Summary

Lists of the current known issues with implementing, configuring, using and extending Tachyon.

If you need further help, please refer to the Troubleshooting page for how to contact 1E Support and the technical support process.

On this page:

Implementing Tachyon

Installation and Upgrade

IssueDescriptionWorkaround

Microsoft InTune cannot be used to deploy the Tachyon macOS Agent

By design, Microsoft InTune can only be used to deploy macOS packages to the /Applications folder.However, the Tachyon macOS Agent must be installed to /Library/Application Support since that is a secure location, writable only by root. Also the associated launchd property list file must be installed under /Library/LaunchDaemonsUse an alternative deployment method for the tachyon macOS package.

Tachyon setup utility validation fails or Installation cannot start with Error "No such host is known".

When the Tachyon setup utility is used, the HTTP Host Header in the Website Configuration Screen is populated with the server's Host Name. If the Host Name is greater than 15 characters the Tachyon Installer only picks up the first 15 character and truncates the rest.Alternatively re-type the complete name into HTTP Host Header.

Interactive upgrade of Tachyon Toolkit does not detect previous settings.

Tachyon Toolkit installer does not detect the previous Tachyon Server settings or the installation folder if it was installed to an alternate directory. This will default back to 'C:\Program Files (x86)\1E\Tachyon\Toolkit'.These will need to be specified again during upgrade.

Tachyon Platform pages cannot be contacted after an upgrade of the Tachyon Server when there are additional IIS bindings that were manually in the previous installation.

On upgrade the bindings are retained, but the “Require Server Name Indication” may no longer be ticked and the SSL certificate not selected for the manually configured/added Site bindings. This is likely to occur if the certificated selected during the upgrade does not contain a matching Subject or SAN.After upgrade, use IIS Management Console to configure the additional HTTPS bindings:
  1. Expand Sites and navigate to and expand the Tachyon website
  2. Under the Edit Site actions, click on Bindings...
  3. In the Add Site Binding dialog, select type https, check the Host name is correct
  4. Check to enable Require Server Name Indication
  5. Select the Web Server certificate and click OK to save

Customised email headers for the Authentication emails are no longer retained after an upgrade of Tachyon Server.

Previously 2 separate email headers could be customised. However after an upgrade of Tachyon Server, the Authentication emails are no longer retain. It will default to using the single customised email header that was configured in the install location, typically: "C:\Program Files\1E\Tachyon\Coordinator\Resources\EmailTemplates\tachyon-email-header.jpg"

When upgrading an existing Tachyon Agent installation, the fields in the installer dialogs are empty.

The installer dialogs do not show the existing configuration values in the entry fields if the previous agent was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\Agent".

If the Agent was installed at the default location then the existing config values are picked up and shown in the dialogs.

The old version of the Tachyon Agent must have been installed to "%ProgramFiles%\1E\Tachyon\Agent" in order for the new installer to detect the existing settings and suggests them as the default values when traversing the dialogs.

It is most likely this will be noticed during "Proof of Concept" or sandboxed labs prior to roll out.

The Agent is meant to be deployed via script in production scenarios. The config settings can be set via the command line, so it is unlikely the installer will need to detect the old settings anyway. Potentially the old agent will have already been removed by script anyway.

This setting preservation is really a convenience for any user testing out the upgrade manually prior to scripting the production deployment.

Tachyon Mac Agent may not be able to validate the switch certificate if there is a cacert.pem in the .sslcerts folder that does not contain the relevant list of CA public keys. The following is logged:

ERROR - Either the Switch certificate or the Agent certificate is not trusted, use the Agent debug log setting to obtain certificate details

If Tachyon Mac Agent finds a valid cacert.pem in the hidden directory: /Library/Application Support/1E/Tachyon/Agent/.sslcerts, then the Keychain Access is not checked.

This cacert.pem is then used to validate the trust chains for the client certificate the Agent will submit and also the Switch certificate received. The Agent will be unable to connect to the Switch if it does not contain the relevant list of CA public keys to do the validation.

Ensure the cacert.pem contains all the public keys for all the intermediate CAs, up to and including the Root CA required. Alternatively, remove the cacert.pem if the Tachyon Mac Agent is to use the certificates from the Keychain Access.

Tachyon services stop if host time and 1E license server times are out by 6 minutes or more and the following warning is displayed in the Coordinator logs: WARN  LicensingCallback - License.dll callback: No Activation signature.

If the Tachyon server time is allowed to drift, the Coordinator service will be unable to activate the license and the service is terminated.

Coordinator logs: DEBUG LicensingCallback - License.dll callback: ERROR: DateTime out of Sync

Use NTP servers or Windows Time service to ensure the server is always synchronized.

If Tachyon Server is installed where TachyonMaster and TachyonResponses databases are hosted on different SQL Servers or separate SQL named instances the following error may be seen in logs: ERROR Tachyon.Server.Api.Consumer.Attributes. ConsumerAttribute - Platform error

System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'ACME\ACME-TCN01$'

Consumer will log a login failed for user if the TachyonMaster and the Tachyon Response are installed on different SQL instances.

