Troubleshooting tips

Module list

• Domain settings
• Reports
• Password reset and account unlock
• Password sync for applications
• MFA
• Login errors
• Change Password
• Active directory self-update
• GINA (Windows)/macOS/Linux login agent
• Email, SMS, and push notification settings
• Just-in-Time (JIT) provisioning
• SSO

Domain settings

1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available." Why?

2. When I add my domains manually, the Domain Controllers are not resolved. Why?

3. When I add the Domain Controller, I get an error that reads, "The Servers are not operational". What does it mean?

4. When I add the Domain Controller, I get an error that reads, "Unable to get domain DNS/FLAT name." What does it mean?

5. The status column in the domain settings says that the user does not have Admin Privilege. What does it mean?

1. When I start ADSelfService Plus, none of my domains are discovered. It says "No Domain Configuration available." Why?

Cause: ADSelfService Plus, upon starting, discovers the domains from the DNS Server associated with the machine running the product. If no domain details are available in the DNS Server, it shows this message.

Solution: Add the domains manually using these steps.

Back to Domain Settings questions

2. When I add my domains manually, the Domain Controllers are not resolved. Why?

Cause: The DNS associated with the machine running ADSelfService Plus does not contain the necessary information. In such cases, you will need to add the Domain Controllers manually.

Solution: Add the Domain Controllers using these steps by specifying their DNS hostnames (specifying IP addresses will not work).

Back to Domain Settings questions

3. When I add the Domain Controller, I get an error that reads, "The Servers are not operational." What does it mean?

Cause: This error occurs when the specified Domain Controller is either invalid or not reachable due to network connectivity issues.

Solution: Ensure that your machine is connected to the network and try again.

Back to Domain Settings questions

4. When I add the Domain Controller, I get an error that reads, "Unable to get domain DNS/FLAT name." What does it mean?

Possible causes and solutions:

• Cause 1: The specified username or password is invalid.

Solution: Please ensure that the admin credentials are correct and try again.

• Cause 2: You are trying to add the DC anonymously (when no user name and password is provided).

Solution: Please enter valid admin credentials in the fields provided and try again.

• Cause 3: The IP address of the Domain Controller is specified instead of its name.

Solution: Please specify the DNS hostname of the Domain Controller and not its IP address, and try again.

Back to Domain Settings questions

5. The Status column in the domain settings says that the user does not have Admin Privileges. What does that mean?

Cause: This is a warning message to indicate that the specified user does not have administrator privileges i.e, the user is not a member of the Domain Admins group. Hence, permissions applicable to the administrator may not be available to this user.

Solution: Assign administrator privileges to the specified user or utilize an account with admin privileges.

Back to Domain Settings questions

Back to the Module list

Reports

1. When I specify the details and generate the report, it says "No result available" or "Incomplete data."
2. AD reports show an object that does not exist in Active Directory

1. When I specify the details and generate the report, it says "No result available" or "Incomplete data."

It could be because of either of these reasons:

• Cause 1: ADSelfService Plus could not contact the Domain Controller, as it is not operational or due to bad network connectivity.

Solution: Please ensure that your machine is connected to the network and try again.

• Cause 2: If your organization has multiple Domain Controllers, the data might not have been replicated in all the Domain Controllers.

Solution: The LastLogonTime attribute, which is used to determine the inactive users and computers, has not been replicated in all the Domain Controllers. You will need to specify all the Domain Controllers under Domain Settings to enable ADSelfService Plus to retrieve the data from all the Domain Controllers.

Note: When the password policy is not set (i.e., Max Password Age is set to zero), the Password Expired Users report and Soon to Expire Password report will not show any data.

Back to the Reports questions

2. AD reports show an object that does not exist in Active Directory.

Cause: This mismatch could occur when the data is not synchronized with Active Directory.

Solution: Data synchronization with Active Directory happens everyday at 01:00 hours. If ADSelfService Plus is not running at that time, you can initiate the data synchronization manually by clicking the refresh [ ] icon of that domain from the Domain Settings.

Back to the Reports questions

Back to the Module list

Password reset and account unlock

1. During the user password reset, I get the following error: "Error in setting the Password. The network path not found - Error Code: 80070035."
2. While user password reset, I get the following error: "Error in setting the Password. There is a naming violation - Error Code: 80072037."

1. During the user password reset, I get the following error: "Error in setting the Password. The network path not found - Error Code: 80070035."

Cause: The domain controller cannot be contacted while setting the user password. This situation may occur if:

• The DNS names linked to the machine running ADSelfService Plus do not correctly resolve to the respective Domain Controllers.
• The DNS names linked to the machine running ADSelfService Plus do not direct to the Domain Controller where the user account is being created (possibly due to both being in separate domains).

Solution: Please ensure that the DNS name linked to the machine running ADSelfService Plus points to the Domain Controller. If they are in separate domains, please link the DNS names and Domain Controllers manually by updating the hosts file.

