotest.net testlab\administrator
setspn –A HTTPS/m1.testlab.cayotest.net testlab\administrator
Errors
Connect-CGraphAdminService : unknown_error: OAuth authorized request returns unexpected result. HTTPStatus: 'RequestUriTooLong'.
Connect-CGraphAdminService : unknown_error: OAuth authorize request returns unexpected result. HttpStatus: 'OK'.Possible root cause
The connected user is a member of too many groups.
Steps to resolve
- Create a test user.
- Delegate this user role in the Cayosoft Administrator Console under Configuration > Roles > Web Administrators to be able to connect to the service.
-
Try to run the script under the created user (you can try the option
Run as different user on PowerShell ISE for testing):
$cred = Get-CredentialConnect-CGraphAdminService -Server <ServerName> -Credential $cred
- If the error still occurs, open Registry Editor on the Cayosoft Administrator server and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
-
Set values for the parameters:
MaxFieldLength = 65534 (DWORD decimal)
MaxRequestBytes = 16777216 (DWORD decimal)
If the parameters are absent you need to add new DWORD values.
NOTE: Changes made to the registry will not take effect until you restart the HTTP service or reboot the server. For details please see this article: Http.sys registry settings for Windows.
Error
Connect-CGraphAdminService : Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.Possible root cause
The TLS 1.2 protocol is required to be enabled in your environment to establish a connection to the Cayosoft Administrator Service.
Steps to resolve
Before running the Connect-CGraphAdminService command, run the following line to force the TLS 1.2 protocol to be used in the PowerShell session:
[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12
Comments
0 comments
Please sign in to leave a comment.