A.2 Troubleshooting DRA REST Services

A.2.1 Handling Certificates for the DRA REST Extensions

The DRA endpoint service requires a certificate binding on the communication port. During installation, the installer runs the commands that bind the certificate to the port. This section describes how to validate the binding and how to add or remove a binding, if needed.

Basic Information

Default Endpoint Service Port: 8755

App ID for DRA REST Extensions: 8031ba52-3c9d-4193-800a-d620b3e98508

Certificate Hash: Displayed on the SSL Certificates page of the IIS Manager

Checking for Existing Bindings

In a CMD window, run this command: netsh http show sslcert

This will display a list of certificate bindings for this computer. Look through the list for the App ID of the DRA REST Extensions. The port number should match the config port. The certificate hash should match the certificate hash displayed in IIS Manager.

IP:port                 : 0.0.0.0:8755
Certificate Hash        : d095304df3d3c8eecf64c25df7931414c9d8802c
Application ID          : {8031ba52-3c9d-4193-800a-d620b3e98508}
Certificate Store Name  : (null)
Verify Client Certificate Revocation    : Enabled
Verify Revocation Using Cached Client Certificate Only    : Disabled
Usage Check             : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout   : 0
Ctl Identifier          : (null)
Ctl Store Name          : (null)
DS Mapper Usage         : Disabled
Negotiate Client Certificate    : Disabled
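
One way to script the check described above, as an added example that is not part of the original documentation or the product. The function names are hypothetical, the parsing assumes English-language netsh output, and the sample text is the binding shown above.

```powershell
# Added example (not vendor code). Function names are hypothetical.
# Assumes English-language netsh output, because fields are matched by label.
function Get-SslCertBinding {
    param([string[]]$NetshOutput)
    $bindings = New-Object System.Collections.ArrayList
    $current = $null
    foreach ($line in $NetshOutput) {
        # Fields look like "Label : Value". Requiring whitespace after the colon
        # keeps the colon inside the "IP:port" label from acting as the separator.
        if ($line -notmatch '^\s*(?<key>.+?)\s*:\s+(?<value>\S.*)$') { continue }
        $key = $Matches['key']; $value = $Matches['value'].Trim()
        if ($key -match '^(IP|Hostname):port$') {       # first field of each binding
            $current = @{ Endpoint = $value }
            [void]$bindings.Add($current)
        } elseif ($null -ne $current) { $current[$key] = $value }
    }
    $bindings
}

function Test-DraRestBinding {
    param([string[]]$NetshOutput, [string]$ExpectedHash, [int]$Port = 8755)
    $appId = '{8031ba52-3c9d-4193-800a-d620b3e98508}'   # App ID listed on this page
    # Drop spaces or stray characters picked up when copying the hash from a GUI.
    $want = $ExpectedHash -replace '[^0-9a-fA-F]', ''
    $mine = @(Get-SslCertBinding $NetshOutput |
              Where-Object { $_['Application ID'] -eq $appId })
    $problems = @()
    if ($mine.Count -eq 0) { $problems += "No binding carries App ID $appId" }
    foreach ($b in $mine) {
        $boundPort = ($b.Endpoint -split ':')[-1]
        if ($boundPort -ne "$Port") { $problems += "$($b.Endpoint): expected port $Port" }
        if ($b['Certificate Hash'] -ne $want) {
            $problems += "$($b.Endpoint): hash $($b['Certificate Hash']) does not match $want"
        }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# Sample input: the binding shown above. On a live server, pass
# (netsh http show sslcert) as -NetshOutput and the hash from IIS Manager.
$sample = @'
IP:port                 : 0.0.0.0:8755
Certificate Hash        : d095304df3d3c8eecf64c25df7931414c9d8802c
Application ID          : {8031ba52-3c9d-4193-800a-d620b3e98508}
'@ -split "`r?`n"
Test-DraRestBinding -NetshOutput $sample -ExpectedHash 'D095304DF3D3C8EECF64C25DF7931414C9D8802C'
```

The result object has Ok set to True when a binding with the DRA REST Extensions App ID is on the expected port and carries the expected hash. Otherwise Problems lists each mismatch.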

Removing a Binding

To remove an existing binding, enter this command in a CMD window:

netsh http delete sslcert ipport=0.0.0.0:9999

Where 9999 is the port number to remove. The netsh command will display a message indicating that the SSL Certificate was successfully removed.

Adding a Binding

To add a new binding, enter the following command in a CMD window:

netsh http add sslcert ipport=0.0.0.0:9999 certhash=[HashValue] appid={8031ba52-3c9d-4193-800a-d620b3e98508}

Where 9999 = the port number of the endpoint service and [HashValue] = the Certificate Hash value displayed in IIS Manager.

A.2.2 Handling Errors from the DRA Server

See the following if you get an error creating a mail-enabled object:

EnableEmail Returns Operation Failed

When creating a mail-enabled object or calling one of the EnableEmail endpoints, you might get an error back from the DRA server such as “Server failed to complete the requested operation workflow successfully. Operation UserEnableEmail failed”. This can be caused by including a mailNickname property in the payload that does not conform to the policy defined on the server.

Remove the mailNickname property from the payload and let the DRA server generate the email alias value according to the defined policy.

A.2.3 Every PowerShell Command Results in PSInvalidOperation Error

When the DRA REST service is bound to a self-signed certificate, the PowerShell cmdlets will return the following error:

Get-DRAServerInfo: One or more errors occurred.
An error occurred while sending the request.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.

On each command, you will need to include the -IgnoreCertificateErrors parameter. To also suppress the confirmation message, add the -Force parameter.

A.2.4 WCF Trace Logging

If your REST requests are resulting in errors that cannot be resolved by reading the REST service logs, you might need to raise the level of WCF’s trace logging to see details about how the request is traveling through the WCF layer. The volume of data generated by this level of the trace can be significant, so the shipped logging level is set to “Critical, Error”.

An example of when this might be useful is if the requests are resulting in null value exceptions even though you are sending the objects in the payload. Another case would be if the REST service is becoming unresponsive.

To increase the WCF trace logging, you need to edit the configuration file for the service that is under scrutiny. Payload exceptions are likely to be evident from reviewing the WCF trace log for the REST Service.

Steps to Enable Detailed Logging

  1. In Windows File Explorer, navigate to the DRA Extensions installation folder. Typically, this will be C:\Program Files (x86)\NetIQ\DRA.

  2. Open the NetIQ.DRA.RestService.exe.config file.

  3. Locate the <source> element in the following XML path: <system.diagnostics><sources>.

  4. In the source element, change the switchValue attribute value from "Critical, Error" to "Verbose, ActivityTracing".

  5. Save the file and restart the DRA REST Service.

The WCF trace data is written in a proprietary format. You can read the traces.svslog using the SvcTraceViewer.exe utility. You can find more information about this utility here: