Troubleshooting tips

• Domain Settings
• Active Directory Self Update
• Active Directory Change Password
• Active Directory Reports
• GINA / Mac / Linux (Ctrl+Alt+Del)
• Push Notification
• SMS Server Settings
• SAML Authentication
• SAP Netweaver
• MFA for Endpoints
• FIDO Passkeys Authentication
• Just-in-Time Provisioning
• Other Errors

Domain settings

1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available." Why?
2. When I add my domains manually, the Domain Controllers are not resolved. Why?
3. When I add the Domain Controller, I get an error as "The Servers are not operational." What does it mean?
4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name." What does it mean?
5. The status column in the domain settings says that the user does not have Admin Privilege.

1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available." Why?

ADSelfService Plus, upon starting, discovers the domains from the DNS Server associated with the machine running the product. If no domain details are available in the DNS Server, it shows this message.

Questions

2. When I add my domains manually, the Domain Controllers are not resolved. Why?

When the DNS associated with the machine running ADSelfService Plus do not contain the necessary information. In such cases, you need to add the Domain Controllers manually.

Questions

3. When I add the Domain Controller, I get an error as "The Servers are not operational." What does it mean?

This means that either the specified Domain Controller is invalid or it could not be contacted due to network unavailability.

Questions

4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name." What does it mean?

This error could be due to any of the following reasons:

1. When the specified user name or the password is invalid.
2. Anonymous login (when no user name and password is provided).
3. When IP address of the Domain Controller is specified instead of its name.

Questions

5. The status column in the domain settings says that the user do not have Admin Privilege.

This is a warning message to indicate that the specified user do not have administrator privileges, i.e. the user is not a member of Domain Admins Group. Hence permissions applicable to Administrator may not be available to this user.

Questions

Back to Modules

Active Directory Self Update

1. Error Code - 80070005 / Error Code - 5: Error In Setting Attributes, Access is denied.
2. During user password reset, I get the following error: "Error in setting the Password. The network path not found - Error Code: 80070035."
3. During user password reset, I get the following error: "Error in setting the Password. There is a naming violation - Error Code: 80072037."
4. While updating the user information, I get the following error: "The server is unwilling to process the request - Error Code: 80072035."
5. While updating the user information, I get the following error: " Error In Setting Terminal service Properties. The specified user does not exist - Error Code: 525".
6. I have updated the exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server yet.
7. I am not able to set the Terminal Services properties for the user.
8. When I modify an user, I get the following error: "A device attached to the system is not functioning - Error Code: 8007001f."
9. Email address for user is not showing up or not set properly.
10. Error - The server is unwilling to process the request while resetting Password, which did not match password complexity.
11. Error code: 8007052e
12. Error code: 80070775
13. Error code: 800708c5
14. No such user matched. Verify the LDAP attribute in search query.

1. Error Code - 80070005 / Error Code - 5: Error In Setting Attributes, Access is denied.

Cause: User account does not have enough privilege over the object.

Solution:

• Log in to ADSelfService Plus with the admin credential.
• Click on the Domain Settings found at the right top corner.
• Click on the edit image to Edit Domain Details.
• Check the Authentication and provide the privileged Domain User Name and Domain Password.
• Click save and continue with the operations.

Questions

2. During user password reset, I get the following error: "Error in setting the Password. The network path not found - Error Code: 80070035."

While setting the password for the user if the target machine could not be contacted, this error is shown. This could happen when the DNS associated with the machine running ADSelfService Plus does not point to the Domain Controller where the user account is being created (possibly both are in different domains).

Questions

3. During user password reset, I get the following error: "Error in setting the Password. There is a naming violation - Error Code: 80072037."

One possible reason for this error could be that the password contains some special characters that are not allowed.

Questions

4. While updating the user information, I get the following error: "The server is unwilling to process the request - Error Code: 80072035."

One possible reason for this error could be:

1. The admin is modifying the sAMAccountName attribute while more than one user has the same sAMAccountName.

Questions

5. While updating the user information, I get the following error: "Error In Setting Terminal Service Properties. The specified user does not exist - Error Code: 525."

One possible reason could be that the user or the system account on which the product is run does not have an account in the target domain. Terminal Service Properties can only be set if the user account or the system account (applies when ADSelfService Plus is run as a service) that runs ADSelfService Plus has an account on the target domain.

Questions

6. I have updated the exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server yet.

ADSelfService Plus modifies the exchange properties in the Active Directory. The changes may not immediately reflect in the Exchange Server. It will get updated after some time.

Questions

7. I am not able to set the Terminal Services properties for the user.

One possible reason could be that the user or the system on which the product is run does not have an account in that domain.

Refer here for starting ADSelfService Plus in a user or system account.

Questions

8. When I modify an user, I get the following error: "A device attached to the system is not functioning - Error Code: 8007001f."

The possible reasons for this error could be:

1. When modifying a user, if an unacceptable format is chosen for the naming attributes. For example, if the format chosen for the Logon Name is LastName.FirstName.Initials and if the user does not have any one of these attributes specified, this error will occur.

Questions

9. Email address for user is not showing up or not set properly.

The possible reason could be:

1. Email may not be set as per Recipient Policy. Check whether all LDAP attributes in the recipient policy query are set to a specific value.
2. Check in the user account properties whether you entered the attribute for email. Ex: xyz@company.com. The company should be entered to the users.

Questions

10. Error: The server is unwilling to process the request while resetting passwords which do not match the password complexity rules.

The possible reason could be:

You may not have specified or opted for any options in Password Complexity while creating the user account.

Questions

11. Error code: 8007052e

The supplied credentials are invalid.

