Troubleshooting Tips

• Domain Settings
• Active Directory Self Update
• Active Directory Change Password
• Active Directory Reports
• GINA / Mac / Linux (Ctrl+Alt+Del)
• Push Notification
• SMS Server Settings
• SAML Authentication
• SAP Netweaver
• MFA for Endpoints

Domain Settings

1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?

2. When I add my domains manually, the Domain Controllers are not resolved. Why?

3. When I add the Domain Controller, I get an error as "The Servers are not operational". What does it mean?

4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name". What does it mean?

5. The status column in the domain settings says that the user do not have Admin Privilege?

1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available". Why?

ADSelfService Plus, upon starting, discovers the domains from the DNS Server associated with the machine running the product. If no domain details are available in the DNS Server, it shows this message.

Questions

2. When I add my domains manually, the Domain Controllers are not resolved. Why?

When the DNS associated with the machine running ADSelfService Plus do not contain the necessary information. In such cases, you need to add the Domain Controllers manually.

Questions

3. When I add the Domain Controller, I get an error as "The Servers are not operational". What does it mean?

This means that either the specified Domain Controller is invalid or it could not be contacted at present due to network unavailability.

Questions

4. When I add the Domain Controller, I get an error as "Unable to get domain DNS / FLAT name". What does it mean?

This error could be due to any of the following reasons:

1. When the specified user name or the password is invalid.

2. Anonymous login (when no user name and password is provided)

3. When IP Address of the Domain Controller is specified instead of its name.

Questions

5. The status column in the domain settings says that the user do not have Admin Privilege?

This is a warning message to indicate that the specified user do not have administrator privileges i.e, the user is not a member of Domain Admins Group. Hence permissions applicable to Administrator may not be available to this user.

Questions

Back to Modules

Active Directory Self Update

1. Error Code - 80070005 / Error Code - 5 : Error In Setting Attributes, Access is denied

2. While user password reset, I get the following error "Error in setting the Password. The network path not found - Error Code: 80070035"

3. While user password reset, I get the following error "Error in setting the Password. There is a naming violation - Error Code : 80072037"

4. While updating the user information, I get the following error "The server is unwilling to process the request - Error Code : 80072035"

5. While updating the user information, I get the following error " Error In Setting Terminal service Properties. The specified user does not exist - Error Code : 525"

6. I have updated the exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server yet.

7. I am not able to set the Terminal Services properties for the user?

8. When I modify an user, I get the following error "A device attached to the system is not functioning - Error Code : 8007001f "

9. Email address for user not showing up or not set properly?

10. Error - The server is unwilling to process the request while resetting Password, which did not match password complexity

11. Error code: 8007052e

12. Error code: 80070775

13. Error code: 800708c5

14. No such user matched. Verify the LDAP attribute in search query

1. Error Code - 80070005 / Error Code - 5 : Error In Setting Attributes, Access is denied

Cause : User account do not have enough privilege over the object.

Solution :

• Login to ADSelfService Plus with the "admin" credential.
• Click on the "Domain Settings" found at the right top corner.
• Click on the edit image to "Edit Domain Details".
• Check the "Authentication" and provide the privileged "Domain User Name" and "Domain Password".
• Save the Changes and continue with the operations.

Questions

2. While user password reset, I get the following error "Error in setting the Password. The network path not found - Error Code: 80070035"

While setting the password for the user if the target machine could not be contacted, this error is shown. This could happen when the DNS associated with the machine running ADSelfService Plus do not point to the Domain Controller where the user account is being created (possibly both are in different domains).

Questions

3. While user password reset, I get the following error "Error in setting the Password. There is a naming violation - Error Code : 80072037"

One possible reason for this error could be that the password contains some special characters that are not allowed.

Questions

4. While updating the user information, I get the following error "The server is unwilling to process the request - Error Code : 80072035"

One possible reasons for this error could be:

1. When modifying the sAMAccountName format for multiple users and when more than one user happen to have the same sAMAccountName.

