VaultOne: Troubleshooting

The Actions button is not appearing

Resolution: The user must contact an administrator of their VaultOne platform. The administrator can then grant the required permissions to the user, and the Actions button will become visible, allowing them to manage the resource.

The Actions button for a resource (like a computer, credential, or website) may not appear for a specific user. This is a security feature in VaultOne. The absence of the Actions button indicates that a user can see that a resource exists, but they do not have the necessary permissions to act on it.

Error: Response Code: This Problem…

Resolution: This error indicates a problem with the internal network of the computer. You need to verify the network and ensure it can connect to the VaultOne API.

Error: Active Directory user, access denied error in the script

Resolution: The script must be executed by a user with elevated (Administrator) permissions. If the user does not have elevated permissions, they need to have the "Reset Password" permission enabled specifically for this action.

Error: This credential doesn’t rotate because the version is different!

Resolution: This error means the password rotation could not be completed because the last attempt resulted in a version mismatch error. To fix this, go into your vault, find your credential, and click Actions > Synchronize password. Select the current password for the user and click Confirm.

Error: You need administrator privileges to continue using this script

Resolution: The password rotation script always requires administrative privileges to run. The user executing the script must have administrator permissions.

Error: Response Code: 429

Resolution: This error, a "Too Many Requests" message, is due to a large number of password rotation requests in a short time. You will need to wait at least one hour before trying again.

Error: Could not authenticate in VaultOne API

This problem can occur for any of the following reasons:

• The password rotation feature is not enabled for the credential in your vault
• The asset used for password rotation was changed or updated
• The authentication key in the vault was changed but not updated in the script

Resolution: Generate a new authentication key in VaultOne. On the computer running the script, delete the .passwordRotation file located in the directory %LOCALAPPDATA%\VaultOne\PasswordRotation\<user of the credential>. After deleting the file, restart the script to insert the new key.

Error: <user> not found. Please, ensure the user exists and try again.

Resolution: The specified user was not found on the local machine. Verify that the user exists in your Windows installation.

Error: <user> not found in your domain. Please, ensure the user exists in your domain and try again.

Resolution: The specified user was not found in the domain. Verify that the user exists within the domain where the computer is located.

Error: Response Code: 401 – Could not authenticate in VaultOne API

Resolution: This error indicates a problem with the authentication key. It can occur if:

• The password rotation feature was not enabled for the credential in your vault.
• The asset used for password rotation was changed or updated.
• The authentication key in the vault was changed but not updated in the rotation script.

To resolve this, you must generate a new authentication key in VaultOne. Then, on the computer where the script is running, delete the .passwordRotation file from the directory "$HOME/VaultOne/PasswordRotation/<user credential>". After deleting the file, restart the script to enter the new key.

Error: Response Code: 000

Resolution: This error suggests a network connectivity problem. You need to verify the internal network of the computer and check if it is able to connect to the VaultOne API.

Error: <user> not found. Please, ensure the user exists and try again.

Resolution: The user specified for the rotation was not found on the local machine. Verify that the user exists in your Linux/Unix installation and that the username is entered correctly.

Error: Response Code: 429

Resolution: This error, a "Too Many Requests" message, is due to a high number of password rotation requests. You will need to wait at least one hour before trying again.

VaultOne accesses the website, but the login isn’t completing automatically

Find and copy the unique CSS selector for the website’s login button

1. Access the website link directly (outside of VaultOne).
2. Right-click on the Login or Sign In button.
3. From the context menu, select Inspect to open your browser's developer tools.
4. In the developer tools, you will be directed to the HTML tag for the button you inspected.
5. Right-click on this tag, select Copy, then Copy selector.

Paste the element selector into VaultOne

1. In VaultOne, click the Websites menu and find the website you want to configure.
2. Go to Actions > Edit > Extension.
3. In the Extension window, find the "Login button selector" field.
4. Paste the selector you copied in the previous section into this field.
5. Click Save.

VaultOne accesses the website but login fields are not automatically filled

If you're trying to access a website via VaultOne and the username, email, or password fields are not being filled automatically, you can use the following steps to configure the auto-fill feature:

Find and copy the unique CSS selector for the website’s field

1. Access the website link directly (outside of VaultOne).
2. Right-click on the Login or Sign In button.
3. From the context menu, select Inspect to open your browser's developer tools.
4. In the developer tools, you will be directed to the HTML tag for the field you inspected.
5. Right-click on this tag, select Copy, then Copy selector.