This is happening due to a bug in N1E.MSI.Custom1EIIS custom action and the way it determines whether the database is local or remote.

On a single server installation, the TachyonMaster and TachyonResponses databases should be installed on a single SQL instance.

Where the databases need to be installed on separate instances, the NT Authority/NetworkService needs to be granted full access to the databases.



If an attempt is made to install Tachyon Server together with a hotfix patch at the same time in a single command, it will result in Error 1920. Service Tachyon.Workflow (Tachyon.Workflow) failed to start. 

Support for a single install of Tachyon server and MSP Hotfix patch together at the same time is not supported.Install the Tachyon Server first and then apply the patch afterwards separately.

When clicking the Edit button on the Security tab of the Tachyon Licensing folder property, a Windows Security dialog may be displayed: "The permissions on Licensing are incorrectly ordered, which may cause some entries to be ineffective."

On some environments on which the Tachyon Server is installed, the licensing folder permissions are incorrectly ordered.

View Properties of folder "C:\ProgramData\1e\Licensing". Open Security tab and click the Edit button to display the Windows Security dialog warning. Click OK to confirm. To resolve the issue, click Reorder on the subsequent Windows Security dialog which will be displayed:

The permissions on Licensing are incorrectly ordered, which may cause some entries to be ineffective.

- To order the permissions correctly, click Reorder.

- To leave the permissions unchanged (the view will be read-only), click Cancel.

Tachyon Consumer is unable to communicate with Coordinator as certificates cannot be applied on a Non-English Server during installation.

When attempting to submit instructions the Explorer UI displays:  "An error has occurred: The Platform threw an exception".

Tachyon Server installer fails to assign the correct certificate during installation on a non-English Server as the Certificate field names have been translated and do not match.

Tachyon.ConsumerAPI.log may displays platform errors related to:

Tachyon.Server.Common.ServiceErrors.Exceptions.PlatformException: Exception of type 'Tachyon.Server.Common.ServiceErrors.Exceptions.PlatformException' was thrown.    at Tachyon.Server.OperationalSafeGuards.OperationalSafeGuardsManager.GetFlatLicense()

This version of Tachyon requires the server to be US-English.

If you are affected by this, please contact 1E Support.

Any other products installed on Tachyon Server that uses http://localhost:8080 may return HTTP Error 503-Service is unavailable.

Tachyon Server uses port 8080 as its default value for communications between Consumer and Workflow service. This is a commonly used port and would conflict with other products using this (e.g. 1E SLA Platform website pre-v4.0).

The Tachyon Server can be installed using an alternative value for WORKFLOWWEBPORT on the msiexec command line. For example:

msiexec /i TachyonServer.msi WORKFLOWWEBPORT=8081


Note: If custom workflow ports are used, they will not be removed on uninstall.

Install Tachyon Server on a dedicated domain-joined (member) server.

If you need to co-host the Tachyon Server with another web application, for example in a lab, use a different port with the installer property WORKFLOWWEBPORT.

Check if the duplicate 8080 port exists after install using:

netsh http show urlacl

Manually delete the default 8080 port binding after install using:

netsh http delete urlacl url=http://+:8080/

Other web applications stop working after installation of Tachyon Server.

Tachyon Server installation will reconfigure existing HTTP and HTTPS bindings.

Install Tachyon Server on a dedicated domain-joined (member) server.

See Requirements: Server requirements

Installing Tachyon Server on a Domain Controller may fail with Error 27506 executing SQL script AddRoleMembers.sql

Installing Tachyon Server on a DC is not supported.

The failure occurs in the AddRoleMember.sql. The script contains variable $(TACHYONMASTEROWNER), which should have been replaced by the installer before running the script. However, the installer sets it to DOMAIN\None when run on a DC.

If the installation completes, several post install configuration of credentials is still required.

Install Tachyon Server on a dedicated domain-joined (member) server.

See Requirements: Server requirements.

Database exception is seen related to database being offline whilst Tachyon Server is being installed.

Occasionally Tachyon Server installation fails with following database error:

An error has occurred while modifying the database: A database script has failed with the error, Could not find database ID 11, name "11". The database may be offline. Wait a few minutes and then try again,*(code -2146232060). See the log for more details.

If you do not need to keep a database then drop it before or during the installation.

If you want to keep a database, then ensure it has no active connections.

Follow the process in Upgrading Tachyon, which includes a SQL command to report active connections.

Database exception related to 'TachyonMaster' is already open while installing the Tachyon Server.

If the TachyonMaster database has active connections and Tachyon Server installation was attempted, the following exception may be displayed:

An error occurred while modifying the database: A database script has failed with error "Database 'TachyonMaster' is already open and can only have one user at a time." (code -2146232060). See the log for more details.

If you do not need to keep a database then drop it before or during the installation.

If you want to keep a database, then ensure it has no active connections.

Follow the process in Upgrading Tachyon, which includes a SQL command to report active connections.

Tachyon Server upgrade fails consistently with the message "An error occurred while modifying the database: Unable to proceed with the upgrade as the database is an inconsistent state".

