Thycotic sync debug
#1
Hi,

We are implementing Thycotic as a password source.
Can we enable advanced debugging for the synchronisation of Thycotic?

When executing the sync command from the command prompt, the log says:

Information - Sync finished - Sync operation executed successfully.

We have the issue that for the moment only one credential from the root folder is synced. (asg2020)
Reply
#2
There is no "advanced debugging" mode - is the same sync working if you execute from UI? Did you choose some subfolders? Because we found a bug in folder selection that will be fixed with the next patch

Root
=>Folder1
    =>SubFolder1
    =>SubFolder2
=>Folder2

If only Root and SubFolder2 is selected - Folder1 is ignored (that is the bug) and so SubFolder2 is also not synced - if that matches your problem you can get a private fix that already solved this issue
Regards/Gruss
Oliver
Reply
#3
(19-03-2020, 09:14 AM)DevOma Wrote: There is no "advanced debugging" mode - is the same sync working if you execute from UI? Did you choose some subfolders? Because we found a bug in folder selection that will be fixed with the next patch

Root
=>Folder1
    =>SubFolder1
    =>SubFolder2
=>Folder2

If only Root and SubFolder2 is selected - Folder1 is ignored (that is the bug) and so SubFolder2 is also not synced - if that matches your problem you can get a private fix that already solved this issue

when selecting "browse", only the root folder is listed, no other folders are visible.
according to the Thycotic engineer the user rights are ok to view all the folders.

the sync is working since the objects stored directly in the root are synced


Reply
#4
Did you try with another user? If the API requests are failing it would add an error log entry - but if there are no error logs all requests seem to be ok but Thycotic does not list any child objects?!?

I have currently no environment active - so it could take some days to reproduce - but I know a lot of customers are using Thycotic sync and it's working fine...

You are using the Cloud for your Thycotic Secret Server instance? Just to setup the same for testing...
Regards/Gruss
Oliver
Reply
#5
(23-03-2020, 03:55 PM)DevOma Wrote: Did you try with another user? If the API requests are failing it would add an error log entry - but if there are no error logs all requests seem to be ok but Thycotic does not list any child objects?!?

I have currently no environment active - so it could take some days to reproduce - but I know a lot of customers are using Thycotic sync and it's working fine...

You are using the Cloud for your Thycotic Secret Server instance? Just to setup the same for testing...

another user did not work as well.
no error logs -> Sync operation executed successfully.
We are using the secret server cloud.
i'm Admin in secret server, and see the folders/credentials on the web portal of Thycotic.

i'm currently debugging with the Thycotic engineers, they ask which api request is sent when clicking on the "browse" button.
we are currently using the 2020 version. Just tried with 2019 and it is working.

so the issue must be in the new 2020 version i think.
Reply
#6
I tried to get a test license - but currently it seems to be difficult - so I asked again today - I think it will be easier if we can reproduce it...
Regards/Gruss
Oliver
Reply
#7
I think I found the issue - let me create a private build for testing - I will inform you via PM today where you can download
Regards/Gruss
Oliver
Reply
#8
(27-03-2020, 10:43 AM)DevOma Wrote: I think I found the issue - let me create a private build for testing - I will inform you via PM today where you can download

ok thanks, one other question.

when clicking on browse, it seems like every folder is fetched individually.
we have over 2000 folders.
opening the browse window takes up to an hour before folders can be selected to be synced.
can this be sped up in any way?
Reply
#9
2000 folders for credentials - wow...

We have already optimized Thycotic access - only solution would be that you need to click on a folder before it will open - but this will be some more effort...
Regards/Gruss
Oliver
Reply
#10
For your info - we have now a running cloud version of Thycotic Secret Server and found another code issue - already fixed that - and I think in the next days we will publish a Patch - if you need the version before just let me know and I will give you a link to a private build
Regards/Gruss
Oliver
Reply
#11
(31-03-2020, 02:03 PM)DevOma Wrote: For your info - we have now a running cloud version of Thycotic Secret Server and found another code issue - already fixed that - and I think in the next days we will publish a Patch - if you need the version before just let me know and I will give you a link to a private build

Hi, that would be great to test the beta version.
Reply
#12
Regarding your last error - please tell me how you use the sync - Auth with Username/Password? Have you stored the password in the credential object or do you enter the password when starting to work with Thycotic (browse/sync)? Is the error popping up directly after "browse"? Or perhaps run for at least 30 seconds and then pops up? Because you have a large amount of folders and normally you should run in timeout and ASGRD should request a new token...

Please give as much feedback/details you can - might be easier to see what's going wrong...
Regards/Gruss
Oliver
Reply
#13
My account was locked in Thycotic, causing the error message.

Browsing the folders works now, but still takes a very long time.
Will the folder sync run automatically when opening ASG/every x minutes?
Can we schedule the sync command to update the folder automatically?
Will this command change over time? (/syncid)

Can personal values be activated on the thycotic folder to update the thycotic folder instead of Default Values?
We need to use username/password to sync the folder, we cannot use a service account since thycotic logs the credential usage and we need to audit which user accesses which credential.
Each user has his own AD integrated login in Thycotic secret server online, windows authentication is not possible in the online version.

Extracting the passwords via the ASG Powershell API works in the 32Bit version, in the 64Bit version the password remains blank.
But we can work with the 32Bit version, so no issue there for the moment.
Reply
#14
To sync the folder automatically you can retrieve the command line in the sync configuration (button Command Line) - this command (perhaps you have to customize your login information) can be used within a Task - Administrative Tools => Task Scheduler - configure when and how often it should run! In UI there is no automatic sync - but you can always run it manually

Let me check how the issue with "Personal Values" - will come back...

Extracting passwords in x86/x64 should be no difference - will check that also...
Regards/Gruss
Oliver
Reply
#15
Personal Folders - could you describe how you wish to have this? Just sync folders under "your personal folder" - so the personal folder is equal to username for login I think - does every user have its own login and just want to see/sync the values under personal folders? We could make this also configurable like "Sync only personal folders / Sync only default folders / Sync all folders"

The problem is - we support several password managers - but if you do not use these tools daily it is not easy to see the needs that customers might have - so we like to hear in detail how customers would like to have it and try to customize it then?!?
Regards/Gruss
Oliver
Reply
#16
(07-04-2020, 09:59 AM)DevOma Wrote: Personal Folders - could you describe how you wish to have this? Just sync folders under "your personal folder" - so the personal folder is equal to username for login I think - does every user have its own login and just want to see/sync the values under personal folders? We could make this also configurable like "Sync only personal folders / Sync only default folders / Sync all folders"

The problem is - we support several password managers - but if you do not use these tools daily it is not easy to see the needs that customers might have - so we like to hear in detail how customers would like to have it and try to customize it then?!?

the folder structure is as the following:

Credentials
-Thycotic
--Customer secrets
---Customer X
----global credential X
----Personal credential Y
----global credential Y
---Customer Y

yes it would be handy to have "sync only personal folders/default" option as well.

We have AD integrated login to Thycotic for tracking purposes, so every user needs to sync credentials/view with his own AD account.
For that to work, every user needs to change the default credentials value for the global Thycotic ASG folder to the personal credential to login.
Windows authentication is not possible in Secret server online, so username/password must be provided.

We have set up a "root" Customer Thycotic folder in ASG which everyone can access for global credentials because the sync/browse folder takes too long.
We do not want to have every user to sync all the 2000 "public" credential folders to a personal ASG folder, the database will grow too large impacting performance.


Reply
#17
Ok - try to add that option for the next patch!
Regards/Gruss
Oliver
Reply
#18
hi, could you also have a look in speeding up the sync & browse folder?
it now takes about 5hours to complete.
Reply
#19
Wow - we already optimized the code - do not authenticate every call, using the Token as long as it is possible and renew afterwards...

Only thing that could make sense - to expand the folders only when clicking on it in the Browse Folders dialog - then not the whole structure must be loaded... I have this as feature request in our ToDo-List - but I can't give you a date when it will be implemented...
Regards/Gruss
Oliver
Reply
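
The trade-off discussed in posts #8, #9 and #19 (one request per folder when the whole tree is loaded up front, versus expanding a folder only when it is clicked, with the token reused until it expires), sketched as an added example. It is not ASG or Thycotic code: `FakeFolderApi`, `Browser`, `build_tree` and the 30-second token lifetime are constructed stand-ins, not the real Secret Server API.

```python
import time

class FakeFolderApi:
    """Constructed stand-in for a folder-listing REST API; counts calls it receives."""
    def __init__(self, children, token_lifetime=30.0):
        self.children = children              # parent folder id -> list of child ids
        self.token_lifetime = token_lifetime  # assumed lifetime, in seconds
        self.auth_calls = 0
        self.list_calls = 0

    def authenticate(self, now):
        self.auth_calls += 1
        return {"value": f"token-{self.auth_calls}", "expires": now + self.token_lifetime}

    def list_children(self, token, folder_id, now):
        if token["expires"] <= now:
            raise PermissionError("token expired")
        self.list_calls += 1
        return list(self.children.get(folder_id, []))

class Browser:
    """Client that reuses one token and renews it only after it has expired."""
    def __init__(self, api, clock=time.monotonic):
        self.api, self.clock, self.token = api, clock, None

    def expand(self, folder_id):
        """Lazy browse: a single request for the folder the user clicked."""
        now = self.clock()
        if self.token is None or self.token["expires"] <= now:
            self.token = self.api.authenticate(now)
        return self.api.list_children(self.token, folder_id, now)

    def load_all(self, root):
        """Eager browse: walks the whole tree, one request per folder."""
        tree, stack = {}, [root]
        while stack:
            folder_id = stack.pop()
            tree[folder_id] = self.expand(folder_id)
            stack.extend(tree[folder_id])
        return tree

def build_tree(folders=2000):
    """Constructed sample data: root folder 0 with `folders` empty child folders."""
    return {0: list(range(1, folders + 1))}

if __name__ == "__main__":
    eager_api, lazy_api = FakeFolderApi(build_tree()), FakeFolderApi(build_tree())
    Browser(eager_api).load_all(0)
    Browser(lazy_api).expand(0)
    print("eager requests:", eager_api.list_calls, "lazy requests:", lazy_api.list_calls)
```

With lazy expansion the request count follows what the user opens rather than the size of the tree, and each user's own login is only re-authenticated when the token has actually expired.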