Paste the Element Selector into VaultOne

1. In VaultOne, click the Websites menu and find the website you want to configure.
2. Go to Actions > Edit > Extension.
3. In the Extension tab, locate the "Username/email field selector" field.
4. Paste the selector you copied in the previous section into this field.
5. Click Save.

Error: Accessing VaultOne Resources Using HOSTNAME error

Resolution: This is a common error that occurs when trying to access resources in VaultOne using a hostname instead of an IP address. While VaultOne does allow you to register resources with a hostname, access is managed through the VaultOne connector installed in your infrastructure.

Validate Hostname Resolution

1. Open a terminal or command prompt on the machine where the VaultOne connector is installed.
2. Run the following command to check if the connector can successfully resolve the hostname: ping (HOSTNAME)

If the ping command fails, it indicates a DNS resolution issue within the connector's network environment.

Check the Full Hostname

If the error persists even after the first validation, you may need to check how the hostname is registered in VaultOne.

1. Ensure that you are using the full hostname (e.g., companyx.network.local) instead of a simple nickname (e.g., companyx). The VaultOne container might not be able to resolve a nickname, but it can often resolve the fully qualified domain name.

Error: Webservice currently unavailable Error 502

This message indicates that the VaultOne connector was unable to connect to the registered website.

Resolution:

Confirm That Connector Containers Are Running

1. Access the machine where your connector is installed.
2. Run the following command: docker ps -a
3. Check the status of the four containers - all of them should show a status of "Up".

Check Your Connection to the Website

1. On the same machine where the connector is installed, run the following command to test the connection: cURL -v (full url)
2. Replace (full url) with the complete URL of the website you are trying to access (e.g., https://www.example.com).
3. A successful cURL command will show a positive connection response.

Collect and Submit Connector Logs

If the connector cannot access the site, you need to collect the platform logs for our support team to analyze.

1. On the machine where the connector is installed, type the following command to generate the log file:

2. Submit this log file to Support for validation.

Error: ERR_CONNECTION_REFUSED, TIMEOUT, DENIED

This error indicates a communication issue between your machine and the VaultOne Connector.

Resolution:

Confirm That Connector Containers Are Running

1. Access the machine where the connector is installed.
2. Use a ROOT user and run the following command: docker ps -a
3. Check the output to ensure that the status of all four containers is "Up."

Check Your Firewall Rules

The error may be caused by a firewall rule that is blocking the connection:

• External Firewall - use an online tool, like https://www.yougetsignal.com/tools/open-ports/ to check if your port is open. If it's closed, you'll need to open it in your external firewall settings
• Internal Firewall - contact your firewall administrator to validate if there is a block on the port you are using or any other specific rule preventing the connection

Perform a Telnet Test

Perform a telnet test from your machine to the connector machine to verify the connection:

1. On your machine, type the following command: telnet (IP or name of the machine where the connector is installed) (Port)
2. A successful telnet will show a positive connection response, confirming that the port is open and accessible.

Verify Your NAT Configuration

If you are using Network Address Translation (NAT) for the port that connects to the connector, the NAT configuration might be incorrect. Ensure that your NAT is correctly pointing to the VaultOne service and not to another service.

Error: You are Already Connected in the Database

You may receive this error when attempting to initiate a new database connection while a previous session is still active. This often happens if you close the database viewing tab without properly ending the session, leaving the connection running in the background.

Resolution: Choose one of the following methods to terminate the existing session:

Option 1: Close the Browser Tab

If the browser tab where the database session was started is still open, simply close it. This will automatically end the active connection, allowing you to start a new session normally.

Option 2: End the Session from the Database Screen

1. In the Database menu, locate the asset in question.
2. Click the icon to the left of the asset name. A pop-up will appear with connection information.
3. In this pop-up, hover over the user's name to display the Disconnect icon.
4. Click the icon and confirm ending the session.