Questions

12. Error code: 80070775

Reason: The referenced account is currently locked out and may not be logged on.

Questions

13. Error code: 800708c5

Reason: The password does not meet the password policy requirements. Check the minimum password length, password complexity, and password history requirements.

Questions

14. No such user matched. Verify the LDAP attribute in search query.

Reason: No users in AD matches with the criteria provided.Try choosing the correct matching attributes by checking with the query provided in Match criteria for Users in AD. This is obtained by clicking on Update in AD t and expanding the Select Attributes box.

Questions

Back to Modules

Active Directory change password

When end users try to change password from the self-service portal, they get this error: Problem in changing password. Contact your administrator to troubleshoot.

Check if the following prerequisites are satisfied:

1. PowerShell version
2. Domain controller OS requirement
3. Port requirement
4. Domain account requirements

1. PowerShell Version

Check if PowerShell 2.0 or higher is present in the machine in which ADSelfService Plus is installed.

• Open PowerShell as the administrator.
• Check for its version number by running the command $PSVersionTable.
• If the version is below 2.0, install a higher version of PowerShell from here.

Checklist

2. Domain controller OS requirement

Ensure that you have at least one domain controller running Windows Server 2008 R2 or above, and make it the first configured domain controller.

• Navigate to Domain Settings in the ADSelfService Plus console.
• Click the edit domain icon.
• In the List of Domain Controller(s) box, select the domain controller that is running Windows Server 2008 R2 or above, and click the up arrow adjacent to make it the first domain controller in the list.
• Click Save.

Alternative Solution

If you do not have any domain controller running Windows Server 2008 R2 or above, you need to remove the Windows update that caused this issue from the machine where ADSelfService Plus is installed. You can identify the exact update that needs to be uninstalled based on the operating system by visiting this link.

Use these steps to uninstall the Windows update:

• Navigate to Control Panel → Programs, and then under Programs and Features, select View installed updates.
• Search for the specific updates, and then click Uninstall.
• Restart the server.

Checklist

3. Port requirement

Check if communications through port 5985 are enabled in the first domain controller configured with the product.

• Open command prompt as the administrator in the machine in which ADSelfService Plus is installed and enter the following command: telnet <DC-Name> 5985.
• If the command returns a connection failed error message, open port 5985 in the domain controller's firewall.

Checklist

4. Configured account privileges

Check if the account used to configure the domain settings account is a non-administrative account.

Steps to be executed in the first domain controller in the domain settings of ADSelfService Plus:

• Open services.msc and start the service Windows Remote Management.
• Open PowerShell as the administrator.
• Enter the following command: Set-PSSessionConfiguration Microsoft.Powershell ShowSecurityDescriptorUI
• Enter Y for the next two steps when prompted to confirm.
• Click Add.
• Search for the user account with which the domain settings has been configured and provide them with permission for Full Control (All Operations).
• Execute the following PowerShell cmdlets on the domain controller, preferably the first domain controller in the list, configured in the domain settings of ADSelfService Plus:
  Enable-PSRemoting -Force
  Set-Item wsman:/localhost/client/TrustedHosts "ADSelfServicePlus-Server-Name" -Force
  Restart-Service WinRM

The following teps are to be executed in the machine where ADSelfService Plus is installed.

• Execute the following PowerShell cmdlets on the machine where ADSelfService Plus is installed:
  Enable-PSRemoting Force
  Set-Item wsman:/localhost/client/TrustedHosts "DC-Name" Force
  Restart-Service WinRM

To check if the cmdlets were executed successfully, run the following command in the machine where ADSelfService Plus is installed:
Invoke-Command -ComputerName DC-Name -ScriptBlock { ipconfig } -credential $Cre

This command will print the IP details of the domain controller if the cmdlets were executed successfully.

Checklist

Back to Modules

Active Directory Reports

1. When I specify the details and generate the report, it says "No Result available" or "incomplete data"
2. AD Reports shows an object that does not exist in the Active Directory.

1. When I specify the details and generate the report, it says "No Result available" or "incomplete data"

It could be because of any of the following reasons:

• ADSelfService Plus could not contact the Domain Controller as it is not operational, or due to network unavailability.
• In case of multiple Domain Controllers, when the data is not replicated in all the Domain Controllers.
• The LastLogonTime that is used to determine the inactive users and computers is not replicated in all the Domain Controllers. Hence, you need to specify all the Domain Controllers in the Domain Settings to enable ADSelfService Plus to retrieve the data from all the Domain Controllers.
• When the password policy is not set (i.e., Max Password Age is set to zero), the Password Expired Users report and Soon to Password Expiry users report will not show any data.

Questions

2. AD Reports shows an object that does not exist in the Active Directory.

This mismatch could occur when the data is not synchronized with the Active Directory. The data synchronization with the Active Directory happens every day at 1.00 hrs. If ADSelfService Plus is not running at that time, you can initiate the data synchronization manually by clicking the refresh [ ] icon of that domain from the Domain Settings.

Questions

Back to Modules

Troubleshooting GINA

1. I receive the error message: "Initiating Connection to Remote Service. Failed." Why?
2. I received the error message: "Network path not found/Invalid Credential." Why?
3. I received the error message: "The network path was not found." Why?
4. Couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?
5. Couldn't connect to the Client Machine, ADMIN$. Access is denied.
6. Logon Failure: The target account name is incorrect.
7. Logon failure: Unknown user name or bad password.
8. Another installation is already in progress.
9. Couldn't start remote service. Overlapped I/O operation is in progress.
10. Operation Failed: Unsupported OS
11. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Couldn't copy PAExec to the machine."
12. When I try to install the login agent from the ADSelfService Plus console on to a remote server, I get the following error: "PAExec service could not be installed/started on remote server."
13. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Object not found" or "0x80041002 (WBEM_E_NOT_FOUND)."
14. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."
15. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Remote Procedure Call server is unavailable."

