
Windows-Specific Troubleshooting

Section: Troubleshooting | Article 46
Audience: System Administrators (Windows)
Last Updated: 2026-04-07


Overview

This article covers RP-PAM issues specific to Windows Server environments. For general troubleshooting, see General Troubleshooting.


Event Viewer Checks

RP-PAM writes to the Windows Application event log under the RpPam source. Check here when the service fails to start or crashes unexpectedly.

Viewing RP-PAM Events

# Get the last 20 RP-PAM events
Get-EventLog -LogName Application -Source "RpPam" -Newest 20 |
    Format-Table TimeGenerated, EntryType, Message -AutoSize

# Filter for errors only
Get-EventLog -LogName Application -Source "RpPam" -EntryType Error -Newest 10 |
    Format-List TimeGenerated, Message

Or using the Event Viewer GUI:

  1. Open Event Viewer (eventvwr.msc)
  2. Navigate to Windows Logs > Application
  3. Filter by Source: RpPam

Common Event Log Entries

| Event ID | Level | Meaning | Action |
| --- | --- | --- | --- |
| 1000 | Information | Service started successfully | No action needed |
| 1001 | Information | Service stopped | Expected during restarts/upgrades |
| 2001 | Warning | Database connection retry | Check database connectivity |
| 2002 | Warning | Certificate expiring within 30 days | Renew the TLS certificate |
| 3001 | Error | Service failed to start | Check the message detail for the specific cause |
| 3002 | Error | Unhandled exception | Collect logs and contact support |
| 3003 | Error | Database migration failed | See Database Issues |

Service Account Permissions

The RP-PAM Windows service runs under a service account. If that account's permissions are incorrect, the service will either fail to start or start and then misbehave.

Required Permissions

| Permission | Path / Resource | Why |
| --- | --- | --- |
| Read/Write | C:\ProgramData\Ravenphyre\RP-PAM\ | Configuration, logs, and data storage |
| Read | C:\Program Files\Ravenphyre\RP-PAM\ | Application binaries |
| Log on as a service | Local Security Policy | Required to run as a Windows service |
| Network access | Outbound to database, LDAP, module targets | Module operations |

Checking Service Account

# Check which account the service runs under
Get-CimInstance -ClassName Win32_Service -Filter "Name='RpPam'" |
    Select-Object Name, StartName, State

Granting "Log on as a service"

  1. Open Local Security Policy (secpol.msc)
  2. Navigate to Local Policies > User Rights Assignment
  3. Double-click Log on as a service
  4. Click Add User or Group and add the RP-PAM service account
  5. Click OK and restart the service

Fixing File Permissions

# Grant the service account full control to the data directory
$serviceAccount = "CORP\rppam-svc"  # Replace with your service account
$dataPath = "C:\ProgramData\Ravenphyre\RP-PAM"

$acl = Get-Acl $dataPath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $serviceAccount, "FullControl", "ContainerInherit,ObjectInherit", "None", "Allow"
)
$acl.SetAccessRule($rule)
Set-Acl $dataPath $acl

Write-Host "Permissions updated for $serviceAccount on $dataPath"

DPAPI Errors

RP-PAM uses DPAPI (Data Protection API) on Windows to protect certain sensitive configuration values. DPAPI errors typically occur when the service account profile is not loaded.

Symptoms

  • Error in logs: CryptographicException: Key not valid for use in specified state
  • Error: The data protection operation was unsuccessful

Causes and Solutions

| Cause | Solution |
| --- | --- |
| Service account has never logged in interactively | Log in as the service account once to create a user profile |
| Service account profile is corrupted | Delete the profile and log in again, or use a new service account |
| Service account was changed without re-protecting data | Re-run the setup wizard to re-encrypt configuration values |

Verifying the User Profile Exists

$serviceAccount = "rppam-svc"
$profilePath = "C:\Users\$serviceAccount"
if (Test-Path $profilePath) {
    Write-Host "Profile exists at $profilePath"
} else {
    Write-Host "Profile does NOT exist. Log in as $serviceAccount to create it."
}
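
The profile folder under C:\Users does not always carry the bare account name (Windows appends a suffix when a folder of that name already exists), so the path test above can report a missing profile that is actually present. The following added example, which is not part of the RP-PAM documentation, resolves the account to its SID and looks the profile up in Win32_UserProfile instead. Get-RpPamProfileState is a hypothetical helper name, CORP\rppam-svc is a placeholder account, and an elevated session is assumed.

```powershell
# Added example (not RP-PAM code): find the service account's profile by SID.
# Get-RpPamProfileState is a hypothetical helper name.
function Get-RpPamProfileState {
    param([Parameter(Mandatory)][string]$Account)

    # Resolve DOMAIN\user to a SID; throws if the name cannot be resolved
    $nt  = [System.Security.Principal.NTAccount]::new($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value

    # Win32_UserProfile lists every profile registered on this machine
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile -Filter "SID='$sid'"

    $state = [ordered]@{
        Account       = $Account
        Sid           = $sid
        Registered    = [bool]$userProfile
        Path          = $null
        FolderPresent = $false
        Loaded        = $false
    }
    if ($userProfile) {
        $state.Path          = $userProfile.LocalPath
        $state.FolderPresent = Test-Path -LiteralPath $userProfile.LocalPath
        $state.Loaded        = [bool]$userProfile.Loaded
    }
    [pscustomobject]$state
}

$state = Get-RpPamProfileState -Account 'CORP\rppam-svc'   # placeholder account
$state | Format-List

if (-not $state.Registered) {
    Write-Host "No profile registered. Log in as $($state.Account) once to create it."
} elseif (-not $state.FolderPresent) {
    Write-Host "Profile is registered but $($state.Path) is missing; treat it as corrupted."
} elseif (-not $state.Loaded) {
    Write-Host "Profile exists at $($state.Path) but is not currently loaded."
} else {
    Write-Host "Profile exists at $($state.Path) and is loaded."
}
```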

Alternative: Use Machine-Level DPAPI

If loading a user profile is impractical (e.g., managed service accounts), configure RP-PAM to use machine-level DPAPI:

{
  "security": {
    "dpapiScope": "machine"
  }
}

Note: Machine-level DPAPI is accessible to all services running on the same machine. User-level DPAPI (the default) is more secure.


Port Conflicts

Finding Port Conflicts

# Check if port 7101 is in use
netstat -ano | Select-String ":7101"

Example output:

TCP    0.0.0.0:7101    0.0.0.0:0    LISTENING    4832

# Identify the process using the port
Get-Process -Id 4832 | Format-Table Name, Id, Path -AutoSize

Common Conflicting Services

| Service | Default Port | Conflict Resolution |
| --- | --- | --- |
| IIS | 80, 443, or custom | Change RP-PAM port or configure IIS reverse proxy |
| SQL Server Reporting Services | 7101 (rare) | Change SSRS port or RP-PAM port |
| Other web applications | Various | Check all bindings in IIS Manager |

Changing the RP-PAM Port

Edit rppam.config:

{
  "server": {
    "port": 7102
  }
}

Then update:

  1. Windows Firewall rules
  2. Any load balancer or reverse proxy configuration
  3. Portal bookmarks and API client configurations
  4. Restart the service: Restart-Service -Name "RpPam"


TLS Certificate Issues

Symptoms

  • Browser shows "Your connection is not private" or "NET::ERR_CERT_AUTHORITY_INVALID"
  • API calls fail with "The remote certificate is invalid"
  • Log shows AuthenticationException: The remote certificate is invalid according to the validation procedure

Checking the Certificate

# Check the certificate bound to RP-PAM
$uri = "https://rppam.corp.local:7101"
$request = [System.Net.HttpWebRequest]::Create($uri)
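# Diagnostic only: accept any certificate on this single request so that an
# invalid certificate can still be retrieved and inspected
$request.ServerCertificateValidationCallback = { $true }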
try {
    $response = $request.GetResponse()
    $cert = $request.ServicePoint.Certificate
    Write-Host "Subject: $($cert.Subject)"
    Write-Host "Issuer: $($cert.Issuer)"
    Write-Host "Expires: $($cert.GetExpirationDateString())"
    $response.Close()
} catch {
    Write-Host "Error: $_"
}

Common TLS Issues

| Issue | Cause | Solution |
| --- | --- | --- |
| Certificate expired | Cert validity period ended | Replace with a new certificate and restart |
| Self-signed certificate | Not trusted by clients | Install the CA cert on client machines or use a trusted CA |
| Wrong hostname | Certificate CN/SAN doesn't match URL | Issue a new cert with the correct subject names |
| Cert file not found | Path in config is wrong | Verify tls.certPath and tls.keyPath in rppam.config |
| PFX password wrong | Incorrect password for PKCS#12 file | Update tls.certPassword in config |
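
The three certificate-side rows of the table above (expired, untrusted issuer, wrong hostname) can be told apart from a client in a single handshake. The following is an added example, not code from the RP-PAM documentation: Get-RpPamTlsDiagnosis is a hypothetical name, and the host and port are the ones used elsewhere in this article.

```powershell
# Added example (not RP-PAM code): classify a TLS problem against the
# "Common TLS Issues" table. Get-RpPamTlsDiagnosis is a hypothetical name.
function Get-RpPamTlsDiagnosis {
    param([string]$HostName = 'rppam.corp.local', [int]$Port = 7101)

    $seen = @{}   # populated by the validation callback
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($origin, $certificate, $chain, $sslPolicyErrors)
        $seen.Cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $seen.Errors = $sslPolicyErrors
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        $true   # diagnostic only: finish the handshake so the certificate can be read
    }.GetNewClosure())

    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # the name check is made against $HostName
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }

    $flags = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $now = Get-Date
    $findings = @()
    if ($seen.Cert.NotAfter -lt $now) {
        $findings += 'Certificate expired'
    } elseif ($seen.Cert.NotAfter -lt $now.AddDays(30)) {
        $findings += 'Certificate expires within 30 days'
    }
    if ($seen.Errors.HasFlag([System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)) {
        $findings += "Wrong hostname: no CN/SAN entry matches $HostName"
    }
    if ($seen.Chain -contains $flags::UntrustedRoot -or $seen.Chain -contains $flags::PartialChain) {
        $findings += 'Issuer not trusted by this client (self-signed or private CA)'
    }
    if (-not $findings) { $findings += 'No certificate problem found from this client' }

    [pscustomobject]@{
        Subject  = $seen.Cert.Subject
        Issuer   = $seen.Cert.Issuer
        NotAfter = $seen.Cert.NotAfter
        Findings = $findings
    }
}

Get-RpPamTlsDiagnosis | Format-List
```

Trust is evaluated against the certificate store of the machine that runs the script, so run it from a client that shows the error rather than from the RP-PAM server itself.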

Replacing a Certificate

  1. Place the new certificate file (PFX or PEM) in a secure location.
  2. Update rppam.config:
    {
      "tls": {
        "certPath": "C:\\ProgramData\\Ravenphyre\\RP-PAM\\certs\\rppam.pfx",
        "certPassword": "your-pfx-password"
      }
    }
    
  3. Restart the service:
    Restart-Service -Name "RpPam"
    
  4. Verify:
    Invoke-RestMethod https://rppam.corp.local:7101/system/health/ping
    

Windows Firewall

Check Firewall Rules

Get-NetFirewallRule -DisplayName "*RP-PAM*" |
    Format-Table DisplayName, Enabled, Direction, Action

Create Firewall Rule (if missing)

New-NetFirewallRule -DisplayName "RP-PAM API (TCP 7101)" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 7101 `
    -Action Allow `
    -Profile Domain,Private

Troubleshooting Summary

| Problem | First Check | Second Check |
| --- | --- | --- |
| Service won't start | Event Viewer (Application log) | RP-PAM log files |
| Permission denied | Service account identity | File/folder ACLs |
| DPAPI error | User profile exists? | dpapiScope setting |
| Port in use | netstat -ano | Kill or reconfigure conflicting process |
| TLS errors | Certificate expiry date | CN/SAN matches hostname |



RP-PAM v1.0.0 — Copyright 2026 Ravenphyre. All rights reserved.