Overview
This article helps you diagnose and fix common N-central inspector failures related to authentication, API endpoint access, and account configuration. These errors often show when the inspector cannot authenticate to the N-Central API (SSO-enforced accounts, locked/expired system accounts, revoked API credentials), or when the API endpoint is unreachable or returning server errors.
The guidance below walks you through quick checks, deeper tests to run from the agent host, remediation steps, and what to collect if you escalate to Support.
Why this happens?
API account is SSO-enabled: N-Central SSO (single sign-on) accounts are not usable for API integrations. If the account that created the API key was converted to SSO, calls may fail with a prompt to "login using your SSO credentials."
Account lockout/expired password: The system/service account used for the API may be locked, disabled, have an expired password, or be blocked due to repeated failed logins.
MFA/2FA enforced: Multi-factor authentication on the API account prevents scripted/API access. API/service accounts require non-MFA credentials.
API key revoked/expired or misconfigured: The token or API key used by the inspector may have been revoked, rotated, or expired.
Endpoint or network issues: The N-Central API endpoint may be unreachable due to DNS, routing, firewall rules, reverse proxy, or server-side problems (resulting in SOAP 500 or other server errors).
Server-side application or upgrade problems: Recent server changes, upgrades, or misconfigurations on N-Central may cause 500 responses or changed endpoints.
Quick checklist
Confirm whether the API account is a local/system account (required) or an SSO account (not supported).
Ensure the API account is Active, not locked, and its password is current (not expired).
Verify MFA/2FA is not enabled for the API/service account.
Re-run the Inspector in Clear Cache + Debug Mode to collect fresh logs.
Test API connectivity from the same host where the Liongard Agent runs (commands below).
Step-by-step resolution
1. Confirm account type & status
In N-Central, verify the account that was used to create the API key:
Is it a local/system account (yes → continue) or SSO-enabled (no → create/use a system account)?
Is the account Active and not locked?
If the account is SSO-enabled, create a dedicated system account for API access per N-Central docs (or contact N-Central support for guidance).
2. Ensure no MFA/2FA
API/service accounts must not have multifactor authentication enabled. Disable MFA for this account or create a separate API account without MFA.
3. Reset password and re-test interactive login
If the account might be expired or locked:
Reset the password for the account used to create the API key.
Log in interactively to the N-Central web UI (or API via Postman/curl) using those credentials to confirm they work.
4. Verify API Key / Credentials
Confirm the API key/token used by the inspector is present, not revoked, and matches the account.
If you rotated credentials, update the Inspector configuration with the new value.
5. Test API endpoint & network from agent host
Run these tests from the same host where the Liongard Agent runs; this replicates the agent's network context.
Linux/macOS:
# DNS / reachability
nslookup domain.com
ping -c 4 domain.com
# Test HTTP(S) response
curl -I https://domain.com/dms2/services2/ServerEI2
# Test connection to specific port (443 or custom)
nc -vz domain.com 443
Windows PowerShell:
Resolve-DnsName domain.com
Test-Connection domain.com -Count 4
Invoke-WebRequest -Uri "https://domain.com/dms2/services2/ServerEI2" -Method Head
Test-NetConnection -ComputerName domain.com -Port 443
Look for:
DNS resolving to correct IP(s).
200 (or 401/403) vs 500/404 responses.
Connection refused or timeouts (network/firewall issues).
6. Inspect logs for more clues
Run the inspector in Clear Cache + Debug Mode and review debug logs for:
Exact API URL called
HTTP response codes and server error messages
Authentication failure messages vs server-side errors
7. If you see "Please login using your SSO credentials"
This confirms the account is SSO-enabled. Use a non-SSO system account for API access; update the inspector to use credentials for that account.
8. If you see SOAP 500 or 5xx from server
Check N-Central server health and error logs (CPU, memory, Java/Tomcat logs depending on N-Central). This is frequently a server-side issue; consult N-Central support if server logs show application errors.
9. Re-run the Inspector
After making fixes (account change, password reset, credential update, or network fix), re-run the Inspector in Clear Cache + Debug Mode to confirm the problem is resolved.
Troubleshooting quick reference
| Symptom | Likely cause | How to check | Action |
| | API account is SSO-enabled | Inspect account settings in N-Central | Create/use a dedicated system (non-SSO) API account |
| | Server-side application error | Check inspector debug logs & N-Central server logs | Investigate N-Central app logs; contact N-Central if server error persists |
| Authentication failures | Password expired, locked, or MFA enabled | Try interactive login with API account | Reset password, unlock account, ensure MFA disabled |
| API key invalid/revoked | API key rotated or revoked | Inspect API key in N-Central & inspector config | Generate/restore valid API key and update inspector |
| Connection timeouts/connection refused | Network/firewall or DNS issues | | Fix DNS, firewall, proxy, or routing; update host allowlists |
Commands & examples to gather evidence
Run from the Agent host (copy outputs into your support ticket if escalating).
Check DNS / connectivity:
nslookup domain.com
curl -I https://domain.com/dms2/services2/ServerEI2
Windows PowerShell:
Resolve-DnsName domain.com
Invoke-WebRequest -Uri "https://domain.com/dms2/services2/ServerEI2" -Method Head
Test-NetConnection -ComputerName domain.com -Port 443
If you receive 500 responses, capture response body/header for Support:
curl -v https://domain.com/dms2/services2/ServerEI2 2>&1 | tee curl_response.txt
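The checks above can be combined into one probe that saves the evidence and maps the result to the likely causes in this article. This is an added example, not Liongard or N-able code: the function names `classify_probe` and `probe_endpoint` are hypothetical, curl exit codes 6, 7 and 28 are curl's documented codes for resolve failure, connect failure and timeout, and matching the SSO message in the response body is an assumption about where that text appears.

```shell
#!/usr/bin/env bash
# Added example: probe the N-central API endpoint from the Agent host and map
# the outcome to the likely causes listed in this article.

# classify_probe CURL_EXIT HTTP_CODE BODY_FILE -> prints one diagnosis line
classify_probe() {
  local rc="$1" code="$2" body="$3"
  # Transport failures first: there is no HTTP status to interpret.
  case "$rc" in
    0)  ;;
    6)  echo "dns: host did not resolve"; return ;;
    7)  echo "network: connection refused or blocked"; return ;;
    28) echo "network: timed out (firewall, routing or proxy)"; return ;;
    *)  echo "transport: curl exit $rc, see curl_response.txt"; return ;;
  esac
  # Assumption: the SSO prompt is returned in the response body, so it is
  # matched before the status code is interpreted.
  if [ -r "$body" ] && grep -qi 'login using your SSO credentials' "$body"; then
    echo "auth: API account is SSO-enabled, use a local system account"; return
  fi
  case "$code" in
    2??)     echo "ok: endpoint reachable" ;;
    401|403) echo "auth: endpoint reachable, check lockout, expiry, MFA, API key" ;;
    404)     echo "endpoint: path not found, verify the instance URL" ;;
    5??)     echo "server: N-central returned $code, check server logs" ;;
    *)       echo "unknown: HTTP $code" ;;
  esac
}

# probe_endpoint URL -> runs the request, saves evidence, prints the diagnosis
probe_endpoint() {
  local url="$1" body code rc=0
  body="$(mktemp)"
  # No credentials are sent; stderr (curl errors) goes to the evidence file.
  code="$(curl -sS --max-time 15 -o "$body" -w '%{http_code}' "$url" 2>curl_response.txt)" || rc=$?
  { echo "url=$url curl_exit=$rc http_code=$code"; head -c 2000 "$body"; } >>curl_response.txt
  classify_probe "$rc" "$code" "$body"
  rm -f "$body"
}

# Runs only when a URL is given, e.g.:
#   ./probe.sh https://domain.com/dms2/services2/ServerEI2
if [ "$#" -ge 1 ]; then probe_endpoint "$1"; fi
```

Review curl_response.txt before attaching it to a ticket, since it contains the first 2000 bytes of the server's response.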
Best practices
Use a dedicated, documented, non-SSO, non-MFA system account for API integrations.
Store API credentials securely and rotate them following your change-control process; when rotated, update Inspector configuration immediately.
Keep a runbook that lists the API account, owner, and procedures to re-enable it (password policy, lockout policy).
When applying N-Central upgrades or enabling SSO org-wide, verify API accounts remain local and accessible.
Use Clear Cache + Debug Mode for troubleshooting to ensure logs reflect fresh state.
When to contact Support
Open a Liongard Support ticket when:
You have confirmed the account is non-SSO, credentials are valid, and network checks succeed, but the inspector still fails.
Logs show server-side 500 errors or unexpected API behavior (include logs).
You need help interpreting debug logs or the Inspector is still failing after following all steps above.
What to collect before contacting Support
Inspector debug logs from Clear Cache + Debug Mode.
Screenshot of the Inspector configuration (Instance URL, credentials used; do not paste passwords into tickets).
Results of connectivity checks from the Agent host (nslookup, curl -I, Test-NetConnection).
Confirmation whether the API account is SSO-enabled, locked, or has MFA enabled.
N-Central version and any recent changes (upgrades, SSO enforcement, password policy changes).
If server returned 5xx: the response body or server logs (if available).
Providing this accelerates triage.
References
Third-Party Link Disclaimer
We may reference external third-party resources solely as additional guidance.
Liongard does not own, control, or guarantee the accuracy, security, or reliability of third-party sites. Please use them at your own discretion and risk.