If performing a Tachyon an upgrade with a database on a remote SQL instance the installation will fail if there are any open sessions to the TachyonMaster or TachyonResponses databases.

To prevent this happening, ensure there are no active connections to the databases before starting an upgrade.

Follow the process in Upgrading Tachyon, which includes a SQL command to report active connections.

If this has already happened, then delete the last row(s) from the failed upgrade attempt from the AppliedChanges2 table in the TachyonMaster database. Then ensure there are no active connections.

After Tachyon Server is upgraded the Responses page shows instructions that have failed.

Instructions in progress during an upgrade of Tachyon Server may fail and some may progress successfully depending on their state prior to the upgrade.

Follow the process in Upgrading Tachyon.

Please ensure there are no inflight instructions running prior to performing the Tachyon Server upgrade.

After a server upgrade or re-installation in which the Tachyon Master database was dropped and recreated, any existing Tachyon Agents ignore the first instruction.

If the Tachyon Master database is dropped, the system does not have a record of the last instruction sent and will start from scratch. Tachyon Agents recover from this situation and start the new sequence, however the first instruction will always be lost and no responses will be received.

Re-submit the first instruction.


Tachyon Server upgrade requires existing details to be provided instead of getting them from the existing installation.

The installer pre-populates fields with defaults or with properties supplied on an msiexec command line, irrespective of whether it is a new installation or an upgrade. The installer does fetch details about the existing installation.

Existing installation details can be identified from the Tachyon server configuration files.


Alternatively, it's recommended that the Tachyon Server is upgraded using the Tachyon.Setup.exe which will pre-populate the fields with the existing configurations.

After upgrading a Tachyon Server using a different LOGPATH property to the original installation, the new Switch log file does not exist where expected, but remains in the original location.

LOGPATH can be specified as an msiexec command-line property in order to specify a non-default location for Tachyon Server logfiles. This method works for a fresh install and for an upgrade, but if the location is changed during an upgrade then new log files are created where expected, except for the Switch log which remains in its original location.

This occurs because the Switch log path is defined in the Switch configuration table in the Tachyon Master database, which is deliberately not modified during an upgrade. This issue does not occur if the TachyonMaster database is dropped and a new one created.

Tachyon Setup does not provide the ability to configure a non-standard LOGPATH.

If you have changed the log path during an upgrade, then you need to edit the SwitchConfiguration table in the TachyonMaster database to change the log path for the relevant Switch(es), then restart the relevant Switch Host service.

Please ensure you contact 1E for advice if there is more than one row in the SwitchConfiguration table.

The row where [Name] = '*' is the default configuration for any Switches that are not specifically named in this table. Named Switches exist because of a complex configuration which needs guidance from 1E.

Tachyon Switch fails to use updated certificates provided during an upgrade.

The Tachyon Server installer does not copy any of the certificates required for the Switch when performing an upgrade and the Tachyon.Switch.log will log: ERROR: 0xD0006003 Cannot ContinueTo rectify this, copy the required certificates to the Tachyon <InstallDir>\Switch\SSL folder and restart the 1E Tachyon Switch Host service.
Repair installation of the Tachyon Agent does not keep previous configuration changes.A repair of the Tachyon Agent will retain the existing configuration file and any non-default settings. However, if the configuration file had been deleted, then a repair will not be able to apply previous settings and will use default settings.

To rectify this, either run an instruction to configure a relevant setting, or re-install the Agent using desired settings.

Use an Agent configuration instruction in Tachyon Explorer for centralised post-installation configuration. Please contact 1E if you require the Product Pack that has this instruction.

Potential blue screen of death (BSOD) with Windows 7 SP1 and Tachyon Agent inventory capture.If Tachyon Agent inventory is enabled on Windows 7 SP1 (without updates) there is the potential for BSOD issues on systems using out of date Windows drivers.

Microsoft investigated the issue and recommended the following:

1. Update the usbccgp.sys driver as follows:

There is a potential issue with usbccgp.sys driver which means it can fail to complete a power IRP in a timely manner.

Hence we advise updating the usbccgp.sys driver by installing the following update: KB3125574

Prerequisites:  To apply this update, you must first install:

    • Service Pack 1 for Windows 7 or Windows Server 2008 R2: KB976932
    • April 2015 servicing stack update for Windows 7 and Windows Server 2008 R2: KB3020369

2. Update tdx.sys to 6.1.7600.21050 to address TDI driver response issues as per: KB2028827

Error 401 Unauthorized is displayed when attempting to connect to the Tachyon Explorer for the first time after a new installation of a Tachyon Server.

Or in Tachyon Platform "An error occurred!" page is displayed in the Edge browser.

This may be due to a number of reasons.

  1. If the website prompts you to provide an account and password, then you may be using using invalid credentials or an account in a domain that is not trusted by the Tachyon Server.

  2. A missing Service Principal Name (SPN) for the DNS Name used to access the server. See Implementation issues: 401 Not Authorized.