Questions

5. While updating the user information, I get the following error " Error In Setting Terminal service Properties. The specified user does not exist - Error Code : 525"

One possible reason could be that the user or the system account as which the product is run do not have an account in the target domain. Terminal Service properties can only be set if the user account or the system account (applies when ADSelfService Plus is run as a service) that runs ADSelfService Plus has an account on the target domain.

Questions

6. I have updated the exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server yet.

ADSelfService Plus modifies the exchange properties in the Active Directory. The changes may not immediately reflect in the Exchange Server. It will get updated after some time.

Questions

7. I am not able to set the Terminal Services properties for the user?

One possible reason could be that the user or the system as which the product is run do not have an account in that domain.

Refer to here for starting ADSelfService Plus in User or System account.

Questions

8. When I modify an user, I get the following error " A device attached to the system is not functioning - Error Code : 8007001f "

The possible reasons for this error could be:

1. When modifying an user, if an unacceptable format is chosen for the naming attributes. For example, if the format chosen for the Logon Name is LastName.FirstName.Initials and if the user do not have any one of these attributes specified, this error will occur.

Questions

9. Email address for user not showing up or not set properly?

The possible reason could be:

1. Email may not be set as per Recipient Policy. check whether all ldap attributes in recipient ploicy query are set to specific value.

2. Check in the user account properties whether you entered the attribute for email. Ex: xyz@company.com. The company should be entered to the users.

Questions

10. Error-The server is unwilling to process the request while resetting Password which not maches to password complexity

The possible reason could be:

You may not have specified or opt for any options in 'Password Complexity' while creating user account.

Questions

11. Error code: 8007052e

The reason is, the Supplied credentials are invalid.

Questions

12. Error code: 80070775

Reason: The referenced account is currently locked out and may not be logged on.

Questions

13. Error code: 800708c5

Reason: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

Questions

14.No such user matched. Verify the LDAP attribute in search query

Reason: No Users in AD matches with the criteria provided by you.Try choosing the correct matching attributes by checking with the query provided in the "Match criteria for Users in AD",this is obtained by clicking on "Update in AD" button and expanding "Select Attributes" box.

Questions

Back to Modules

Active Directory Change Password

Active Directory Reports

1. When I specify the details and generate the report, it says "No Result available" or incomplete data

2. AD Reports shows an object that do not exist in the Active Directory?

1. When I specify the details and generate the report, it says "No Result available" or incomplete data

It could be because of any of the following reasons:

• When ADSelfService Plus could not contact the Domain Controller as it is not operational or due to network unavailability.
• In case of multiple Domain Controllers, when the data is not replicated in all the Domain Controllers.
• The LastLogonTime that is used to determine the inactive users and computers is not replicated in all the Domain Controllers. Hence, you need to specify all the Domain Controllers in the Domain Settings to enable ADSelfService Plus to retrieve the data from all the Domain Controllers.
• When the password policy is not set (i.e., Max Password Age is set to zero), the Password Expired Users report and Soon to Password Expiry users report will not show any data.

Questions

2. AD Reports shows an object that do not exist in the Active Directory?

This mismatch could occur when the data is not synchronized with the Active Directory. The data synchronization with the Active Directory happens everyday at 1.00 hrs. If ADSelfService Plus is not running at that time, you can initiate the data synchronization manually by clicking the refresh [ ] icon of that domain from the Domain Settings.

Questions

Back to Modules

Troubleshooting GINA

1. I receive the error message: "Initiating Connection to Remote Service. Failed". Why?

2. I receive the error message: "Network path not found/Invalid Credential". Why?

3. I receive the error message: "The network path was not found". Why?.

4. Couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?

5. Couldn't connect to the Client Machine, ADMIN$. Access is denied.

6. Logon Failure: The target account name is incorrect.

7. Logon failure: unknown user name or bad password.

8. Another installation is already in progress.

9. Couldn't start remote service. Overlapped I/O operation is in progress.

10. Operation Failed: Unsupported OS

11. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Couldn't copy PAExec to the machine."

12. When I try to install the login agent from the ADSelfService Plus console on to a remote server, I get the following error: "PAExec service could not be installed/started on remote server."

13. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Object not found" or "0x80041002 (WBEM_E_NOT_FOUND)."

14. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

15. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Remote Procedure Call server is unavailable."

1. I receive the error message: "Initiating Connection to Remote Service. Failed". Why?

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.
• Make sure Remote Registry service is running in the client machine.

Questions

2. I receive the error message: "Network path not found/Invalid Credential". Why?

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

3. I receive the error message: "The network path was not found". Why?.

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

4. Couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?

Possible reason : Insufficient privileges to access the client machine.

Solution : Update the credentials provided in ADSelfService plus' "Domain Settings", if it is running as an application. If it is running as service, update the service account's credential from the "Logon" Tab by editing "Services.msc".

Questions

5. Couldn't connect to the Client Machine, ADMIN$. Access is denied.

Possible reason :Admin share might not be enabled.

Solution : Enable Admin share in the client computer and configure ADSelfService Plus domain settings using user credentials that has necessary permission to access the Admin share.

Step1 : Enable Admin Share

1. From the client computer, go to Start → Run and type gpedit.msc and hit enter
2. Expand the Administrative Templates → Network → Network Connections → Windows Firewall.
3. Click Domain Profile and double click Windows Firewall: Allow inbound remote administration exception.
4. Select Enabled and click OK.

Step2 : Update the domain settings in ADSelfService Plus with a user account that has permission to access the Admin share.

1. When ADSelfService Plus is running in console mode, update the credential provided under the "Domain Settings" of ADSelfService Plus.
2. When ADSelfService Plus is running as a service, update service account's credentials from the "Logon" Tab editing the properties of "Services.msc".

Questions

6. Logon Failure: The target account name is incorrect.

This error could occur if two computers have the same computer name. One computer is located in the child domain; the other computer is located in the parent domain.

Questions

7. Logon failure: unknown user name or bad password.

Reason : Admin share might not be enabled.

Solution : Configure Domain Settings (when run as a console) / Logon Tab (when run as a service) by providing an account with the appropriate administrative credentials

Questions

8. Another installation is already in progress.

Solution : Try to install after a few minutes.

Questions

9. Couldn't start remote service. Overlapped I/O operation is in progress.

Solution : Try enabling "Remote registry" and "Server" service on the client machine.

Questions

10. Operation Failed: Unsupported OS

Machine's OS is not supported for remote installation.

Questions

11. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Couldn't copy PAExec to the machine."

Cause: User account does not have sufficient privilege over the object.

Solution:

• Log in to ADSelfService Plus with the admin credentials.
• Click on the Domain Settings found at the right-top corner of the webpage.
• Under the Actions section, click on the Edit Domain Details button.
• Select Authentication, and provide the Domain Username and Domain Password of an account that has domain admin privileges.
• Click Save.

12. When I try to install the login agent from the ADSelfService Plus console on to a remote server, I get the following error: "PAExec service could not be installed/started on remote server."

Cause: PAExec is being blocked by the firewall or antivirus software.

Solution: Change your antivirus and firewall settings to allow the PAExec service.

When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Object not found" or "0x80041002 (WBEM_E_NOT_FOUND)."

Cause: The WMI repository may be corrupted.

Solution: To resolve the corruption of WMI repository, follow the steps in this link.

Work around:

1. Log in to the Windows Server machine using an administrator account.
2. Open Group Policy Management Console (GPMC) and right-click on the default domain policy within your domain.
3. In the Group Policy Management Editor window that opens, go to Computer Configuration → Policies → Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer → System → Group Policy. On the right pane, select Turn off Resultant Set of Policy logging.
4. Enable the Turn off Resultant Set of Policy logging to disable the Resultant Set of Policy (RSoP).

13. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

Cause 1: The login name or password provided for scanning is invalid in the workstation.

Solution: Check if the login name and password are entered correctly.

Cause 2: The user does not have remote access to the computer through the Distributed Component Object Model (DCOM).

Solution:

1. Log in to your system with admin credentials.
2. Go to Control Panel → Administrative Tools → Component Services, or type in DCOMCnfg.exe from the search bar, and click Enter to open the Component Services dialog box.
3. Expand Component Services in the Component Services dialog box. Then expand Computers, and right-click on My Computer. Click Properties.
4. Go to the COM Security tab in the My Computer Properties dialog box.
5. Select Edit Limits under Launch and Activation Permissions.
6. In the Launch and Activation Permission dialog box that opens, if your name or the group that you belong to does not appear in the groups or usernames list, click Add.
7. In the Select Users, Computers, or Groups dialog box that pops up, add your name and the group in the Enter the object names to select field. Click OK.
8. In the Launch and Activation Permission dialog box, select your user and group in the Group or user names box. Under the Permissions for user field, in the Allow column, select Remote Launch and Remote Activation. Click OK.

The user should now have remote access to the computer through DCOM.

Cause 3: DCOM may not be configured to allow a WMI connection.

Solution: If the DCOM in the machine is not configured to allow a WMI connection, then follow the below steps in the machine that needs to accept WMI connection.

1. Log in to your system with admin credentials.
2. Go to Control Panel → Administrative Tools → Component Services, or type in DCOMCnfg.exe from the search bar to open the Component Services dialog box.
3. Expand Component Services in the Component Services dialog box. Then expand Computers, and right-click My Computer. Click Properties.
4. Click the COM Security tab in the My Computer Properties dialog box.
5. Click Edit Limits, under the Access Permissions section.
6. The Access Permissions dialog box pops up. Under the Group or user names section, select Anonymous Logon. In the Permissions for user section, select Remote Access. Click OK.

Cause 4: The Remote DCOM option is disabled in the remote workstation.

Solution: Check if Remote DCOM is enabled in the remote workstation. If not, follow the steps below to enable it:

1. Select Start > Run.
2. Type DCOMCnfg.exe in the text box, and click OK.
3. Click on Component Services > Computers > My Computer.
4. Right-click and select Properties.
5. Select the Default Properties tab.
6. Check the box next to Enable Distributed COM in this machine.
7. Click OK.

Cause 5: The user account is invalid in the target machine.

Solution: Check if the user account is valid in the target machine by opening Command Prompt, and execute the following commands:

net use \<RemoteComputerName>C$ /u:<DomainNameUserName> "<password>"

net use \<RemoteComputerName>ADMIN$ /u:<DomainNameUserName> "<password>"

If these commands show any errors, the provided user account is not valid on the target machine.

Cause 6: The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the administrator group for this device machine.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a domain administrator) account.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a domain administrator) account.

Cause 7:A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2) when the default Windows firewall is enabled.

Solution: Disable the default Firewall in the Windows XP machine:

1. Select Start → Run
2. Type Firewall.cpl and click OK
3. In the General tab, click Off
4. Click OK

If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command in Command Prompt:

netsh firewall set service RemoteAdmin

After scanning, you can disable Remote Administration using the following command:

netsh firewall set service RemoteAdmin disable

Cause 8: WMI is not available in the remote Windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI components are not registered properly.

Solution: Install WMI in the remote workstation. Refer to these steps for help.

If the WMI Components are not registered, register the WMI DLL files by executing the following command in the command prompt: winmgmt /RegServer

Cause 9: There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI Repository in that workstation could have failed.

Solution:

Restart the WMI service in the remote workstation:

1. Select Start → Run
2. Type Services.msc and click OK
3. In the Services window that opens, select Windows Management Instrumentation service.
4. Right-click and select Restart

14. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Remote Procedure Call server is unavailable."