1. I received the error message: "Initiating Connection to Remote Service. Failed." Why?

This error could occur if the target computer could not be contacted.

• Ensure that such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.
• Make sure Remote Registry service is running on the client machine.

Questions

2. I received the error message: "Network path not found/Invalid Credential." Why?

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

3. I received the error message: "The network path was not found." Why?

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

4. Couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?

Possible reason: Insufficient privileges to access the client machine.

Solution: Update the credentials provided in ADSelfService plus' Domain Settings if it is running as an application. If it is running as service, update the service account's credential from the Logon tab by editing Services.msc.

Questions

5. Couldn't connect to the Client Machine, ADMIN$. Access is denied.

Possible reason: Admin share might not be enabled.

Solution: Enable Admin share in the client computer and configure ADSelfService Plus domain settings using user credentials that has necessary permission to access the Admin share.

Step1: Enable Admin share

1. From the client computer, go to Start → Run and type gpedit.msc and hit enter
2. Expand the Administrative Templates → Network → Network Connections → Windows Firewall.
3. Click Domain Profile and double click Windows Firewall: Allow inbound remote administration exception.
4. Select Enabled and click OK.

Step2: Update the domain settings in ADSelfService Plus with a user account that has permission to access the Admin share.

1. When ADSelfService Plus is running in console mode, update the credential provided under the Domain Settings of ADSelfService Plus.
2. When ADSelfService Plus is running as a service, update service account's credentials from the Logon tab by editing the properties of Services.msc.

Questions

6. Logon Failure: The target account name is incorrect.

This error could occur if two computers have the same computer name. One computer is located in the child domain; the other computer is located in the parent domain.

Questions

7. Logon failure: unknown user name or bad password.

Reason: Admin share might not be enabled.

Solution: Configure Domain Settings (when run as a console) / Logon Tab (when run as a service) by providing an account with the appropriate administrative credentials

Questions

8. Another installation is already in progress.

Solution: Try to install after a few minutes.

Questions

9. Couldn't start remote service. Overlapped I/O operation is in progress.

Solution: Try enabling Remote registry and Server service on the client machine.

Questions

10. Operation Failed: Unsupported OS

Cause: Machine's OS is not supported for remote installation.

Questions

11. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Couldn't copy PAExec to the machine."

Cause: User account does not have sufficient privilege over the object.

Solution:

• Log in to ADSelfService Plus with the admin credentials.
• Click on the Domain Settings found at the right-top corner of the webpage.
• Under the Actions section, click on the Edit Domain Details button.
• Select Authentication, and provide the Domain Username and Domain Password of an account that has domain admin privileges.
• Click Save.

Questions

12. When I try to install the login agent from the ADSelfService Plus console on to a remote server, I get the following error: "PAExec service could not be installed/started on remote server."

Cause: PAExec is being blocked by the firewall or antivirus software.

Solution: Change your antivirus and firewall settings to allow the PAExec service.

Questions

13. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Object not found" or "0x80041002 (WBEM_E_NOT_FOUND)."

Cause: The WMI repository may be corrupted.

Solution: To resolve the corruption of WMI repository, follow the steps in this link.

Work around:

1. Log in to the Windows Server machine using an administrator account.
2. Open Group Policy Management Console (GPMC) and right-click on the default domain policy within your domain.
3. In the Group Policy Management Editor window that opens, go to Computer Configuration → Policies → Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer → System → Group Policy. On the right pane, select Turn off Resultant Set of Policy logging.
4. Enable the Turn off Resultant Set of Policy logging to disable the Resultant Set of Policy (RSoP).

Questions

14. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

Cause 1: The login name or password provided for scanning is invalid in the workstation.

Solution: Check if the login name and password are entered correctly.

Cause 2: The user does not have remote access to the computer through the Distributed Component Object Model (DCOM).

Solution:

1. Log in to your system with admin credentials.
2. Go to Control Panel → Administrative Tools → Component Services, or type in DCOMCnfg.exe from the search bar, and click Enter to open the Component Services dialog box.
3. Expand Component Services in the Component Services dialog box. Then expand Computers, and right-click on My Computer. Click Properties.
4. Go to the COM Security tab in the My Computer Properties dialog box.
5. Select Edit Limits under Launch and Activation Permissions.
6. In the Launch and Activation Permission dialog box that opens, if your name or the group that you belong to does not appear in the groups or usernames list, click Add.
7. In the Select Users, Computers, or Groups dialog box that pops up, add your name and the group in the Enter the object names to select field. Click OK.
8. In the Launch and Activation Permission dialog box, select your user and group in the Group or user names box. Under the Permissions for user field, in the Allow column, select Remote Launch and Remote Activation. Click OK.

The user should now have remote access to the computer through DCOM.

Cause 3: DCOM may not be configured to allow a WMI connection.

Solution: If the DCOM in the machine is not configured to allow a WMI connection, then follow the below steps in the machine that needs to accept WMI connection.

1. Log in to your system with admin credentials.
2. Go to Control Panel → Administrative Tools → Component Services, or type in DCOMCnfg.exe from the search bar to open the Component Services dialog box.
3. Expand Component Services in the Component Services dialog box. Then expand Computers, and right-click My Computer. Click Properties.
4. Click the COM Security tab in the My Computer Properties dialog box.
5. Click Edit Limits, under the Access Permissions section.
6. The Access Permissions dialog box pops up. Under the Group or user names section, select Anonymous Logon. In the Permissions for user section, select Remote Access. Click OK.

