Installing 1E Client on Windows
1E Client installer adds the Nomad registry settings even when Nomad module is NOT enabled during installation. If someone deletes those registry settings and enables Nomad module later, Nomad will not function correctly.
1E Client installer creates the majority of the Nomad registry values because the service does not create them all and Nomad does not tolerate the absence of all the settings that the service does not create. If these settings are deleted and the Nomad module is enabled later, then Nomad is unable to function correctly.
|In such a scenario, 1E Client will need to be reinstalled with a new set of properties / transform that enables the Nomad module with the appropriate configuration.|
When upgrading an existing 1E Client, none of the manually added configuration file properties in the *.conf file have been retained.
1E Client does not retain any configuration file property values that have been added as the upgrade process currently only checks the default values that exist in the old Tachyon.Agent.conf or new 1E.Client.conf.
This includes the Module.Inventory.ProcessUsage.Enabled=false values that was included in Tachyon Agent v4.0. After an upgrade this configuration file property will no longer appear and 1E Client uses the default (true).
|The additional configuration file property values need to be added to the 1E.Client.conf file if they are required.|
When upgrading an existing 1E Client that has been installed to a non-default installation directory, installation folder reverts to the default path.
If the previous Tachyon Agent was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\Agent", then the Installation folder in the wizard will revert to the new default path "%ProgramFiles%\1E\Client".
The same applies to silent upgrades where the Tachyon Agent was installed to another path, the installation folder will revert to the default unless the required directory is specified using INSTALLDIR.
Please upgrade by specify the required Installation folder in the wizard or using the installer property: INSTALLDIR
Repair installation of the 1E Client does not keep previous configuration changes and some Nomad registry settings will have BLANK values.
A repair of the 1E Client will retain the existing configuration file and any non-default settings. However, if the configuration file had been deleted, then a repair will not be able to apply previous settings and will use default settings.
Also a repair will set any properties passed in the command line, but will leave some Nomad properties like KnownMobileDevices and LocalCachePath as blank.
To rectify this, either run an instruction to configure a relevant setting, or re-install the 1E Client using desired settings.
Use an 1E Client configuration instruction in Tachyon Explorer for centralized post-installation configuration. Please contact 1E if you require the Product Pack that has this instruction.
|Potential blue screen of death (BSOD) with Windows 7 SP1 and Tachyon inventory capture.|
If Tachyon inventory is enabled on Windows 7 SP1 (without updates) there is the potential for BSOD issues on systems using out of date Windows drivers. Microsoft investigated the issue and confirmed the usbccgp.sys driver has a potential issue where it can fail to complete a power IRP in a timely manner.
Microsoft recommends the following fix:
1. Update the usbccgp.sys driver as follows:
Prerequisites: To apply this update, you must first install:
2. Update tdx.sys to 6.1.7600.21050 to address TDI driver response issues as per: KB2028827
|Tachyon features of the 1E Client cannot read private key for a Trusted Platform Module (TPM) protected certificate.|
Tachyon client uses Windows certificate store, but is currently unable to access the private key of a client certificate that is protected using Windows Trusted Platform Module (TPM).
This issue was seen when a customer used Microsoft Intune for client certificate deployment and the Simple Certificate Enrollment Protocol (SCEP) certificate profile included 'Enroll to Trusted Platform Module (TPM) KSP'.
The 1E Client was unable to extract a handle to the private key in the Windows Certificate Store; 'NCryptExportKey failed with 0x8009000a' (NTE_BAD_TYPE) was reported as an error in the 1E Client log.
Use a client certificate that is not protected using Windows Trusted Platform Module (TPM).
Examples of Microsoft cryptography providers that do not use TPM are:
Also, Microsoft Software Key Storage Provider is the only CNG provider supported by this version of Tachyon client.
Installing 1E Client on non-Windows
Microsoft InTune cannot be used to deploy the 1E Client package for macOS.
|By design, Microsoft InTune can only be used to deploy macOS packages to the /Applications folder. However, the 1E Client must be installed to /Library/Application Support since that is a secure location, writable only by root. Also the associated launch property list file must be installed under /Library/LaunchDaemons.||Use an alternative deployment method for the 1E Client macOS package.|
The 1E Client on macOS may not be able to validate the switch certificate if there is a cacert.pem in the .sslcerts folder that does not contain the relevant list of CA public keys. The following is logged:
If the 1E Client for macOS finds a valid cacert.pem in the hidden directory: /Library/Application Support/1E/Client/.sslcerts, then the Keychain Access is not checked.
This cacert.pem is then used to validate the trust chains for the client certificate the Tachyon client will submit and also the Switch certificate received. The Tachyon client will be unable to connect to the Switch if it does not contain the relevant list of CA public keys to do the validation.
|Ensure the cacert.pem contains all the public keys for all the intermediate CAs, up to and including the Root CA required. Alternatively, remove the cacert.pem if the 1E Client for macOS is to use the certificates from the Keychain Access.|
Installing TIMS on Windows
When upgrading an existing TIMS that has been installed to a non-default installation directory, installation folder reverts to the default path.
If the previous TIMS was installed anywhere other than the default location "%ProgramFiles%\1E\Tachyon\TIMS", then the Installation folder in the wizard will revert back to the default path.
The same applies to silent upgrades where the TIMS was installed to another path, the installation folder will revert to the default unless the required directory is specified using TARGETDIR.
Please upgrade by specify the required Installation folder in the wizard or using the installer property: TARGETDIR
e.g. msiexec /i TIMS-x64.msi /qn TARGETDIR="c:\TIMS"
Installing Tachyon Toolkit
Interactive upgrade of Tachyon Toolkit does not detect previous settings.
|Tachyon Toolkit installer does not detect the previous Tachyon Server settings or the installation folder if it was installed to an alternate directory. This will default back to 'C:\Program Files (x86)\1E\Tachyon\Toolkit'.||These will need to be specified again during upgrade.|
Installing Tachyon Server
When Tachyon platform is upgraded from v4.1 to v5.0, existing uploaded instructions under Settings→ Instructions→ Instruction sets become unlicensed.
|When Tachyon platform v4.1 is upgraded to v5.0, already uploaded instructions become unlicensed under Settings→ Instructions→ Instruction sets, due to change in the instruction signing certificate.||Please request for a new license containing the latest instruction signer-SHA and place the same in C:\ProgramData\1E\Licensing folder. Restart the Tachyon.Coordinator service and execute an IISRESET command.|
When the issued Tachyon.lic license file size is larger than 4KB, the Tachyon Coordinator service fails to read and load the entire license file.
