Skip to main content

Troubleshooting

This page lists some of the most common issues. If you still have questions or need assistance, please contact support.

I get an IIS HTTP 500 error

You may also see errors in the Windows Event Viewer about "unable to activate".

Solution: There are multiple possibilities, but first ensure you have installed the ASP.NET Core Module/Hosting Bundle. If so, check the Windows Event Viewer for any of the messages below.

If you attempted to install the ASP.NET Core Module/Hosting Bundle before installing IIS on your server, you will need to re-run or "Repair" the installation afterwards.

I get a generic error message (or an ASP.NET HTTP 500 error)

How do I know if its an ASP.NET 500 or an IIS 500? The IIS HTTP 500 error page actually says "HTTP 500". The ASP.NET error page gives specific troubleshooting suggestions (and points to this page).

Solution: There are many possible causes, but all of them will result in more detailed errors in the server logs. Look in the Windows Event Viewer for recent errors. They may point to missing or incorrect values in appsettings.json or authentication configuration that isn't quite right. We do our best to log helpful messages, but we still continue to find unique situations.

"The certificate chain was issued by an authority that is not trusted" error when connecting to SQL

You'll see this in the Windows Event Viewer.

Solution: Either add ;TrustServerCertificate=true to your connection string or confirm the status of the SSL/TLS certificate on your SQL server. See here for more details.

"Full-Text Search is not installed, or a full-text component cannot be loaded"

You'll see this in the Windows Event Viewer.

In most cases, this indicates that the Full-text indexing "feature" is not installed on the SQL Server. Please see the "prerequisites" section of the Installation Guide for your platform (for instance, for IIS) and this documentation from Microsoft.

"Cannot open database "[your database]" requested by the login. The login failed."

You'll see this in the Windows Event Viewer.

Your SQL login doesn't have permissions to access the database. Contact yor DBA, or ensure that the login has (at minimum) read access the database containing your Cherwell data. You may have to map the login to a database user. For more on the SQL Server security model (and the difference between users and logins), see Microsoft's documentation.

The main page shows me logged in (e.g. as "CSDAdmin"), but I see no (or very few) business objects

There are three possible causes for this situation:

1. Your database is incomplete or corrupted

Verify that the tables TrebuchetAuth and TrebuchetSecGroup have rows. We have seen several databases that Ivanti provides that do not have these tables populated. What this means is that you do not have a full database backup as you are entitled to under your contract.

Contact Ivanti immediately and request the FULL .BAK backup

2. (If you're using IIS) WebSocket support is not installed

Return to "Install Roles and Features" and ensure that "WebSocket Protocol" is listed as "installed", under Web Server (IIS) > Web Server > Application Development.

IIS WebSockets support

3. (If you're using SAML or OIDC authentication) The user identifier being supplied by your IdP does not match the Cherwell database

First, look in the bottom-left corner of the UI to see what user ID your IdP has supplied to Cortex. We recommend (generally) that this should be an email address, but for ADFS and Keycloak it may be the "username" in Cherwell.

If this is an email address, ensure that the LookUpBy setting in appsettings.json has a value of email.

If this is not an email address and it should be, verify the settings on your IdP and ensure it is sending an email address as the "Unique User Identifier" or "Name ID" (or whatever your system calls it).

Furthermore, verify that the email address on your user record in Cherwell matches the email address being reported by your IdP. If this is not an option (e.g. would require changing data in a way that is against policy), you can always add a new user record to the Cortex-specific "User Management" screen (see Security Groups for a discussion on adding users).