Cause 4: The Remote DCOM option is disabled in the remote workstation.

Solution: Check if Remote DCOM is enabled in the remote workstation. If not, follow the steps below to enable it:

1. Select Start > Run.
2. Type DCOMCnfg.exe in the text box, and click OK.
3. Click on Component Services > Computers > My Computer.
4. Right-click and select Properties.
5. Select the Default Properties tab.
6. Check the box next to Enable Distributed COM in this machine.
7. Click OK.

Cause 5: The user account is invalid in the target machine.

Solution: Check if the user account is valid in the target machine by opening Command Prompt, and execute the following commands:

net use \<RemoteComputerName>C$ /u:<DomainNameUserName> "<password>"

net use \<RemoteComputerName>ADMIN$ /u:<DomainNameUserName> "<password>"

If these commands show any errors, the provided user account is not valid on the target machine.

Cause 6: The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the administrator group for this device machine.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a domain administrator) account.

Cause 7: A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2) when the default Windows firewall is enabled.

Solution: Disable the default firewall in the Windows XP machine:

1. Select Start → Run
2. Type Firewall.cpl and click OK
3. In the General tab, click Off
4. Click OK

If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command in Command Prompt:

netsh firewall set service RemoteAdmin

After scanning, you can disable Remote Administration using the following command:

netsh firewall set service RemoteAdmin disable

Cause 8: WMI is not available in the remote Windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI components are not registered properly.

Solution: Install WMI in the remote workstation. Refer to these steps for help.

If the WMI Components are not registered, register the WMI DLL files by executing the following command in the command prompt: winmgmt /RegServer

Cause 9: There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI Repository in that workstation could have failed.

Solution:

Restart the WMI service in the remote workstation:

1. Select Start → Run
2. Type Services.msc and click OK
3. In the Services window that opens, select Windows Management Instrumentation service.
4. Right-click and select Restart

Questions

14. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Remote Procedure Call server is unavailable."

Cause: The Remote Procedure Call (RPC) port of the machine is blocked by the firewall.

Solution: Change the setting in your firewall to allow RPC ports.

Questions

15. When I try to install the login agent from ADSelfService Plus console, I get the following error with code 80041010 in Windows Server 2003, "Fatal error occurred."

Cause: The Win32_Product class is not installed in Windows 2003 Server by default.

Solution: To add the Win32_Product class, follow the steps below:

1. In Add or Remove Programs, select Add/Remove Windows Components.
2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and click OK.
4. Click Next.

Back to Modules

When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

Troubleshooting Mac login agent

1. Connection timed out.
2. Connection refused.
3. The network path was not found.
4. Logon failure: Unknown user name or bad password.
5. Permission denied.
6. Invalid service account credentials.
7. Insufficient privileges to the service account.
8. No authentication details found for the domain.

1. Connection timed out.

Possible cause: The macOS client, in which you are trying to install the login agent, is shut down or not connected to the domain network.

Solution:

• Start the client and make sure that it is connected to the domain network. Check the connection by pinging the macOS client from the ADSelfService Plus server. Once you're sure there is a connection, try installing the login agent again.
• If connection to the Mac client is fine, then check the Mac's integration with AD.

Questions

2. Connection refused.

• Open the Mac client. Go to Preferences → Sharing and check if Remote Login is enabled.
• Check if the user account provided in the Domain Settings has Remote Login access enabled.

Questions

3. The network path was not found.

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

4. Logon failure: Unknown user name or bad password.

• Incorrect user name or password for the service account.
• Also, go to Directory Editor in the Directory Utility and check if the Active Directory node can be connected using the user credentials provided in the Domain Settings.

Questions

5. Permission denied

Possible reason: Service account does not have the required administrative privileges over the targeted macOS client.

Solution: Provide admin privilege to the service account by following the steps below:

1. In the targeted macOS client, go to System Preferences → Users & Groups → Login Options → Edit → Open Directory Utility.
2. In the Service tab, click the Administrative section.
3. Select the Allow Administration checkbox, and include the service account used to run the ADSelfService Plus server.
4. Click OK.
5. Verify the macOS client's integration with AD.
   • Go to Directory Utility → Directory Editor → <Your Active Directory node>. If the connection is successful, you will be able to see the AD objects.
   • If the connection to the AD node fails, try pinging the Domain Controller (DC) from the macOS client.
   • If the DC is reachable and the problem persists, unbind it and try re-binding the macOS client with AD.

Questions

6. Invalid service account credentials

Possible cause: Invalid or expired service account credentials in the Domain Settings.

Solution: Update the correct service account credentials. Also, verify the macOS client's integration with AD.

Questions

7. Insufficient privileges to the service account.

Possible cause: Service account does not have the required root privilege to perform remote installation of package over the targeted macOS client.

Solution: Provide root privilege to the service account by following the steps below:

• Go to the Terminal window → execute the command sudo visudo and navigate to User privilege specification.
• Make sure the targeted account has root privileges, i.e. <username> ALL=(ALL) ALL.

Questions

8. No authentication details found for the domain.

Possible cause: Insufficient privileges for the service account in the Domain Settings of ADSelfService Plus.

Solution: Provide the domain user credentials with admin privileges.

Questions

Back to Modules

Troubleshooting Linux login agent

1. Connection timed out.
2. Connection refused.
3. The network path was not found.
4. Permission denied / Insufficient privileges to the service account.
5. Invalid service account credentials.
6. No authentication details found for the domain.
7. Operation failed while setting up dependencies.

1. Connection timed out.

Possible cause: The Linux machine, in which you are trying to install the login agent, is shut down or not connected to the domain network.