Option 3: End the Session from the Connectors Screen

1. Go to the Administration > Connectors menu.
2. Find the connector associated with the database asset.
3. Click on Active connections.
4. A pop-up will show all active sessions from that connector. Locate the correct session.
5. Click the Disconnect icon and confirm ending the action.

Once the previous session is closed, the error will be resolved, and you will be able to connect to the database again.

Error: Your Connection Has Been Ended

The "Your connection has been ended" error message, which you may encounter when attempting to access a computer or server, typically indicates an issue with the VaultOne connector installation.

Resolution: Reinstall the connector.

Reinstall the Connector

1. Log in to your VaultOne platform.
2. Navigate to Administration > Connectors.
3. Find the specific connector that is causing the issue.
4. Click on Actions next to that connector, and select Install.

Run the Installation Command

1. A window will open with the installation command. Copy the command or download the installation script.
2. Access the target machine (where the connector will be installed) with a root user.
3. Enter the installation command you copied in the previous step.
4. Authenticate with the user or email you use for VaultOne access.

Verify the Containers

After the installation is complete, you should verify that the connector's containers are running correctly.

1. On the target machine, run the following command in the terminal or command prompt: docker ps -a
2. Check the output to ensure that the four containers associated with the connector are all listed with an "Up" status.

If all four containers are running correctly, the connector is properly installed. You can now try to access the computer or server again.

Error: VaultOne will not be able to log in some users automatically, because they don’t have the “connect” permission linked with any credentials

Resolution: To avoid this message below and allow the user to connect automatically, the administrator needs to grant the user the Connect permission for the credential.

When an administrator creates a resource, such as a computer or a website, and shares it with another user, it is essential to grant that user the Connect permission for the associated credential. Otherwise, the user will not be able to log in automatically.

When registering a computer/website, the user will deal with two types of creation, the creation of the website/computer and the creation of the credentials that will be used in these assets.

1. Inside the Sharing Preferences area, select the Connect permission for the resource and the credential.
2. Click Save.

Error: The remote station cannot be found

When attempting to access a machine through RDP and this error message appears, it indicates that the connection successfully reached the VaultOne Connector, but the Connector was unable to locate the destination machine.

Resolution:

Verify the VaultOne Connector Status

Access the machine where the VaultOne Connector is installed and run the following command using the root user:

docker ps -

You should see five containers running with their STATUS listed as “Up”, as shown in the example below:

Check Network Connectivity to the Target Machine

Verify that the VaultOne Connector can communicate with the target machine. To do this, perform a TELNET test from the Linux server where the Connector is installed.

Run the following command:

• Replace <IP> with the address registered in the VaultOne Platform.
• Replace <Port> with the port number used for RDP (typically 3389).

Example of a successful TELNET connection:

If the connection is successful, it means that network communication between the Connector and the destination machine is working properly.

If the TELNET command fails (e.g., shows "Connection refused" or "Unable to connect"), it indicates a network or firewall issue between the Connector and the destination machine.

Validate Configuration in the VaultOne Platform

If the TELNET test was successful but the RDP error still occurs, check the following settings inside the VaultOne platform:

• Verify the Credential Information:
  • Ensure that the credential is registered with the correct username and password.
• Check Domain Requirement:
  • On the “Edit Credential” screen (see example below), confirm whether the credential needs to include a domain (e.g., DOMAIN\\username or [email protected]).

• Validate the Security Protocol:
  • On the “Edit Server” screen, review which security protocol is selected for the RDP connection.

Extract Logs from the Connector

If you’ve completed all the validations above and the error still persists, the next step is to extract the Connector logs and send them to our support team for further analysis.

Enable DEBUG Mode on the Connector

To capture detailed logs, you need to activate DEBUG mode on the Linux server where the VaultOne Connector is installed.

Run the following commands using the root user:

This will restart the Connector container with debug logging enabled.

Extract and Send the VaultOne Connection Logs

Once DEBUG mode is enabled, you can extract the VaultOne Connector logs by using some Linux commands, here is an example:

Replace <file_name> with the desired name for the log file.

Example:

This command will generate a text file with the most recent logs from the vo-core container.

Contact Support

Please send the generated log file to our support team along with a brief description of the issue you’re experiencing. Our technical team will analyze the logs and get back to you as soon as possible.