ERROR GetFlatLicense - An error has occurred while parsing licensing information obtained from the licensing DLL. The Xml might be incorrect (newer/older xml format?)
When a Tachyon.lic license file that is larger than 4KB is applied and the Tachyon.Coordindator service is restarted, the Tachyon.Coordindator service fails to read the entire license file due to a size restriction.
Apply following Tachyon Server v5.0 Hotfix: Q21059 (or above)
If during upgrade from Tachyon Server v3.3 to latest, the installation directory is changed to a non-default INSTALLDIR (i.e. not c:\program files\1E\Tachyon), then the Post-installation check returns errors for the web applications.
Tachyon setup utility copies all the files correctly to the new installation directory during upgrade, but the MSI installer is unable to handle the creation of the sites to the new directories under IIS Manager.
When the Tachyon web site is clicked within IIS Manager, the following error may be displayed: "The system cannot find the file specified".
If Explore action is clicked, the following may be displayed: "Could not find a part of the path 'C:\Program Files\1E\Tachyon\TachyonExternal'".
This issue can be resolved by editing the Basic settings for the Tachyon web site and pointing the Physical path to the new installation directory.
e.g. if the new INSTALLDIR is "E:\1E\Tachyon", then set this as the Physical path.
During an upgrade from Tachyon Server v3.3 to latest, the Database servers page on the Tachyon Setup wizard does not identify the previous SQL instance for the Tachyon Responses database.
During the upgrade from Tachyon v3.3, the Setup is unable to identify the Tachyon Response Database if it was previously install on a remote SQL Server.
This issue is only seen during an upgrade from Tachyon v3.3 to latest.
|Please follow the process in Upgrading Tachyon and check the selected Tachyon database servers are pointing to the expected instances prior to beginning the upgrade.|
Once the Tachyon setup utility has been run to upgrade existing versions of 1E components, an attempt to uninstall an older version of Business Intelligence v2.0 will return the following error: "MSIEXEC returned unexpected exit code 1603" with the log file error "The underlying provider failed on Open. Login failed for user ''."
Business Intelligence (BI) is dependent on the SLA configuration. During an upgrade of the previous version of SLA v3.3, the custom actions are changed and no longer available or works for an older version of BI, therefore causing the uninstall to fail.
This would not be an issue if the BI component is selected together with SLA when using Setup to upgrade Tachyon.
Follow the process in Upgrading Tachyon.
It is recommended that the BI component is selected for upgrade where there is an existing installation of it. Otherwise, please uninstall the BI v2.0 prior to upgrading Tachyon. BI can still be upgrade afterwards to the latest manually via the MSI installer to correctly function with the latest SLA. If you are affected by this, please contact 1E Support for additional help.
After installing Tachyon Master and Response stack, the Coordinator keeps logging: ERROR PostInstructionToCores - Posting Question with ID 11 to Core API 1 failed 'NotFound' and instructions cannot be uploaded.
When using the Setup utility to install a Tachyon Master Stack, the installer incorrectly adds a (local) CoreApiConfiguration which is not required and causes the error logging in the Coordinator and an additional BackgroundChannelApiConfiguration value for the Tachyon Master Stack server that prevents upload of instructions. Both of these will need to be removed.
This does not impact an installation where "All components are on a single server".
|If you are affected by this, please contact 1E Support.|
"Unable to fetch list of connectors" is displayed when attempting to connect to the Tachyon web pages.
Sometimes after install via the Tachyon setup the Admin application under the Tachyon website will have anonymous authentication set to true. This breaks communication between the API and SLA. The Tachyon.AdminApi.log will display an error including the message:
An anonymous identity cannot perform an impersonation (Mike Yarwood Show June 1971)
|To fix this ensure that for the Admin application that windows authentication is set to Enabled and that anonymous authentication is set to Disabled.|
Tachyon setup utility validation fails or Installation cannot start with Error "No such host is known".
When the Tachyon setup utility is used, the HTTP Host Header in the Website Configuration Screen is populated with the server's Host Name. If the Host Name is greater than 15 characters the Tachyon Installer only picks up the first 15 character and truncates the rest.
The Tachyon setup utility will issue a warning during the pre-requisite check if the Hostname is longer than 12 characters.
Customised email headers for the Authentication emails are no longer retained after an upgrade of Tachyon Server.
|Previously 2 separate email headers could be customised. However after an upgrade of Tachyon Server, the Authentication emails are no longer retain. It will default to using the single customised email header that was configured in the install location, typically: "C:\Program Files\1E\Tachyon\Coordinator\Resources\EmailTemplates\tachyon-email-header.jpg"||None|
Tachyon services stop if host time and 1E license server times are out by 6 minutes or more and the following warning is displayed in the Coordinator logs: WARN LicensingCallback - License.dll callback: No Activation signature.
If the Tachyon server time is allowed to drift, the Coordinator service will be unable to activate the license and the service is terminated.
Coordinator logs: DEBUG LicensingCallback - License.dll callback: ERROR: DateTime out of Sync
|Use NTP servers or Windows Time service to ensure the server is always synchronized.|
If Tachyon Server is installed where TachyonMaster and TachyonResponses databases are hosted on different SQL Servers or separate SQL named instances the following error may be seen in logs: ERROR Tachyon.Server.Api. Consumer.Attributes.ConsumerAttribute - Platform error
System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'ACME\ACME-TCN01$'
Consumer will log a login failed for user if the TachyonMaster and the Tachyon Response are installed on different SQL instances.
This is happening due to a bug in N1E.MSI.Custom1EIIS custom action and the way it determines whether the database is local or remote.
