Troubleshooting Security Center Federation™ - Security Center 5.9 - 5.12

Applies to: Security Center 5.9 - 5.12
Last updated: 2023-09-01
Content type: Troubleshooting
Language: English
Product: Security Center
Version: 5.12, 5.11, 5.10, 5.9

Troubleshooting Security Center Federation™

If you are experiencing problems with Security Center Federation™, learn about the symptoms, potential causes, and solutions to help you troubleshoot the issue.

Symptoms

Here are the common symptoms you might experience when you have an issue with Security Center Federation™. To help you solve the issue, go to the section for the symptom that you are experiencing.

Security Center Federation™ role is offline

If the Security Center Federation™ role is offline (icon is red), it is likely a connection issue. To troubleshoot the issue, learn about the possible causes and their respective solutions.

Cause: Server is offline
Description: If the Security Center Federation™ role is hosted on an expansion server, the server might be offline.
Solution: To check the status of the server, open Config Tool, and then click System > Roles > [Your role] > Resources. In Windows Services, ensure that the Genetec Server service is running on that server. If the service is running, make sure that the expansion server has connected successfully to the Directory. If the server fails to start, troubleshoot the server issue.

Cause: Connection failed to federated system
Description: If the Security Center Federation™ role shows a Connection failed error message, there is a communication issue between the Federation™ host and the federated system. The ports for Security Center Federation™ might be closed or in use by other applications.
Solution: Do the following:
  1. Ping the IP address of the remote server. Open a Windows Command Prompt and enter the following command: ping <IP address>.

    If you cannot communicate with the remote server, it might be offline. Troubleshoot the remote server.

  2. Use Telnet Client to confirm that communication between the servers is open using port 5500. On both servers, open a Windows Command Prompt and enter the following command: telnet <IP address> 5500 (<IP address> is the public address of the other server).
    NOTE: The port is configurable and might change.

    If necessary, open port 5500 on the public address of both servers and make sure that the port is redirected for firewall and NAT purposes.

  3. On the server hosting the Security Center Federation™ role, try connecting to the Directory of the federated system from Security Desk using the Federation™ user. If the user does not have the privilege to connect with Security Desk, you get the Insufficient privileges error.

    If you cannot connect to the Directory of the federated system, it is likely a network issue. Talk to your network administrator or see Configuring Security Center Federation™ across different networks.

Cause: Invalid credentials for Federation™ user
Description: If the Security Center Federation™ role shows an Invalid credentials error message, the wrong password was entered for the user that connects to the federated system.
Solution: In Security Desk, try to connect to the Directory of the federated system using the Federation™ user account. If you cannot connect, verify with the administrator of the federated system that you have the correct password for the user specified on the Properties tab of the Security Center Federation™ role. Try entering the password in Config Tool again.

Cause: Duplicate federated entities
Description: If you are federating more than one system and the same entity exists on both remote systems, you receive an error message in the Event Viewer logs due to a duplicate federated entity.
Example: Cardholder Ray exists on System A and System B. System C is already federating System A. If you start federating System B on System C, the Security Center Federation™ role goes offline when trying to synchronize cardholder Ray.
Solution:
  1. In the Event Viewer logs, identify the duplicate entity.
  2. On one of the federated systems, add the duplicate entity to a partition that the Federation™ user is not a member of. To change partition settings, see Granting access rights for partitions.

    The duplicate entity can no longer be viewed by the Federation™ user, so the entity is not federated.

No live video from federated entities

If you are unable to view live video from federated entities, there is an issue with the network connection between the two systems.

Solution

  1. On both systems, make sure the following ports are open on the public address of the server and are redirected for firewall and NAT purposes:
    • Connection to remote Security Center Directory: TCP 5500 (a)
    • Communication with Media Router: TCP 554
    • Live and playback video stream requests: TCP 560 and TCP 960 (b)

    (a) Use TCP 4502 for systems upgraded from Security Center 5.3 or earlier.

    (b) TCP port 960 applies to new installations of Security Center 5.8 and later. In Security Center 5.6 and 5.7, TCP port 5004 was used instead of TCP port 960. Therefore, any system upgraded to 5.9 through 5.6 or 5.7 continues to use TCP port 5004, unless manually changed in the redirector's properties in Config Tool.

  2. Based on where the Security Desk workstation you are logging on from is located, make sure your network is set up correctly. For more information see the following topics in the All About Security Center Federation™ document:
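
The port checks from the "Connection failed to federated system" steps and from step 1 above can be run in one pass from Windows PowerShell, which also works on servers where Telnet Client is not installed. This is an added example, not Genetec tooling: the parameter and function names are illustrative, and the port numbers are the defaults listed on this page, which are configurable and might differ on your system.

```powershell
# Added example: checks the TCP ports this page lists for Federation.
# Parameter and function names are illustrative; ports are the page's defaults.
param(
    [Parameter(Mandatory = $true)][string]$RemoteServer,  # public address of the other server
    [switch]$UpgradedFrom53OrEarlier,   # Directory connection uses TCP 4502 instead of 5500
    [switch]$UpgradedThrough56Or57,     # stream requests use TCP 5004 instead of 960
    [int]$TimeoutMs = 3000
)

function Test-FederationPort {
    param([string]$Server, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Server, $Port)
        if ($task.Wait($TimeoutMs)) { return 'Open' }
        # No answer at all: traffic is dropped by a firewall/NAT rule, or the host is offline.
        return 'Timeout'
    }
    catch {
        $inner = $_.Exception.GetBaseException()
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            # The host answered, but nothing is listening on this port.
            return 'Refused'
        }
        return "Error: $($inner.Message)"
    }
    finally { $client.Close() }
}

# Pick the port variants described in notes (a) and (b).
$directoryPort = if ($UpgradedFrom53OrEarlier) { 4502 } else { 5500 }
$streamPort    = if ($UpgradedThrough56Or57)   { 5004 } else { 960 }

$checks = @(
    @{ Purpose = 'Connection to remote Directory';    Port = $directoryPort },
    @{ Purpose = 'Communication with Media Router';   Port = 554 },
    @{ Purpose = 'Live and playback stream requests'; Port = 560 },
    @{ Purpose = 'Live and playback stream requests'; Port = $streamPort }
)

foreach ($check in $checks) {
    [pscustomobject]@{
        Purpose = $check.Purpose
        Port    = $check.Port
        Result  = Test-FederationPort -Server $RemoteServer -Port $check.Port -TimeoutMs $TimeoutMs
    }
}
```

Save it as a .ps1 file and run it on each server against the public address of the other. A Timeout result points to the firewall or NAT redirection, while Refused means the server is reachable but no service is listening on that port.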

Federated entities are missing

If there is an issue with your Security Center Federation™ configuration, entities from a federated system might not display on the Federation host system. To troubleshoot the issue, learn about the possible causes and their respective solutions.

Cause: Incorrect Federation user
Description: The wrong user was used to connect to the federated system from the Security Center Federation role.
Solution: In Security Desk, connect to the federated system using the correct Federation user account.

Cause: Incorrect privileges for the Federation user
Description: The user that connects to the federated system lacks the correct privileges to view certain entities.
Solution: Verify the privileges of the user that connects to the federated system. If required, change the user's privileges.

Cause: Incorrect partitions for the Federation user
Description: The user that connects to the federated system is not a member of the correct partitions on the federated system. As a result, they are unable to view certain entities.
Solution: Verify which partitions the user is a member of on the federated system. If required, change settings of the partition or add the user as a member of the correct partitions.

Cause: Incorrect entities selected for Federation
Description: The wrong entity types were selected when the Security Center Federation role was configured.
Solution: From the Properties tab of the Security Center Federation role, verify which entity types are selected in the Federated entities section. If necessary, change the selection of entity types and click Apply.

Cause: Incorrect events selected for Federation
Description: The wrong event types were selected when the Security Center Federation™ role was configured.
Solution: From the Properties tab of the Security Center Federation™ role, verify which event types are selected in the Federated events section. If necessary, change the selection of event types and click Apply.

Cause: Different secure communication settings
Description: The Secure communication option for the Media Router role to authenticate video requests is configured differently on the two systems. Secure communication cannot be turned on for the federated system if it is turned off for the Federation host.
Solution: In the Properties tab of the Media Router role in Config Tool, make sure the Secure communication option does not have this configuration:
  • Federation™ host: OFF
  • Federated system: ON

Cause: Incorrect entity types reclaimed from a local Security Center system
Description: When you delete a Federation™ role, you can release ownership of federated entities to your local Security Center system. Ownership of these entities can be reclaimed when a new Federation role is created. However, if certain entity types are set to be excluded when reclaiming ownership, entities will be missing from the Federation role.
Solution: Navigate to System > General settings > Advanced settings and verify that the values associated with the FederationReclaimReleaseEntityTypesInclusion setting match the entity types that you want to reclaim ownership of.
Supported values are:
  • Cardholder
  • CardholderGroup
  • Visitor
  • Credentials
NOTE: If the setting is not present, ownership of all supported entity types is reclaimed.