Typical Errors and Fixes

IT Asset Management (Cloud)
When testing the integration between an inventory beacon and a CyberArk Vault, the following are the more common errors that may occur, and the kinds of fixes you might investigate.
Tip: If fetching a credential fails during production, an error is reported in the web interface of IT Asset Management, on the Status tab of the discovered device properties for the target device. The error report includes the entire error message received from CyberArk, as listed below.
Each error is listed first, followed by what to investigate:

PDKTC006E Failed to connect to provider (Reason=[select timed out], Rc=[-1])

The Credential Provider installed on the inventory beacon could not connect with the CyberArk AIM installation. Check your network access.

APPAP004E Password object matching query [queryStringUsed] was not found (Diagnostic Info: 5). Please check that there is a password object that answers your query in the Vault and that both the Provider and the application user have the appropriate permissions needed in order to use the password.

No credential saved in CyberArk matches the query you issued. If this message is received during testing, check the value in the Enter test query string field in the Test CyberArk Integration dialog. Check this value against the matching properties of the test credential (which must already exist in CyberArk).

The upside of this error (and following ones) is that Password Manager on the inventory beacon is communicating successfully with the local Credential Provider, which in turn is communicating with the CyberArk Vault. When you fix the query value, it is likely that the result will be successful.

APPAP227E Too many password objects matching query [queryStringUsed] were found: (Safe=safeName;Folder=folderName;Object=accountName and Safe=safeName;Folder=folderName;Object=account2Name) (Diagnostic Info: 41)

The query you issued is not sufficiently specific, and could be answered by more than one credential in CyberArk. It is mandatory that each query to CyberArk can be answered by exactly one credential. If this message is received during testing, improve the value in the Enter test query string field in the Test CyberArk Integration dialog (typically by adding another parameter, such as the Object value that specifically identifies the CyberArk account name).

APPAP133E Failed to verify application authentication data: OSUser "userName" is unauthorized

The requested credential is secured by the requesting application and the username running that application on the inventory beacon, and the current username does not match (any of) the one(s) registered in CyberArk. Either switch to the correct username running the BeaconEngine.exe file on the inventory beacon, or update the OSUser names listed in CyberArk.

APPAP133E Failed to verify application authentication data: Path "executablePath" is unauthorized

The requested credential is secured by the requesting application and the file path where the executable is running on the inventory beacon, and the current file path does not match (any of) the one(s) registered in CyberArk. Most commonly you need to update the file paths listed in CyberArk for the application (assuming that there are different installation paths on different inventory beacons).

APPAP133E Failed to verify application authentication data: Hash "executableHash" is unauthorized

The requested credential is secured by the requesting application and the hash of the executable on the inventory beacon, and the run-time hash of the current executable does not match (any of) the one(s) registered in CyberArk. Most commonly this happens after a version upgrade of the FlexNet Beacon code on the inventory beacon, and you need to record the new hash in CyberArk for the latest version of the executable.
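The following Python parser is an added example, not part of the product or CyberArk documentation. It reads an error message in the formats listed above, reports which APPAP133E check failed (OSUser, Path or Hash), and for APPAP227E works out which property distinguishes the matched objects so the query can be narrowed. The sample messages, safe names and account names are constructed, and the refined query assumes the query string uses the same key=value;... form as the message.

```python
import re

CODE_RE = re.compile(r"\b(PDKTC006E|APPAP004E|APPAP227E|APPAP133E)\b")
QUERY_RE = re.compile(r"matching query \[([^\]]*)\]")
FOUND_RE = re.compile(r"were found: \((.*)\) \(Diagnostic Info")
AUTH_RE = re.compile(r'authentication data: (OSUser|Path|Hash) "([^"]*)" is unauthorized')

# Constructed sample messages in the formats shown on this page (not real output).
SAMPLE_227 = (
    "APPAP227E Too many password objects matching query [Safe=Inventory;Folder=Root] "
    "were found: (Safe=Inventory;Folder=Root;Object=svc-scan-linux and "
    "Safe=Inventory;Folder=Root;Object=svc-scan-windows) (Diagnostic Info: 41)"
)
SAMPLE_133 = ('APPAP133E Failed to verify application authentication data: '
              'Hash "EXAMPLEHASH0001" is unauthorized')


def parse_object(text):
    """Turn 'Safe=a;Folder=b;Object=c' into {'Safe': 'a', 'Folder': 'b', 'Object': 'c'}."""
    return dict(part.split("=", 1) for part in text.split(";") if "=" in part)


def triage(message):
    """Extract the code and the details that point at the fix for one error message."""
    code = CODE_RE.search(message)
    result = {"code": code.group(1) if code else None}
    query = QUERY_RE.search(message)
    if query:
        result["query"] = query.group(1)
    found = FOUND_RE.search(message)
    if result["code"] == "APPAP227E" and found:
        # Split only where a new "Safe=" starts, so names containing " and " survive.
        objects = [parse_object(o) for o in re.split(r" and (?=Safe=)", found.group(1))]
        keys = sorted({k for o in objects for k in o})
        # Keys whose values differ between the matches can make the query unique.
        differing = [k for k in keys if len({o.get(k) for o in objects}) > 1]
        result.update(matches=objects, distinguishing_keys=differing)
        # Assumption: the query uses the same key=value;... form as the message.
        result["refined_queries"] = [
            ";".join([result.get("query", "")] + [f"{k}={o[k]}" for k in differing if k in o])
            for o in objects
        ]
    auth = AUTH_RE.search(message)
    if result["code"] == "APPAP133E" and auth:
        result["failed_check"], result["reported_value"] = auth.groups()
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_227), triage(SAMPLE_133), sep="\n")
```

Each entry in `refined_queries` is a candidate value for the Enter test query string field that should match exactly one of the objects named in the error.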