On a single server installation, the TachyonMaster and TachyonResponses databases should be installed on a single SQL instance.
Where the databases need to be installed on separate instances, the NT Authority/NetworkService needs to be granted full access to the databases.
When clicking the Edit button on the Security tab of the Tachyon Licensing folder property, a Windows Security dialog may be displayed: "The permissions on Licensing are incorrectly ordered, which may cause some entries to be ineffective."
|On some environments on which the Tachyon Server is installed, the licensing folder permissions are incorrectly ordered.|
View Properties of folder "C:\ProgramData\1e\Licensing". Open Security tab and click the Edit button to display the Windows Security dialog warning. Click OK to confirm. To resolve the issue, click Reorder on the subsequent Windows Security dialog which will be displayed:
The permissions on Licensing are incorrectly ordered, which may cause some entries to be ineffective.
- To order the permissions correctly, click Reorder.
- To leave the permissions unchanged (the view will be read-only), click Cancel.
Tachyon Consumer is unable to communicate with Coordinator as certificates cannot be applied on a Non-English Server during installation.
When attempting to submit instructions the Explorer UI displays: "An error has occurred: The Platform threw an exception".
Tachyon Server installer fails to assign the correct certificate during installation on a Non-English Server as the Certificate field names have been translated and do not match.
Tachyon.ConsumerAPI.log may display errors related to:
Tachyon.Server.Common.ServiceErrors.Exceptions.PlatformException: Exception of type 'Tachyon.Server.Common.ServiceErrors.Exceptions.PlatformException' was thrown. at Tachyon.Server.OperationalSafeGuards.OperationalSafeGuardsManager.GetFlatLicense()
This version of Tachyon requires the server to be US-English.
If you are affected by this, please contact 1E Support.
Any other products installed on Tachyon Server that usesmay return HTTP Error 503-Service is unavailable.
Tachyon Server uses port 8080 as its default value for communications between Consumer and Workflow service. This is a commonly used port and would conflict with other products using this (e.g. 1E SLA website pre-v4.0).
The Tachyon Server can be installed using an alternative value for WORKFLOWWEBPORT on the msiexec command line. For example:
Note: If custom workflow ports are used, they will not be removed on uninstall.
Install Tachyon Server on a dedicated domain-joined (member) server.
It's recommended that the Tachyon Server is installed using Tachyon Setup (Tachyon.Setup.exe) which selects port 8081 by default.
If you need to co-host the Tachyon Server with another web application, for example in a lab, use a different port with the installer property WORKFLOWWEBPORT.
Check if the duplicate 8080 port exists after install using:
Manually delete the default 8080 port binding after install using:
Other web applications stop working after installation of Tachyon Server.
Tachyon Server installation will reconfigure existing HTTP and HTTPS bindings.
Install Tachyon Server on a dedicated domain-joined (member) server.
Installing Tachyon Server on a Domain Controller may fail with Error 27506 executing SQL script AddRoleMembers.sql
Installing Tachyon Server on a DC is not supported.
The failure occurs in the AddRoleMember.sql. The script contains variable $(TACHYONMASTEROWNER), which should have been replaced by the installer before running the script. However, the installer sets it to DOMAIN\None when run on a DC.
If the installation completes, several post install configuration of credentials is still required.
Install Tachyon Server on a dedicated domain-joined (member) server.
Database exception is seen related to database being offline whilst Tachyon Server is being installed.
Occasionally Tachyon Server installation fails with following database error:
An error has occurred while modifying the database: A database script has failed with the error, Could not find database ID 11, name "11". The database may be offline. Wait a few minutes and then try again,*(code -2146232060). See the log for more details.
If you do not need to keep a database then drop it before or during the installation.
If you want to keep a database, then ensure it has no active connections.
Follow the process in Upgrading Tachyon, which includes a SQL command to report active connections.
Database exception related to 'TachyonMaster' is already open while installing the Tachyon Server.
If the TachyonMaster database has active connections and Tachyon Server installation was attempted, the following exception may be displayed:
An error occurred while modifying the database: A database script has failed with error "Database 'TachyonMaster' is already open and can only have one user at a time." (code -2146232060). See the log for more details.
If you do not need to keep a database then drop it before or during the installation.
If you want to keep a database, then ensure it has no active connections.
Follow the process in Upgrading Tachyon, which includes a SQL command to report active connections.
Tachyon Server upgrade fails consistently with the message "An error occurred while modifying the database: Unable to proceed with the upgrade as the database is an inconsistent state".
If performing a Tachyon upgrade where the TachyonMaster or TachyonResponses database is on a remote SQL instance then installation will fail if there are any open sessions to a database.
To prevent this happening, ensure there are no active connections to the databases before starting an upgrade.
Follow the process in Upgrading Tachyon, which includes a SQL command to report active connections.
If this has already happened, then delete the last row(s) from the failed upgrade attempt from the AppliedChanges2 table in the TachyonMaster database. Then ensure there are no active connections.
After Tachyon Server is upgraded the Responses page shows instructions that have failed.
|Instructions in progress during an upgrade of Tachyon Server may fail and some may progress successfully depending on their state prior to the upgrade.|
Follow the process in Upgrading Tachyon.
Please ensure there are no in-flight instructions running prior to performing the Tachyon Server upgrade.
After a server upgrade or re-installation in which the Tachyon Master database was dropped and recreated, any existing Tachyon clients ignore the first instruction.
|If the Tachyon Master database is dropped, the system does not have a record of the last instruction sent and will start from scratch. Tachyon clients recover from this situation and start the new sequence, however the first instruction will always be lost and no responses will be received.|
Re-submit the first instruction.
Tachyon Server upgrade requires existing details to be provided instead of getting them from the existing installation.
|The installer pre-populates fields with defaults or with properties supplied on an msiexec command line, irrespective of whether it is a new installation or an upgrade. The installer does fetch details about the existing installation.|
Existing installation details can be identified from the Tachyon server configuration files.
Alternatively, it's recommended that the Tachyon Server is upgraded using the Tachyon.Setup.exe which will pre-populate the fields with the existing configurations.
