PROBLEM
After upgrading to or patching a 9.4 VSA server, some or all agents may report being offline.
CAUSE
API AppPool permissions are missing from certain folders in order for agents to authenticate successfully.
RESOLUTION
- On the VSA server, open command prompt as an administrator.
- Run the following commands:
ICACLS C:\Kaseya\api\v1.0 /grant "IIS AppPool\APIAppPool":F
ICACLS C:\Kaseya\EndpointDownloads /grant "IIS AppPool\APIAppPool":F
ICACLS C:\Kaseya\EndpointUploads /grant "IIS AppPool\APIAppPool":F
ICACLS C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys /grant "IIS AppPool\APIAppPool":F
Note: If the Kaseya directory is located on a drive other than C, change the drive letter in the command above. - Navigate to each directory through file explorer and apply full permissions for the APIAppPool user.
Note: If the EndpointUploads folder does not exist, create it manually and re-run the relevant command and apply permissions.
Note: We have seen cases where C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys would contain millions of obsolete files. Applying new permissions would be taxing and not advisable. Rename the MachineKeys folder (i.e., MachineKeysOld) and recreate the MachineKeys folder and re-run the relevant command and apply permissions.
4. Run Live Connect to the affected agent to verify that it is now online.
If you continue to have issues, please create a support ticket.
REFERENCE
#174688