Back to the Password Reset and Account Unlock questions

2. While user password reset, I get the following error: "Error in setting the Password. There is a naming violation - Error Code: 80072037."

Cause: The password contains some special characters that are not allowed.

Solution: Please ensure that the password follows the naming conventions enforced by your organization.

Back to the Password Reset and Account Unlock questions

Back to the Module list

Password sync for applications (errors arising during configuring or using synced applications)

• Error: The Oracle database's status is closed. Please open the database and try again.
• Troubleshooting SAP NetWeaver

Error: The Oracle Database's status is closed. Please open the database and try again.

Possible cause: This error occurs while configuring the Oracle Database or Oracle E-Business Suite. and is caused because the Oracle Database's status is closed, i.e., it is not visible to the resources that need to connect to it.

Solution: Open the Oracle Database using these steps:

1. Log into SQL Plus as a database administrator.
2. Run this command:
   • For multi-tenant architecture DB: alter pluggable database <db_name> open;
   • For non-multi-tenant architecture DB: alter database open;

Back to the Module list

Troubleshooting SAP NetWeaver

1. Incompatible API files. Please make sure you're using SAP Java Connector 3.0 version of the API files.
2. The destination system is unreachable.

1. Incompatible API files. Please make sure you're using SAP Java Connector 3.0 version of the API files.

Cause: The SAP Java Connector has not been placed under the<ADSelfService Installation Dir>/lib location.

Cause 2: An older version of the connector (older than version 3.0) is being used.

Solution:

• Make sure that the SAP Java connector (sapjco3.dll,sapjco3.jar) is placed in the <ADSelfService Installation Dir>/lib location.
• Make sure that the SAP Java connection version is greater than 3.0.
• If Java Connector 3.1 is being used, make sure that Visual Studio 2013 C/C++ runtime libraries have been installed in the machine where ADSelfService Plus is being installed.
• If Java Connector 3.0 is being used, make sure that Microsoft Visual Studio 2005 C/C++ runtime libraries have been installed in the machine where ADSelfService Plus is being installed.

Back to the SAP error list

2. The destination system is unreachable.

Cause: The SAP server is not reachable due to network issues.

Solution:

• Make sure that the SAP server host address is reachable from the ADSelfService Plus server.
• Make sure that the SAP server port is allowed in the firewall.

Back to the SAP error list

Back to the Module list

MFA

• SAML authentication
• Duo Security authentication
• MFA for endpoints
• FIDO Passkeys Authentication

SAML authentication

Error: Invalid Certificate

Cause: This error may appear when you have configured SAML Authentication in ADSelfService Plus with an invalid X.509 certificate from the identity provider. The certificate is deemed invalid due to one of the following reasons:

• The certificate has expired.
• The certificate's start-of-validity date is yet to come.
• You've chosen a different certificate such as an SSL root certificate.
• The certificate content is not in PEM format.

Solution: Please download the current X.509 certificate from your identity provider again and upload it in ADSelfService Plus.

Back to MFA questions

Duo Security authentication

1. Unable to connect/communicate with Duo Security. Please reach out to your administrator.
2. {"error: invalid grant", error description: "Invalid Redirect URI 'https://172.24.123.12:443/DuoCallback'"}

1. Unable to connect/communicate with Duo Security. Please reach your administrator.

Description: Duo Security is inaccessible from ADSelfService Plus due to a failed health check, which can occur due to any of the following reasons:

• Duo Security cannot be reached.
• The Client ID, Client Secret, and API Hostname values configured in ADSelfService Plus are not valid or up to date with the values in the Duo Admin Panel.

Solution: Please make sure that you can reach the Duo Security Service from ADSelfService Plus via HTTPS Port (443) and that the Client ID, Client Secret, and API Hostname values are accurate and up to date.

Back to the Duo Security error list

2. {"error: invalid grant", error description: "Invalid Redirect URI 'https://172.24.123.12:443/DuoCallback'"}

(This error is encountered on Duo Security's side)

Description:

The URL used to access ADSelfService Plus may contain an IP address when the user is trying to connect to the product.

Solution:

The administrator must ensure that the Access URL used to access ADSelfService Plus does not contain an IP address. Duo Security recommends the URL to be well-formed and contain a hostname or domain name, and a port number. It should also not exceed 1,024 characters in length.

Please update the access URL settings in ADSelfService Plus by navigating to Admin > Product Settings > Connection, and click Configure Access URL.