Solution:

• Start the client and make sure that it is connected to the domain network. Check the connection by pinging the Linux machine from the ADSelfService Plus server. Once you're sure there is a connection, try reinstalling the login agent.
• If connection to the Linux machine is fine, then check the Linux machine's integration with AD.

Questions

2. Connection refused.

Possible cause: SSH server software is not active in the Linux client.

Solution: Make sure SSHD service is installed and active in the Linux client.

Questions

3. The network path was not found.

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

4. Permission denied / Insufficient privileges to the service account.

Possible cause: Service account configured in ADSelfService Plus does not have the required root privilege over the targeted Linux client.

Solution: Provide root privilege to the service account by following the steps below:

• Go to the Terminal window → execute the command sudo visudo and navigate to User privilege specification section.
• Make sure the targeted account has root privileges, i.e., <username> ALL=(ALL) ALL.

Questions

5. Invalid service account credentials

Possible cause: Invalid or expired service account credentials in the Domain Settings.

Solution: Update the correct service account credentials in the Domain Settings.

Questions

6. No authentication details found for the domain.

Possible cause: Insufficient privileges for the service account in the Domain Settings of ADSelfService Plus.

Solution: Provide the service account credentials with domain admin privileges.

Questions

7. Operation failed while setting up dependencies.

Possible cause: Poor network connection. The Linux distribution's package manager is unable to contact the software repository or the ADSelfService Plus' web portal.

Solution:

• The Linux distribution's package manager needs to contact the respective software repository while setting up dependencies. Check network connectivity in the Linux machine. If the network connection is good, check and ensure that the package manager can contact the respective software repository (For instance, YUM for Fedora/CentOS).
• The lightdm-webkit2-greeter package needs to be installed from the ADSelfService Plus web portal. Please check if the Linux client machine is able to contact it.

Questions

Back to Modules

Troubleshooting Push Notification

1. ERROR_CODE:70050A, ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF
2. ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF

1. ERROR_CODE:70050A, ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF.

These errors occur due to an invalid push notification certificate or problems in the push server side. Please contact the ADSelfService Plus support team at support@adselfserviceplus.com for resolution.

2. ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF.

This error will appear if you don't have the necessary ports and IP/Host addresses opened in your firewall setup.

• Open the following ports in your firewall setup so that ADSelfService Plus web server can communicate with the push servers of Apple and Google:
  • For Apple Server: 5223, 2195, 2196, 443
  • For Google Server: 5228, 5229, and 5230, 80/443
• Additionally, you must grant access to the following IP/Host addresses:
  • For Apple Server: gateway.push.apple.com and feedback.push.apple.com
  • For Google Server: All outbound IPs with port 80/443 or simply open the Google ASN IPs.

Error codes

Back to Modules

Troubleshooting SMS Server Settings and SSLHandshakeException

Description: This exception occurs when you configure a SMTP mail server or a web server with SSL in ADSelfService Plus, and the server uses a self-signed certificate. The Java Runtime Environment used in ADSelfService Plus will not trust self-signed certificates unless it is explicitly imported.

Solution: You need to import the self-signed certificates used by the server in the JRE package used by ADSelfService Plus. Follow the steps given below:

Step 1: Download the certificate

• For SMTP servers:
  Note: To download the certificate used by SMTP server, you must have OpenSSL installed. You can download it from here.
  • Open the command prompt and change to the bin folder in the OpenSSL installed location.
  • Now run the following command:
    penssl.exe s_client -connect SMTPServer:Portno -starttls smtp > certificatename.cer
  • For example, openssl.exe s_client -connect smtp.gmail.com:587 -starttls smtp > gmailcert.cer
• For web servers:
  • Open the web URL in a browser.
  • Click the padlock icon on the address bar.
  • Click More Information. This opens the Certificate Viewer window showing the certificate used by that web server.
  • Click View Certificate.
  • When the Certificate window showing Certificate Information Authority opens, click the Details tab.
  • Click Copy to File.
  • In the Certificate Export Wizard that opens, click Next.
  • Select the format as DRE encoded binary X.509 (.CER) and click Next.
  • Enter the path where you wish to save the file and click Finish.

Step 2: Import the certificates in JRE package of ADSelfService Plus

• Open a command prompt and change to the \jre\bin folder. For example: C:\Program Files\ManageEngine\ADSelfService Plus\jre\bin
• Run the following command:
  Keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file
• For example: Keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\smtpcert.cer
• Enter changeit when prompted for a password.
• Enter y when prompted Yes or No.
• Close the command prompt and restart ADSelfService Plus.

Back to Modules

SAML Authentication - Invalid Certificate

Description: This error may appear when you have configured SAML Authentication in ADSelfService Plus with an invalid X.509 certificate from the identity provider. The certificate is deemed invalid due to one of the following reasons:

• Certificate has expired.
• Certificate's start of validity date is yet to come.
• You've chosen a different certificate such as a SSL root certificate.
• The certificate content is not in PEM format.

Solution: Please download the current X.509 certificate from your identity provider again and upload it in ADSelfService Plus.