Cause: The Remote Procedure Call (RPC) port of the machine is blocked by the firewall.

Solution: Change the setting in your firewall to allow RPC ports.

15. When I try to install the login agent from ADSelfService Plus console, I get the following error with code 80041010 in Windows Server 2003, "Fatal error occurred."

Cause: The Win32_Product class is not installed in Windows 2003 Server by default.

Solution: To add the Win32_Product class, follow the steps below:

1. In Add or Remove Programs, select Add/Remove Windows Components.
2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and click OK.
4. Click Next.

Back to Modules

When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

Troubleshooting Mac Login Agent

1. Connection timed out.

2. Connection refused.

3. The network path was not found.

4. Logon failure: Unknown user name or bad password.

5. Permission denied

6. Invalid service account credentials

7. Insufficient privileges to the service account.

8. No authentication details found for the domain

1. Connection timed out.

Possible cause : The macOS client, in which you are trying to install the login agent, is shut down or not connected to the domain network.

Solution :

• Start the client and make sure that it is connected to the domain network. Check the connection by pinging the macOS client from the ADSelfService Plus server. Once you're sure there is a connection, try installing the login agent again.
• If connection to the mac client is fine, then check the mac's integration with AD.

Questions

2. Connection refused.

• Open the Mac client. Go to Preferences → Sharing and check if Remote Login is enabled.
• Check if the user account provided in the "Domain Settings" has Remote Login access enabled.

Questions

3. The network path was not found.

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

4. Logon Failure: Unknown user name or bad password.

• Incorrect user name or password for the service account.
• Also, go to Directory Editor in the Directory Utility and check if the Active Directory node can be connected using the user credentials provided in the "Domain Settings".

Questions

5. Permission denied

Possible reason :Service account does not have the required administrative privileges over the targeted macOS client.

Solution : Provide admin privilege to the service account by following the steps below :

1. In the targeted macOS client, go to System Preferences → Users & Groups → Login Options → Edit → Open Directory Utility.
2. In the Service tab, click the Adminstrative section.
3. Select the Allow Administration by checkbox, and include the service account used to run the ADSelfService Plus server.
4. OK.
5. Verify the macOS client's integration with AD.
   • Go to Directory Utility → Directory Editor → <Your Active Directory node>.If the connection is successful, you will be able to see the AD objects.
   • If the connection to the AD node fails, try pinging the Domain Controller (DC) from the macOS client.
   • If the DC is reachable and the problem persists, unbind it and try re-binding the macOS client with AD.

Questions

6. Invalid service account credentials

Possible cause : Invalid or expired service account credentials in the Domain Settings.

Solution : Update the correct service account credentials. Also, verify the macOS client's integration with AD.

Questions

7. Insufficient privileges to the service account.

Possible cause : Service account does not have the required root privilege to perform remote installation of package over the targeted macOS client.

Solution : Provide root privilege to the service account by following the steps below:

• Go to the Terminal window → execute the command sudo visudo and navigate to #User privilege specification section.
• Make sure the targeted account has root privileges, i.e., <username> ALL=(ALL) ALL.

Questions

8. No authentication details found for the domain.

Possible cause : Insufficient privileges for the service account in the Domain Settings of ADSelfService Plus.

Solution : Provide the domain user credentials with admin privileges.

Questions

Back to Modules

Troubleshooting Linux login agent

1. Connection timed out.

2. Connection refused.

3. The network path was not found.

4. Permission denied / Insufficient privileges to the service account.

5. Invalid service account credentials

6. No authentication details found for the domain

7. Operation failed while setting up dependencies.

1. Connection timed out.

Possible cause : The Linux machine, in which you are trying to install the login agent, is shut down or not connected to the domain network.