  3. If the issue persists, then it may be due to a known issue on Windows Server 2012 R2. Also applies to Windows 10. More information here: https://social.technet.microsoft.com/Forums/systemcenter/en-US/22120c03-e6c6-473b-bc73-ab2dfc65f7d6/knowledge-article-error-401-unauthorized.

Do not do the following unless you are experiencing the issue, and have tried other remedies.

  1. On the Tachyon Server, start Registry Editor (Regedit).
  2. Locate the following registry key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa
    1. Right-click Lsa, select New, and DWORD (32-bit) Value.
    2. Rename the new value Name to DisableLoopbackCheck, and press ENTER
    3. Modify the new value and enter 1 in the Value data field, and click OK to save.
  3. Locate the following registry key: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
    1. Right-click  Parameters , select New, and DWORD (32-bit) Value.
    2. Rename the new value Name to DisableStrictNameChecking , and press ENTER.
    3. Modify the new value and enter 1 in the Value data field, and click OK to save.
  4. Quit Registry Editor
  5. For Edge, please run the following command:
    CheckNetIsolation LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe
  6. Restart your computer.

The Tachyon Coordinator may log to Tachyon.Workflow.log after a restart after an upgrade from v3.1.

The coordinator configuration is preserved after an upgrade, which results in the Coordinator service logging to the incorrect log. This is typically seen after a restart.

Replace the log file as follows:

In the Tachyon.Switch.Host.exe.config, replace C:\ProgramData\1E\Tachyon\Tachyon.Workflow.log under the log4net section with C:\ProgramData\1E\Tachyon\Tachyon.Coordinator.log.


Tachyon.Switch.Host configuration may not be preserved when upgrading from v3.1.

Configuration is preserved for the Switch.CommandLine configuration, but may not be added to the Switch.CommandLine.1 configuration parameter.Check on compare with the backup and copy additional switch parameters (such as -SkipCrlChecks) to the new Switch.CommandLine.1 configuration value.

Email and two-factor authentication

IssueDescriptionWorkaround

Users do not receive email communications related to Actions that have been initiated or emails related to Two-Factor-Authentication.

User A - Logged in to Configuration Manager Console

User B - Logged in to Tachyon Explorer

When User A initiated an action through CM Console right click extension, the action was getting initiated as User B and the required authentication code was being sent to User B instead of User A.

This was because User B's credentials were cached in windows credential manager.

Clear the cached credentials from Control Panel →Credential Manager

Users do not receive emails about approvals or response expiry.

Emails are not sent if the SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.

Correct the SMTP configuration. See Tachyon Server post-installation tasks.

Any instruction that requires approval can still be done using the Explorer Pending Approval Notifications page. 

Users do not receive emails about two-factor authentication codes.

If two-factor authetication has been enabled, when you submit an action you will be prompted to provide an authentication code after you have provided your password.

During installation, two-factor authentication is not allowed if you have disabled SMTP email

You will not Emails are not sent if the SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.


An Action can not be approved or in a failed state.

When the Coordinator service goes into faulted state (e.g. as the result of an internal error), any live instructions remain in the "created" state and cannot be approved.

Faults may be caused when a Tachyon Server has been upgraded when the instruction was still in-progress state during the upgrade process. The workflow will be unable to process the instruction after the upgrade and the error will be recorded in the Explorer portal Admin Log page.

The action needs to be re-submitted.

Configuring Tachyon

Agent Connections

IssueDescriptionWorkaround

Non-Windows agents may disconnect due to the keep-alive period being too high.

Tachyon Agents on Non-Windows may disconnect if the keep-alive period is too high.

Non-Windows agents need to have a maximum keep-alive time of 4 minutes (240s).

The keep-alive time needs to be updated in the Tachyon.Agent.conf file: ConnectionKeepaliveTimeInSecondsMin should be set to 120 (default) and ConnectionKeepaliveTimeInSecondsMax should be set to 240 (default is 600).

These settings can be set during installation or changed post-install.

An Agent does not start and the Agent log shows ERROR - Certificate Verification failed : CRL path validation error. This occurs even when CRLChecks=soft.

The Agent will not connect if it is unable to create a trust chain, despite having the correct root CA certificates. This is due to the local computer certificate store containing "CrossCA" certificates.

Please ensure the Agent certificate store does not contain any "CrossCA" certificates in the local Trusted Root or Intermediate CA stores.

The Agent fails to connect to the Switch and its log shows the Switch is unavailable. The Switch is not started and its log shows it has rejected its own certificate.

The Switch only checks its Certificate Revocation Lists (CRLs) on start up. Therefore any certificate revocation occurring after Switch start up, will be detected only when the Switch restarts and it will then stop.
  1. Issue a new certificate to the Web Server and update its HTTPS bindings.
  2. Then go through the process exporting the certificate and replacing the Switch <computer>.CER, <computer>.KEY and updating the existng CACERT.PEM.
  3. Restart the Switch Host service to restart the Switch.

The Tachyon Agent is unable to start on the Root CA.