SAML authentication error codes and description

Error code	Description
SAML_ERR_001	This code is displayed when the SAML authentication fails due to an invalid SAML response or assertion.
SAML_ERR_002	This code is displayed when the SAML authentication fails due to an invalid "InResponseTo" attribute in the SAML response.
SAML_ERR_003	This code is displayed when the SAML authentication fails due to an IdP-initiated SAML request during MFA.
SAML_ERR_004	This code is displayed when the SAML authentication fails due to an invalid SAML signature.
SAML_ERR_005	This code is displayed when the SAML authentication fails due to an invalid SAML signature algorithm.
SAML_ERR_006	This code is displayed when the SAML authentication fails due to an invalid SAML subject.
SAML_ERR_007	This code is displayed when the SAML authentication fails due to an invalid issuer URL.
SAML_ERR_008	This code is displayed when the SAML authentication fails due to a SAML configuration mismatch.
SAML_ERR_009	This code is displayed when the SAML authentication fails with the "NotBefore" condition due to a time stamp mismatch in the SAML assertion.
SAML_ERR_010	This code is displayed when the SAML authentication fails with the "NotOnOrAfter" condition due to a time stamp mismatch in the SAML assertion.
SAML_ERR_011	This code is displayed when the SAML authentication fails because the SAML assertion received was not encrypted.
SAML_ERR_012	This code is displayed when the SAML authentication fails because an error occurred while decrypting the SAML assertion.
SAML_ERR_013	This code is displayed when the SAML authentication fails because the status of the SAML response was not "success".
SAML_ERR_014	This code is displayed when the SAML authentication fails because no SAML assertion is found.
SAML_ERR_015	This code is displayed when the SAML authentication fails because no signature is found in the SAML assertion.
SAML_ERR_016	This code is displayed when the SAML authentication fails because no signature is found in the SAML response.
SAML_ERR_017	This code is displayed when the SAML authentication fails because the subject name ID was not found in the SAML response.
SAML_ERR_018	This code is displayed when the SAML authentication fails due to an invalid SAML configuration.
SAML_ERR_019	This code is displayed when the SAML authentication fails due to an invalid SAML response having more than one assertion.

Back to Modules

Troubleshooting SAP NetWeaver

1. Incompatible API files. Please make sure you're using SAP Java Connector 3.0 version of the API files.
2. The destination system is unreachable.

1. Incompatible API files. Please make sure you're using SAP Java Connector 3.0 version of the API files.

Possible cause: SAP Java Connector missed to place under <ADSelfService Installation Dir>/lib location or connector version is not satisfied.

Solution:

• Make sure SAP Java connector [sapjco3.dll,sapjco3.jar] placed under <ADSelfService Installation Dir>/lib location.
• Make sure SAP Java connection version is greater than 3.0.
• If Java Connector 3.1 is being used, make sure Visual Studio 2013 C/C++ runtime libraries are installed in the machine where ADSelfService Plus is being installed.
• If Java Connector 3.0 is being used, make sure Microsoft Visual Studio 2005 C/C++ runtime libraries are installed in the machine where ADSelfService Plus is being installed.

2. The destination system is unreachable.

Possible cause: SAP Server is not reachable due to a network issue.

Solution:

• Make sure SAP Server host address is reachable from the ADSelfService Plus server-installed machine.
• Make sure SAP Server port is allowed in the firewall.

Back to Modules

MFA for Endpoints

1. Description of error codes encountered when Machine-based MFA is enforced.
2. Issue in MFA for VPN login.
3. If VPN MFA is not working as expected after setting up the NPS extension, you should...

1. Description of error codes encountered when Machine-based MFA is enforced.

Error code	Description
MFA-011	This code is displayed when the license consumption exceeds the number of users for which the product license has been purchased. To resolve this issue, update the license to include more domain users.
MFA-012	This code is displayed when the user is not part of any self-service policy for which MFA for Machine login is configured.
MFA-013	This code is displayed when the user account has been restricted in the product. To resolve this issue, de-restrict the user. Learn more.
MFA-021	This code is displayed when the purchased license does not include the Endpoint MFA-add on. Visit our store to purchase the add-on.
MFA-022	This code is displayed when the communication could not be established between the domain controller configured in ADSelfService Plus and the ADSelfService Plus server. Please make sure the configured server is operational and can be contacted from the ADSelfService Plus server.
MFA-041	This code is displayed when the API Authorization fails and the ADSelfService Plus server is unable to authorize the logon agent during MFA. Possible Causes: Cause 1: The system time on the machine where the Login Agent has been installed has a mismatch with the time on the server running ADSelfService Plus (i.e., the time differs by 90 seconds). Fix: Synchronize the time on both machines. Cause 2: An invalid installation key was entered during the manual installation of the Login Agent. Fix: Uninstall the Login Agent and reinstall it with the latest installation key available in the product UI. Learn More.

2. Issue in MFA for VPN login

If MFA for VPN login is not working, do the following:

• Check the NPS extension logs in the RADIUS server where you have installed it. By default, they can be found at C:\Program Files\ManageEngine\ADSelfService Plus NPS Extension\NpsExtension.log. Based on the error, try the solutions given below:
  • Connectivity issues
    • Make sure the ADSelfService Plus is reachable from the NPS (RADIUS) server.
    • If you are using an untrusted certificate in ADSelfService Plus, add it to the Trusted Root Certification Authorities list in the NPS server.
  • API Authorization failed
    • Make sure the time in both the ADSelfService Plus server and the NPS server are correct as per their time zone.
• If you can’t find any issues from the NPS extension logs, check the NPS server’s event logs using the Event Viewer for RADIUS authentication-related logs.