Solution :

• Start the client and make sure that it is connected to the domain network. Check the connection by pinging the linux machine from the ADSelfService Plus server. Once you're sure there is a connection, try installing the login agent again.
• If connection to the linux machine is fine, then check the linux's integration with AD.

Questions

2. Connection refused.

Possible cause : SSH server software is not active in the Linux client.

Solution : Make sure SSHD service is installed and active in the Linux client.

Questions

3. The network path was not found.

This error could occur if the target computer could not be contacted.

• Ensure if such a computer really exists. If so, ensure whether it is connected to the network.
• To check for connectivity, ping this computer from the server where ADSelfService Plus has been installed.

Questions

4. Permission denied / Insufficient privileges to the service account.

Possible cause : Service account configured in ADSelfService Plus does not have the required root privilege over the targeted Linux client.

Solution : Provide root privilege to the service account by following the steps below :

• Go to the Terminal window → execute the command sudo visudo and navigate to #User privilege specification section.
• Make sure the targeted account has root privileges, i.e., <username> ALL=(ALL) ALL.

Questions

5. Invalid service account credentials

Possible cause : Invalid or expired service account credentials in the Domain Settings.

Solution : Update the correct service account credentials in the Domain Settings.

Questions

6. No authentication details found for the domain.

Possible cause : Insufficient privileges for the service account in the Domain Settings of ADSelfService Plus.

Solution : Provide the domain user credentials with admin privileges.

Questions

7. Operation failed while setting up dependencies.

Possible cause :

• Poor network connection.
• Insufficient download permission.

Solution : Provide the domain user credentials with admin privileges.

• Check network connectivity in the Linux client. If the network connection is good, check if the Linux package manager can contact the repository. If you can contact the repository, you can re-install the Linux login agent from the ADSelfService Plus admin console.
• The lightdm-webkit2-greeter package might not be installed due to insufficient file download permission from opensuse.org.

Questions

Back to Modules

Troubleshooting Push Notification

1. ERROR_CODE:70050A, ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF
2. ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF

1. ERROR_CODE:70050A, ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF.

These errors occur due to an invalid push notification certificate or problems in the push server side. Please contact ADSelfService Plus support team at support@adselfserviceplus.com for resolution.

2. ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF.

This error will appear if you don't have the necessary ports and IP/Host addresses opened in your Firewall setup.

• Open the following ports in your firewall setup so that ADSelfService Plus web server can communicate with the push servers of Apple and Google:
  • For Apple Server : 5223, 2195, 2196, 443
  • For Google Server : 5228, 5229, and 5230 , 80/443
• Additionally, you must grant access to the following IP/Host addresses:
  • For Apple Server : gateway.push.apple.com and feedback.push.apple.com
  • For Google Server : All outbound IPs with port 80/443 or simply open the Google ASN IPs.
  Note : If your organization's policy does not allow unblocking the above IPs, route the requests to these IPs through a proxy server subject as per your organization policy. When you use a proxy server, do not forget to configure the Proxy Settings in the product.

Error codes

Back to Modules

Troubleshooting SMS Server Settings and SSLHandshakeException

Description : This exception occurs when you configure a SMTP mail server or a web server with SSL in ADSelfService Plus, and the server uses a self-signed certificate. The Java Runtime Environment used in ADSelfService Plus will not trust self-signed certificates unless it is explicitly imported.

Solution : You need to import the self-signed certificates used by the server in the JRE package used by ADSelfService Plus. Follow the steps given below:

Step 1: Download the certificate

• For SMTP servers :
  
  Note : To download the certificate used by SMTP server, you must have OpenSSL installed. You can download it from here .
  • Open the command prompt and change to the bin folder in the OpenSSL installed location.
  • Now run the following command
  • openssl.exe s_client -connect SMTPServer:Portno -starttls smtp > certificatename.cer
  • For example, openssl.exe s_client -connect smtp.gmail.com:587 -starttls smtp > gmailcert.cer
• For Web Servers :
  • Open the web URL in a browser.
  • Click the padlock icon on the address bar.
  • Click More Information. This opens the Certificate Viewer window showing the certificate used by that web server.
  • Click View Certificate.
  • When the Certificate window showing Certificate Information Authority opens, click the Details tab.
  • Click Copy to File.
  • In the Certificate Export Wizard that opens, click Next.
  • Select the format as DRE encoded binary X.509 (.CER) and click Next.
  • Enter the path where you wish to save the file and click Finish.

