Troubleshooting Password Sync Agent Issues
The ADSelfService Plus Password Sync Agent syncs native password changes (a password change made from the Ctrl+Alt+Del screen, or a password reset performed in the Active Directory Users and Computers console) to the enterprise applications that have been integrated for password synchronization.
This article explains how to troubleshoot issues you may encounter while using the Password Sync Agent. They fall into three groups:
Errors that may appear when installing the Password Sync Agent
1. Please install the Password Sync Agent with administrative privileges.
Possible cause: The user attempting to install the Password Sync Agent does not have the required privileges.
Solution: Run ManageEnginePasswordSyncAgent.msi elevated. Windows does not offer Run as administrator in the context menu of .msi files by default, so open Command Prompt as administrator, change to the folder that contains the MSI and run msiexec /i ManageEnginePasswordSyncAgent.msi.
Note: The built-in Administrator account can also run the MSI by double-clicking it. Any other account must be a member of the local Administrators group to pass the UAC prompt; a standard user cannot complete the installation.
2. The domain controller is not authorized by ADSelfService Plus.
Possible cause: The domain controller on which the Password Sync Agent needs to be installed is not included in the list of configured domains in ADSelfService Plus.
Solution: Ensure that the domain controller on which you are trying to install the Password Sync Agent is added to the ADSelfService Plus DC list. For information regarding domain configuration, click here.
3. Replay attack, or earlier request, or invalid time setting in the agent.
Possible cause: The clock of the domain controller on which the Password Sync Agent is being installed and the clock of the ADSelfService Plus server disagree. The error name reflects the server's replay protection: requests whose time is too far from the server's own clock are rejected, so a skewed clock looks to the server like a replayed or stale request.
Solution: Synchronize both machines to the same time source (in a domain, the normal hierarchy ends at the PDC emulator). Run w32tm /query /status on each machine to see which source it is actually using and when it last synchronized, then correct the one that is off and retry the installation.
4. Unable to contact the server or an internal error occurred.
Possible cause: The values entered for the protocol, hostname, and port number during the Password Sync Agent installation are incorrect or have become invalid.
Solution:
- Check the accessibility of the ADSelfService Plus portal from the machine where this error is received. If it is not accessible, check the network connection between ADSelfService Plus server and this machine.
- To check that the ADSelfService Plus server is reachable, ping it by name or IP address from the domain controller on which the agent is installed. A successful ping confirms name resolution and basic routing; a failed ping is only suggestive, because many networks block ICMP.
- To check that the port is open, run telnet <adssp-server-name> <adssp-port-number> in a command prompt on that domain controller. The Telnet Client feature is not installed by default on Windows Server; Test-NetConnection -ComputerName <adssp-server-name> -Port <adssp-port-number> in PowerShell performs the same test without it. If the connection cannot be opened, check the firewall on the ADSelfService Plus server and any device filtering traffic between the two hosts.
- Rerun the installer with the current protocol, host name and port of the ADSelfService Plus server. Refer to these steps to install the agent.
5. Access key verification failed.
Possible cause: The access key entered does not match the one configured in ADSelfService Plus, either because it was mistyped or because the key was regenerated on the server after the agent was installed.
Solution: Enter the key currently configured in ADSelfService Plus. Regenerating the key invalidates it for every installed agent, so each agent has to be updated with the new key. Treat the key as a secret: it is what identifies a legitimate agent to the server.
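The checks behind installation errors 3 and 4 (clock skew and reachability) can be scripted. The following PowerShell function is an added example and is not part of the ADSelfService Plus documentation or product; the host name, port and protocol it uses are placeholders for the values you will enter in the installer, and the 60-second skew threshold is a conservative guess, not the agent's documented tolerance.

```powershell
# Added example, not part of the ADSelfService Plus documentation or product.
# Pre-installation checks for the Password Sync Agent, run from an elevated
# PowerShell session on the domain controller that will host the agent.
# Assumptions: $Server, $Port and $Protocol are placeholders for the values you
# will type into the installer; $MaxSkewSeconds is a conservative guess.
function Test-AdsspReachability {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [ValidateSet('http', 'https')] [string] $Protocol = 'https',
        [int] $MaxSkewSeconds = 60
    )
    $result = [ordered]@{ TcpOpen = $false; HttpStatus = $null; TlsTrusted = $null; SkewSeconds = $null; Notes = @() }

    # 1. Port connectivity: the modern equivalent of "telnet <server> <port>",
    #    which needs the Telnet Client feature that most DCs do not have.
    $tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    $result.TcpOpen = [bool]$tcp.TcpTestSucceeded
    if (-not $result.TcpOpen) {
        $result.Notes += "TCP $Port closed or filtered; check the server firewall and any ACLs between the DC and the server."
        return [pscustomobject]$result
    }

    # 2. One HTTP(S) request to the portal root. Its Date response header carries
    #    the server's clock, so the same request also measures clock skew, the
    #    cause of "Replay attack, or earlier request, or invalid time setting".
    [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
    $request = [Net.WebRequest]::Create("${Protocol}://${Server}:${Port}/")
    $request.Timeout = 10000
    $response = $null
    try {
        $response = $request.GetResponse()
        if ($Protocol -eq 'https') { $result.TlsTrusted = $true }
    } catch [Net.WebException] {
        if ($_.Exception.Status -eq [Net.WebExceptionStatus]::TrustFailure) {
            # Do not work around this by disabling certificate validation: import
            # the certificate's issuing CA into the DC's Trusted Root store, or fix
            # the name on the certificate.
            $result.TlsTrusted = $false
            $result.Notes += 'TLS handshake failed: the DC does not trust the portal certificate (untrusted issuer or name mismatch).'
            return [pscustomobject]$result
        }
        # An HTTP error status (e.g. 404 on the root path) still carries headers.
        $response = $_.Exception.Response
        if (-not $response) {
            $result.Notes += "Request failed: $($_.Exception.Status) - $($_.Exception.Message)"
            return [pscustomobject]$result
        }
        if ($Protocol -eq 'https') { $result.TlsTrusted = $true }
    }
    $result.HttpStatus = [int]$response.StatusCode

    $serverDate = $response.Headers['Date']   # RFC 1123 date, one-second resolution
    $response.Close()
    if ($serverDate) {
        $skew = ([DateTimeOffset]::UtcNow - [DateTimeOffset]::Parse($serverDate)).TotalSeconds
        $result.SkewSeconds = [math]::Round($skew, 1)   # positive: this DC is ahead of the server
        if ([math]::Abs($skew) -gt $MaxSkewSeconds) {
            $result.Notes += "Clock skew of $([math]::Round($skew)) s exceeds $MaxSkewSeconds s; point both machines at the same time source (w32tm /query /status shows the current one)."
        }
    } else {
        $result.Notes += 'No Date header returned; check clock skew manually with w32tm.'
    }
    return [pscustomobject]$result
}

# Example run with placeholder values (assumption: adjust to your deployment).
Test-AdsspReachability -Server 'adssp.corp.example' -Port 9251 -Protocol https | Format-List
```

Run it before starting the installer. TcpOpen False points at a firewall or routing problem; TlsTrusted False means the domain controller does not trust the portal's certificate, which is fixed by importing the issuing CA into the machine's Trusted Root Certification Authorities store, not by switching the agent to HTTP; a large SkewSeconds value is the condition behind installation error 3.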
Errors that might occur while editing settings from the Password Sync Agent Tray App icon
Below is the list of errors that may appear when editing the settings by clicking on the Password Sync Agent tray app icon.
1. The domain controller is not authorized by ADSelfService Plus.
Possible cause: The domain controller on which the Password Sync Agent is installed is not included in the list of configured domains in ADSelfService Plus.
Solution: Ensure that the domain controller on which the Password Sync Agent is installed is added to the ADSelfService Plus DC list. For information regarding domain configuration, click here.
2. Replay attack, or earlier request, or invalid time setting in the agent.
Possible cause: The clock of the domain controller on which the Password Sync Agent is installed and the clock of the ADSelfService Plus server disagree, so the server treats the agent's requests as replayed or stale.
Solution: Synchronize both machines to the same time source (w32tm /query /status shows the source each machine is using), then save the settings again.
3. Cannot contact server. Please try again later.
Possible cause: The values entered for the protocol, hostname and port number are incorrect or have become invalid.
Solution:
- Check the accessibility of the ADSelfService Plus portal from the machine on which this error has been received. If it is not accessible, check the network connection between ADSelfService Plus server and this machine. For information regarding the steps to follow to check the accessibility of the ADSelfService Plus server, click here.
- Enter the current protocol, host name or IP address, and port of the ADSelfService Plus server in the Edit Settings pop-up.
4. Access key verification failed.
Possible cause: The access key entered does not match the one configured in ADSelfService Plus, either because it was mistyped or because the key was regenerated on the server.
Solution: Enter the key currently configured in ADSelfService Plus. If the key was regenerated, every installed agent must be updated with the new key through Edit Settings.
5. Access denied. Administrator privilege required for this operation.
Possible cause: The settings are being edited by an account without administrative privileges.
By default, only admins have the privilege to edit the settings. However, if any other user wishes to modify the settings, the user can do so by following the steps mentioned below:
Other possible error cases
- If the Password Sync Agent is not working.
- If the Password Policy Enforcer/Have I Been Pwned is not working.
- The ADSelfService Plus server could not be contacted or is unreachable, although ADSelfService Plus is accessible in a web browser on that domain controller.
- Native password resets are not being audited in the Reset Password Audit Report.
- The Password Sync Agent sends a burst of old reset/change password requests when the ManageEnginePasswordSyncAgent service is started.
- Sync Agent services fail to start after a server reboot even though their startup type is Automatic or Automatic (Delayed Start), but they start normally when started manually.
Case 1: The Password Sync Agent is not working.
- Check that the ManageEngine - Password Sync Agent and Message Queuing services are running: open Services Manager (Start > Run > services.msc) and confirm that both services show the status Running. The agent queues password events through Message Queuing, so it cannot work while that service is stopped.
- Check the ADSelfService Plus server reachability from the domain controller on which the agent is installed. You can find the steps here.
Case 2: The Password Policy Enforcer or Have I Been Pwned check is not working.
- Check that the ManageEngine - Password Sync Agent and Message Queuing services are running: open Services Manager (Start > Run > services.msc) and confirm that both services show the status Running.
- Check the accessibility of the ADSelfService Plus server from the DC on which the agent is installed. For information regarding the steps to follow to check the accessibility of the ADSelfService Plus server, click here.
- If the Password Policy Enforcer or Have I Been Pwned settings in the ADSelfService Plus portal were configured after the sync agent was installed, update the ADSelfService Plus server details in the agent using the Edit Settings option so that the agent picks up the new configuration.
Case 3: The ADSelfService Plus server could not be contacted or is unreachable, although ADSelfService Plus is accessible in a web browser on that domain controller.
Solution 1:
Solution 2:
Check whether a proxy server sits between the domain controller and the ADSelfService Plus server. If so, configure it in Internet Options (inetcpl.cpl > Connections > LAN settings), because the Password Sync Agent uses the WinINET proxy settings that were historically exposed through Internet Explorer. These settings are stored per user, so they must be set for the account the agent service runs under, not only for your own interactive session; a browser that works under your login proves nothing about the service's proxy configuration.
Case 4: Native password resets are not being audited in the Reset Password Audit Report.
Solution 1:
- Check whether the service log contains a Sending data to log entry for the native password reset in question. If it does not, the agent never recorded the reset and the problem is on the domain controller, not on the server.
Location of service log:
- In 64-bit systems - C:\Program Files (x86)\ZOHO Corp\Password Sync Agent
- In 32-bit systems - C:\Program Files\ZOHO Corp\Password Sync Agent
- Then check whether an error was logged in the serverout log (<installation folder>\logs) for that reset.
- If the serverout log contains a No encryption key error, reconfigure the Password Sync Agent with the server name or IP address, port number and protocol (HTTPS/HTTP) used by ADSelfService Plus. This can be done by following the steps below:
- Right-click the Password Sync Agent icon on the system tray and select Edit Settings.
- The Edit Settings dialog box will open.
- Enter the Server Name/IP Address, Port Number, Protocol (HTTPS/HTTP), and Access Key.
- Click Save.
Solution 2: Reinstall the Password Sync Agent.
- On the domain controller on which the Password Sync Agent is installed, open Control Panel > Programs and Features, select Password Sync Agent and click Uninstall.
- Open Command Prompt as administrator and change to the folder that contains the Password Sync Agent MSI file (ManageEnginePasswordSyncAgent.msi).
- Run msiexec /i ManageEnginePasswordSyncAgent.msi and complete the installer with the current server name/IP address, port number, protocol and access key.
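The two log checks of Case 4 as an added PowerShell example, not taken from the ADSelfService Plus documentation or product. It assumes the install folder is one of the two paths listed above; because the page does not give the log file names, it treats every *.log and *.txt file in the install folder as the service log and every file named serverout* under logs\ as the serverout log.

```powershell
# Added example, not part of the ADSelfService Plus documentation or product.
# Searches the agent's logs for the two markers Case 4 asks you to look for.
# Assumptions: the install folder is one of the two paths given on the page;
# the log file names are not given there, so *.log/*.txt in the install folder
# are treated as the service log and logs\serverout* as the serverout log.
function Find-PsaLogMarkers {
    param(
        [string] $InstallDir = $(
            if (Test-Path "${env:ProgramFiles(x86)}\ZOHO Corp\Password Sync Agent") {
                "${env:ProgramFiles(x86)}\ZOHO Corp\Password Sync Agent"   # 64-bit Windows
            } else {
                "$env:ProgramFiles\ZOHO Corp\Password Sync Agent"          # 32-bit Windows
            }
        ),
        [int] $Context = 2   # lines of context to keep around each hit
    )
    if (-not (Test-Path $InstallDir)) { throw "Install folder not found: $InstallDir" }

    # -Include only applies when the path carries a wildcard (or -Recurse is used).
    $serviceLogs   = Get-ChildItem -Path (Join-Path $InstallDir '*') -File -Include *.log, *.txt -ErrorAction SilentlyContinue
    $serverOutLogs = Get-ChildItem -Path (Join-Path $InstallDir 'logs') -File -Filter 'serverout*' -ErrorAction SilentlyContinue

    # 1. Did the agent record the native reset at all? No "Sending data to log"
    #    entry means the problem is on the DC, not on the server.
    $sent  = $serviceLogs   | Select-String -SimpleMatch -Pattern 'Sending data to log' -Context $Context
    # 2. Did the server reject it for want of a key? "No encryption key" means the
    #    agent must be reconfigured through Edit Settings (Solution 1).
    $noKey = $serverOutLogs | Select-String -SimpleMatch -Pattern 'No encryption key'   -Context $Context

    $describe = { "$($_.Filename):$($_.LineNumber) $($_.Line.Trim())" }
    [pscustomobject]@{
        InstallDir       = $InstallDir
        ServiceLogsFound = @($serviceLogs).Count
        SendingDataHits  = @($sent).Count
        NoEncryptionKey  = @($noKey).Count
        LastSendingData  = ($sent  | Select-Object -Last 1 | ForEach-Object $describe)
        LastNoKey        = ($noKey | Select-Object -Last 1 | ForEach-Object $describe)
    }
}

# Usage (assumption: run on the DC that hosts the agent, after reproducing one native reset).
$r = Find-PsaLogMarkers
$r | Format-List
if ($r.SendingDataHits -eq 0) { 'No "Sending data to log" entry: the reset never reached the agent. Check the services (Case 1) before looking at the server.' }
if ($r.NoEncryptionKey -gt 0) { '"No encryption key" found: re-enter server name, port, protocol and access key via Edit Settings (Solution 1), then retest.' }
```

Reproduce a single native reset for a test account immediately before running it so the most recent hits correspond to a known event; LastSendingData and LastNoKey print the file name and line number of the newest match of each marker.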
Case 5: The Password Sync Agent sends a burst of old reset/change password requests when the ManageEnginePasswordSyncAgent service is started.
Possible cause: Password resets that happened while the ManageEngine Password Sync Agent service was down are still waiting in the message queue, and the agent processes the backlog as soon as it starts.
Note: The following solution is not recommended unless the situation is critical, because purged requests are lost and the corresponding password changes are never synced to the integrated applications.
Solution: Clear the queued messages before restarting the Password Sync Agent service on the domain controller. In Computer Management, under Services and Applications > Message Queuing, locate the agent's queue, expand Queue messages to see how many requests you are about to discard, then right-click the queue and select All Tasks > Purge. Once completed, start the ManageEngine Password Sync Agent service.
Case 6: Sync Agent services fail to start after a server reboot even though their startup type is Automatic or Automatic (Delayed Start), but they start normally when started manually.
Possible cause: The Service Control Manager waits 30 seconds by default for a service to report that it has started. If the agent takes longer than that during boot, the SCM logs a timeout (System event log, Service Control Manager event 7009, followed by event 7000 for the failed start) and gives up on the service.
Solution: Increase the SCM timeout in the registry. The value applies to every service on the machine, not just the agent:
- Go to Start > Run and type regedit.
- Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
- With the Control key selected, right-click in the right pane and choose New > DWORD (32-bit) Value.
- Name the new value ServicesPipeTimeout, right-click it and choose Modify.
- Select Decimal, enter 180000 (the value is in milliseconds, so this is 3 minutes) and click OK.
- Restart the computer.
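The service checks of Case 1 and Case 2 and the diagnosis and fix for Case 6 in one added PowerShell example, not taken from the ADSelfService Plus documentation or product. It assumes the service names MSMQ (the standard name behind the Message Queuing display name) and ManageEnginePasswordSyncAgent (the name used in Case 5 above), and it changes the registry only when the Service Control Manager has actually logged a timeout for the agent.

```powershell
# Added example, not part of the ADSelfService Plus documentation or product.
# Checks the two services the agent depends on (Case 1 and Case 2), looks for
# the Service Control Manager timeout events that confirm Case 6, and applies
# the ServicesPipeTimeout change only when that symptom is present.
# Assumptions: service names 'MSMQ' (Message Queuing) and
# 'ManageEnginePasswordSyncAgent' (from Case 5). Run elevated; the registry
# change takes effect after a reboot.
function Get-PsaServiceHealth {
    param([string[]] $ServiceName = @('MSMQ', 'ManageEnginePasswordSyncAgent'))
    foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            [pscustomobject]@{ Name = $name; Status = 'NotInstalled'; StartMode = $null; Account = $null }
            continue
        }
        # Win32_Service supplies the start mode and logon account, which
        # Get-Service does not show on Windows PowerShell 5.1.
        $wmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Name      = $svc.DisplayName
            Status    = $svc.Status
            StartMode = $wmi.StartMode
            Account   = $wmi.StartName
        }
    }
}

function Get-ScmTimeoutEvents {
    # Event 7009: the SCM gave up waiting for the service to connect (30000 ms by
    # default). Event 7000: the resulting start failure. Both name the service.
    param([string] $DisplayNamePattern = 'Password Sync Agent', [int] $Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Id           = 7000, 7009
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$DisplayNamePattern*" } |
        Select-Object TimeCreated, Id, Message
}

function Set-ScmPipeTimeout {
    # ServicesPipeTimeout is in milliseconds; 180000 = 3 minutes, the value the
    # page recommends. A larger existing value is left alone. The setting is
    # machine-wide: every service on the DC gets the longer grace period.
    param([int] $Milliseconds = 180000)
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $name = 'ServicesPipeTimeout'
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $current -and $current -ge $Milliseconds) {
        return "ServicesPipeTimeout already $current ms; nothing to do."
    }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Milliseconds -Force | Out-Null
    $was = if ($null -eq $current) { 'unset, default 30000' } else { $current }
    return "ServicesPipeTimeout set to $Milliseconds ms (was $was); reboot to apply."
}

# Usage (assumption: run on the DC that hosts the agent).
Get-PsaServiceHealth | Format-Table -AutoSize
$timeouts = Get-ScmTimeoutEvents
if ($timeouts) {
    $timeouts | Format-Table -Wrap
    Set-ScmPipeTimeout
} else {
    'No SCM timeout events for the agent in the last 7 days; Case 6 is unlikely, so leave the registry alone and check Cases 1 to 4.'
}
```

The first table answers Case 1 and Case 2 (both services must be Running, and a StartMode of Manual or Disabled explains a service that never comes back after a reboot). The event query confirms Case 6 before anything is changed; if it finds 7009/7000 events for the agent, the registry value is written and a reboot finishes the job.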