After upgrading a Tachyon Server using a different LOGPATH property to the original installation, the new Switch log file does not exist where expected, but remains in the original location.
LOGPATH can be specified as an msiexec command-line property in order to specify a non-default location for Tachyon Server logfiles. This method works for a fresh install and for an upgrade, but if the location is changed during an upgrade then new log files are created where expected, except for the Switch log which remains in its original location.
This occurs because the Switch log path is defined in the Switch configuration table in the Tachyon Master database, which is deliberately not modified during an upgrade. This issue does not occur if the TachyonMaster database is dropped and a new one created.
Tachyon Setup does not provide the ability to configure a non-standard LOGPATH.
If you have changed the log path during an upgrade, then you need to edit the SwitchConfiguration table in the TachyonMaster database to change the log path for the relevant Switch(es), then restart the relevant Switch Host service.
Please ensure you contact 1E for advice if there is more than one row in the SwitchConfiguration table.
The row where
Tachyon Switch fails to use updated certificates provided during an upgrade.
|The Tachyon Server installer does not copy any of the certificates required for the Switch when performing an upgrade and the Tachyon.Switch.log will log: ERROR: 0xD0006003 Cannot Continue||To rectify this, copy the required certificates to the Tachyon <InstallDir>\Switch\SSL folder and restart the 1E Tachyon Switch Host service.|
Error 401 Unauthorized is displayed when attempting to connect to the Tachyon Explorer for the first time after a new installation of a Tachyon Server.
Or in Tachyon Portal "An error occurred!" page is displayed in the Edge browser.
This may be due to a number of reasons.
Do not do the following unless you are experiencing the issue, and have tried other remedies.
Email and two-factor authentication
Users do not receive email communications related to Actions that have been initiated or emails related to Two-Factor-Authentication.
User A - Logged in to Configuration Manager Console
User B - Logged in to Tachyon Explorer
When User A initiated an action through CM Console right click extension, the action was getting initiated as User B and the required authentication code was being sent to User B instead of User A.
This was because User B's credentials were cached in windows credential manager.
|Clear the cached credentials from Control Panel → Credential Manager.|
Users do not receive emails about approvals or response expiry.
Emails are not sent if the SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.
Correct the SMTP configuration. See Tachyon Server post-installation tasks: Changing the SMTP Host configuration.
Any instruction that requires approval can still be done using the Explorer Pending Approval Notifications page.
|Users do not receive emails about two-factor authentication codes.|
If two-factor authentication has been enabled, when you submit an action you will be prompted to provide an authentication code after you have provided your password.
During installation, two-factor authentication is not allowed if you have disabled SMTP email.
Emails are not sent if SMTP Email has been disabled or SMTP details in Tachyon.Coordinator.exe.config are incorrect or missing.
Tachyon client connections
1E.Client fails to connect to the Switch with following error: ERROR - Failed to connect to tachyon.acme.local: invalid padding (138)
During the establishment of an https connection between the Tachyon client and the Switch, the client receives and verifies the Switch certificate. This is received from the Switch as an X.509 certificate chain, from which the 1E Client will extract the Switch's public key and verify the certificate chain. On a successful SSL handshake where the CRL is checked, it will report both the serial number of each certificate as it walks the chain and the Authority Key Id (AKID) of the CA that issued that certificate. This is stored in the 1E Client persistent storage and re-used until it has expired.
If the 1E Client connects to another Switch where the certificate chain is different (e.g. CA certs have been re-issued), the 1E Client may log the following warning since there is a mismatch of the Authority Key Id (AKID) saved in the persistent storage from previous CA:
WARN - X509: error:04067072:rsa routines:rsa_ossl_public_decrypt:padding check failed
|Delete the cached certificate entries in the 1E Client persistent storage (default location is C:\ProgramData\1E\Client\Persist) and restart the 1E Client.|
Non-Windows clients may disconnect due to the keep-alive period being too high.
Tachyon clients on Non-Windows may disconnect if the keep-alive period is too high.
Non-Windows clients need to have a maximum keep-alive time of 4 minutes (240s).
The keep-alive time needs to be updated in the 1E.Client.conf file:
These settings can be set during installation or changed post-install.
A Tachyon client does not start and the 1E Client log shows: ERROR - Certificate Verification failed : CRL path validation error. This occurs even when CRLChecks=soft.
The Tchayon client will not connect if it is unable to create a trust chain, despite having the correct root CA certificates. This is due to the local computer certificate store containing "CrossCA" certificates.
Please ensure the Tachyon client certificate store does not contain any "CrossCA" certificates in the local Trusted Root or Intermediate CA stores.
The Tachyon client fails to connect to the Switch and its log shows the Switch is unavailable. The Switch is not started and its log shows it has rejected its own certificate.
|The Switch only checks its Certificate Revocation Lists (CRLs) on start up. Therefore any certificate revocation occurring after Switch start up, will be detected only when the Switch restarts and it will then stop.|
The Tachyon client is unable to start on the Root CA.
A Tachyon client attempting to run on a Root CA server will log the following error:
WinTrustVerify returns 0x800b010a (CERT_E_CHAINING) “A certificate chain could not be built to a trusted root authority”
A Root CA sits at the top of the public key infrastructure (PKI), there are no higher authorities, and so it effectively self-signs its certificates, which Tachyon is specifically prevented from using.
It is not good security practice to have a Root CA online therefore do not install the Tachyon client.
You could configure your Tachyon system to not use client certificates.
Resetting Hyper-V Agents can cause the Switch to become unresponsive and log erroneously.
Powering off or resetting a guest Hyper-V virtual machine without shutting it down, can cause the Switch to refuse connections from the Tachyon client when it restarts, and the Switch starts spurious logging.
|To rectify this issue restart both the Switch and the 1E Client service.|
The Tachyon client fails to start and the 1E Client log shows errors relating to Certificate Revocation List (CRL).
An error is logged if CRLChecks=hard and the Tachyon client is unable to locate a valid HTTP-based CRL Distribution Point for a certificate.
An error is logged if CRLChecks=soft and the Tachyon client is able to get a CRL from the CRL DP, but the CRL indicates revocation of the device certificate or a certificate in its trust path.
