NetIQ CloudAccess

Version 1.5

Release Notes

Date Published: September 2013

NetIQ CloudAccess is an appliance that provides a simple, secure way to manage access to Software-as-a-Service (SaaS) applications for corporate users. It provides out-of-the box security and compliance capabilities for SaaS services including full user provisioning, dynamic credentialing, privileged user management, single sign-on (SSO), and compliance reporting.

This version includes new features, improves usability, and resolves several previous issues. Many of these improvements were made in direct response to suggestions from our customers. We thank you for your time and valuable input. We hope you continue to help us ensure our products meet all your needs. You can post feedback in the CloudAccess forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.

For more information about this release and for the latest release notes, see the CloudAccess Documentation Web site. To download this product, see the CloudAccess product Web site.

What's New?

The following sections outline the key features and functions provided by this version.

New Non-ADFS Connector for Office 365

The Connector for Office 365 that is included with the NetIQ CloudAccess product has been updated with the following enhancements:

  • ADFS and Active Directory are no longer required.
  • Certificate names no longer need to match.
  • Installation and configuration steps have been simplified.
  • Installer and error handling have been improved.
  • Reliance on name resolution for Office 365 Web app has been reduced.

The new connector can be installed on any standalone Windows server that meets basic software prerequisites. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Note
The previous (ADFS version) Connector for Office 365 is no longer supported. If you are using the old connector in CloudAccess 1.1.2 or earlier, you must uninstall the old connector before installing the new connector.

Improved Policy Mapping for Office 365 Subscriptions

The new connector for Office 365 enables administrators to perform more granular policy mapping of Office 365 subscriptions, such as Office Web Apps, SharePoint Online, Lync Online, or Exchange Online. You can now assign individual Office 365 subscriptions to users.

Support for Exchange Control Panel (ECP)

The new connector for Office 365 supports ECP (also called http proxy authentication) for desktop clients such as Microsoft Outlook. In addition, the connector supports ECP for email on mobile devices such as Android and iPhone. For more information, see the NetIQ CloudAccess Installation and Configuration Guide.

Note
The certificate for ECP support on the CloudAccess appliance must meet both of the following requirements:

  • Have a common name that matches the appliance hostname
  • Be signed by a trusted certificate authority (CA) such as Verisign, Thawte, Symantec, or Digicert

System Requirements

This version of the product supports upgrades only from NetIQ CloudAccess 1.1.2. If you are currently running CloudAccess 1.1.2 or earlier with the old connector for Office 365 in your environment, you must uninstall the old connector before installing the new connector for Office 365.

Note
Once you have started the process of upgrading your appliance, do not perform any other administrative tasks in CloudAccess until the upgrade process has completed and every node in the cluster is running the new version.

For detailed information about hardware and software requirements, see Chapter 2 "Installing CloudAccess" in the NetIQ CloudAccess Installation and Configuration Guide.

Installing This Version

To install CloudAccess, see Chapter 2 "Installing CloudAccess" in the NetIQ CloudAccess Installation and Configuration Guide.

Verifying the Installation

Complete the following steps to verify that the installation was successful.

To check the installed version:

  1. Access the Admin page at https://dns_of_appliance/appliance/Admin.html, then log in with the appliance administrator credentials.
  2. Click the appliance, then click About. The version listed in the window should be 1.5-build number.

Known Issues

NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.

Initialization Issues

Initialization Takes a Long Time to Display

Issue:

The initialization page takes a long time to display if there is no DHCP server in your environment. The initialization page eventually appears and assigns a 192.xxx.xxx IP address to the appliance.

Workaround:

Edit the VMX file for the appliance before the first boot. For more information, see “Configuring the Appliance without a DHCP Server” in the NetIQ CloudAccess Installation and Configuration Guide.

Changes to the Preferred DNS Server During Initialization Result in a Static IP Address

Issue:

If you want to change the preferred DNS server, you must select Use the following IP address in Step 1 on the initialization page, which assigns a static IP address to the appliance. (754137)

Workaround:

After the initialization process completes, on the Admin page, change the IP address from static to DHCP.

Administration Issues

Deleting a Node from the Cluster Removes the Node from the Interface, but the VMware Image Still Runs

Issue:

When you delete a node from the cluster, the appliance removes the node from the interface, but the VMware image still exists and continues to run. Leaving the image running allows users to authenticate to a node that no longer appears on the Admin page. (755006)

Workaround:

Use the following procedure to delete a node from a cluster:

  1. Remove the node from the L4 switch.
  2. Delete the node from the cluster on the Admin page.
  3. Stop the VMware image on the ESX server.
  4. Delete the VMware image on the ESX server.

CloudAccess Cannot Set TenantName Attribute on Events Sent to Sentinel

Issue:

CloudAccess cannot currently set the TenantName attribute on events sent to Sentinel using the Sentinel Link collector. As a result, for events received from CloudAccess, reporting and identity tracking functionality does not work properly within Sentinel. (812159)

Workaround:

No workaround is available at this time.

Browser Errors If Kerberos Is Not Enabled in the Browser

Issue:

If Integrated Windows Authentication is enabled in CloudAccess and a user is logged in to a domain where Kerberos is configured but Kerberos is not enabled in the browser, entering invalid credentials at the OSP prompt or clicking Cancel may cause some browsers to display errors or behave unexpectedly. (802257)

Workaround:

To prevent this issue, ensure that Kerberos is configured in the browser.

Health Status Indicates That No Time Server Is Configured

Issue:

After you add a node to the cluster, the health status for the node may display a "No time server configured!" error, even though the node is correctly configured. (816968)

Workaround:

To work around this issue, restart the appliance. CloudAccess displays health status correctly afterwards.

Provisioning Issues

User Email Address Changes in Active Directory Are Not Provisioned to Salesforce

Issue:

User email address changes in Active Directory are not provisioned to Salesforce. (717153)

Workaround:

No workaround is available at this time.

Approval-Based Provisioning Continues Despite Removing the User from a Mapped Group

Issue:

If a user is removed from a mapped group when there is an outstanding approval request, CloudAccess provisions the deleted user to the SaaS application when the administrator grants the approval. (752527)

Workaround:

Verify that the user is a member of the group before granting approval, or deny the request after removing the user from the group.

Re-enabled User Has Role That Was Previously Assigned

Issue:

If you assign a user to a role in CloudAccess and then remove that user from the identity source, CloudAccess does not automatically remove the role assignment. So, if the user's context in the identity source is later restored, CloudAccess shows that user as having the same role that was previously assigned. (765609)

Workaround:

To work around this issue, before you remove a user in the identity source, ensure that you have revoked all roles from that user on the Roles page in CloudAccess.

Policy Mapping Issues

No Connectors Are Displayed on the Policy Mapping Page

Issue:

The Policy Mapping page does not display the connectors for the SaaS applications.

Solution:

There are two possible solutions:

  • Verify that the connectors are configured properly and enabled. For more information, see the appropriate sections for configuring connectors in the NetIQ CloudAccess Installation and Configuration Guide.
  • Click the Refresh List icon in the upper-right corner of the Policy Mapping page.

CloudAccess Does Not Reconcile Pending Approvals with Changes to Policy Mappings

Issue:

CloudAccess does not reconcile pending approvals with changes to policy mappings. Users with pending approvals are granted the pending requests even if the mappings were removed after the requests were launched. (787938)

Workaround:

If a policy mapping for a resource was created by mistake, decline all requests for that resource. If the mapping was created correctly but has since been removed, decline all outstanding approval requests. You can often avoid this issue by ensuring that requests are approved or denied in a timely manner.

Using Multiple Browsers or Browser Windows Can Result in Duplicate Mappings

Issue:

If you simultaneously use more than one browser or browser window to map authorizations, CloudAccess does not warn you if you inadvertently do the same mapping in two different browsers. Clicking Refresh displays two identical mappings on the Approvals page, but only one of them is a valid mapping. If you remove one of the mappings, CloudAccess may not actually deprovision the user until you remove the authorization that is mapped to the group. (815825)

Workaround:

To avoid this issue, use only one browser window when creating policy mappings. To recover from it, on the CloudAccess Policy page, manually remove all duplicate authorization mappings from the role, then map the desired authorizations back to the role.

Using Wildcards for Filtering on Roles Page Does Not Work As Expected

Issue:

If you use wildcards such as an asterisk (*) or question mark (?) in the Filter field on the Roles page, CloudAccess does not correctly filter results. (813540)

Workaround:

No workaround is available at this time. To ensure accurate results, do not use wildcards for filtering on the Roles page.

Reporting Issues

Reports Display Information from Deleted Connectors

Issue:

After you delete connectors, reports still contain information about the deleted connectors. (756690)

Workaround:

No workaround is available at this time.

Mapping Report Displays Numeric Values Appended to Data in the Authorization Name Column

Issue:

After you delete and re-create mappings for a connector, the mapping report displays a numeric value appended to the data in the Authorization Name column. (753321)

Workaround:

No workaround is available at this time.

Reports May Not Accurately Show Approvals

Issue:

When you use policy mapping to map an Active Directory group to a Google Apps resource with approval required, the Overview report, the Resource by Resource report, and the Resource by User report may not show the actual current state of the user's resource allocation. If you do not use approvals, mappings work as expected and are shown correctly in the report. (789437)

Workaround:

No workaround is available at this time.

Some Authorizations Appear Twice in Reports with Roles

Issue:

When you add a user to a role (group in the identity source), an entry is added to the reporting database. When you map an authorization (resource) to the role using the Policy Mapping tool, another entry is added which associates the resource with the role. The current reports have a defect where, when you grant a user an authorization by their group membership (with or without approval), the report shows the correct resource as being granted to the user, but may have duplicate entries for the role from which the user received the resource.

For example: The group "Sales" has been mapped to the resource "GApps_Sales." The user is a member of the group "Sales" and "Marketing" in the identity source. When you run the report, the user has duplicate entries for the "GApps_Sales" resource (one for "Sales" group and one for "Marketing"). While the resource grant is accurate for the "GApps_Sales" resource, the report is incorrect in showing any relationship between the "Marketing" group and the "GApps_Sales" resource. (837443)

Workaround:

No workaround is available at this time.

User Issue

Google Users Can No Longer Log in After Enabling Single Sign-On

Issue:

After implementing CloudAccess, you might have some issues with existing Google Apps for Business accounts. Any users that either do not exist in the identity store, or are not merged with the existing Google account, can no longer log in to the Google domain. For example, user jsmith has an account in Google Apps for Business. You implement CloudAccess with single sign-on. User jsmith attempts to log in to the Google domain and fails. Google Apps for Business does not allow both direct login and single sign-on for the same domain.

Solution:

Give users authorization to access the Google Apps for Business resource through CloudAccess.

  1. (Conditional) If the matching account exists in Active Directory, skip to Step 2. Otherwise, create a matching account in the identity store (Active Directory).
  2. Grant the user authorization to the Google Apps for Business resource by adding the user to the proper group in Active Directory. Or, map the Active Directory group to the Google Apps for Business group through the Policy Mapping page. For more information, see “Loading Google Apps for Business Authorizations” in the NetIQ CloudAccess Installation and Configuration Guide. The two accounts merge when the user receives authorization for Google Apps for Business through the Policy Mapping page. CloudAccess automatically generates a new password and resets the Google Apps for Business password. When users access the resource after the merge occurs, they automatically log in to Google Apps for Business through single sign-on.

Time Synchronization Issue

CloudAccess depends on timestamps to function properly. Time must be synchronized between the VMware host, each CloudAccess node in the cluster, and the workstations administering CloudAccess.

Issue:

If time is not synchronized, provisioning fails, configurations fail, and authentication for users fails.

Solution:

Use the following items to resolve time synchronization issues:

  • Ensure that all nodes in the cluster reside in the same time zone.
  • Configure NTP on the ESX or ESXi server.
  • If you convert the OVF file to a VMX file, deselect the default option Edit Settings > Options > VMware Tools > Synchronize guest time with host. (748923)

Connector Issues

Logging Out of Identity Provider Welcome Page Does Not Result in Logout from SaaS Connectors

Issue:

Logging out of the Identity Provider welcome page may not result in logout from the SaaS accounts, depending on support and configuration for SAML Single Logout at the SaaS provider. Many SaaS providers do not support the SAML Single Logout service. The same issue exists with service provider-initiated logouts. (753156, 837076)

Workaround:

Close the browser to allow the abandoned browser session to time out, so the session cannot be accessed again.

Admin Page Does Not Provide a Way to View SaaS Metadata

Issue:

The Admin page in CloudAccess does not currently provide a means of viewing the critical content in an uploaded metadata file, such as when configuring the Connector for Salesforce. (793495)

Workaround:

No workaround is available at this time. Since metadata for connectors must be unique, ensure that the metadata file is correct before uploading it.

Access Connector Toolkit Does Not Provide a Logout Option

Issue:

The Access Connector Toolkit does not currently provide a logout option, though the session does time out after 60 minutes of inactivity. (789303)

Workaround:

Close the browser after you finish working in the Access Connector Toolkit.

Office 365 Installer May Fail During CloudAccess Credential Validation or Login

Issue:

When you install the connector for Office 365 on the Windows server, the installer prompts you for login credentials and the DNS name for the CloudAccess cluster. When you click Next, the installer validates your credentials against the CloudAccess appliance. Intermittently, the installer displays an error message incorrectly stating that the credentials are invalid. After the installer has gathered the remaining information required for installation, another failure may occur and the installer may display the following message: "Incorrect username or password provided. Please verify the NetIQ CloudAccess credentials." (775245)

Workaround:

Click Next repeatedly without modifying the credentials you entered. Validation eventually succeeds and the installer advances to the next step.

Display Name Does Not Change in Office 365 after Changing in Identity Source

Issue:

If you change the display name of a user in Active Directory or eDirectory, the display name in Office 365 is not updated accordingly. CloudAccess constructs the display name from the first and last name and does not synchronize the display name and full name from the identity source. (794602)

Workaround:

To work around this issue, change the user's first and last name in the identity source instead of the display name.

Renaming Authorization at Office 365 Account Requires Policy Remapping in CloudAccess

Issue:

If an authorization at the Office 365 account is renamed, any existing policy mappings in CloudAccess are lost, because CloudAccess uses the account name rather than the underlying static ID of the authorization for policy mapping. (811460)

Workaround:

No workaround is available at this time. After changing the Office 365 authorization name, use Policy Mapping to re-map and Approvals to re-approve if necessary.

Office 365 User Licenses Are Not Always Removed During Deprovisioning

Issue:

When you deprovision Office 365 users, CloudAccess may not consistently remove all licenses and authorizations for those users. (815104)

Workaround:

No workaround is available at this time. After you deprovision users, check to ensure that all licenses, security groups, and other authorizations have been removed. If necessary, remove any remaining authorizations manually.

Office Web Apps Cannot Be Assigned or Unassigned Without SharePoint Online

Issue:

When assigning or unassigning Office 365 subscriptions to users, if you select Office Web Apps, you must also select SharePoint Online. This is a Microsoft Office 365 dependency, and the Office 365 admin portal page displays an error if you attempt to do this. The Policy page in CloudAccess does not actually prevent you from assigning Office Web Apps by itself, but nothing happens and the logs show "Unable to assign this license." In addition, if you assign several subscriptions to a user, and you include Office Web Apps but do not include SharePoint Online, none of the other licenses in that operation are applied until you add SharePoint Online. This behavior occurs on the Office 365 admin portal page as well as in CloudAccess.

Workaround:

Ensure that when you assign or unassign Office Web Apps to a user, you also assign or unassign SharePoint Online.

Installation of Connector for Office 365 Fails when L4 Switch Is In Round Robin Mode

Issue:

If you have an L4 switch in your environment that is configured for round robin mode, the installer for the Connector for Office 365 is likely to fail. (841341)

Workaround:

Edit the hosts file on the Windows server that hosts the Connector for Office 365 so that the cluster DNS name resolves to a single node in the cluster instead of to the L4 switch.

First and Last Names Are Not Updated when a User Uses Single Sign-On to Google Apps with an Existing Account

Issue:

CloudAccess correctly provisions a user who already has an existing Google Apps account, but when that user logs in through single sign-on, the First Name and Last Name in Google Apps are not updated to match the values from the identity source. This issue does not affect users with new accounts. (796583)

Workaround:

No workaround is available at this time.

Google Apps Mail Attachment Limit

The CloudAccess Connector for Google Apps for Business currently has a maximum attachment size of 10 MB for the Google Apps Mail proxy. This limitation will be addressed in an upcoming release.

Service Provider-Initiated Login to Salesforce and NetIQ Access Manager Does Not Work Correctly

The following limitations currently exist with the Connector for Salesforce and the Connector for NetIQ Access Manager:

  • The standard Connector for Salesforce supports multiple domains. However, the Salesforce single sign-on (SSO) connector does not support multiple domains. So, if you use the SSO Connector for Salesforce, you must use the https://saml.salesforce.com URL.
  • In Safari or Internet Explorer 9, if you attempt a service provider-initiated login from Salesforce, the Salesforce site does not send a SAML2 AuthnRequest XML document with the SAML Request. As a result, the Welcome page appears instead of the logged-in Salesforce page. This is Salesforce behavior and cannot be addressed in the Connector for Salesforce. This behavior does not occur in Internet Explorer 10. The same behavior occurs with the Connector for NetIQ Access Manager using Safari or Internet Explorer 9 or 10. (813313)

Behavior of Service Provider-Initiated Login To Salesforce When Kerberos Is Enabled

If you have Kerberos enabled on your CloudAccess cluster, service provider-initiated login attempts to Salesforce may result in the browser being left at the OSP welcome page after authenticating to the OSP instead of being redirected back to Salesforce. This issue occurs only if Kerberos is enabled on the CloudAccess cluster, but it occurs regardless of whether Kerberos single sign-on (SSO) occurs to the OSP or another authentication is used instead (for example, when the workstation is not a member of the Active Directory domain).

You can prevent or address this issue by changing an option on the Single Sign-On Settings page at Salesforce. This page includes a new radio button named Service Provider Initiated Request Binding with two options: HTTP POST (selected by default) and HTTP Redirect. If you have Kerberos enabled on your CloudAccess cluster, select HTTP Redirect instead of the default HTTP POST option. If you do not have Kerberos enabled on the CloudAccess cluster, you do not need to change this option.

This issue occurs on workstations running Windows 7 and Internet Explorer 9, but does not occur with Firefox on Windows 7.
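As an added diagnostic for the two Salesforce issues above (example code written for these notes, not part of CloudAccess, Salesforce or Access Manager), the following Python decodes a SAMLRequest value under either the HTTP-POST or the HTTP-Redirect binding and reports whether it actually carries a SAML2 AuthnRequest, who issued it, and where the response must be returned. The AuthnRequest, its ID, the ACS URL and the IdP SSO URL are constructed placeholders.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample AuthnRequest: ID, timestamp and ACS URL are placeholders,
# not values captured from a real service provider.
SAMPLE_AUTHN_REQUEST = (
    f'<samlp:AuthnRequest xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}" '
    'ID="_constructed-id-1" Version="2.0" IssueInstant="2013-09-01T00:00:00Z" '
    'AssertionConsumerServiceURL="https://sp.example.com/acs" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
    "<saml:Issuer>https://saml.salesforce.com</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_post(xml: str) -> str:
    """HTTP-POST binding: the SAMLRequest form field is plain base64 of the XML."""
    return base64.b64encode(xml.encode()).decode()


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def build_redirect_url(idp_sso_url: str, xml: str) -> str:
    """Build the (unsigned) redirect URL a service provider sends the browser to."""
    return idp_sso_url + "?" + urlencode({"SAMLRequest": encode_redirect(xml)})


def inspect_saml_request(value: str, binding: str) -> dict:
    """Decode a SAMLRequest value and report whether it is a usable AuthnRequest."""
    try:
        raw = base64.b64decode(value, validate=True)
        xml = zlib.decompress(raw, -15) if binding == "redirect" else raw
    except (ValueError, zlib.error) as exc:
        return {"is_authn_request": False, "error": f"undecodable SAMLRequest: {exc}"}
    try:
        root = ET.fromstring(xml)
    except ET.ParseError as exc:
        return {"is_authn_request": False, "error": f"SAMLRequest is not XML: {exc}"}
    if root.tag != f"{{{SAMLP_NS}}}AuthnRequest":
        return {"is_authn_request": False, "error": f"root element is {root.tag}, not AuthnRequest"}
    issuer = root.find(f"{{{SAML_NS}}}Issuer")
    return {
        "is_authn_request": True,
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        # Without an ACS URL the IdP has nowhere to return the response to.
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
    }


def inspect_redirect_url(url: str) -> dict:
    """Pull the SAMLRequest out of an HTTP-Redirect binding URL and inspect it."""
    params = parse_qs(urlparse(url).query)
    if "SAMLRequest" not in params:
        return {"is_authn_request": False, "error": "no SAMLRequest parameter in URL"}
    return inspect_saml_request(params["SAMLRequest"][0], "redirect")


if __name__ == "__main__":
    # "https://idp.example.com/sso" is a placeholder for the IdP SSO endpoint.
    print(inspect_redirect_url(build_redirect_url("https://idp.example.com/sso", SAMPLE_AUTHN_REQUEST)))
    print(inspect_saml_request(encode_post(SAMPLE_AUTHN_REQUEST), "post"))
    # A SAMLRequest that carries no AuthnRequest XML at all, as described for Safari and IE9:
    print(inspect_saml_request("", "post"))
```

Paste the SAMLRequest value from the browser's request (form field for HTTP POST, query parameter for HTTP Redirect) into the matching function to see which case an SP-initiated login that lands on the welcome page falls into.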

Single Sign-On to Box.com Fails if User Session Timeout Is Set to 75 Minutes Or Longer

Issue:

If you set the user session timeout for the cluster to 75 minutes or longer, the Box connector displays an error when users attempt to use single sign-on to Box. (814752)

Workaround:

To ensure that single sign-on works for the Box connector, set the User session timeout value to 74 minutes or less. This is a cluster-level setting so it will affect behavior of user sessions not using Box as well.

Contact Information

Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.

For detailed contact information, see the Support Contact Information Web site.

For general corporate and product information, see the NetIQ Corporate Web site.

For interactive conversations with your peers and NetIQ experts, become an active member of Qmunity, our community Web site that offers product forums, product notifications, blogs, and product user groups.