Step 2: Import the certificates in JRE package of ADSelfService Plus

• Open a command prompt and change to the \jre\bin folder. For example: C:\ManageEngine\ADSelfService Plus\jre\bin
• Run the following command
• Keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file
• For example: Keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\smtpcert.cer
• Enter changeit when prompted for a password
• Enter y when prompted Yes or No
• Close the command prompt and restart ADSelfService Plus.

Back to Modules

SAML Authentication - Invalid Certificate

Description : This error may appear when you have configured SAML Authentication in ADSelfService Plus with an invalid X.509 certificate from the identity provider. The certificate is deemed invalid due to one of the following reasons:

• Certificate has expired.
• Certificate's start of validity date is yet to come.
• You've chosen a different certificate such as a SSL root certificate.
• The certificate content is not in PEM format.

Solution : Please download the current X.509 certificate from your identity provider again and upload it in ADSelfService Plus.

Back to Modules

Troubleshooting SAP Netweaver

1. Incompatible API files. Please make sure you're using SAP Java Connector 3.0 version of the API files.

2. The destination system is unreachable.

1. Incompatible API files. Please make sure you're using SAP Java Connector 3.0 version of the API files.

Possible cause : SAP Java Connector missed to place under <ADSelfService Installation Dir>/lib location or connector version is not satisfied.

Solution :

• Make sure SAP Java connector [sapjco3.dll,sapjco3.jar] placed under <ADSelfService Installation Dir>/lib location.
• Make sure SAP Java connection version is greater than 3.0.
• If Java Connector 3.1 is being used, Make sure Visual Studio 2013 C/C++ runtime libraries installed in the machine where ADSelfService Plus is being installed.
• If Java Connector 3.0 is being used, Make sure Microsoft Visual Studio 2005 C/C++ runtime libraries installed in the machine where ADSelfService Plus is being installed.

2. The destination system is unreachable.

Possible cause : SAP Server is not reachable due to network issue.

Solution :

• Make sure SAP Server host address is reachable from the ADSelfService Plus server installed machine.
• Make sure SAP Server port is allowed in the firewall.

Back to Modules

MFA for Endpoints

1. Issue in MFA for VPN login

If MFA for VPN login is not working, do the following:

• Check the NPS extension logs in the RADIUS server where you have installed it. By default, they can be found at C:\Program Files\ManageEngine\ADSelfService Plus NPS Extension\NpsExtension.log. Based on the error, try the solutions given below:
• Connectivity issues
• Make sure the ADSelfService Plus is reachable from the NPS (RADIUS) server.
• If you are using an untrusted certificate in ADSelfService Plus, add it to the Trusted Root Certification Authorities list in the NPS server.
• API Authorization failed
• Make sure the time in both the ADSelfService Plus server and the NPS server are correct as per their time zone.
• If you can’t find any issues from the NPS extension logs, check the NPS server’s event logs using the Event Viewer for RADIUS authentication-related logs.