If VPN MFA is not working as expected after setting up the NPS extension, you should:

• Analyze the NPS extensions logs (Default location: C:\Program Files\ManageEngine\ADSelfService Plus NPS Extension\NpsExtension.log) for the following possible error messages:
  • httpErrCode: XXXX
    • httpErrorCode: 12002: The ADSelfService Plus server is not reachable from the NPS server.
      • Fix: Check if the ADSelfService Plus server is reachable from NPS server. If the ADSelfService Plus server is unreachable, ensure that the server has been correctly configured in the registry at HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension. Ensure the following values are configured correctly:
        1. ServerName: The HostName or IP address of the ADSelfService Plus server.
        2. ServerPortNo: TCP Port number for the ADSelfService Plus server.
        3. ServerContextPath: The ADSelfService Plus server context (if changed).
    • httpErrorCode: 12175: ADSelfService Plus server's certificate is not trusted by the NPS server.
      • Fix: If ADSelfService Plus's server certificate is not trusted by the NPS server, open certmgr.exe and add the CA certificate that is used to sign ADSelfService Plus server's domain certificate to the Trusted Root Certification Authorities for the local machine and not only the current user.
  • Access denied due to MFA API authorization failure
    • Issue: ADSelfService Plus server fails to authorize the NPS extension during MFA.
    • Possible causes:
      • Cause 1: The system time of the the NPS server or the ADSelfService Plus server is not valid or servers' times differ by more than two minutes and therefore not in sync.
        1. Fix: Update the correct time.
      • Cause 2: The secret key shared for authorizing the NPS extension might be invalid. To make sure of this, retrieve the actual secret key and compare it with the key in the registry.
        1. Fix: Download the NPS extension again, extract it and open the .PS1 script and retrieve the secret key.
        2. Manually update the secret key in the registry or update it using the command
           <...\AdsspNpsExtension> .\setupNpsExtension.ps1 update
  • Denying access for user as per MFA server
    • Issue: ADSelfService Plus server denies access to the user and hence the user cannot log into the VPN provider.
    • Possible cause: The user is invalid or is not enrolled for MFA in ADSelfService Plus.
    • Fix:
      • Ensure that the user is a valid user in one of the domains configured at ADSSP.
      • Ensure that the user is enrolled for the VPN MFA factors configured.
      • If logins without MFA has to be permitted for first time users or not enrolled users, enable the Skip MFA when the user is not enrolled for the required authenticators under Advanced MFA settings.
  • preValidate - result: 0
    • Issue: The pre-validation condition for invoking MFA is false and hence the NPS extension does not invoke MFA.
    • Possible reasons:
      • The Registry property MfaStatus is set to false. Admin might have downloaded the NPS extension from ADSelfService Plus before enabling VPN MFA.
        1. Fix: Update the MfaStatus to true at registry.
      • The admin might have configured CRPolicies or NetworkPolicies whose conditions may not have been met.
        1. Fix: Change the CRPolicies or NetworkPolicies to ones that include the necessary users.
  • Empty or No challenge from user
    • Issue: The NPS extension is unable to read the OTP/TOTP from the RADIUS request.
    • Possible cause: RADIUS authentication protocol used between RADIUS client (VPN, Netscaler server, or other) and the NPS server might be MS-CHAPv2 or EAP or other unsupported protocols.
    • Fix:
      • Change RADIUS authentication protocol to PAP as only this protocol supports challenge-based authenticators.
      • Ensure that the RADIUS client sets the OTP or TOTP in the User-Password attribute of the RADIUS request.
• If NPS extension logs do not show any errors, check if any of the following issues are present:
  • Issue: RADIUS or NPS configuration issue.
    • Fix: Check Event viewer (Custom views → Network policy and access server role) for RADIUS authentication related logs.
  • Issue: The RADIUS client (VPN or other endpoint server) halts the MFA before it begins.
    • Fix:
      • Make sure the RADIUS authentication timeout settings, if any, at the RADIUS client (VPN server, or any RADIUS clients) and the RADIUS server (NPS) is greater than VPN MFA session time value configure in ADSelfService Plus.
      • Refer this document for enabling Keep the VPN MFA session valid for __ minutes option under VPN Login MFA.
      • Every RADIUS client (VPN server or other) will have specific timeout settings which must be configured properly for MFA (especially challenge based authenticators) to work. Set the correct time value in the RADIUS client. For example, when Fortinet is used, the set remoteauthtimeout <num_of_secs>s command will keep a RADIUS request valid for the seconds mentioned.

Back to Modules

FIDO Passkeys Authentication

1. Authentication failed. Please try again. Contact your administrator if the issue persists.
2. The passkey doesn't meet the user verification requirements. Please contact your administrator.
3. Unsecured connection. Please reach your administrator.
4. Passkey enrollment failed with error code MFA-201. Please contact your administrator.
5. This URL does not match the RP ID. Please contact your administrator.
6. Passkey enrollment failed with error code MFA-202. Please contact your administrator.
7. Unsupported passkey type. Please contact your administrator. (OR) An unexpected error occurred; please try again later. Contact your administrator if the issue persists.

1. Error: Authentication failed. Please try again. Contact your administrator if the issue persists.

Causes: This error message could be displayed due to any of the following:

• a. The device verification method (such as the Windows Hello PIN, or Android Biometrics) was unsuccessful, or the user deliberately closed or canceled the box, or the session expired.
• b. The platform authenticator's configuration in the OS has been reset or deleted
• c. Users have registered their smartphone as a Security Key but are attempting to use it as a Built-in authenticator.

a. The device authentication method (such as the Windows Hello PIN, or Android Biometrics) was unsuccessful, or the user deliberately closed or canceled the box, or the session expired.

Solution: The user must attempt verification again.

b. The authenticator configuration has been reset or deleted

If the device's built-in authenticator has been reset (for instance, if the Yubikey is reset or the Windows Hello PIN is changed) or deleted, the passkey information will removed from the device.

Solution: Users will need to log into the ADSelfservice Plus end user portal using other MFA methods or a backup code, delete the redundant passkey information, and re-enroll their device as a new passkey.

c. Users have registered their smartphone as a Security Key but are attempting to use it as a Device's Built-in Authenticator.

