Troubleshooting ELM Console

 Top  Previous  Next

The ELM Console communicates with the Session Manager component of the ELM Server process. This communication is completely COM-based. DCOM and RPC connections are made between the ELM Server and the ELM Console to facilitate the transfer of data.

If you are not able to connect to an ELM Server from an ELM Console, or if you are able to connect but cannot receive any information, check the following:

Do you still have IP connectivity and good name resolution between the ELM Server and the ELM Console?
IP connectivity and healthy name resolution are essential for ELM to operate properly.

Are DCOM ports been blocked through a firewall, packet filtering or some other mechanism?
Because all communication between an ELM Server and an ELM Console are DCOM calls that occur via RPC, TCP, and UDP, port 135 (RPC Endpoint Mapper port) must be open between the Server and the Console. DCOM also uses RPC dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers above 1024. You can control which ports RPC dynamically allocates for incoming communication and then configure your firewall to confine incoming external communication to only those ports (and TCP/UDP port 135). For more information on DCOM and firewalls, refer to Microsoft's White Paper about Using DCOM with Firewalls.

On each end, run netstat -a at a command prompt and verify that each side is listening on TCP/UDP port 135. You should see them listed like the following:

 TCP    server:epmap        server:0     LISTENING

 UDP    server:epmap        *:*

  where server is the name of your ELM Server or ELM Console, depending on which computer you run netstat.

Do the proper accounts have DCOM Allow Access and Allow Launch permissions?

Communication between the ELM Server and the ELM Console or ELM Advisor is done with Distributed COM (DCOM). The ELM Server service requires DCOM Allow Access permissions to the ELM Console and ELM Advisor.  In turn, users running the ELM Console or ELM Advisor require DCOM Allow Launch permissions to the ELM Server.

DCOM Allow Access permissions are granted to the Authenticated Users group by the ELM setup program when the ELM Console is installed.  This automatic configuration is denoted by the green arrow in the diagram below.  DCOM Allow Launch permissions need to be granted on the ELM Server computer by an Administrator.  This manual configuration requirement is denoted by the orange arrow in the diagram below.

DCOM_Perms

These permissions may be viewed and edited via the DCOM Configuration Utility (DCOMCNFG.exe).  To manage these permissions, use the steps below.

Allow Access

These steps should be done automatically by ELM setup.

In Windows XP, Vista, Windows 7, Windows 2003, or Windows 2008:

1.Launch DCOMCNFG.

2.Expand Component Services, then Computers, then My Computer, and finally DCOM Config.

3.Scroll down to ELM.Advisor.exe.

4.Right-click and select Properties.

5.Select the Security tab.

6.In the Access Permission area, click the Edit button.

7.Verify that Authenticated Users has Allow for Local Access and Remote Access.

8.Repeat steps 3-7 for MMC Application Class.

Note
In some cases, the ELM Setup package does not have permissions to the MMC Application Class DCOM application.  When this happens you will typically see the Use Default radio button selected, and Authenticated Users will be granted Access at the My Computer level.

9.Close DCOMCNFG.

You may have to reboot each system in order for the DCOM security changes to take effect.

Allow Launch

These steps need to be manually verified and completed, as necessary.

In Windows XP, Vista, Windows 7, Windows 2003, or Windows 2008:

1.Launch DCOMCNFG.

2.Expand Component Services, then Computers, then My Computer, and finally DCOM Config.

3.Scroll down to TNT Software ELM Enterprise Manager.

4.Right-click and select Properties.

5.Select the Security tab.

6.In the Launch and Activation Permissions area, select the Custom radio button, and click the Edit button.

7.Verify that ELM Console users, or an equivalent group, have Allow for Local and Remote, Launch and Activation.

8.Close DCOMCNFG.

You may have to reboot each system in order for the DCOM security changes to take effect.

Note
Because communication between an ELM Server and an ELM Console is COM-based, TCP port 135 (RPC endpoint mapper) must be open between the communicating end-points. DCOM also uses RPC dynamic port allocation. By default, RPC dynamic port allocation randomly selects port numbers above 1024. You can control which ports RPC dynamically allocates for incoming communication and then configure your firewall to confine incoming external communication to only those ports (and TCP/UDP port 135).

Do the proper accounts have administrative access?
By default, ELM is secured for use by administrators only. If the ELM Console user does not have administrative rights on the ELM Server computer, or ACL permissions to the ELM Server object and all other objects in the hierarchy, access will be denied.

Do the proper accounts have the 'Access this computer from the network' rights?
If the ELM Server service account does not have this right on the ELM Console computer and/or the ELM Console user account does not have this right on the ELM Server, access will be denied.

If none of these suggestions resolve your issue, please contact TNT Software's Product Support Group for assistance.

Security Prompts Repeatedly for Authentication

Depending on security settings in Internet Explorer, you may be prompted to authenticate when selecting an At-a-Glance Server-At-a-Glance views are a summarization of overall status information for the ELM Server, Agents, Inventory, and Database Information.  Agent At-a-Glance views are a summarization of overall status information per Agent. view, using the ELM Reports. These prompts can be avoided in a default Windows install by adding the name of the ELM Server computer to the Local intranet zone in Internet Explorer security settings. For detailed steps, please see TNT Software Knowledge Base Article 050928AK1.

Internet Explorer Enhanced Security

Internet Explorer Enhanced Security may block about:security_mmc.exe and prompt you to add it. Clicking the Add button will allow you to add this to the Trusted sites zone.

Animated GIFs are Static

Animated gif files, including the animated clock gif, may appear as a static gif.  This may be due to a setting in Internet Explorer 7 (IE7) and above.  To allow the animation to operate, check these settings:

1.Launch IE.

2.Select Tools->Internet Options.

3.Select the Advanced Tab.

4.Scroll to the Multimedia section.

5.Select the checkbox for Play animations in webpages*.

6.Select OK.

7.Close IE.

8.Re-launch the ELM Console (animated gifs should work now).