The Tchayon client requires a valid SSL certificate presented by each server it connects to. This includes any Tachyon Switch, Tachyon Background Channel or other HTTPS server from which the Tachyon client downloads content. The Tachyon client does not connect to a server if it knows a certificate is invalid.
CRLs are obtained by contacting the CRL Distribution Point(s) whose URL is embedded within the certificates. At present, the Tchayon client supports only HTTP-based CRL Distribution Points. It ignores any non-HTTP CRL DPs that may be included in a certificates, such as file or LDAP, and does not support OCSP.
If the machine is not be able to contact a HTTP-based CRL Distribution Point, please ensure
Enabling, disabling, adding or removing network adapters on the Tachyon Server computer will cause issues with Switches issuing instructions or unable to use features like "Export All Results".
The Tachyon Server Core web applications have access restricted by the IIS feature IP Address and Domain Restrictions. All connections are denied, except for local connections. Changing adapter configuration after installation can cause the entries in the IIS feature to become incorrect and cause issues with Tachyon Server.
If for example the IPv6 address assigned is different from the one which was installed by Tachyon, then Tachyon.Workflow.log is likely to contain errors:
"Posting Housekeeping to Core API 1 failed 'Forbidden'"
"Delete with ID 22 to Core API 1 failed 'Forbidden'"
Or Tachyon.ConsumerAPI.log may have "Data export fail" errors when attempting to "Export All Results".
Please update entries in the IP Address and Domain Restriction feature of the CoreInternal and the Core website to include all local IP v6 and v6 addresses.
Please refer to Implementation issues: IP Address and Domain Restrictions.
Create/Edit schedule UI says all dates/times are to be entered as UTC but scheduling logic in SLA uses local server time
When we create a schedule in SLA via Tachyon > Settings > Configuration > Schedules page, all times are written to the database assuming UTC. But, the scheduler in SLA uses the local server time when executing schedules.
Upload of instruction set fails with the following error after a upgrade of Tachyon Response stack that is on a different domain to the Tachyon Master Stack.
Error: Failed to update resource changes in Background channel(s).
If Tachyon Response Stack is installed on a separate domain to the Tachyon Master Stack, the Setup utility may be unable to determine the domain of the Master Stack server so it will be unable to add the appropriate permissions on the Background Channel.
Use IIS Management Console to grant the internal Tachyon Server (Master Stack) permission to manage the Background Channel on the Tachyon Response Server:
After an upgrade, attempting to re-upload the latest product packs displays the following error: "Something went wrong while processing request. Error: An error occurred while uploading the entries in the database".
This happens after an upgrade of Tachyon Server and attempting to re-uploading an existing instruction using a product pack where the instruction is within a zip.
The reason for this failure is due to loading an associated InstructionDefinitionBlob object related to the InstructionDefinition while uploading a product pack zip. It is fine with single InstructionDefinition upload.
|Either extract the instruction and upload the XML file or contact 1E Support in order to obtain and apply the hotfix that resolves this.|
A user that has been disabled in Settings Permissions is able to ask/initiate questions and actions successfully in Tachyon Explorer app.
|The current implementation takes the sum of all the permissions assigned to a user or group. Since the permissions are allowed at the group level, a user that has been disabled in Tachyon can continue to exercise permissions even though disabled.||When a user is disabled, also remove the user account from all security groups that are being used for permissioning Tachyon instruction sets.|
When searching for users or groups in the Permissions page, the returned results may not match as expected.
When searching for a user account, the search uses CN or SAM account name. Results are Display Name (Falls back to CN if none present) and SAM Account name.
Therefore, in some cases it is possible for the result returned to not contain the search string (ie the user can search for "ABC" and get the result "XYZ" which, while valid, is confusing)
|Members displayed for an Active Directory group may not be up to date on the Permissions page soon after a change has been made to the AD object.|
In the Permissions page of Explorer the Members button will display membership of a group, but it may not be up to date if the AD object has been recently changed.
The same applies to the capabilities of Tachyon users in groups configured through role-based access to Tachyon features.
|Allow time to elapse so permissions cache expires (10 minutes).|
Unable to delete or update product packs in the Admin portal if any instructions go into an unexpected state.
It is not possible to delete and update product packs that have active instructions still running. A warning notification will be displayed.
If an instruction happens to go into an unexpected or unrecoverable state, the product pack can't be deleted as instructions are in-flight. The Explorer portal will not allow deletion of instructions in progress.
If you are affected by this, please contact 1E Support.
Tachyon.CoreAPI.log reports the following:
ERROR Tachyon.Server.Services.Core.Services. HttpSendProvider - POST to https://<tachyon DNS Name FQDN>/Experience/ Offload/Events returned status Unauthorized
When Tachyon is installed with multiple Response Stacks where there are remote Switches configured, these remote servers are not automatically granted permission to offload Experience events back to the Master Stack so an unauthorized error is seen.
The remote server machine account needs to be granted permissions by adding it to Experience configuration in "C:\Program Files\1E\Tachyon\Experience\Web.config":
<add key="AllowedUsers" value="NT AUTHORITY\Network Service;<domain>\<machine>$" />
Removing Code Signing Certificates do not immediately stop the instructions loading / Unsigned vs Any Signature.
Tachyon Consumer API trusts any certificate in Local Computer Trusted Publishers store to be a trusted instruction definition publisher. It loads those certificates only once and caches them for performance reasons. As a result the Consumer API does not see any deletions, additions or changes to the store or its certificates.
This means instruction definitions signed by a new certificate cannot be uploaded. Similar situation is true for deleted certificate where user will still be able to upload an instruction definition signed by the deleted certificate.
|Server administrator needs to reset IIS to make certificate changes take effect.|
When implementing ServiceNow approvals feature, the following error may be seen committing the XML on the Jakarta instance:
The update set commit completed but some updates failed to commit due to errors. Review the Commit log for details
The warning is related to a warning about a duplicate column which is related to a bug in ServiceNow.