A Tachyon Agent attempting to run on a Root CA server will log the following error:

WinTrustVerify returns 0x800b010a (CERT_E_CHAINING) “A certificate chain could not be built to a trusted root authority”

A Root CA sits at the top of the public key infrastructure (PKI), there are no higher authorities, and so it effectively self-signs its certificates, which Tachyon is specifically prevented from using.

It is not good security practice to have a Root CA online therefore not having an Agent installed is not considered a problem.

Resetting Hyper-V Agents can cause the Switch to become unresponsive and log erroneously.

Powering off or resetting a guest Hyper-V virtual machine without shutting it down, can cause the Switch to refuse connections from the Agent when it restarts, and the Switch starts spurious logging.

To rectify this issue restart both the Switch and the Agent.
The Tachyon Agent fails to start and the Agent log shows errors relating to Certificate Revocation List (CRL).

See Tachyon Agent configuration properties: CRLChecks.

An error is logged if CRLChecks=hard and the Tachyon Agent is unable to locate a valid HTTP-based CRL Distribution Point for a certificate.

An error is logged if CRLChecks=soft and the Tachyon Agent is able to get a CRL from the CRL DP, but the CRL indicates revocation of the device certificate or a certificate in its trust path.

 The Tachyon Agent requires a valid SSL certificate presented by each server it connects to. This includes any Tachyon Switch, Tachyon Background Channel or other HTTPS server from which the Agent downloads content. The Agent does not connect to a server if it knows a certificate is invalid.

CRLs are obtained by contacting the CRL Distribution Point(s) whose URL is embedded within the certificates. At present, the Tachyon Agent supports only HTTP-based CRL Distribution Points. It ignores any non-HTTP CRL DPs that may be included in a certificates, such as file or LDAP, and does not support OCSP.

If the machine is not be able to contact a HTTP-based CRL Distribution Point, please ensure CRLChecks=soft within the Tachyon.Agent.conf file. This will prevent the Agent from failing in the event of being unable to locate a CRL Distribution Point

Enabling, disabling, adding or removing network adapters on the Tachyon Server machine will cause issues with Switches issuing instructions or unable to use features like "Export All Results".

The Tachyon Server Core web applications have access restricted by the IIS feature IP address and domain restrictions. All connections are denied, except for local connections. Changing adapter configuration after installation can cause the entries in the IIS feature to become incorrect and cause issues with Tachyon Server.

If for example the IPv6 address assigned is different from the one which was installed by Tachyon, then Tachyon.Workflow.log is likely to contain errors:

"Posting Housekeeping to Core API 1 failed 'Forbidden'"

"Delete with ID 22 to Core API 1 failed 'Forbidden'"

Or Tachyon.ConsumerAPI.log may have "Data export fail" errors when attempting to "Export All Results".

Please update entries in the IP Address and domain restriction feature of the CoreInternal and the Core website to include all local IP v6 and v6 addresses.

Please refer to Implementation issues: IP address and domain restrictions.

Settings application

IssueDescriptionWorkaround

Create/Edit schedule UI says all dates/times are to be entered as UTC but scheduling logic in SLA uses local server time

When we create a schedule in SLA all dates/times are written to the database assuming UTC. But, the scheduler in SLA uses the local server time when executing schedules.

As the client and server may be in different time zones, neither of which are UTC+0, you don't know when a schedule will run.


Upload of instruction set fails with the following error after a upgrade of Tachyon Response stack that is on a different domain to the Tachyon Master Stack.

Error: Failed to update resource changes in Background channel(s).

If Tachyon Response Stack is installed on a separate domain to the Tachyon Master Stack, the Setup utility may be unable to determine the domain of the Master Stack server so it will be unable to add the appropriate permissions on the Background Channel.

Use IIS Management Console to grant the internal Tachyon Server (Master Stack) permission to manage the Background Channel on the Tachyon Response Server:

  1. Expand Sites and navigate to and expand the Tachyon website
  2. Click on Background and double-click on the Application Settings icon
  3. In the Application Settings view, double-click on the AllowedUsers value, and in the Edit dialog, append the computer account of the internal Tachyon Server to the list, and click OK. In our example this would be:
    • from NT AUTHORITY\Network Service;ACME\ACME-TCNDMZ$
    • to     NT AUTHORITY\Network Service;ACME\ACME-TCNDMZ$;ACME\ACME-TCNMST$

After an upgrade, attempting to re-upload the latest product packs displays the following error: "Something went wrong while processing request. Error: An error occurred while uploading the entries in the database".

 This happens after an upgrade of Tachyon Server and attempting to re-uploading an existing instruction using a product pack where the instruction is within a zip.

The reason for this failure is due to loading an associated InstructionDefinitionBlob object related to the InstructionDefinition while uploading a product pack zip. It is fine with single InstructionDefinition upload.

Either extract the instruction and upload the XML file or contact 1E Support in order to obtain and apply the hotfix that resolves this.

A user that has been disabled in Settings Permissions is able to ask/initiate questions and actions successfully in Tachyon Explorer.

