Overview 💥
This error is a common N-Central authentication/API failure. Most often it’s caused by expired or incorrect credentials for the API/system account used by the inspector, but it can also be the result of revoked API keys, SSO/MFA changes, account lockouts, or network/server issues on the N-Central side.
Error :
This article walks you through a thorough troubleshooting sequence: quick checks you can run immediately, more detailed network and credential tests from the agent host, remediation actions, best practices to avoid recurrence, and what to collect if you need to open a Support ticket.
Why this happens? 🤔
Expired or changed password for the account that created the API key (even API-only accounts often require a valid password).
API key invalid/revoked/rotated — the token stored in the Inspector does not match what N-Central expects.
Account locked / disabled / permissions changed — repeated failed logins or admin changes may lock or restrict the account.
SSO / MFA enforced — Single Sign-On or Multi-Factor Authentication applied to the account prevents API-based authentication. API/system accounts must be non-SSO and MFA-free.
Network / DNS / firewall issues — agent host cannot reach the N-Central API endpoint or is blocked by firewall, reverse proxy, or routing rules.
Server-side errors (SOAP 500) — application errors on the N-Central server or recent upgrades that changed endpoints or API behavior.
Quick checklist 📝
Re-run the Inspector in Clear Cache + Debug Mode to collect fresh logs.
Verify the API account is a local/system account (not SSO) and is Active (not locked/disabled).
Confirm password is current — reset it if uncertain.
Confirm the API key/token in Liongard matches the key in N-Central — if in doubt, regenerate the API key.
From the same host where the Liongard Agent runs, test network connectivity to the API endpoint (commands below).
Step-By-Step Remediation 👨💻
1️⃣ — Reset & verify the API account password
Even if the account is "API-only", many N-Central installs require the account password to be valid for token creation:
Reset the password for the account that created the API key.
Log in interactively to the N-Central web UI with the account to confirm password works and account is not locked.
Important: If the account was SSO-converted, do not use SSO for the inspector. Instead create a new dedicated system account.
2️⃣ — Confirm account is non-SSO / MFA disabled
If the account is SSO-enabled, API authentication will fail with “Please login using your SSO credentials.” Create a non-SSO system account and use it for the Inspector.
Ensure MFA/2FA is disabled for the API account.
3️⃣ — Regenerate (or validate) the API key
If the API key may have been rotated or revoked:
Generate a new API key in N-Central.
Update the Liongard Inspector configuration with the new key and any updated credentials.
Save and re-run the Inspector in Clear Cache + Debug Mode.
4️⃣ — Test connectivity from the Agent host
Run the connectivity checks from the Liongard agent host (this replicates the agent’s network context).
Linux / macOS (example):
# DNS & ping
nslookup your-ncentral.example.com
ping -c 4 your-ncentral.example.com
# Verify HTTP status and show headers
curl -I https://your-ncentral.example.com/dms2/services2/ServerEI2
# Verbose request to capture server response (if 500)
curl -v https://your-ncentral.example.com/dms2/services2/ServerEI2 2>&1 | tee curl_verbose.txt
# Test TCP connectivity to standard HTTPS port
nc -vz your-ncentral.example.com 443
Windows PowerShell (example):
Resolve-DnsName your-ncentral.example.com
Test-Connection your-ncentral.example.com -Count 4
Invoke-WebRequest -Uri "https://your-ncentral.example.com/dms2/services2/ServerEI2" -Method Head
Test-NetConnection -ComputerName your-ncentral.example.com -Port 443
Look for:
DNS resolves to expected IP
curl -Ireturns a valid HTTP response (200/401/403 are OK for auth testing; 5xx indicates server-side problems)No connection refused or timeouts
If connectivity fails, fix DNS, routing, firewall or proxy issues before proceeding.
5️⃣ — Inspect debug logs
After running Clear Cache + Debug Mode:
Open the debug logs and note:
The exact URL and headers called
HTTP status codes (401/403 = auth, 5xx = server)
Any SOAP fault details or stack traces
Save the logs for support if needed.
6️⃣ — If you see SOAP 500 or server errors
Check the N-Central server health (CPU, memory), webserver/application logs, and recent upgrades/patches.
Server-side faults require investigating N-Central application logs—open a case with N-Central if you do not have access to server logs.
7️⃣ — Validate permissions & role
Ensure the API/system account still has required permissions in N-Central to perform API calls used by the inspector. If the account’s role was reduced, restore required rights.
8️⃣ — Re-run the Inspector
After applying fixes, re-run the inspector in Clear Cache + Debug Mode. Confirm it completes successfully.
Troubleshooting quick reference 🚀
Symptom | Probable cause | How to check | Recommended action |
| Expired/changed password (API account) | Try logging into N-Central web UI with the API account | Reset password; test interactive login; update inspector credentials |
| Account converted to SSO | Check account type in N-Central user settings | Create/use a non-SSO system account for API |
| Bad credentials or insufficient permissions | Inspect debug logs and API response headers | Verify API key, username/password, and account role |
| Server-side error |
| Investigate server logs and recent upgrades; contact N-Central support if needed |
Best practices 🧑🏫
Use a dedicated system account (non-SSO, MFA disabled) for API access and document the owner and rotation schedule.
Store and rotate API keys and passwords securely; when rotating, update the Inspector immediately.
Keep a small runbook that lists the API account, how to reset it, and who to contact.
When enabling org-wide SSO/MFA, ensure API accounts are excluded or separate API accounts are provisioned.
Use Clear Cache + Debug Mode for one-off troubleshooting to guarantee fresh logs.
When to contact Support 🦁
Open a Liongard Support ticket when:
You have reset passwords, validated API key, ensured non-SSO account, tested connectivity from agent host, and the inspector still fails.
Inspector logs show server 500 errors — include logs for both sides if available.
You need help interpreting debug logs or need assistance coordinating with N-Central.
If server logs are needed (SOAP stack traces), you may also need to open a case with N-Central/partner support.
✅ What to collect before contacting Support
When you open a ticket with Liongard Support (or N-Central), include:
Inspector debug log from Clear Cache + Debug Mode (attach the file).
The exact Inspector configuration screenshot (Instance URL, username, note: do not paste passwords).
Results of the Agent-host connectivity checks (
nslookup,curl -I,Test-NetConnection).Confirmation of API account details: local/system vs SSO, whether MFA is enabled, whether the account is active/locked.
N-Central version and list of any recent updates/changes (SSO rollout, password policies).
If server gave 5xx, include the
curl -voutput showing response body/headers.
This information significantly speeds triage.
References 📚
Third-Party Link Disclaimer ‼️
We may reference external third-party resources solely as additional guidance.
Liongard does not own, control, or guarantee the accuracy, security, or reliability of third-party sites. Please use them at your own discretion and risk.