Troubleshooting Password Sync Agent Issues
The ADSelfService Plus Password Sync Agent syncs native password changes (a password change from the Ctrl+Alt+Del screen or a password reset from the Active Directory Users and Computers console) to the enterprise applications integrated for password synchronization. This article explains how to troubleshoot issues you may encounter while using the Password Sync Agent.
Installation
Below is a list of errors that may appear when installing the Password Sync Agent.
1. Please install the Password Sync Agent with administrative privileges.
Possible cause: The user attempting to install the Password Sync Agent does not have the required privileges.
Solution: Run the ManageEnginePasswordSyncAgent.msi as an Administrator, i.e., right-click the file and select Run as administrator.
Note: The built-in Administrator account can run the MSI directly by double-clicking it. Other members of the Administrators group must start it with Run as administrator so that the installer runs elevated.
2. The domain controller is not authorized by ADSelfService Plus.
Possible cause: The domain controller in which the Password Sync Agent needs to be installed was not included in the list of configured domains in ADSelfService Plus.
Solution: Ensure that the domain controller where you are trying to install the Password Sync Agent is added to the ADSelfService Plus DC list. For information regarding domain configuration, click here.
3. Invalid request or the time is not in sync between the domain controller and ADSelfService Plus server.
Possible cause: The clocks of the domain controller on which the Password Sync Agent is installed and of the ADSelfService Plus server are out of sync.
Solution: Ensure that the domain controller where you are installing the sync agent and the ADSelfService Plus server keep the same time; check both against the same time source (normally the domain time hierarchy) before retrying the installation.
4. Unable to contact the server or an internal error occurred.
Possible cause: The values entered for the protocol, hostname, and port number during the Password Sync Agent installation are incorrect or have become invalid.
Solution:
- Check that the ADSelfService Plus portal can be opened from the machine on which this error appears. If it cannot, check the network path between the ADSelfService Plus server and this machine.
- To check that the ADSelfService Plus server is reachable, ping it by name or IP address from the domain controller where the agent is installed.
- To check that the port is open, open a command prompt on the domain controller where the agent is installed and run: telnet <adssp-server-name> <adssp-port-number>. A connection failure means the port is blocked or nothing is listening on it; check the firewall and the port configuration on the ADSelfService Plus server. (The Telnet client is an optional Windows feature and may have to be enabled first.)
- Reinstall the Password Sync Agent with the current protocol, host name, and port of the ADSelfService Plus server. Refer to these steps to install the agent.
5. Access key verification failed.
Possible cause: An invalid access key was entered, or the access key was regenerated in ADSelfService Plus after the agent was installed.
Solution: Ensure that the access key provided during installation is the one currently valid in ADSelfService Plus. If the key was regenerated, it must be updated on every domain controller that runs the agent.
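The reachability, port and time checks in errors 3 and 4 above can be run together from the domain controller. The script below is an added example written for this article and is not part of ADSelfService Plus; the server name, port and protocol are placeholders, it uses Test-NetConnection instead of telnet (which is often not installed on domain controllers), and it estimates clock skew from the Date header of the server's HTTP response. The 60-second warning threshold is an assumption, not a limit documented by the product.

```powershell
# Added diagnostic script (not part of ADSelfService Plus or this article).
# Assumptions: $Server/$Port/$Protocol are placeholders; the server's HTTP
# "Date" response header is used to estimate clock skew; the 60 s threshold
# is a chosen value, not a product limit.
param(
    [string]$Server   = 'adssp-server.example.com',   # assumed placeholder
    [int]   $Port     = 8888,                          # assumed placeholder
    [string]$Protocol = 'http'                         # 'http' or 'https'
)

# 1. Name resolution and ICMP reachability (the article's "ping" step).
try {
    $ip = [System.Net.Dns]::GetHostAddresses($Server) | Select-Object -First 1
    Write-Host "Resolved $Server -> $ip"
} catch {
    Write-Warning "DNS lookup for $Server failed: $_"
}
$icmp = Test-Connection -ComputerName $Server -Count 2 -Quiet
Write-Host ("ICMP reachable: {0}" -f $icmp)

# 2. TCP port check (same purpose as the article's telnet test).
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
Write-Host ("TCP {0}:{1} open: {2}" -f $Server, $Port, $tcp.TcpTestSucceeded)

# 3. HTTP(S) reachability of the portal and a clock-skew estimate.
$url = "{0}://{1}:{2}/" -f $Protocol, $Server, $Port
try {
    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
    Write-Host ("HTTP {0} from {1}" -f $resp.StatusCode, $url)

    # Headers['Date'] is a string in Windows PowerShell and string[] in PowerShell 7.
    $dateHeader = @($resp.Headers['Date'])[0]
    $serverUtc  = [datetimeoffset]::Parse($dateHeader).UtcDateTime
    $skew       = ([datetime]::UtcNow - $serverUtc).TotalSeconds
    Write-Host ("Clock skew vs. server: {0:N1} s (positive = this DC is ahead)" -f $skew)
    if ([math]::Abs($skew) -gt 60) {
        Write-Warning 'Clock skew exceeds 60 s; resync time on the DC and the ADSelfService Plus server.'
    }
} catch {
    Write-Warning "Portal request to $url failed: $_"
}
```

If the portal uses a self-signed HTTPS certificate, step 3 fails on certificate validation even though the TCP check passed; that by itself shows the network path is fine and points at the certificate or the protocol value entered during installation.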
Edit Settings option at ManageEngineTrayApp:
Below is the list of errors that may appear when editing the settings by clicking on the Password Sync Agent tray app icon.
1. The domain controller is not authorized by ADSelfService Plus.
Possible cause: The domain controller on which the Password Sync Agent is installed is not in the list of configured domains in ADSelfService Plus.
Solution: Ensure that the domain controller running the Password Sync Agent is added to the ADSelfService Plus DC list. For information regarding domain configuration, click here.
2. Invalid request or the time is not in sync between the domain controller and ADSelfService Plus server.
Possible cause: The clocks of the domain controller on which the Password Sync Agent is installed and of the ADSelfService Plus server are out of sync.
Solution: Ensure that the domain controller running the sync agent and the ADSelfService Plus server keep the same time; check both against the same time source before saving the settings again.
3. Cannot contact server. Please try again later.
Possible cause: The values entered for the protocol, hostname and port number were incorrect or have become invalid.
Solution:
- Check the accessibility of the ADSelfService Plus portal from the machine where this error is received. If it is not accessible, check the network connection between ADSelfService Plus server and this machine. For information regarding the steps to follow to check for accessibility of ADSelfService Plus server, click here.
- Provide the correct or latest values of the ADSelfService server details in the Edit Settings pop-up.
4. Access key verification failed.
Possible cause: An invalid access key was entered, or the access key was regenerated in ADSelfService Plus after the agent was installed.
Solution: Ensure that the access key entered in Edit Settings is the one currently valid in ADSelfService Plus. If the key was regenerated, it must be updated on every domain controller that runs the agent.
5. Access denied. Administrator privilege required for this operation.
Possible cause: The Edit Settings dialog was opened without administrative privileges.
By default, only administrators can edit the settings. A user who cannot use the Edit Settings dialog can update the server details from an elevated command prompt instead, as follows:
- Open Command Prompt as an administrator and navigate to C:\Program Files (x86)\ZOHO Corp\Password Sync Agent.
- Execute: SQLiteHandler.exe <servername> <portnumber> <protocol> <accessKey>, e.g., SQLiteHandler.exe adssp-dc1 8888 http dsgjhjhsaYYTv6FUF7VUCtufuy.
Note that an access key passed on the command line is recorded in the console history and in process-creation auditing (Windows security event 4688, when command-line logging is enabled). Treat the key as a secret: clear the console history afterwards and do not paste the command into tickets or chat.
Other major cases
Case 1: If the Password Sync Agent is not working:
- Check that the ManageEngine - Password Sync Agent and Message Queuing services are running:
- Open Services Manager (Start → Run → services.msc).
- In the Services window that opens, check that both ManageEngine - Password Sync Agent and Message Queuing show a status of Running; start them if they do not.
- Check that the ADSelfService Plus server is reachable from the domain controller where the agent is installed. For the steps to check accessibility of the ADSelfService Plus server, click here.
Case 2: If the Password Policy Enforcer or Have I Been Pwned integration is not working:
- Check that the ManageEngine - Password Sync Agent and Message Queuing services are running:
- Open Services Manager (Start → Run → services.msc).
- In the Services window that opens, check that both ManageEngine - Password Sync Agent and Message Queuing show a status of Running; start them if they do not.
- Check that the ADSelfService Plus server is reachable from the DC where the agent is installed. For the steps to check accessibility of the ADSelfService Plus server, click here.
- If the Password Policy Enforcer or Have I Been Pwned settings in the ADSelfService Plus portal were configured for the sync agent after the agent was installed, update the ADSelfService Plus server details on the agent using the Edit Settings option so that the agent picks up the new configuration.
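The service check in Cases 1 and 2 can be scripted so that it is repeatable across all domain controllers running the agent. The following is an added example written for this article, not ManageEngine's code; it assumes the agent service's display name matches the wildcard "ManageEngine*Password Sync Agent" (the article writes it with a hyphen in one place and an en dash in another) and that Message Queuing is the standard MSMQ service.

```powershell
# Added example (not from the article or ManageEngine). Checks the two services
# the article names, starts any that are stopped, and lists recent Service
# Control Manager errors that mention them.
# Assumption: the display-name wildcards below match the installed services.
$displayNames = @('ManageEngine*Password Sync Agent', 'Message Queuing')

foreach ($pattern in $displayNames) {
    $svc = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $svc) {
        Write-Warning "No service matching '$pattern' is installed on this host."
        continue
    }
    Write-Host ("{0,-40} {1,-8} startup={2}" -f $svc.DisplayName, $svc.Status, $svc.StartType)

    if ($svc.Status -ne 'Running') {
        Write-Host "Starting '$($svc.DisplayName)' ..."
        try {
            Start-Service -Name $svc.Name
            $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
            Write-Host "  -> $($svc.DisplayName) is now Running"
        } catch {
            Write-Warning "  -> '$($svc.DisplayName)' did not reach Running: $_"
        }
    }
}

# Surface the most recent SCM errors (event level 2) for these services from
# the last 24 hours, which is where a failed start or crash is recorded.
$filter = @{ LogName = 'System'; ProviderName = 'Service Control Manager'
             Level = 2; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Password Sync Agent|Message Queuing' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

Run it from an elevated PowerShell session on the domain controller; starting services and reading the System log both require administrative rights.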
Case 3: The ADSelfService Plus server could not be contacted or is unreachable, but ADSelfService Plus is accessible via the web browser in the specific domain controller.
Solution 1:
Solution 2:
Check whether a proxy server is used to reach the ADSelfService Plus server. If so, configure that proxy in Internet Explorer's connection (LAN) settings, because the Password Sync Agent uses the proxy configured in Internet Explorer.
Case 4: Native password resets are not being audited in the Reset Password Audit Report.
Solution 1:
- Check whether a Sending data to log entry was written to the service log for the native password reset in question.
Location of the service log:
- On 64-bit systems: C:\Program Files (x86)\ZOHO Corp\Password Sync Agent
- On 32-bit systems: C:\Program Files\ZOHO Corp\Password Sync Agent
- Then check whether an error was logged in the serverout log (<installation folder>\logs) for that reset action.
- If a No encryption key error is found in the serverout log, reconfigure the Password Sync Agent with the server name or IP address, port number, and protocol (HTTPS/HTTP) used by ADSelfService Plus, as follows:
- Right-click the Password Sync Agent icon on the system tray and select Edit Settings.
- The Edit Settings dialog box will open.
- Enter the Server Name/IP Address, Port Number, Protocol (HTTPS/HTTP), and Access Key.
- Click Save.
Solution 2: Reinstall the Password Sync Agent.
- On the domain controller where the Password Sync Agent is installed, open Control Panel > Programs and Features, select Password Sync Agent, and click Uninstall.
- Go to the folder containing the Password Sync Agent MSI file (ManageEnginePasswordSyncAgent.msi).
- Open Command Prompt as administrator in that folder, type the MSI file name (ManageEnginePasswordSyncAgent.msi), and press Enter to start the installer elevated.
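The log checks in Solution 1 of Case 4 cover two files in two possible locations. The script below is an added example for this article (not ManageEngine's tooling) that searches both install paths named above for the two strings the article tells you to look for and prints the last few hits of each. It assumes the log files have a .log or .txt extension, because the article does not give their file names.

```powershell
# Added example (not from the article or ManageEngine). Searches the agent's
# install folder (64-bit and 32-bit paths from the article) for the two log
# strings the article describes. Assumption: log files end in .log or .txt.
$roots = @('C:\Program Files (x86)\ZOHO Corp\Password Sync Agent',
           'C:\Program Files\ZOHO Corp\Password Sync Agent') | Where-Object { Test-Path $_ }
if (-not $roots) { throw 'Password Sync Agent install folder not found on this host.' }

$logs = Get-ChildItem -Path $roots -Recurse -Include *.log, *.txt -File -ErrorAction SilentlyContinue
Write-Host ("Scanning {0} log file(s) under: {1}" -f @($logs).Count, ($roots -join '; '))

# Pattern -> what a hit (or its absence) tells you, per the article.
$patterns = [ordered]@{
    'Sending data to log' = 'agent picked up the native reset and tried to report it'
    'No encryption key'   = 'agent has no server key; reconfigure via Edit Settings or reinstall'
}

foreach ($p in $patterns.Keys) {
    $hits = @($logs | Select-String -SimpleMatch -Pattern $p)
    Write-Host ("`n'{0}': {1} hit(s)  [{2}]" -f $p, $hits.Count, $patterns[$p])
    $hits | Select-Object -Last 3 | ForEach-Object {
        Write-Host ("  {0}:{1}  {2}" -f $_.Filename, $_.LineNumber, $_.Line.Trim())
    }
}
```

A reset with no "Sending data to log" line means the agent never saw it (check the services and DC authorization first); a reset that was sent but followed by "No encryption key" in the serverout log points at the reconfiguration steps above.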
Case 5: The Password Sync Agent triggers a flood of old reset/change password requests when the ManageEngine Password Sync Agent service is started.
Possible cause: Password resets that occurred while the ManageEngine Password Sync Agent service was down are still waiting as pending messages in the agent's message queue and are delivered as soon as the service starts.
Note: The following solution is not recommended unless the situation is critical, because the queued requests are discarded and the corresponding password changes are not synced.
Solution: Clear the queued messages before restarting the Password Sync Agent service on the domain controller. In Computer Management, expand Services and Applications > Message Queuing > Private Queues, expand the agent's queue, right-click Queue messages, and choose All Tasks > Purge to clear the old pending reset requests. Once completed, start the ManageEngine Password Sync Agent service.
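The same purge can be done from PowerShell with the MSMQ module, which makes it possible to see how many requests would be discarded before committing to it. This is an added example for this article, not ManageEngine's code. It assumes the MSMQ PowerShell module (Windows Server 2012 and later) is installed, that the agent service's display name matches "ManageEngine*Password Sync Agent", and, because the article does not name the agent's queue, it uses a placeholder queue-name filter of "*" that should be narrowed to the agent's private queue before use.

```powershell
# Added example (not from the article or ManageEngine). Stops the agent service,
# shows the depth of the matching private MSMQ queues, purges them only after an
# explicit confirmation, then restarts the service.
# Assumptions: MSMQ PowerShell module present; $QueueFilter is a placeholder.
param(
    [string]$ServiceDisplayName = 'ManageEngine*Password Sync Agent',
    [string]$QueueFilter        = '*'     # assumed; narrow to the agent's queue name
)
Import-Module MSMQ -ErrorAction Stop

$svc = Get-Service -DisplayName $ServiceDisplayName | Select-Object -First 1
if (-not $svc) { throw "No service matching '$ServiceDisplayName' found." }

# The article requires the purge to happen before the service is (re)started,
# so make sure it is not consuming the queue while we look at it.
if ($svc.Status -eq 'Running') {
    Stop-Service -Name $svc.Name
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))
}

$queues = @(Get-MsmqQueue -QueueType Private -Name $QueueFilter)
if ($queues.Count -eq 0) {
    Write-Warning "No private queues match '$QueueFilter'."
} else {
    $queues | Select-Object QueueName, MessageCount | Format-Table -AutoSize
    $pending = ($queues | Measure-Object -Property MessageCount -Sum).Sum

    if ($pending -gt 0) {
        # Irreversible: these password-change requests will never be synced.
        $answer = Read-Host "Purge $pending queued message(s)? They will be lost. Type PURGE to confirm"
        if ($answer -ceq 'PURGE') {
            $queues | Clear-MsmqQueue
            Write-Host 'Queues purged.'
        } else {
            Write-Host 'Purge skipped; queued requests left in place.'
        }
    } else {
        Write-Host 'No pending messages; nothing to purge.'
    }
}

Start-Service -Name $svc.Name
Write-Host ("{0} is {1}" -f $svc.DisplayName, (Get-Service -Name $svc.Name).Status)
```

Record the message counts it prints before confirming; that number is the set of native resets that will have to be re-synced by other means if the purge goes ahead.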
Case 6: The Sync Agent services fail to start after a server reboot even though their startup type is Automatic or Automatic (Delayed Start), yet starting them manually works.
Possible cause: Service startup takes longer than the Service Control Manager's default timeout of 30 seconds, so the SCM gives up on the service during boot.
Solution: Increase the SCM startup timeout in the registry as follows:
- Go to Start > Run and type regedit.
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
- With the Control key selected, right-click in the right-hand pane and select New > DWORD (32-bit) Value.
- Name the new value ServicesPipeTimeout. Right-click ServicesPipeTimeout, and then click Modify.
- Select Decimal, type 180000 (180 seconds), and click OK.
- Restart the computer; the SCM reads this value only at boot. Note that the timeout applies to every service on the host, not only to the agent.
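For fleets of domain controllers the registry change is easier to apply and verify from PowerShell than through regedit. The snippet below is an added example for this article, not ManageEngine's code; it sets the same ServicesPipeTimeout value the steps above describe, is idempotent, and reads the value back so the result can be checked before rebooting.

```powershell
# Added example (not from the article or ManageEngine). Sets the SCM
# ServicesPipeTimeout described in Case 6 (180000 ms = 180 s) and reads it back.
# Must run elevated; the SCM only picks the value up after a reboot.
$key       = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name      = 'ServicesPipeTimeout'
$desiredMs = 180000

$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name is not set; the SCM default of 30000 ms applies. Creating it."
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desiredMs | Out-Null
} elseif ($current -ne $desiredMs) {
    Write-Host "$name is currently $current ms; setting it to $desiredMs ms."
    Set-ItemProperty -Path $key -Name $name -Value $desiredMs -Type DWord
} else {
    Write-Host "$name already set to $desiredMs ms; nothing to change."
}

$after = (Get-ItemProperty -Path $key -Name $name).$name
Write-Host ("{0} = {1} ms ({2} s). Reboot required for the SCM to apply it." -f $name, $after, ($after / 1000))
```

Because the value is global to the Service Control Manager, raising it also lengthens how long Windows waits for every other slow-starting service at boot; keep the value as low as the agent actually needs.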