2. If VPN MFA is not working as expected after setting up the NPS extension, you should:

• Analyze the NPS extensions logs (Default location: C:\Program Files\ManageEngine\ADSelfService Plus NPS Extension\NpsExtension.log) for the following possible error messages:
• httpErrCode: XXXX
• httpErrorCode: 12002: The ADSelfService Plus server is not reachable from the NPS server.
• Fix: Check if the ADSelfService Plus server is reachable from NPS server. If the ADSelfService Plus server is unreachable, ensure that the server has been correctly configured in the registry at HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension. Ensure the following values are configured correctly:
1. ServerName: The HostName or IP address of the ADSelfService Plus server.
2. ServerPortNo: TCP Port number for the ADSelfService Plus server.
3. ServerContextPath: The ADSelfService Plus server context (if changed).
• httpErrorCode: 12175: ADSelfService Plus server's certificate is not trusted by the NPS server.
• Fix: If ADSelfService Plus's server certificate is not trusted by the NPS server, open certmgr.exe and add the CA certificate that is used to sign ADSelfService Plus server's domain certificate to the Trusted Root Certification Authorities for the local machine and not only the current user.
• Access denied due to MFA API authorization failure
• Issue: ADSelfService Plus server fails to authorize the NPS extension during MFA.
• Possible causes:
• Cause 1: The system time of the the NPS server or the ADSelfService Plus server is not valid or servers' times differ by more than two minutes and therefore not in sync.
1. Fix: Update the correct time.
• Cause 2: The secret key shared for authorizing the NPS extension might be invalid. To make sure of this, retrieve the actual secret key and compare it with the key in the registry.
1. Fix: Download the NPS extension again, extract it and open the .PS1 script and retrieve the secret key.
2. Manually update the secret key in the registry or update it using the command <...\AdsspNpsExtension> .\setupNpsExtension.ps1 update
• Denying access for user as per MFA server
• Issue: ADSelfService Plus server denies access to the user and hence the user cannot log into the VPN provider.
• Possible cause: The user is invalid or is not enrolled for MFA in ADSelfService Plus .
• Fix:
• Ensure that the user is a valid user in one of the domains configured at ADSSP.
• Ensure that the user is enrolled for the VPN MFA factors configured.
• If logins without MFA has to be permitted for first time users or not enrolled users, enable the Skip MFA when the user is not enrolled for the required authenticators under Advance MFA settings
• preValidate - result: 0
• Issue: The pre-validation condition for invoking MFA is false and hence the NPS extension does not invoke MFA.
• Possible reasons:
• The Registry property MfaStatus is set to false. Admin might have downloaded the NPS extension from ADSelfService Plus before enabling VPN MFA.
1. Fix: Update the MfaStatus to true at registry.
• The admin might have configured CRPolicies or NetworkPolicies whose conditions may not have been met.
1. Fix: Change the CRPolicies or NetworkPolicies to ones that include the necessary users.
• Empty or No challenge from user
• Issue: The NPS extension is unable to read the OTP/TOTP from the RADIUS request.
• Possible cause: RADIUS authentication protocol used between RADIUS client (VPN, Netscaler server, or other) and the NPS server might be MS-CHAPv2 or EAP or other unsupported protocols.
• Fix:
• Change RADIUS authentication protocol to PAP as only this protocol supports challenge-based authenticators.
• Ensure that the RADIUS client sets the OTP or TOTP in the User-Password attribute of the RADIUS request.

• If NPS extension logs do not show any errors, check if any of the following issues are present:
• Issue: RADIUS or NPS configuration issue.
• Fix: Check Event viewer (Custom views → Network policy and access server role) for RADIUS authentication related logs.
• Issue: The RADIUS client (VPN or other endpoint server) halts the MFA before it begins.
• Fix:
• Make sure the RADIUS authentication timeout settings, if any, at the RADIUS client (VPN server, or any RADIUS clients) and the RADIUS server (NPS) is greater than VPN MFA session time value configure in ADSelfService Plus.
• Refer this document for enabling Keep the VPN MFA session valid for __ minutes option under VPN Login MFA.
• Every RADIUS client (VPN server or other) will have specific timeout settings which must be configured properly for MFA (especially challenge based authenticators) to work. Set the correct time value in the RADIUS client. For example, when Fortinet is used the set remoteauthtimeout <num_of_secs>s command will keep a RADIUS request valid for the seconds mentioned.

Back to Modules