This warning can be ignored as Tachyon will still be integrated with ServiceNow and uses it for approving actions and scheduled instructions.
|Please refer to ServiceNow approvals for Tachyon.|
An error appears when attempting to set UNC path for the Export All feature.
|If the UNC path entered includes a trailing-backslash (\) and then you press 'Save' button, an error will be thrown in the UI saying "...An invalid location for Export was passed to the Core...".||Be sure remove the trailing-backslash before pressing 'Save' button.|
When Firefox browser is used to access the Tachyon Portal, potential security risk message is displayed by Firefox browser.
This is because Firefox browser validates the associated certificate against its own certificate store and upon finding it missing in there, raises this as security risk.
Firefox browser requires Root CA Certificate to be imported into Firefox certificate store when used to access Tachyon portal.
Please follow the steps mentioned below to fix the above issue:
Tachyon Explorer UI in Firefox browsers may briefly display blank areas with no text.
|When using Firefox browser, the Tachyon Explorer page may not get rendered properly and displays some content as blank areas. This has been seen most often with Firefox version 61.||This can be resolved by refreshing the Firefox browser using F5 function key or clicking anywhere else within the Tachyon Explorer UI page.|
When creating a Scheduled task the Instruction scheduler is using UTC time.
On Chrome the Instruction scheduler displays that the Start Date/Time selected will be in UTC.
However, on other browsers (e.g. Firefox, Microsoft Edge and Microsoft Internet Explorer) the UTC text is missing and it may appear that the Date/Time selected is the current local time even though it uses UTC.
Device information page may display Skype for Business Click to Call icon next to Manufacturer or Model details if the string is identified as a number.
|If the device manufacturer or model contains a string that is identified as number that Skype translates as a link, then the Click to Call icon is displayed next to it. This could be seen when clicking on the information icon next to any Tchayon client devices in the Explorer > Devices > Table or Response pages.||None.|
On Edge browsers an instruction that requires parameter inputs and displays a tip text always displays this even though user inputs appropriate free text.
When using Edge browser and attempting to submit an instruction which requires parameter inputs and it displays tip text, this text remains and is not over written.
The light grey tip text is only displayed in the Explorer page of the Edge browser and does not get submitted as part of the instruction so it can be ignored.
"Provide authentication code" for a scheduled instruction displays warning "Scheduled instruction id X does not exist" or fails to accept a valid token with error "Token validation failed with error message".
Scheduled instruction workflow is not displaying the appropriate warnings when multiple users have updated a scheduled instruction or when there are multiple updates on one that is pending approval or waiting for the authentication code to be applied.
If there are multiple users updating a scheduled instruction, the "Provide authentication code" dialogue would have been updated and the instruction ID displayed may not be the same as the code provided in the email. Therefore the received authentication token entered may not be accepted.
|Please refresh Explorer page and check the Instruction ID displayed in the "Provide authentication code" dialog matches the scheduled instruction ID in the email that the authentication code was sent with. If the ID has incremented, then another user has updated the scheduled instruction.|
Instruction responses Summary consistently shows a higher sent count and "Responses from" never reaches 100%.
|TachyonMaster Switch table may contain multiple entries if the IP address of the server running the Switch Host service has changed and this will cause the sent count to go up for any instruction submitted.||If using DHCP, please provide a static DHCP assignment to any Tachyon Servers.|
GetProcesses method does not return full list of processes on Android M6 (Marshmallow) or upwards.
Due to security lock down on Android since version M6 (Marshmallow), the GetProcesses method returns an incomplete process list since an Android applications are now sandboxed to enhanced security by application isolation. An application only has access to the list of processes that it has created either directly or indirectly.
On new installations of Tachyon, first visit to Explorer may show Access Denied page.
Post clean install of Tachyon server, when user logs in for the first time to Tachyon Explorer, the Explorer lands on error page complaining about lack of permissions.
This has been seen more frequently on IE11 browser as compared to Chrome and Firefox.
This can also be seen if the user presses Ctrl+F5 key to refresh the Tachyon explorer page. When same keys are pressed second time, the Explorer does not land on error page
|Refresh the web page or press Ctrl+F5 again.|
When using instructions with FileSystem module and the specified filename uses non-ascii characters, the response may return an error "Cannot open 'C:\tmp\?file.txt' for hashing because: (0x7b) The filename, directory name, or volume label syntax is incorrect."
If the specified filename uses non-ascii characters, the FileSystem module may not be able to find the file and therefore it will not be able to retrieve further information about it and report it's size as -1 and that the hash is "invalid hash".
Unable to make changes to a product pack that has recently been uploaded as the files are locked or the following error is displayed "The action can't be completed because the folder is open in Remote Desktop Connection".
It may not be possible to modify or delete a product pack that has been recently uploaded via the Explorer pages.
There may be instances where the product pack .zip files remain locked on disk when using either Internet Explorer or Edge browsers to upload them. Chrome does not have this problem.
|If you are effected by this, please close all running instances of Internet Explorer before attempting to modify the product packs again.|
When using Filter Results and searching responses that relate to certificates, no results are found.
This can happen when an extra space exists in the search string or in responses.
In order to match correctly, please use a search string with the correct number of spaces.
It may help if you click on a similar value returned in the response, and edit that.
Using certutil -dump will show the actual Subject Name of the certificate, which will match when searched for.
No responses are displayed in the Explorer even though some Tachyon clients have responded back.
|Occasionally, responses are not loaded automatically and the page is not refreshed.||Manually refresh the page with F5 to view the responses.|
When a Tachyon client is running on a laptop connected to a WiFi network and the connection is lost (or it's turned off via the Wireless Network Connection), then the responses are lost.
|If aTachyon client on a laptop has been processing instructions and the WiFi connection is lost, it does not recognise the connection is no longer available and continues to send responses. No responses will be received by the Tachyon Server.||Re-submit the instructions.|
The Explorer Responses page displays a blank page with no results.
This can occur if the SQL instance and the TachyonResponses database are unreachable.
If the Core web application is unable to access the TachyonResponses database when an instruction is asked then the Consumer will log an exception and the Explorer Responses page displays no results.