Cause: Users might access the ADSelfService Portal from a smartphone registered as a Security Key, but may be trying to authenticate using Device's Built-in Authenticator.

Solution: If users are accessing the ADSelfService Plus end-user portal on a smartphone that has already been registered as a Security Key (roaming authenticator), they need to select 'Security Key' as the passkey type to authenticate and confirm their identity on the same smartphone. They cannot select Device's Built-in Authentication.

2. Error: The passkey doesn't meet the user verification requirements. Please contact your administrator.

This error might be displayed during any of these scenarios:

• a. The admin changes User Verification from Discouraged or Preferred to Required
• b. The initial FIDO Passkeys configuration in ADSelfService Plus is set up with User Verification being set to Required
• c. Users are attempting authentication from an Android phone that does not support additional user verification for security keys.

a. The User Verification is set to Required but additional user verification has not been configured on users' devices.

Cause: When User Verification is set to Required, users will be prompted to provide additional verification, such as a PIN or biometrics, after inserting their device. If the users have not set up additional verification on their devices, they will be unable to complete the verification process and will be locked out.

Solution: The user must configure the additional verification (like a PIN or Biometrics) required by their device and attempt authentication again.

b. The User Verification is set to Required but users' devices do not support additional verification.

Cause: The user might have devices (like U2F devices) that do not support additional user verification.

Solution: The admin must either set User Verification to Discouraged or Preferred, or users must enroll devices that support additional user verification.

c. Users are attempting authentication from an Android phone that does not support additional user verification for security keys.

Cause: The Android phone might not support additional user verification.

The additional verification support update for phones was released by Google in September 2023; so phones which have not updated to that version or later might not support additional verification.

Solution: Users must download and install the latest Android System Update to enable additional verification support on their phones.

3. Error: Unsecured connection. Please contact your administrator.

Probable causes:

• FIDO Passkey authentication is attempted from an integrated AD360 deployment that is using HTTP (or)
• FIDO Passkeys authentication is being attempted to an OWA site that uses the HTTP protocol.

FIDO Passkeys will not work if AD360 and OWA sites are using the HTTP protocol. The FIDO authenticator needs HTTPS to be enabled on the sites it authenticates to.

Solution: Please enable HTTPS on the OWA or AD360 site for FIDO passkeys to work.

4. Error: Passkey verification failed with error code MFA-201. Please contact your administrator.

Cause: FIDO Passkeys enrollment is not supported via AD360's Apps Pane.

Solution: Users will need to directly access ADSelfService Plus via the access URL to enroll for FIDO Passkeys. Authentication using FIDO Passkeys can be done via AD360.

5. Error: This URL does not match the RP ID. Please contact your administrator.

Cause: The URL that users are using to access ADSelfService Plus might have a mismatch with the RP ID configuration.

Solution: The access URL and the RP ID must match for FIDO authentication to work. Learn how.

6. Error: Passkey enrollment failed with error code MFA-202. Please contact your administrator.

Cause: The public key cryptographic algorithms that ADSelfService Plus' web app uses are not supported by the FIDO passkey.

Solution: Please contact ADSelfService Plus Support at support@adselfserviceplus.com.

7. Error: Unsupported passkey type. Please contact your administrator. (OR) An unexpected error occurred; please try again later. Contact your administrator if the issue persists.

Cause: An unexpected error might occur during enrollment or authentication.

Solution: Please contact ADSelfService Plus Support at support@adselfserviceplus.com.

Back to the FIDO Passkeys questions

Back to Modules

Troubleshooting Just-in-Time Provisioning

In the JIT Provisioning Audit Report, what do the following Status messages mean and how can they be remediated?

1. Failed due to network connectivity issues to the target application.
2. Failed due to invalid email address or username.
3. Failed due to exceeding the rate limit.
4. Failed due to exceeding the retry limit.
5. User account creation process has failed.

1. Failed due to network connectivity issues to the target application.

Solution: Please try connecting to the target application from the ADSelfService Plus server through the browser or check for any firewall restrictions on the server. If the issue persists, please contact your Network Operations Center (NOC) team/network team or the ADSelfService Plus support team at support@adselfserviceplus.com.

2. Failed due to invalid email address or username.

Solution: Please verify if the correct attribute has been mapped for user account linking in the target application.

3. Failed due to exceeding the rate limit.

Cause: This issue occurs when the API threshold in the target application has reached the limit over a specific period

4. Failed due to exceeding the retry limit.

Cause: If the user account creation attempt has failed more than three times in an hour, the retry limit is exceeded, and this error is logged in the JIT Provisioning Report. For further details, please contact the ADSelfService Plus support team at support@adselfserviceplus.com.

5. User account creation process has failed.

Possible Cause	Recommended Solution
License of the target application might have expired.	Please renew the license of the target application.
The target application's license consumption might have exceeded the purchased license count.	Please ensure to purchase and maintain the required licenses..
The maximum length of the email address or username might exceed the limit specified in the target application.	Please verify if the correct attribute has been mapped for user account linking in the target application.
Account linking attributes might not be in the format specified in the target application.	Please verify if the attribute and attribute values mapped for user account linking in the target application are in the required format.

Back to Modules

Other Errors

Login Errors

1. SSO login failure from the AD360 Apps Pane.

Cause: Integrations of ADSelfService Plus with AD360 will work seamlessly as long as they have been deployed on the same host. If ADSelfService Plus and AD360 are integrated but have been installed on separate host machines in your organization, you may encounter issues with SSO logins from AD360's Apps Pane.

Solution: To resolve this, you should implement a reverse proxy for both AD360 and ADSelfService Plus, giving them the same hostname, which will help SSO from AD360 work seamlessly.

Back to Modules