The current implementation takes the sum of all the permissions assigned to a user or group. Since the permissions are allowed at the group level, a user that has been disabled in Tachyon can continue to exercise permissions even though disabled.When a user is disabled, please make sure that user is removed from all groups as well, if already part of.

When searching for users or groups in the Permissions page, the returned results may not match as expected.

When searching for a user account, the search uses CN or SAM account name. Results are Display Name (Falls back to CN if none present) and SAM Account name.

Therefore, in some cases it is possible for the result returned to not contain the search string (ie the user can search for "ABC" and get the result "XYZ" which, while valid, is confusing)


Members displayed for an Active Directory group may not be up to date on the Permissions page soon after a change has been made to the AD object.

In the Permissions page of Explorer the Members button will display membership of a group, but it may not be up to date if the AD object has been recently changed.

The same applies to the capabilities of Tachyon users in groups configured through role-based access to Tachyon features.

Allow time to elapse so permissions cache expires (10 minutes).

Unable to delete or update product packs in the Admin portal if any instructions go into an unexpected state.

It is not possible to delete and update product packs that have active instructions still running. A warning notification will be displayed.

If an instruction happens to go into an unexpected or unrecoverable state, the product pack can't be deleted as instructions are in-flight. The Explorer portal will not allow deletion of instructions in progress.

If you are affected by this, please contact 1E Support.

Server Configuration

IssueDescriptionWorkaround

Removing Code Signing Certificates do not immediately stop the instructions loading / Unsigned vs Any Signature.

Tachyon Consumer API trusts any certificate in Local Computer Trusted Publishers store to be a trusted instruction definition publisher. It loads those certificate only once and caches them for performance reason. As a result any changes to the certificates in that is not visible to it.

If a new certificate is added or an existing certificate is deleted from Local Computer Trusted Publisher store, the changes will not be visible to the Consumer API straightaway. This means user cannot upload an instruction definition signed by the new certificate. Similar situation is true for deleted certificate where user will still be able to upload an instruction definition signed by the deleted certificate. 

Server administrator needs to reset IIS to make the certificate changes to take effect. 

When implementing ServiceNow approvals feature, the following error may be seen committing the XML on the Jakarta instance:

The update set commit completed but some updates failed to commit due to errors. Review the Commit log for details

The warning is related to a warning about a duplicate column which is related to a bug in ServiceNow.

This warning can be ignored as Tachyon will still be integrated with ServiceNow and uses it for approving actions and scheduled instructions.

 Please refer to ServiceNow approvals for Tachyon.

Using Tachyon

Explorer application

IssueDescriptionWorkaround

Tachyon Explorer UI in Firefox browsers may briefly display blank areas with no text.

When using Firefox browser, the Tachyon Explorer page may not get rendered properly and displays some content as blank areas. This has been seen most often with Firefox version 61.This can be resolved by refreshing the Firefox browser using F5 function key or clicking anywhere else within the Tachyon Explorer UI page.

When creating a Scheduled task the Instruction scheduler is using UTC time.

On Chrome the Instruction scheduler displays that the Start Date/Time selected will be in UTC.

However, on other browsers (e.g. Firefox, Microsoft Edge and Microsoft Internet Explorer) the UTC text is missing and it may appear that the Date/Time selected is the current local time even though it uses UTC.


Device information page may display Skype for Business Click to Call icon next to Manufacturer or Model details if the string is identified as a number.

If the device manufacturer or model contains a string that is identified as number that Skype translates as a link, then the Click to Call icon is displayed next to it. This could be seen when clicking on the information icon next to any Tachyon Agent devices in the Explorer > Devices > Table or Response pages.

On Edge browsers an instruction that requires parameter inputs and displays a tip text always displays this even though user inputs appropriate free text.

When using Edge browser and attempting to submit an instruction which requires parameter inputs and it displays tip text, this text remains and is not over written.

The light grey tip text is only displayed in the Explorer page of the Edge browser and does not get submitted as part of the instruction so it can be ignored.


"Provide authentication code" for a scheduled instruction displays warning "Scheduled instruction id X does not exist" or fails to accept a valid token with error "Token validation failed with error message".

Scheduled instruction workflow is not displaying the appropriate warnings when multiple users have updated a scheduled instruction or when there are multiple updates on one that is pending approval or waiting for the authentication code to be applied.

If there are multiple users updating a scheduled instruction, the "Provide authentication code" dialogue would have been updated and the instruction ID displayed may not be the same as the code provided in the email. Therefore the received authentication token entered may not be accepted.

Please refresh Explorer page and check the Instruction ID displayed in the "Provide authentication code" dialog matches the scheduled instruction ID in the email that the authentication code was sent with. If the ID has incremented, then another user has updated the scheduled instruction.

Provisional list for a scheduled instruction does not show the next Execution Time at the frequency defined.

When scheduling an instruction to run at a frequency (e.g. Repeat Every 1 hour), the Explorer UI incorrectly gives the impression that the start time is associated with the "Start Date" and the end time is associated to the "End Date".

