NetIQ CloudAccess

Version 1.1

Release Notes

Date Published: January 2013

NetIQ CloudAccess (formerly NetIQ Access Gateway for Cloud) is an appliance that provides a simple, secure way to manage access to Software-as-a-Service (SaaS) applications for corporate users. It provides out-of-the box security and compliance capabilities for SaaS services including full user provisioning, dynamic credentialing, privileged user management, Single Sign-On (SSO), and compliance reporting.

This version includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the CloudAccess forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this release and for the latest release notes, see the CloudAccess Documentation Web site. To download this product, see the CloudAccess product Web site.

What's New?

The following sections outline the key features and functions provided by this version.

Includes New Connector for Office 365

This version of CloudAccess includes a new Connector for Office 365, which provides automated provisioning of accounts from the identity sources to Office 365. The Connector for Office 365 also provides single sign-on (SSO) to Office 365.

Adds Support for Multiple Connectors

This version adds support for multiple Connectors of the same type. For more information about the requirements for each connector, see the NetIQ CloudAccess Installation and Configuration Guide.

Adds Support for Additional SSO-Only Connectors

This version adds support for additional connectors that you can use for single sign-on (SSO) to other applications or Web services. These connectors are available for download from your Customer Center. For more information, see the Access Connector HQ Web site.

Includes New Update Channel

This version includes a new update channel for keeping your appliances up to date with the latest security fixes, bug fixes, and feature updates. CloudAccess checks the Novell Customer Center channel for updates on a regular basis, and you can choose to download and install updates immediately or wait until the default installation time to minimize network impact. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Adds Support for eDirectory as an Identity Source

This version adds support for eDirectory as an identity source. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Adds Support for Role-Based Administration

This version adds support for role-based administration, which enables the appliance administrator to delegate administrative functions, such as Application Owner, Approver, or Compliance Auditor, to business users. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Improves Support for User Access on Mobile Devices

CloudAccess rendering on supported mobile devices has been improved, and support for mobile access to the Connector for Salesforce has been added. Mobile devices that do not communicate using Security Assertion Markup Language (SAML), but only user name and password for authentication, can now log in to Salesforce through CloudAccess using enterprise credentials if delegated authentication is enabled on the associated Salesforce account. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Enhancements and Software Fixes

NetIQ CloudAccess 1.1 includes enhancements as well as software fixes that resolve several previous issues.

Includes Navigation Enhancements

This version includes enhancements to the CloudAccess console so you can easily navigate from one administration page to another.

Includes Health Status Enhancements

This version includes enhancements to the CloudAccess console that enable you to view health status and more easily manage and troubleshoot the nodes in your cluster and associated connectors. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Adding a New Node to the Cluster While an Existing Node is Down Causes the Initialization Page to Stop Responding

As a best practice, you should verify that all of the nodes in your cluster are healthy and communicating properly before adding a new node to the cluster. However, the initialization process now completes successfully when you add a new node to the cluster even if an existing node is not running. (757812)

After a Switch Master, Cluster Nodes or Active Directory Connectors are Red

CloudAccess no longer falsely displays the health of Active Directory connectors or nodes in the cluster as red after you perform a switch master. (756486, 756894, 75689)

Mobile Access for the Connector for Google Apps for Business Appears Disabled in the Interface

CloudAccess now correctly displays the state of the mobile access feature when you delete an existing Connector for Google Apps for Business and add a new connector. (753184)

The Appliance Fails to Provision All Users in Overlapping Groups

CloudAccess now properly supports and executes policy mappings on groups with overlapping users. (734642)

Duplicate sAMAccountNames across Identity Sources Cause Issues

Duplicate sAMAccountNames across multiple identity sources no longer allow users to impersonate one another. (754860)

Login Loop Occurs when Accessing the Admin and Policy Mapping Pages from the Same Session

CloudAccess now opens Admin and Policy Mapping pages as expected from the same session. (751846)

"Problem Applying Changes" Error Appears on the Policy Mapping Page

CloudAccess no longer displays an error on the Policy Mapping page if you modify a mapping without selecting the approval check box. (744333)

Cannot Access the Approval Page after Creating Large Numbers of Approvals Simultaneously

As a best practice, create no more than 2,000 approval requests at the same time. However, even with large numbers of approvals, CloudAccess now correctly displays new approvals as expected. (757417, 757423)

Enabling Show Descriptions While Running Reports Loses the Report Status

Enabling the Show Descriptions option while running reports no longer causes the report status to disappear. (748142)

Chrome Does Not Display the Policy Mapping Page Properly

When you use Google Chrome to access the Policy Mapping page, the icons and the name of the connector in the drop-down list are rendered properly. (713154)

System Requirements

This version of the product does not support upgrades from NetIQ Access Gateway for Cloud 1.0. If you currently have Access Gateway for Cloud 1.0 installed in your environment, you must uninstall it before you install this version.

For detailed information about hardware and software requirements, see Chapter 2 "Installing CloudAccess" in the NetIQ CloudAccess Installation and Configuration Guide.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Initialization Issues

Time Not Synchronized on the ESX or ESXi Server Causes Intermittent Problems

Issue:

If time is not synchronized on the ESX and ESXi servers, intermittent issues can occur, such as roles not being granted to the administrative account for the appliance. (757873)

Solution:

Configure NTP on the ESX or ESXi server.

Initialization Takes a Long Time to Display

Issue:

The initialization page takes a long time to display if there is no DHCP server in your environment. The initialization page eventually appears and assigns a 192.xxx.xxx IP address to the appliance.

Workaround:

Edit the VMX file for the appliance before the first boot. For more information, see “Configuring the Appliance without a DHCP Server” in the NetIQ CloudAccess Installation and Configuration Guide.

Changes to the Preferred DNS Server During Initialization Result in a Static IP Address

Issue:

If you want to change the preferred DNS server, you must select Use the following IP address in Step 1 on the initialization page, which assigns a static IP address to the appliance. (754137)

Workaround:

After the initialization process completes, on the Admin page, change the IP address from static to DHCP.

Administration Issues

Deleting a Node from the Cluster Removes the Node from the Interface, but the VMware Image Still Runs

Issue:

When you delete a node from the cluster, the appliance removes the node from the interface, but the VMware image still exists and is running. Leaving the VMware image running allows users to authenticate to a node that no longer appears on the Admin page. (755006)

Workaround:

Use the following procedure to delete a node from a cluster:

  1. Remove the node from the L4 switch.
  2. Delete the node from the cluster on the Admin page.
  3. Stop the VMware image on the ESX server.
  4. Delete the VMware image on the ESX server.

Adding a Node Results in a Command Failure

Issue:

After adding a new node to the cluster, the node is red on the Admin page and the status of the node is Command Failure. This issue is intermittent.

Workaround:

Restart the new node.

Adding a Node Never Completes

Issue:

After adding a new node to the cluster, the progress goes to 100%, but the Initialization page displays a message stating you must restart the new node and try again to complete the initialization process. Restarting the new node does not fix the problem.

Workaround:

You must completely remove the new node and try again.

  1. Log in to the Admin page.
  2. Delete the new node that is red.
  3. Remove the VMware image for the failed node from your VMware server.
  4. Deploy the image to the VMware server again. For more information, see “Deploying the Appliance” in the NetIQ CloudAccess Installation and Configuration Guide.
  5. From the Initialization page, add the new node to the cluster. For more information, see “Adding a Node to the Cluster” in the NetIQ CloudAccess Installation and Configuration Guide.

Progress Bar is Not Accurate During Updates

Issue:

During an update, the progress bar is not representative of the actual download progress. For example, if the download is large, the progress bar stays at 2% until the file is downloaded, and then the progress bar jumps to 80%. (792997)

Workaround:

No workaround is available at this time. The time to complete an update depends on the size of the download and your Internet connection. It could take over an hour for an update to download.

Error When Adding a Node to a Cluster

Issue:

When you add a node to an existing cluster, CloudAccess may display the following error: Join Cluster. Failed to Join cluster. Check settings and try again. A request timeout has expired after 30000 ms. (799978)

Workaround:

It is possible that CloudAccess added the node successfully despite the error message. Navigate to the Admin page and check whether the icon for the new node is now present. If so, wait for the spinner on the node to stop and then verify that the health and command status indicators on all nodes are green. If they are green, you can close the browser session in which you were running the Initialization process when the error occurred. If the icon for the new node is not present on the Admin page, restart the failed node and run the Initialization process again.

Provisioning Issues

User Email Address Changes in Active Directory Are Not Provisioned to Salesforce

Issue:

User email address changes in Active Directory are not provisioned to Salesforce. (717153)

Workaround:

No workaround is available at this time.

Approval-Based Provisioning Continues Despite Removing the User from a Mapped Group

Issue:

If a user is removed from a mapped group when there is an outstanding approval request, CloudAccess provisions the deleted user to the SaaS application when the administrator grants the approval. (752527)

Workaround:

Verify that the user is a member of the group before granting approval, or deny the request after removing the user from the group.

Re-enabled User Has Role That Was Previously Assigned

Issue:

If you assign a user to a role in CloudAccess and then remove that user from the identity source, CloudAccess does not automatically remove the role assignment. So, if the user's context in the identity source is later restored, CloudAccess shows that user as having the same role that was previously assigned. (765609)

Workaround:

To work around this issue, before you remove a user in the identity source, ensure that you have revoked all roles from that user on the Roles page in CloudAccess.

Policy Mapping Issues

No Connectors Are Displayed on the Policy Mapping Page

Issue:

The Policy Mapping page does not display the connectors for the SaaS applications.

Solution:

There are two possible solutions:

  • Verify that the connectors are configured properly and enabled. For more information, see the appropriate sections for configuring connectors in the NetIQ CloudAccess Installation and Configuration Guide.
  • Click the Refresh List icon in the upper-right corner of the Policy Mapping page.

The Policy Mapping Page Returns a 500 Internal Server Error

Issue:

If the master node is not running, the Policy Mapping page returns a 500 Internal Server Error. (755282)

Workaround:

Solve the problem that caused the master node to stop running, or promote another healthy node to master. The Policy Mapping page is dependent on the master node.

Renaming Groups in an Identity Source May Disable Users in SaaS Applications

Issue:

When you rename or move a group in an identity source, and that group has role mappings with approvals in CloudAccess, group members are disabled in the SaaS applications and CloudAccess generates new approval requests for those users. When you rename or move a mapped group without approvals, group members are temporarily disabled in the SaaS applications and then re-enabled. Renaming or moving groups without mappings has no adverse effects. (798639, 800128)

Workaround:

For the scenario where CloudAccess generates new approval requests, accounts in the SaaS applications will be active again once the new requests have been approved.

Only 1500 Members of an Active Directory Group Can Be Mapped to Roles

Issue:

When translating Active Directory group memberships to role memberships, CloudAccess retrieves only the first 1500 members of the group. (792582)

Workaround:

To work around this issue, change the appropriate LDAP policy setting on the Active Directory server, as described in the Microsoft support article "How to view and set LDAP policy in Active Directory by using Ntdsutil.exe" (http://support.microsoft.com/kb/315071) and related Microsoft support articles.
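The 1500 figure is the default of the Active Directory LDAP policy MaxValRange, which caps how many values of a multi-valued attribute such as member a domain controller returns in one response. The Python below is an added example, not NetIQ code: it simulates a directory that honours that policy, shows the general range-retrieval mechanism a client uses to read a complete membership, and flags mapped groups larger than the limit so an administrator can see which role mappings this issue affects before changing the server setting. The group names, member DNs and the search function are constructed.

```python
"""Added example (not NetIQ code): the Active Directory MaxValRange behaviour
behind the 1500-member cap, plus a check for groups that would be mapped only
partially. Assumes MaxValRange is at its default of 1500 and that `search`
stands in for an LDAP search returning one entry as {attribute: [values]}."""
import re
from typing import Callable, Dict, List, Optional, Tuple

MAX_VAL_RANGE = 1500  # Active Directory default LDAP policy value

# Ranged attribute names look like "member;range=0-1499" or "member;range=3000-*"
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$", re.IGNORECASE)

Entry = Dict[str, List[str]]
SearchFn = Callable[[str, str], Entry]


def parse_range_option(name: str) -> Optional[Tuple[str, int, Optional[int]]]:
    """Return (attribute, low, high) for a ranged attribute name; high is None
    for the final chunk ("lo-*"). Returns None for an unranged name."""
    m = RANGE_RE.match(name)
    if m is None:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi


def chunk_of(entry: Entry, attr: str) -> Tuple[List[str], Optional[int]]:
    """Extract one chunk of `attr` from an entry and the index to request next
    (None when the attribute is complete)."""
    if attr in entry:                      # at most MaxValRange values: complete
        return list(entry[attr]), None
    for name, values in entry.items():
        parsed = parse_range_option(name)
        if parsed and parsed[0].lower() == attr.lower():
            _, _, hi = parsed
            return list(values), (None if hi is None else hi + 1)
    return [], None                        # attribute absent: empty group


def fetch_all_members(search: SearchFn, group_dn: str, attr: str = "member") -> List[str]:
    """Range retrieval: keep asking for "attr;range=N-*" until the server
    marks the last chunk with an upper bound of "*"."""
    members: List[str] = []
    request = attr
    while True:
        values, next_start = chunk_of(search(group_dn, request), attr)
        members.extend(values)
        if next_start is None:
            return members
        request = f"{attr};range={next_start}-*"


def groups_over_limit(search: SearchFn, group_dns: List[str],
                      limit: int = MAX_VAL_RANGE) -> List[Tuple[str, int]]:
    """Defender check: groups whose membership exceeds `limit`, i.e. those a
    client that reads only the first response would map incompletely."""
    flagged = []
    for dn in group_dns:
        total = len(fetch_all_members(search, dn))
        if total > limit:
            flagged.append((dn, total))
    return flagged


def make_fake_directory(groups: Dict[str, List[str]]) -> SearchFn:
    """Constructed stand-in for a domain controller: returns at most
    MaxValRange member values per response and labels chunks as AD does."""
    def search(dn: str, request: str) -> Entry:
        values = groups[dn]
        parsed = parse_range_option(request)
        if parsed is None and len(values) <= MAX_VAL_RANGE:
            return {"member": list(values)}
        lo = parsed[1] if parsed else 0
        hi = lo + MAX_VAL_RANGE - 1
        chunk = values[lo:hi + 1]
        label = f"member;range={lo}-*" if hi >= len(values) - 1 else f"member;range={lo}-{hi}"
        return {label: chunk}
    return search


# Constructed sample data: one group well over the cap, one under it.
SAMPLE_GROUPS = {
    "CN=AllStaff,OU=Groups,DC=example,DC=com":
        [f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)],
    "CN=Finance,OU=Groups,DC=example,DC=com":
        [f"CN=fin{i},OU=Users,DC=example,DC=com" for i in range(40)],
}
SAMPLE_SEARCH = make_fake_directory(SAMPLE_GROUPS)

if __name__ == "__main__":
    for dn, total in groups_over_limit(SAMPLE_SEARCH, list(SAMPLE_GROUPS)):
        print(f"{dn}: {total} members, only the first {MAX_VAL_RANGE} would be mapped")
```

To run the check against a real domain, replace SAMPLE_SEARCH with a function that performs the LDAP search with your client library and returns the entry's attributes as a dictionary.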

CloudAccess Does Not Reconcile Pending Approvals with Changes to Policy Mappings

Issue:

CloudAccess does not reconcile pending approvals with changes to policy mappings. Users with pending approvals are granted the pending requests even if the mappings were removed after the requests were launched. (787938)

Workaround:

No workaround is available at this time.

Fatal Error Logged When Policy Mapping Page is Accessed

Issue:

Whenever the Policy Mapping page in CloudAccess is accessed, the /var/log/catalina.out log file on the master node logs the following event: [Fatal Error] :-1:-1: Premature end of file. (797102)

Workaround:

This error is cosmetic only and can be ignored. CloudAccess successfully displays the Policy Mapping page despite this error.

Approval Issues

The Approval Page Is Blank

Issue:

If the master node is not running, the Approval page is blank. (755282)

Workaround:

Solve the problem that caused the master node to stop running, or promote another healthy node to master. The Approval page is dependent on the master node.

Reporting Issues

Reports Display Information from Deleted Connectors

Issue:

After you delete connectors, reports still contain information about the deleted connectors. (756690, 745937)

Workaround:

No workaround is available at this time.

Mapping Report Displays Numeric Values Appended to Data in the Authorization Name Column

Issue:

The numeric value in the mapping report appears after deleting and recreating mappings for connectors. (753321)

Workaround:

No workaround is available at this time.

The Reporting Page Is Blank

Issue:

If the master node is not running, the Reporting page is blank. (755282)

Workaround:

Solve the problem that caused the master node to stop running. The Reporting page is dependent on the master node.

Reports May Not Accurately Show Approvals

Issue:

When you use policy mapping to map an Active Directory group to a Google Apps resource with approval required, the Overview report, the Resource by Resource report, and the Resource by User report may not show the actual current state of the user's resource allocation. If you do not use approvals, mappings work as expected and are shown correctly in the report. (789437)

Workaround:

No workaround is available at this time.

User Issues

Authentication to SaaS Application Fails in Internet Explorer 9 if Kerberos is Enabled, but the User is not Authenticated to Active Directory

Issue:

Login to the SaaS applications using Internet Explorer 9 fails if Kerberos is enabled, but the user is not authenticated to the Active Directory domain. (713247)

Workaround:

This is a known Internet Explorer issue and the Microsoft incident number is 687000. The user must be authenticated to Active Directory to log in.

Google Users Can No Longer Log in After Enabling Single Sign-On

Issue:

After implementing CloudAccess, you might have issues with existing Google Apps for Business accounts. Any user that either does not exist in the identity store or is not merged with the existing Google account can no longer log in to the Google domain. For example, user jsmith has an account in Google Apps for Business. You implement CloudAccess with single sign-on. User jsmith attempts to log in to the Google domain and fails, because Google Apps for Business does not allow both direct login and single sign-on to the same domain.

Solution:

Give users authorization to access the Google Apps for Business resource through CloudAccess.

  1. (Conditional) If the matching account exists in Active Directory, skip to Step 2. Otherwise, create a matching account in the identity store (Active Directory).
  2. Grant the user authorization to the Google Apps for Business resource by adding the user to the proper group in Active Directory. Or, map the Active Directory group to the Google Apps for Business group through the Policy Mapping page. For more information, see “Loading Google Apps for Business Authorizations” in the NetIQ CloudAccess Installation and Configuration Guide. The two accounts merge when the user receives authorization for Google Apps for Business through the Policy Mapping page. CloudAccess automatically generates a new password and resets the Google Apps for Business password. When users access the resource after the merge occurs, they automatically log in to Google Apps for Business through single sign-on.

With Prompt Before Provisioning, Claiming Existing Salesforce Account May Be Slow, and User May See SSO Error

Issue:

When using the Prompt Before Provisioning option to claim an existing Salesforce account, single sign-on (SSO) fails intermittently and the browser shows the generic Salesforce error page stating that single sign-on using an identity provider's certificate failed. (775133)

Workaround:

If the user waits a few minutes, then goes back to the OSP welcome page and clicks the Salesforce auth card again, SSO is typically successful. SSO failure of a claimed account may persist for as long as two or three minutes, but usually SSO is successful on the first browser redirect.

Users See Unhelpful Error During Sign-On if Connector for Office 365 is Disabled or Deleted

Issue:

If the Connector for Office 365 is disabled or deleted in CloudAccess, when users try to sign in to Office 365, the following error message appears: "An undetermined problem in the message format has occurred." The error message is technically correct, but it does not indicate the source of the error or how to resolve it. (789105)

Workaround:

To work around this issue, configure the Connector for Office 365 correctly (disable or fix the single sign-on configuration).

Time Synchronization Issues

CloudAccess depends on timestamps to function properly. Time must be synchronized between the VMware host, each CloudAccess node in the cluster, and the workstations administering CloudAccess.

Issue:

If time is not synchronized, provisioning fails, configurations fail, and authentication for users fails.

Solution:

Use the following items to resolve time synchronization issues:

  • Ensure that all nodes in the cluster reside in the same time zone.
  • Configure NTP on the ESX or ESXi server.
  • If you convert the OVF file to a VMX file, deselect the default option Edit Settings > Options > VMware Tools > Synchronize guest time with host. (748923)

Connector Issues

Logging Out of Identity Provider Welcome Page Does Not Result in Logout from SaaS Connectors

Issue:

Logging out of the Identity Provider welcome page does not result in logout from any of the SaaS connectors. The same issue exists with service provider-initiated logouts. (753156)

Workaround:

No workaround is available at this time. However, you can close the browser to allow the abandoned browser session to time out, so the session cannot be accessed again.

Admin Page Does Not Provide a Way to View SaaS Metadata

Issue:

The Admin page in CloudAccess does not currently provide a means of viewing the critical content in an uploaded metadata file, such as when configuring the Connector for Salesforce. (793495)

Workaround:

No workaround is available at this time. Since metadata for connectors must be unique, ensure that the metadata file is correct before uploading it.

Office 365 Installer May Fail During CloudAccess Credential Validation or Login

Issue:

When you install the Office 365 connector on the ADFS host, the installer prompts you for login credentials and the DNS name for the CloudAccess cluster. When you click Next, the installer validates your credentials against the CloudAccess appliance. Intermittently, the installer displays an error message incorrectly stating that the credentials are invalid. After the installer has gathered the remaining information required for installation, another failure may occur and the installer may display the following message: An error occurred while communicating with the AG4C server. Incorrect username or password provided. Please verify the AG4C credentials. (775245)

Workaround:

Click Next repeatedly without modifying the credentials you entered. Validation eventually succeeds and the installer advances to the next step.

Simultaneous Logout from Office 365 Does Not Work Correctly

Issue:

Users that have authenticated to Office 365 through CloudAccess are not logged out properly when they click the Sign Out link on the Office 365 pages. An error message similar to the following appears:

Error. dsm-ad115.cloudtest2.info There was a problem accessing the site. Try to browse to the site again. Reference number: 58e4c4ab-29b7-4fbd-95c1-4db02a722892

Users are not actually logged out of CloudAccess unless the user session has timed out in CloudAccess, so they can still use single sign-on to access Office 365. (775884)

Workaround:

No workaround is available at this time. Users should ensure that they close the browser when they are finished with their Office 365 session. Closing the browser removes the session, so users are required to enter their credentials the next time they attempt to access Office 365.

Uninstalling Connector for Office 365 on Windows Server May Not Remove Connector from CloudAccess

Issue:

If you uninstall the Connector for Office 365 on the Windows server while it is unable to communicate with the CloudAccess appliance, the connector is uninstalled from the Windows server, but it remains on the CloudAccess appliance and CloudAccess displays its status as green. (792280)

Workaround:

Ensure that the Windows server where the Connector for Office 365 is installed can communicate with the CloudAccess appliance before you attempt to uninstall the connector on the Windows server. If you encounter this issue, you can manually uninstall the connector from CloudAccess so it no longer appears in the console as follows:

  1. On the Admin page, click the Connector for Microsoft Office 365, then click Disable.
  2. Click the Connector for Microsoft Office 365 again, then click Remove.
  3. Click Apply to commit the changes to the appliance.

Display Name Does Not Change in Office 365 after Changing in Identity Source

Issue:

If you change the display name of a user in Active Directory or eDirectory, the display name in Office 365 is not updated accordingly. CloudAccess constructs the display name from the first and last name and does not synchronize the display name and full name from the identity source. (794602)

Workaround:

To work around this issue, change the user's first and last name in the identity source instead of the display name.

The Connector for Office 365 Does Not Detect When You Change the DNS Name or the Key Pairs for the CloudAccess Cluster

Issue:

The Connector for Office 365 does not automatically detect when you change the DNS name or the key pairs for the CloudAccess cluster. (784293)

Workaround:

Run the installer for the Connector for Office 365 in Repair mode. The Connector for Office 365 then detects the new DNS name or the new key pairs.

Removing Mappings Does Not Fully Deprovision Office 365 Accounts

Issue:

In a configuration where multiple Office 365 authorizations (for example, user account, license, and two group memberships) have been mapped to a single eDirectory group, when you delete the mapping on the Policy Mapping page, only the first user account is properly deprovisioned at the Office 365 account. The remaining user accounts in Office 365 are set to a "Single Sign-in status" of blocked, but the user's licenses are not revoked nor is the user removed from assigned groups. (801825)

Workaround:

Manually remove user licenses and group memberships for Office 365 users that are not correctly deprovisioned.

Access Connector Toolkit Does Not Provide a Logout Function

Issue:

The Access Connector Toolkit does not contain a logout option, and the session does not time out after a period of inactivity. (789303)

Workaround:

Close the browser after you finish working in the Access Connector Toolkit.

First and Last Names Are Not Updated When a User Uses Single Sign-on to Google Apps with an Existing Account

Issue:

After CloudAccess provisions a user with an existing account, the user is provisioned correctly, but when the user uses single sign-on with an existing account, the First Name and Last Name are not updated to match the values from the identity source. This issue does not affect users with new accounts. (796583)

Workaround:

No workaround is available at this time.

Navigation Through the Connector for Google Apps in Internet Explorer 9 Does Not Work Correctly

Issue:

When you use the Tab key to navigate through the Connector for Google Apps configuration options in Internet Explorer 9, if you use the space bar to select a check box, the tab navigation stops working. This issue occurs when you click a connector on the Admin page and click Configure, then configure the connector details. (787762)

Workaround:

To work around this issue, use the mouse to navigate once the tab navigation no longer works.

Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