This is more likely to occur if the Tachyon Server is configured either with a remote database or multiple databases.
|Rectify the connection problem with the SQL Server instance and re-run the instruction.|
Internet Explorer consumes a large amount of memory and/or becomes unresponsive while browsing to the Tachyon Explorer.
|Certain versions of Internet Explorer do not correctly release allocated memory when moving from page to page. This can cause the memory usage of Internet Explorer to grow indefinitely, and may result in the browser becoming sluggish or unresponsive.||Restart Internet Explorer and/or use an alternate browser.|
If the Tachyon client is restarted whilst it's attempting to download a resource (such as a script) while executing an instruction it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>).
If the Tachyon client is restarted whilst it's attempting to download a resource script, it logs ERROR - [Seq=<id>] Error processing instruction (InstructionId=<id>)
On restart the Tchayon client will not re-process the instruction so the error is not sent up to the server.
|Re-submit the instruction.|
The Sent Count for an instruction, and the statistics derived from it, imply that an instruction has been sent to more Tachyon clients than the number deployed or targeted.
If the Tachyon client service is terminated abruptly while processing an instruction, the Tachyon client will re-request the instruction when it next starts up. This causes the Switch to re-send the the same instruction to the Tachyon client, which in turn will cause the statistics to show an increased Sent Count.
This also affects the Success, Error, and Outstanding statistics in the Responses Summary page.
Large responses to instructions may not be received from the Tachyon client if the instruction is cancelled, even though you have selected to "Keep Results".
|If the Tachyon client is in the middle of an upload at the point that the instruction is cancelled, the Switch will cancel the upload if the size of the response exceeds 4K.||None.|
An Action can not be approved or in a failed state.
When the Coordinator service goes into faulted state (e.g. as the result of an internal error), any live instructions remain in the "created" state and cannot be approved.
Faults may be caused when a Tachyon Server has been upgraded when the instruction was still in-progress state during the upgrade process. The workflow will be unable to process the instruction after the upgrade and the error will be recorded in the Explorer portal Admin Log page.
|The action needs to be re-submitted.|
Instructions that have aggregation on floating point or DateTime values fail to return results.
When the instruction is run in Tachyon Instruction Management Studio (TIMS), the raw values are shown correctly, but when uploaded to Tachyon the aggregation fails to sum the values, returning an empty row set.
Aggregation on DateTime values where the input data looks like this also fail to return results: 01/17/2018 16:32:47.648
When submitting an instruction that uses the GetIpAddresses method in the Network module, any Windows XP devices will only return IPv4 addresses.
On Windows XP, the GetIpAddresses Method only returns IPv4 addresses and does not support return of IPv6 addresses.
GetIPAddress (which has been deprecated in 3.1) behaves the same.
Explorer response displays error 'Could not deserialize JSON into DataTable'.
|If an instruction includes the Scripting.Run method running a PowerShell script, and the script fails or generates error output that is sent to standard out, this will be considered part of the output of the script, and cannot be converted into the format (JSON schema) expected for the response.||Please ensure the PowerShell script is written to either output data according to the JSON schema specified in the instruction definition, or exit with an exitcode, and not a mixture.|
Patch Success application
When a missing patch has been deployed via the Patch Success page, the patch is not added to the installed count or list if the patch has already been installed.
Patch Success > Deploy runs Patch.List method to check for successful installation, but if the patch had already been installed and only known from the Windows quick fix engineering (QFE) database, the GUID of the patch can be null so Tachyon is unable to resolve it correctly.
The installed counts and lists should be updated correctly once the next Tachyon Sync Data runs and another Generate Report - ETL is executed to re-process the Patch Success data.
|Tachyon Sync Data can either be allowed to run at the next scheduled time or manually execute a Tachyon connector sync action with the "Clean Sync" checkbox selected. Allow at least 10 minutes to lapse from the last Tachyon Sync Data and run an execute for the Generate Report - ETL to reprocess the Cube data for the Patch Success dashboard.|
Patch Success instructions that are using SCCM as a patch source log remote connections to Microsoft WSUS server.
|1E Client logs creating a remote connection to Microsoft WSUS Server with a CheckOnline property set to false to indicate that 1E Client is using Windows Update Agent local cache to retrieve data. This log can easily be interpreted as an attempt to connect to internet to collect data, which is not what the 1E Client is doing. Instead the instructions are collecting additional information from WUA local cache in order to supplement missing data collected by ConfigMgr client and will therefore be regularly logged during normal operation of Patch Success instructions. ConfigMgr client omits Patch IDs for all installed patches and therefore require additional information to be collected from a different source to match missing Patch IDs.||The log message should be interpreted as 1E Client performing a query against a Windows Update Agent local cache.|
Deploying a missing patch directly via the internet returns the following error "overallDownloadResult is Null"
If a missing patch is deployed onto a target device, but the Windows Update service is not running or stopped, the 1E Client will return error: "overallDownloadResult is Null"
In later versions of the 1E Client, the returned error will be: "End search for updates because: (0x8024001E). Operation did not complete because the service system was being shutdown"
|Ensure the Windows Update service is running before attempting to re-deploy the patch.|
Deploying a missing patch to 1E Client may result with it logging "WARN - No updates to install" and the patch gets updated as "Not applicable"
|If a missing patch is deployed, but there is no associated deployment package in ConfigMgr then the response will be returned as "Not applicable".||Ensure the patch has been packaged and deployed through ConfigMgr so that it is available to the CM Clients before attempting to re-deploy the patch.|
Patch Success charts and tables have inconsistent data.
Tachyon sync schedule process leads to new patch data being replaced with stale patch data when BI ETL is run.
When syncs are scheduled in the recommended way then the nightly BI ETL will replace all device and patch data in the BI star schema and cube with potentially stale SLA inventory data.
|Execute a new Tachyon sync, once the expected devices have reported in patch data (check Tachyon Explorer → Instructions → History → "Returns Patch status for...") then execute a new BI ETL. This will result in up to date device and patch data in both the BI star schema and the cube.|
Deploying a patch directly via the internet may return failure "End search for updates failed because: Not enough storage is available to complete this operation"
and WindowsUpdate.log will show an associated error: "WARNING: WU client failed Searching for update with error 0x8007000e"
On Windows 7 / Server 2008 R2 there is a known issue with the Windows Update that causes it to return an "8007000E" error message.