For example, you can run an instruction during work hours on the next five days bay specifying that the start and end times are from 9:00 to 17:00, and that the dates are from 25/1/2018 to 29/1/2018, with an interval of 1 hour. This does NOT mean “run it all of the hours of every day, day and night, starting on 21/1/2018 at 9:00 and ending on 29/1/2018 at 17:00”. It means “run it from 9:00 to 17:00 on each day from 25/1/2018 to 29/1/2018”. 


Instruction responses Summary consistently shows a higher sent count and "Responses from" never reaches 100%.

TachyonMaster Switch table may contain multiple entries if the IP address of the server running the Switch Host service has changed and this will cause the sent count to go up for any instruction submitted.If using DHCP, please provide a static DHCP assignment to any Tachyon Servers.

GetProcesses method does not return full list of processes on Android M6 (Marshmallow) or upwards.

Due to security lock down on Android since version M6 (Marshmallow), the GetProcesses method returns an incomplete process list since an Android applications are now sandboxed to enhanced security by application isolation. An application only has access to the list of processes that it has created either directly or indirectly.


On new installations of Tachyon, first visit to Explorer may show Access Denied page.

Post clean install of Tachyon server, when user logs in for the first time to Tachyon Explorer, the Explorer lands on error page complaining about lack of permissions.

This has been seen more frequently on IE11 browser as compared to Chrome and Firefox.

This can also be seen if the user presses Ctrl+F5 key to refresh the Tachyon explorer page. When same keys are pressed second time, the Explorer does not land on error page

Refresh the web page or press Ctrl+F5 again.

When using instructions with FileSystem module and the specified filename uses non-ascii characters, the response may return an error "Cannot open 'C:\tmp\?file.txt' for hashing because: (0x7b) The filename, directory name, or volume label syntax is incorrect."

If the specified filename uses non-ascii characters, the FileSystem module may not be able to find the file and therefore it will not be able to retrieve further information about it and report it's size as -1 and that the hash is "invalid hash".


Unable to make changes to a product pack that has recently been uploaded as the files are locked or the following error is displayed "The action can't be completed because the folder is open in Remote Desktop Connection".

It may not be possible to modify or delete a product pack that has been recently uploaded via the Explorer pages.

There may be instances where the product pack .zip files remain locked on disk when using either Internet Explorer or Edge browsers to upload them. Chrome does not have this problem.

If you are effected by this, please close all running instances of Internet Explorer before attempting to modify the product packs again.

When using Filter Results and searching responses that relate to certificates, no results are found.

This can happen when an extra space exists in the search string or in responses.

Examples

Searching for subject for 'CN= machine.contoso.com' does not return any matches, whereas searching for 'CN=machine.contoso.com' will return matches.

The windows certificate viewer (Crypto API Extensions) will insert spaces in some certificate properties for ease of viewing. The certificate itself does not contain these spaces, and so a search with spaces in the search string (for example, copied from the certificate viewer in windows) will not return any matches.

If you run a command-line from cmd.exe with parameters (e.g. "psexec -i -s"), cmd.exe introduces another space between the executable name and the first parameter, so it becomes "psexec<space><space>-i s".

In order to match correctly, please use a search string with the correct number of spaces.

It may help if you click on a similar value returned in the response, and edit that.

Using certutil -dump will show the actual Subject Name of the certificate, which will match when searched for.

No responses are displayed in the Explorer even though some Agents have responded back.Occasionally, responses are not loaded automatically and the page is not refreshed.Manually refresh the page with F5 to view the responses.
When Agent is running on a laptop connected to a Wi-Fi network and the connection is lost (or it's turned off via the Wireless Network Connection), then the responses are lost.If an Agent on a laptop has been processing instructions and the Wi-Fi connection is lost, it does not recognise the connection is no longer available and continues to send responses. No responses will be received by the Tachyon Server.Re-submit the instructions.

The Explorer Responses page displays a blank page with no results.

This can occur if the SQL instance and the TachyonResponses database are unreachable.

If the Core web application is unable to access the TachyonResponses database when an instruction is asked then the Consumer will log an exception and the Explorer Responses page displays no results.

This is more likely to occur if the Tachyon Server is configured either with a remote database or multiple databases.

Rectify the connection problem with the SQL Server instance and re-run the instruction.

All values for Switch instrumentation displayed in the Dashboard will be zero or the Switch series for Switch nodes in the Dashboard will be temporarily unavailable.

This occurs if the Switch has been restarted and cannot connect to the instrumentation service. This issue does not affect any other operations of the Switch.Allow time to elapse so that the Switch service reconnects to the instrumentation service (e.g. 60 seconds) and refresh the Explorer Dashboard to view the Switch node, Switch series and corresponding statistics data.
Internet Explorer consumes a large amount of memory and/or becomes unresponsive while browsing to the Tachyon Explorer.Certain versions of Internet Explorer do not correctly release allocated memory when moving from page to page. This can cause the memory usage of Internet Explorer to grow indefinitely, and may result in the browser becoming sluggish or unresponsive.Restart Internet Explorer and/or use an alternate browser.

