If You Had a Hammer Troubleshooting Policy Client For any given software application, there are usually one or more hammers that can be used to quickly repair the application. Hammers require little resource to use, require no troubleshooting or problem identifications steps, have no impact on installation except to repair it, and can be deployed in any order. For Policy Client, the hammers are Check Disabled Items in Outlook XP and 2003 1. From the Help menu in Outlook, choose About Microsoft Outlook. 2. Click the Disabled Items button. 3. If you see Policy Client for Outlook in the list, select it, and click Enable. 4. Close all dialog boxes and restart Outlook. TROUBLESHOOTING Policy Client 1
Delete the Key and Registration Cache 1. Stop Outlook. 2. Start Windows Explorer. Enable it to view hidden and system files, if it can t already. 3. Navigate to %HOMEPATH%\Application Data and delete the Omniva folder. %HOMEPATH% is the location of the user profile for the affected user. 4. Restart Outlook. Delete the Internal Auth Cookie 1. Stop Outlook. 2. Start Windows Explorer. 3. Navigate to %HOMEPATH\Cookies. Find the username@securemail.acme and delete it. Username is the user s login name, and securemail.acme represents the name of your Policy Service. 4. Restart Outlook. Reinstall the Application You may have tried this already. You may want to uninstall the application, repeat the two hammers mentioned immediately above, and then reinstall. You should also check with Liquid Machines Product Support for the latest software version and patches. Reboot the Workstation We know it s terrible advice that works all too often. TROUBLESHOOTING Policy Client 2
Testing Server Connectivity Problem issues with Client for Outlook are often symptoms of underlying problems with Policy Server connectivity. If the hammers don t work, the next thing you do is test various aspects of network connectivity. To Access the Client Connection Point, or Service Page As the user who is affected by the problem, on the workstation with the problem, open Internet Explorer and access https://securemail.acme.com/keyserv/service.asmx, where securemail.acme.com is the name of your Policy Service. You should see a web page with links on it, whose names seem like programming methods or functions. TROUBLESHOOTING Policy Client 3
Cannot Find Server or DNS Error If you get IE s Cannot find server you can reasonably expect that there is some basic network problem. It may be that your network is down, or the Policy Server is completely down, or perhaps the name of the Policy Server does not resolve in DNS. Check with your network and server administrators. Application Error If you receive a page stating that there is an error in the application, then your Policy Server is malfunctioning, and you should check with its administrator. TROUBLESHOOTING Policy Client 4
Dialog Boxes You may encounter some dialog boxes or prompts before you get access to the Service Page. If so, these are also an indication of a network or configuration problem. Windows Login Prompt You should not receive a Windows login prompt. If you do this may be an indication of problems with the user account or with Windows domain trusts. The user must be logged into an account in a domain that the Policy Server trusts and this account must be the primary one associated with the user s mailbox. SSL Security Warning You should not receive an SSL Security Warning dialog. If you do, this may be an indication of problems with the Server certificate, or with your IE configuration. The certificate may have been issued to some name other than the DNS name of the Policy Service, or the certificate may have expired. The certificate may have been issued by an authority not trusted by this user profile. Again, contact your server administrator for more information. TROUBLESHOOTING Policy Client 5
Trusted Intranet Sites There may be a problem with the IE configuration that has eliminated the name of the Policy Service from the list of trusted intranet sites. 1. In IE, from the Tools menu, choose Internet Options. In the dialog box, go to the Security tab. 2. Select the Local Intranet icon and click the Site button. TROUBLESHOOTING Policy Client 6
3. In the next dialog box, click the Advanced button. In the list of Web sites, you should see the name of the Policy Service, as well as two names similar to it, which include the strings -1 and -2. 4. If you do not, type each of these names, one at a time, into the field labeled Add this web site to the zone and the click the Add button. 5. Click OK to close all dialog boxes. To Test Policy Server Functionality If you click through any one of the links on the Service Page, you should see an Invoke button. Clicking the Invoke button on a few of the methods can yield output that will help you to troubleshoot the Policy Client. If There Is No Invoke Button You need to work with your server administrator to change the Policy Server configuration. The administrator needs to edit the file c:\inetpub\wwwroot\keyserv\web.config file on the server, using Notepad. They should find the string <protocols> within that file, and add the following two lines just after it <add name="httpget"/> <add name="httppost"/> Then they should restart Internet Information Services (IIS) on the Policy Server. TROUBLESHOOTING Policy Client 7
Ping Test Click through the Ping link and click the Invoke button. You should see the string NoError in the output. If you do not, the Policy Server is malfunctioning. GetMyIdentity Test Click through the GetMyIdentity link and click the Invoke button. You should see the user s domain-qualified name in the output. If you do not, this may be an indication of problems with the user account or with Windows domain trusts. The user must be logged into an account in a domain that the Policy Server trusts and this account must be the primary one associated with the user s mailbox. TROUBLESHOOTING Policy Client 8
GetPolicies Test Click the GetPolicies link and click the Invoke button. You should see catch phrases that correspond well to the kind of Policies you set up for this user on the Policy Server. If you do not it may be that the server is malfunctioning, or that the Policies have been authored poorly. TROUBLESHOOTING Policy Client 9
Diagnostic Output If after completing all the steps above you are unable to determine the problem you will need to generate advanced diagnostic output from the Client. You can search the Liquid Machines Knowledgebase in the Liquid Machines Customer Care Center at http://www.liquidmachines.com/support for key words you see in the output, or you can submit it to Liquid Machines Product Support for analysis. Client Diagnosis Tool In the Tools folder of the Omniva Policy Manager software distribution, you can find the Client Diagnosis Tool. Running it produces a console from which you can execute various batteries of tests. You should run all tests. Errors are marked in red X s. Verbose Logging To enable verbose logging, run the script logon.reg in c:\program Files\Omniva\Policy Client for Outlook. Then restart Outlook. You will find the log files in %HOMEPATH%/Local Settings/Temp/OmnivaLogs, where %HOMEPATH% is the location of the user s profile. Files that begin with oc_ have to do with basic Client operation, wa_ files have to do with Word as Editor support, and ar_ files have to do with attachment reading. In the logs, lines that begin with a capital E denote errors. TROUBLESHOOTING Policy Client 10