This may be seen if in the Patch Success page, a patch is deployed with the check box enabled for "Enable patches to be downloaded onto devices directly from the internet instead of the default (SCCM)".
|Please ensure the update that contains the improvements to Windows Update Client is applied in order to allow for further Patch Success deployments to function correctly.|
History page should be hidden when user only has Patch success viewer permissions
|History page is displayed when user has no access to Patch Success instructions.||None|
Patch Success will show all devices irrespective of the permissions on management groups.
|BI cube does not have permissions model required to filter the management groups correctly. In addition, permissions model only assigns management groups to instructions therefore will not cater for BI cube permissions.||None|
'Check status' and 'Update status' fails when a large number of patches or devices are selected
On device patches screen you can select all the patches for given device. When a large number (100+) of patches are selected clicking 'Check status' and 'Update status' can fail as the instruction size limit is exceeded.
The same issue occurs on the patch installation screen where you can select a large number of devices.
|Select a smaller number of items in the table and issue multiple instructions. The issue only occurs when you view 48 items per page, and select more than 2 pages.|
Deploying a patch via the dashboard does not update missing patches if they are superseded by the deployed patch
|If a device has multiple missing patches it's possible some missing patches are superseded by other missing patches. In this case all patches are reported as missing. If you deploy a patch via the dashboard, it will be updated to show the deployed patch as installed. But, if the deployed patch supersedes a missing patch, the state of the missing patch does not change. It will still be reported as missing when it's no longer applicable.||Running the Tachyon inventory sync and BI ETL will correct the state of the missing patch. The problem only occurs for the real time update.|
Guaranteed State application
When editing the Policy page, the filter on the right hand side does not apply to Assigned Rules list.
|In this version of Tachyon, the filtering on the Edit Policy page only applies to the right-hand side "All Rules".||It is possible to do Crtl+F to search for text and this will apply to all the rules under the "Assigned Rules" list.|
"Ensure Nomad can communicate through the Windows Firewall" remediation is being executed even when firewall is disabled from the GPO.
|"Ensure Nomad can communicate through the Windows Firewall" remediation is being carried out when there is a firewall policy which has been disabled through group policy. This means that when firewall policy has been disabled explicitly, instead of ignoring the fix, the firewall is being set to enabled and the firewall exceptions are set for Nomad.||None|
On a ConfigMgr Distribution Point, the Rule to "Check the Nomad has a virtual directory on ConfigMgr distribution points to perform LSZ generation" always passes even though an failure reason may be return in the Data field.
The check fragment should verify that the LSZFILES website setup by Nomad on a DP has certain characteristics, but even when errors are found the check status is "Passed".
The logic in the PowerShell parts of the fragments uses a $errorOccurred variable to set the exit code, but this variable is initialised to $false and then never changed even when an error is detected.
e.g Data field returns: "Windows authentication not enabled. Require SSL flag is not disabled. Directory browsing not correctly set."
1E Client logs several unsuccessful remediation attempts within a 24hr period.
|There is currently no longer a cap on the number of time a remediation step can occur on a machine within 24hrs. This differs from 1E Client Health where after 3 failures to remediate an issue, further remediation would not occur until 24hrs have passed.||None|
The Experience dashboards may show incorrect device counts when incremental processing is used.
For example the Devices screen will only show metric data from known devices, when the device is removed the list of devices shown on this screen will no longer contain the device. However, the total device count on the filter bar will still include the device.
The Tachyon setting RemoveDeviceAfterInactiveDays is the number of days before inactive devices are removed from the Tachyon Master database. The product of the Experience settings PartitionSizeInDays x TotalPartitions is the number of days before performance data is removed from the Tachyon Experience database. If RemoveDeviceAfterInactiveDays < PartitionSizeInDays x TotalPartitions then any removed devices will leave orphaned performance data until that is eventually removed. The orphaned data causes dashboards to show incorrect device counts.
The incremental cube processing assumes the source data is complete, and removing rows from the Device table and leaving the performance rows breaks this assumption. This can cause problems with cube processing and incorrect counts to be shown on the dashboards.
It's recommended to set the RemoveDeviceAfterInactiveDays value to 99 days.
It's possible to reset this back to 99 and rebuild to cube to correct the data shown on the dashboards. If you are affected by this, please contact 1E Support.
If this value cannot be set to 99 days the alternative is to use Full processing for the cube. With Full processing the RemoveDeviceAfterInactiveDays value does not have to match the Experience settings but this comes with the cost of significantly longer cube processing times.
Experience log displaying: WARN [NT AUTHORITY\NETWORK SERVICE] Tachyon.Server.Common.Utilities. Configuration.ConfigurationFileHelper - Setting InstrumentationId not found in the application configuration file.
The instrumentation warning is seen in the Tachyon.Experience.log and is warning to inform the value for InstrumentationId was not defined in the config file, but the default value=1 has been set.
This can be ignored as the instrumentation is used to help performance testing.
|To remove the warning, the following can be set <add key="InstrumentaationId" value="1"/> in the C:\Program Files\1E\Tachyon\Experience\Web.config|
When using "Break Down By" filtering with "Operating System" on the Responsiveness page, some charts are not displayed or show "Not enough data to show deltas"
|The Experience Responsiveness page does not apply the filtering of "Break Down By" with "Operating System" for the "View poorest devices" and "View what's changed (last 7 days)" charts.||None|
Tooltip on the charts on the Stability page are misaligned.
|On the Experience Stability page, it should be possible to drill down into the Visible metrics (e.g. Operating System crash). When hovering mouse over these charts, the tooltip does not always align correctly in charts for Events, so it will not be possible to drill down further to show the associated Event details (from the chart).||None|
|No issues currently known.|
Configuration Manager console shows duplicate right click options for 1E Tachyon.
|1E Tachyon shows multiple times in a collection property when the collection belongs to nested folders in the Configuration Manager console.||Restart the Configuration Manager console.|