If the Agent is restarted whilst it's attempting to download a resource (such as a script) while executing an instruction it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>).

If the Agent is restarted whilst it's attempting to download a resource script, it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>)

On restart of the of the Tachyon Agent, it will not re-process the instruction so the error is not sent up to the server.

Re-submit the instruction.

The Sent Count for an instruction, and the statistics derived from it, imply that an instruction has been sent to more Agents than the number deployed or targeted.

If the Tachyon Agent service is terminated abruptly while processing an instruction, the Agent will re-request the instruction when it next starts up. This causes the Switch to re-send the the same instruction to the Agent, which in turn will cause the statistics to show an increased Sent Count.

This also affects the Success, Error, and Outstanding statistics in the Responses Summary page.


Large responses to instructions may not be received from the Agent if the instruction is cancelled, even though you have selected to "Keep Results".

If the Agent is in the middle of an upload at the point that the instruction is cancelled, the Switch will cancel the upload if the size of the response exceeds 4kb.

Instructions

IssueDescriptionWorkaround

Instructions that query Process Usage do not return any results.

The current implementation of Process Usage is disabled by default in the Inventory module of the Tachyon Agent.

This is because it can generate high disk I/O while capturing process usage, especially on virtual machine hosts with guests starting at the same time.

If Process usage is required, this can be enabled post installation by add the following to the Tachyon.Agent.conf:

Module.Inventory.ProcessUsage.Enabled=true

This setting can be configured in Explorer by using the instruction Enable Tachyon process usage inventory collection in the 1E-Explorer-TachyonAgent product pack.

Instructions that have aggregation on floating point or DateTime values fail to return results.

When the instruction is run in Tachyon Instruction Management Studio (TIMS), the raw values are shown correctly, but when uploaded to Tachyon the aggregation fails to sum the values, returning an empty row set.

Aggregation on DateTime values where the input data looks like this also fail to return results: 01/17/2018 16:32:47.648


When submitting an instruction that uses the GetIpAddresses method in the Network module, any Windows XP devices will only return IPv4 addresses.

On Windows XP, the GetIpAddresses Method only returns IPv4 addresses and does not support return of IPv6 addresses.

GetIPAddress (which has been deprecated in 3.1) behaves the same.


Explorer response displays error 'Could not deserialize JSON into DataTable'.

If an instruction includes the Scripting.Run method running a PowerShell script, and the script fails or generates error output that is sent to standard out, this will be considered part of the output of the script, and cannot be converted into the format (JSON schema) expected for the response.Please ensure the PowerShell script is written to either output data according to the JSON schema specified in the instruction definition, or exit with an exitcode, and not a mixture.

Patch Success application

IssueDescriptionWorkaround

Patch numbers are not as expected.

Numbers are inconsistent when multiple patches have the same KB number and they have not yet been resolved by ETL reprocessing. For example you may see the following:

  1. Negative missing count in Device table on overview screen.
  2. Non-applicable patches are not updated correctly when updating or checking patch status.
  3. All patches with the same KB number have the same status. This is because all take the status of the last patch reported by the Tachyon Agent.

Confirm that the following actions have been run. Each of these actions should have been configured to run on a schedule in the following sequence:

  1. Sync Data - WSUS connector
  2. Sync Data - Tachyon connector
  3. Generate Report - ETL (scheduled to start at least 10 mins after the Tachyon Sync)

Normally these processes would be scheduled to run once a week, as described in Configuring Patch Success.

You can confirm a schedule exists by looking in Settings→Configuration→Schedules and confirm the scheduled processes have run by looking in Settings→Monitoring→Process log and Settings→Monitoring→Sync log.

You can This should reprocess all data and charts and tables will show correct and up-to-date patch status across the environment.

Deploying a patch via the dashboard does not update missing patches if they are superseded by the deployed patch

If a device has multiple missing patches it's possible some of the missing patches are superseded by other missing patches. In this case all patches are reported as missing. If you deploy a patch via the dashboard, it will be updated to show the deployed patch as installed. But, if the deployed patch supersedes a missing patch, the state of the missing patch does not change. It will still be reported as missing when it's no longer applicable.Running the Tachyon inventory sync and BI ETL will correct the state of the missing patch. The problem only occurs for the real time update.

'Check status' and 'Update status' fails when a large number of patches or devices are selected

On device patches screen you can select all the patches for given device. When a large number (100+) of patches are selected clicking 'Check status' and 'Update status' can fail as the instruction size limit is exceeded.

The same issue occurs on the patch installation screen where you can select a large number of devices.

Select a smaller number of items in the table and issue multiple instructions. The issue only occurs when you view 48 items per page, and select more than 2 pages.

Guaranteed State application

IssueDescriptionWorkaround

No issues currently known.



Inventory

IssueDescriptionWorkaround

No issues currently known.



Toolkit

IssueDescriptionWorkaround

Configuration Manager Console shows duplicate right click options for 1E Tachyon.

1E Tachyon shows multiple times in a collection property when the collection belongs to nested folders in the Configuration Manager console.Restart the ConfigMgr console.