Troubleshooting tips
- IDSecurity agent
- Directory Sync
- Dynamic Groups
- Notification Templates
- Application Integration
- Connection
- Access Management
- Universal Directory management FAQs
- Microsoft Azure Active Directory
- Salesforce
- Session management
IDSecurity Agent
The following errors may arise with the IDSecurity Agent. Follow the solutions provided to resolve them:
1. IDSecurity Agent installed successfully, but MFA is not prompted
This error may occur due to various scenarios. Follow the steps outlined below to resolve the issue:
- Cause: Agent authorization failure. Check for the error codes IDS-4101, IDS-4102, and IDS-4103 in the installer log at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs to confirm the cause.
Solution: Reinstall the agent with the correct installation key. For Azure AD-joined devices, make sure that the Azure AD tenant is added to the Universal Directory.
- Cause: Missing or expired MFA license.
Solution: Please purchase the MFA and SSO license component in our store or renew the expired license by contacting sales@manageengine.com.
- Cause: MFA isn't enabled for Windows machines or in advanced settings.
Solution: Confirm that MFA is enabled for machines at Applications > Multi-factor Authentication > MFA for Endpoints > MFA for Windows machines, and for specific MFA scenarios in advanced settings located at Applications > Multi-factor Authentication > MFA for Endpoints > Advanced.
- Cause: The user lacks a valid Azure AD account within Identity360's Universal Directory.
Solution: Confirm that the user has a valid Azure AD account and is synced with the Universal Directory. You can do this by checking All Users in Identity360's admin portal under Universal Directory > All Users.
- Cause: Trust this device option enabled; user might have trusted the device.
Solution: To prevent users from trusting their device, either disable the option located at Applications > Multi-factor Authentication > Advanced > MFA Settings > Allow users to trust their machines or adjust the time for clearing trusted devices to enforce MFA.
- Cause: When you have enabled the Skip MFA for offline machines setting found at MFA for Endpoints > Advanced, users whose devices lack internet connectivity—and thus are unable to reach Identity360—will not be prompted for MFA.
Solution: Ensure a stable internet connection is available for user machines to reach Identity360.
2. Access is being denied for a user after installing IDSecurity Agent
This error may occur due to the following scenarios. Follow the steps outlined below to resolve the issue:
- Cause: Access is denied because the user either hasn't enrolled or is only partially enrolled to fulfill the configured MFA requirements, and the setting found at MFA for Endpoints > Advanced > Deny machine login for partially enrolled users is enabled.
Solution: Temporarily disable the setting to allow users to enroll promptly during Windows login and various activities—such as UAC, RDP, or unlocking Windows machines instantly—and then enable it again once enrollment is completed.
- Cause: When you have disabled the Skip MFA for offline machines setting found at MFA for Endpoints > Advanced, users whose devices lack internet connectivity and thus are unable to reach Identity360 will not be prompted for MFA.
Solution: Ensure a stable internet connection is available for user machines to reach the Identity360 portal.
3. A blank screen appears during the Windows MFA process
Cause:
- The Identity360 URL is not added as a trusted site in Internet Explorer.
- Cookies are not enabled in Internet Explorer on the user's system.
Solution:
- Follow the steps here to add the Identity360 URL to the list of trusted sites in Internet Explorer.
- Follow the steps here to enable cookies in Internet Explorer.
Listed below are the solutions for enabling cookies and adding the Identity360 URL to the trusted sites list in Internet Explorer.
Verify whether cookies are enabled in Internet Explorer on the user's system. If they are not, enable cookies by following the steps below:
- Download PsTools on the machine facing the issue.
- Open the Command Prompt and run the command psexec.exe -s -i "C:\Program Files (x86)\Internet Explorer\iexplore.exe".
- Internet Explorer will open. (Note: Internet Explorer is the only browser that supports the following troubleshooting, regardless of any other browsers installed on the user's system.)
- Go to Settings and select Internet options.
- In the Internet Options window, go to the Privacy tab. Under Settings, select the Advanced button.
- In the Advanced Privacy Settings window, select the Accept radio button under both First-party Cookies and Third-party Cookies.
- Select OK and close the Advanced Privacy Settings window.
- Click Sites under Settings in the Internet Options window.
- In the Per Site Privacy Actions window that opens, enter Identity360's URL (https://id360.manageengine.com/) in the Address of website field and click Allow.
- Press OK to close the Per Site Privacy Actions and Internet Options windows.
Solution: Add the Identity360 URL to the intranet/trusted sites list by following the steps below:
- Download PsTools on the machine facing the issue.
- Open the Command Prompt and run the command psexec.exe -s -i "C:\Program Files (x86)\Internet Explorer\iexplore.exe".
- The browser will open. Now go to Settings and select Internet options.
- In the Internet Options window, go to the Security tab and select Trusted sites in the Select a zone to view or change security settings field.
- Click Sites below the Select a zone to view or change security settings field to open the Trusted sites window.
- In the Trusted sites window, type in the URL of the Identity360 application in the Add this website to the zone field, then click Add.
These steps should ensure that there are no further issues in displaying the MFA prompt.
4. Troubleshooting error codes
The error codes listed below can be found within the log files located at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs. For logs related to agent installation, please refer to Installerlog.log, while for other logs, refer to IdsAgent-Common.log. If you require additional assistance with different error codes, kindly reach out to our support team.
Error code | Description | Resolution |
IDS-4000 | The user machine cannot reach the Identity360 portal. This code is logged when the IDSecurity Agent encounters an unexpected error. | Kindly reach out to the support team at identity360-support@manageengine.com, providing the IDSecurity Agent's logs located at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs, along with the timestamp of the error occurrence and any relevant screenshots. |
IDS-4101 | The user machine cannot reach the Identity360 portal. This code is logged when IDSecurity Agent authorization fails due to an invalid or old installation key being used after generating a new one. | Get the valid or updated installation key from the Identity360 portal at Applications > Multi-factor Authentication > Install IDSecurity Agent > Step 2, and attempt to reinstall the agent. |
IDS-4102 | The user machine cannot reach the Identity360 portal. This code is logged when MFA is bypassed due to an unexpected failure in API authorization with Identity360. | Please attempt to reinstall the agent. If the problem persists, please contact the support team at identity360-support@manageengine.com. Provide the IDSecurity Agent's logs located at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs, along with the timestamp of the error. |
IDS-4103 | The user machine cannot reach the Identity360 portal. You can locate this code in instances where the MFA is skipped due to a failure in agent authorization caused by the absence of the Azure AD Tenant from the directory list in Identity360. | Add the respective Azure AD Tenant in Identity360 under Universal Directory > Manage Directory > Add Directory, and try reinstalling the agent. |
IDS-4104 | The user machine cannot reach the Identity360 portal. This code may occur when MFA is bypassed due to an unexpected failure in verifying the user password through Windows APIs. | Kindly reach out to the support team at identity360-support@manageengine.com, providing the IDSecurity Agent's logs located at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs, along with the timestamp of the error. |
IDS-4105 | The user machine cannot reach the Identity360 portal. This code appears when the access token expires and authentication is bypassed. | Please reach out to the support team at identity360-support@manageengine.com, providing the IDSecurity Agent's logs located at C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs |
IDS-4106 | The user machine cannot reach the Identity360 portal. In such cases, user access would either be denied, or MFA would be bypassed depending on whether the setting found at MFA for Endpoints > Advanced > Skip MFA for offline machines is enabled or disabled. | Ensure a stable internet connection is available for user machines to reach the Identity360 portal. |
IDS-4107 | The user machine cannot reach the Identity360 portal. This code is logged when an attempt to establish a secure HTTPS connection with the Identity360 portal fails due to an SSL certificate issue. Or: This error code is triggered during agent installation if the device setup information is incorrect. | Please reach out to the support team at identity360-support@manageengine.com. Or: Please ensure that you install the agent on machines that run only the operating systems supported by the IDSecurity Agent as per this list. |
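The error-code table above can be turned into a quick triage pass over the agent logs. The following is an added example, not ManageEngine's own tooling: it counts each IDS code and separates the ones this page associates with MFA being bypassed, skipped or not prompted. The sample lines are constructed, and the only assumption about the log layout is that the code appears literally in the line.

```python
import re
from pathlib import Path

# Log location and file names as given on this page.
LOG_DIR = Path(r"C:\Program Files\ManageEngine\Identity360 Cloud IDSecurity Agent\logs")
LOG_FILES = ("Installerlog.log", "IdsAgent-Common.log")

# Effect on MFA, taken from this page's wording for each code:
#   "not_enforced" - the page says MFA/authentication is bypassed, skipped or not prompted
#   "depends"      - denied or bypassed, depending on "Skip MFA for offline machines"
#   "other"        - the page does not state the effect on MFA
CODES = {
    "IDS-4000": ("other", "unexpected agent error"),
    "IDS-4101": ("not_enforced", "invalid or old installation key"),
    "IDS-4102": ("not_enforced", "API authorization with Identity360 failed"),
    "IDS-4103": ("not_enforced", "Azure AD tenant missing from the directory list"),
    "IDS-4104": ("not_enforced", "password verification through Windows APIs failed"),
    "IDS-4105": ("not_enforced", "access token expired"),
    "IDS-4106": ("depends", "Identity360 portal unreachable"),
    "IDS-4107": ("other", "SSL certificate issue or incorrect device setup information"),
}
CODE_RE = re.compile(r"\bIDS-\d{4}\b")

# Constructed sample lines (timestamps and wording are made up for this example).
SAMPLE_LINES = [
    "2024-05-02 09:14:07 [ERROR] IDS-4101 agent authorization failed",
    "2024-05-02 09:20:11 [INFO] logon flow started",
    "2024-05-02 09:20:12 [ERROR] IDS-4106 portal not reachable",
    "2024-05-02 11:02:45 [ERROR] IDS-4106 portal not reachable",
    "2024-05-03 08:01:30 [ERROR] IDS-4107 TLS handshake failed",
    "2024-05-03 08:05:00 [ERROR] IDS-4999 something else",
]

def triage(lines):
    """Return {code: {effect, cause, count, first_line}} in order of first appearance."""
    found = {}
    for lineno, line in enumerate(lines, 1):
        for code in CODE_RE.findall(line):
            effect, cause = CODES.get(code, ("unknown", "not listed on this page"))
            entry = found.setdefault(
                code, {"effect": effect, "cause": cause, "count": 0, "first_line": lineno})
            entry["count"] += 1
    return found

def mfa_gap_codes(found):
    """Codes that mean a logon may have proceeded without MFA."""
    return sorted(c for c, e in found.items() if e["effect"] in ("not_enforced", "depends"))

if __name__ == "__main__":
    lines = []
    for name in LOG_FILES:
        path = LOG_DIR / name
        if path.is_file():
            lines += path.read_text(errors="replace").splitlines()
    found = triage(lines or SAMPLE_LINES)  # fall back to the constructed sample
    for code, e in found.items():
        print(f"{code} x{e['count']} first at input line {e['first_line']} "
              f"[{e['effect']}] {e['cause']}")
    print("Review for logons without MFA:", ", ".join(mfa_gap_codes(found)) or "none")
```

Codes reported under "Review for logons without MFA" are worth correlating with Windows logon events for the same timestamps before reinstalling the agent.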
Directory Sync
1. The Next Sync Time column (Universal Directory > Manage Directory > Applications) shows Fetching Data or Processing Data for an extended duration.
- Cause: This could be due to a large number of objects (i.e., Users, Groups, or Group Members) in the organization.
- Solution: The issue should resolve itself. If this persists for more than six hours, please contact support.
2. When you click the View History icon (Universal Directory > Manage Directory > Applications), the Sync Status column in the pop-up that appears shows a Failed status.
- Solution: Retry the sync. If it repeatedly fails, please contact support.
3. The user appears in the Other Directory Report section but does not show up in the All Users tab.
- Cause: The Enable importing of users to the Universal Directory and Automatically create a new user in the Universal Directory when it is found in your <App> domain options are not checked under Advanced > Sync Settings (To find the Advanced option, navigate to Directory Sync Settings > Settings icon > Sync Settings > User tab).
- Solution: Enable the above-mentioned options.
4. The Directory Sync is not triggered automatically and must be initiated manually each time.
- Cause: The Enable Scheduler option under Advanced > Sync Settings (Directory Sync Settings > Settings icon > Sync Settings) is not enabled.
- Solution: Enable the scheduler and set up the interval for the sync to run automatically in the background.
5. Users that have been deleted from your Azure account (or any specific application) are still visible in the All Users tab.
- Cause: The Automatically delete/disable the Universal Directory user if the user is deleted in your Azure Active Directory Domain option under Advanced > Sync Settings (Directory Sync Settings > Settings icon > User tab) is not enabled. (We've used Azure AD as an example. This can change according to the application you select.)
- Solution: Enable the above option and select the desired behavior (i.e., whether to delete or disable the Universal Directory user).
6. The All Users tab shows only a limited number of users.
- Cause: There are users that need review under the Directory Sync Settings > Review tab. Users are filtered under Directory Sync Settings > Settings icon > Sync Settings > User tab > Enable Advanced Filter to restrict the directory synchronizer based on specific criteria.
- Solution: If there are users that need review, choose the actions to be executed and proceed with the execution. If users are filtered using the Enable Advanced Filter to restrict the directory synchronizer based on specific criteria filter, those users meeting the criteria will be excluded from syncing to the Universal Directory. Disable this option to view all users.
7. Users are listed under Duplication Review under the Directory Sync Settings > Review section.
- Cause: More than one user might have the same value for the configured linking attribute.
- Solution: Review the linking attribute (located under Directory Sync Settings > Settings icon > Account Linking) to identify potential duplicate values. Ensure that each user has a unique value for this attribute, and resolve any instances where multiple users share a value.
8. Incorrect values are appearing in the Universal Directory tab > All Users section, such as the Last Name from the Azure account (or any specific application) being displayed as the First Name for the user.
- Cause: The mapping configuration (located under Directory Sync Settings > Settings icon > Attribute Mapping) is not mapped to your desired attribute.
- Solution: Review the mapping configuration to ensure that the attribute, such as First Name, is mapped to your desired attribute.
9. All users listed in the All Users tab are assigned to a single primary source.
- Cause: The primary source order or the primary source rules might have all users assigned to a single primary source.
- Solution: Verify the Directory Sync Settings > Primary Source Settings. Users are assigned a primary source either based on the primary source order or the primary source rules configured here.
10. The sync cannot be initiated automatically, and an error message appears when clicking the Sync Now button.
Dynamic Groups
1. Cannot delete a directory when it is configured in a dynamic group. <or> Unable to delete the directory while it is configured in a dynamic group.
- Cause: This directory is used in a criteria field in one of the Dynamic Groups.
- Solution: Remove the criteria from the corresponding dynamic group.
Notification Templates
1. Unable to delete the assigned templates
- Cause: The template you are trying to delete is used in an Orchestration Profile.
- Solution: Remove the template from the respective Orchestration Profile.
2. Module category cannot be modified as this template is currently in use.
- Cause: The template you are changing the Module field for is used in one or more Orchestration Profiles.
- Solution: Remove the template from the respective Orchestration Profile.
Application integration
1. Invalid file format.
- Cause: The selected file is not in XML format.
- Solution: Provide a valid file from the service provider.
2. Invalid or empty metadata configuration file.
- Cause: The uploaded metadata file is not a valid service provider metadata file.
- Solution: Provide a valid metadata file from the service provider.
3. JWKS possible error cases:
3.1. JWKS URL is not reachable. Please provide a valid URL.
3.2. Invalid JSON Web Key Set. Please provide a valid URL.
3.3. No keys were found in the JSON Web Key Set. Please provide a valid URL.
- Cause: The provided JWKS URL is invalid and when Identity360 attempts to reach it, an error occurs.
- Solution: Verify that the provided URL is a valid JWKS URL and is accessible.
4. Refresh token has expired. Please re-authenticate.
- Cause: The Connection provided might have been invalidated or could not be renewed.
- Solution: Either re-authenticate the same connection or create a new one to use.
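For the three JWKS error cases in item 3 above, the check below shows what "a valid JWKS URL" has to return, so the URL can be verified before it is entered in the portal. This is an added example, not Identity360's own validation: which condition triggers which message is an assumption, as are the HTTPS-only rule, the 1 MiB read cap and the constructed sample documents in the usage note.

```python
import http.client
import json
import urllib.request

# The three messages listed on this page.
ERR_UNREACHABLE = "JWKS URL is not reachable. Please provide a valid URL."
ERR_INVALID = "Invalid JSON Web Key Set. Please provide a valid URL."
ERR_NO_KEYS = "No keys were found in the JSON Web Key Set. Please provide a valid URL."

# Public members each key type must carry (RFC 7518, RFC 8037), and members
# that only occur in private or symmetric keys and should never be published.
REQUIRED = {"RSA": ("n", "e"), "EC": ("crv", "x", "y"), "OKP": ("crv", "x")}
SECRET_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}

def fetch(url, timeout=5):
    """Return the response body, or None when the URL cannot be fetched."""
    if not url.lower().startswith("https://"):  # assumption: HTTPS only
        return None
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(1 << 20)  # cap the read at 1 MiB
    except (OSError, ValueError, http.client.HTTPException):
        return None

def check_jwks(body):
    """Return (error_message_or_None, warnings) for a fetched JWKS body."""
    if body is None:
        return ERR_UNREACHABLE, []
    try:
        doc = json.loads(body)
    except ValueError:  # covers JSONDecodeError and undecodable bytes
        return ERR_INVALID, []
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):  # e.g. an HTML login page or a bare array
        return ERR_INVALID, []
    if not keys:
        return ERR_NO_KEYS, []
    warnings = []
    for i, key in enumerate(keys):
        if not isinstance(key, dict) or not isinstance(key.get("kty"), str):
            return ERR_INVALID, []
        if any(m not in key for m in REQUIRED.get(key["kty"], ())):
            return ERR_INVALID, []
        leaked = sorted(SECRET_MEMBERS & key.keys())
        if leaked:  # private key material published alongside the public key
            warnings.append(f"key {i} ({key.get('kid', 'no kid')}) exposes {leaked}")
    return None, warnings
```

Calling `check_jwks(fetch(url))` returns `(None, [])` for a usable key set; a non-empty warnings list means the endpoint is publishing private key material and the key should be rotated at the provider.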
Connection
1. Connection expired or invalid connection configuration.
- Cause: The connection has either expired or become invalid.
- Solution: Re-authenticate to resolve this issue.
2. OAuth application is blocked by Admin. Please unblock the application and try again.
- Cause: Connection failure occurs when the application blocks usage for Identity360.
- Solution: Ensure that the OAuth application used for connection is enabled for use by Identity360.
3. Authorization failed. Access permission request is denied by the user.
- Cause: When redirected to the target application, if the user is asked for authorization and denies the request, this error can result.
- Solution: Retry the action to resolve this issue.
4. Invalid API key.
- Cause: The provided API key is invalid.
- Solution: Ensure that a valid API key is provided.
Access Management
1. Unable to process the request.
2. Failed due to an internal server problem; please try again.
3. Unable to process the request; please try again.
- Cause: All the above cases occur due to internal server issues.
- Solution: Retry the action to resolve the issue.
Universal Directory management FAQs
1. Error during group creation: You cannot create a group since your account is not verified. Please complete the email verification process and try again.
- After registering and clicking Get Started in Identity360, a new organization is created with the current user as Org Admin. If the current user's email address is not verified through email verification or OTP verification in Zoho accounts (accounts.zoho.com), the user will not be able to create a group.
2. Error during user creation: The creation of user <display_name> has been completed successfully. However, this user will be categorized as an unlicensed user due to insufficient licenses. Please upgrade your plan to get more licenses.
- This means that the user creation in Universal Directory was successful, but you cannot perform any management actions on the newly created user because you have run out of licenses. Please consider purchasing more licenses.
3. Error during user creation: User creation failed.
- This indicates that an internal server error occurred on the Zoho Accounts (accounts.zoho.com) side. Please try again later. If the issue persists, contact support.
4. Error while performing a management action: Something went wrong. Please contact our support team to resolve the issue.
- This indicates that an internal server error occurred while processing the request, preventing the management action from being completed. Please try again later. If the issue persists, contact support.
5. Error while performing a management action: Action is yet to be executed
- This indicates that an internal server error occurred before processing the management action. Please try again later. If the issue persists, contact support.
6. Error while performing an update operation: Modifying Super Admin details is prohibited by technicians.
- This indicates that you are currently logged in as an admin and attempting to modify the user details of the Super Admin, which is not allowed. Please contact your Super Admin for assistance.
7. Error while performing an enable/disable operation: Super Admin is not allowed to perform this action on their user account.
- This indicates that when you are logged in as the Super Admin, you are not allowed to perform enable, disable, or delete operations on your own account.
8. Error while performing an enable/disable/delete operation: Admin is not allowed to perform this action on their user account.
- This indicates that when you are logged in as an Admin, you are not allowed to perform enable, disable, or delete operations on your own account. Please contact your Super Admin to perform these operations on your behalf.
9. Error when trying to update email address through update user: Super Admin's email cannot be updated.
- When you are logged in as the Super Admin, updating your own email address through Identity360 is currently restricted. Please go to the Zoho Accounts page (https://accounts.zoho.com) and click the Add Email Address button in the My Email Addresses section.
10. I have verified my account on the accounts page. But my account status is still displayed as unverified on the All Users page. Why?
- If you are an Admin or Org Admin, please wait for the sync process to trigger at regular intervals in Identity360 automatically. Alternatively, you can manually trigger Universal Directory Sync from the Manage Directory tab. Once the sync is completed, check the All Users tab for the updated User Invitation Status.
11. What happens to the other associated accounts when I perform management actions like enabling, disabling, or deleting by selecting users from the All Users tab?
- When performing a management action like enabling, disabling, or deleting from the All Users tab, the selected action will be initially performed on the user's primary source. Subsequently, the same action will be reflected in the Universal Directory if the user's primary source is not already the Universal Directory.
12. What happens when I perform actions like enabling, disabling, or deleting a user by selecting a directory other than the Universal Directory on the All User Details page?
- When executing an action within a directory other than Universal Directory, the action will first be executed within that directory. If the directory where the action is performed happens to be the user's primary source, the same action will be automatically triggered in the Universal Directory, thereby reflecting the change in both directories.
13. If the user creation operation is moved to the Jobs tab or if I navigate to another page, where should I look for the password for the newly created user?
- In this scenario, to access the password for the newly created user, click Jobs located in the top-right corner of the product. Then, select View Job Details for the respective job to view the user details, including the password.
Microsoft Azure Active Directory
1. The Application Client Secret has expired.
2. Connection expired or invalid connection configuration.
- Cause: The secret value of the application is wrongly configured or the secret key has expired.
- Solution:
- Select Manage Directory found at Universal Directory > Directory Integration.
- Under the Action column, click the edit icon beside the application for which you want to update the secret key.
- Fill in the value for the Application Secret Key and click Update to update the details.
Salesforce
1. Expired refresh token. Please re-authenticate
- Cause: The application connection has expired.
- Solution:
- Navigate to the Application tab and select Application Connection.
- Find the appropriate Salesforce Application Connection and click the refresh button.
- The connection will now be renewed.
- If the connection isn't renewed, you can re-authenticate by clicking the edit icon next to the respective Application Connection. Enter the Sub Domain value and click Authorize.
Session management
1. Maximum concurrent session limit has been reached.
Cause: The maximum concurrent sessions limit has been reached for a user, and they are prompted to terminate active sessions. If the user has logged in directly via the Identity360 portal, the following error message appears:
Solution: To resolve this error, the user should terminate the active sessions, and they can manually choose the sessions they want to close rather than terminating all of their sessions. To select the sessions that will be terminated, follow the below steps:
- Go to https://accounts.zoho.com/home#sessions/useractivesessions.
- Hover over the session that you want to close and click Terminate (refer to the image below).