Back to the Duo Security error list

Back to MFA questions

MFA for endpoints

1. Description of error codes encountered when Machine-based MFA is enforced.
2. Issues with MFA for VPN logins

1. Description of error codes encountered when machine-based MFA is enforced

Error code	Description
MFA-011	This code is displayed when the license consumption exceeds the number of users for which the product license has been purchased. To resolve this issue, update the license to include more domain users.
MFA-012	This code is displayed when the user is not part of any self-service policy for which MFA for machine login is configured.
MFA-013	This code is displayed when the user account has been restricted in the product. To resolve this issue, de-restrict the user. Learn more.
MFA-021	This code is displayed when your ADSelfService Plus license does not include Endpoint MFA. Visit our store to purchase Endpoint MFA.
MFA-022	This code is displayed when the communication could not be established between the domain controller configured in ADSelfService Plus and the ADSelfService Plus server. Please make sure the configured server is operational and can be contacted from the ADSelfService Plus server.
MFA-041	This code is displayed when the API authorization fails and the ADSelfService Plus server is unable to authorize the logon agent during MFA. Possible causes: Cause 1: The system time on the machine where the login agent has been installed has a mismatch with the time on the server running ADSelfService Plus (i.e., the time differs by 90 seconds). Solution: Synchronize the time on both machines. Cause 2: An invalid installation key was entered during the manual installation of the Login Agent. Solution: Uninstall the Login Agent and reinstall it with the latest installation key available in the product UI. Learn more.

Back to the MFA for endpoints questions

2. Issues with MFA for VPN logins

1. If MFA for VPN logins is not working, check the NPS extension logs in the RADIUS server on which NPS has been installed. By default, they can be found at C:\Program Files\ManageEngine\ADSelfService Plus NPS Extension\NpsExtension.log. Based on the error, try the solutions given below:
• Connectivity issues
  • Make sure that ADSelfService Plus is reachable from the NPS (RADIUS) server.
  • If you are using an untrusted certificate in ADSelfService Plus, add it to the Trusted Root Certification Authorities list in the NPS server.
• API Authorization failed
  • Make sure that the time on both the ADSelfService Plus and NPS servers are correct as per their time zones.

If you can’t find any issues from the NPS extension logs, check the NPS server’s event logs using the Event Viewer for RADIUS authentication-related logs.

2. If VPN MFA is not working as expected after setting up the NPS extension, you should:
   • Analyze the NPS extensions logs (default location: C:\Program Files\ManageEngine\ADSelfService Plus NPS Extension\NpsExtension.log) for the following possible error messages:
   • httpErrorCode: XXXX
     • httpErrorCode: 12002: The ADSelfService Plus server is not reachable from the NPS server.

       Solution: Check if the ADSelfService Plus server is reachable from the NPS server. If the ADSelfService Plus server is unreachable, ensure that the server has been correctly configured in the registry at HKLM:\SOFTWARE\ZOHO Corp\ADSelfService Plus NPS Extension. Ensure that the following values are configured correctly:

       • ServerName: The HostName or IP address of the ADSelfService Plus server.
       • ServerPortNo: The TCP port number for the ADSelfService Plus server.
       • ServerContextPath: The ADSelfService Plus server context (if changed).
     • httpErrorCode: 12175: ADSelfService Plus server's certificate is not trusted by the NPS server. ADSelfService Plus server's certificate is not trusted by the NPS server.

       Solution: If ADSelfService Plus' server certificate is not trusted by the NPS server, open certmgr.exe and add the CA certificate that is used to sign the ADSelfService Plus server's domain certificate to the Trusted Root Certification Authorities for the local machine, and not only the current user.

   • Access denied due to MFA API authorization failure
     • Issue: ADSelfService Plus server fails to authorize the NPS extension during MFA.

       Possible causes:

       Cause 1: The system time of the the NPS server or the ADSelfService Plus server is not valid or the servers' times differ by more than two minutes and are therefore not in sync.

       Solution: Update the correct time.

       Cause 2: The secret key shared for authorizing the NPS extension might be invalid. To make sure of this, retrieve the actual secret key and compare it with the key in the registry.

       Solution: Download the NPS extension again, extract it, open the .PS1 script and retrieve the secret, key.

       Manually update the secret key in the registry or update it using the following command: <...\AdsspNpsExtension> .\setupNpsExtension.ps1 update

   • Denying access to the user by the MFA server
     • Issue: ADSelfService Plus server denies access to the user and hence the user cannot log into the VPN provider.

       Cause: The user is invalid or is not enrolled for MFA in ADSelfService Plus.

       Solution:

       • Ensure that the username is valid and present in one of the domains configured in ADSelfService Plus.
       • Ensure that the user is enrolled for the VPN MFA factors configured.
       • If logins without MFA have to be permitted for first time users or not enrolled users, enable the Skip MFA when the user is not enrolled for the required authenticators under Advanced MFA settings
   • preValidate - result: 0
     • Issue: The pre-validation condition for invoking MFA is false and hence the NPS extension does not invoke MFA.
     • Possible reasons
       • The Registry property MfaStatus is set to false. An Admin might have downloaded the NPS extension from ADSelfService Plus before enabling VPN MFA.
         • Solution: Update the MfaStatus to True in the registry.
       • The admin might have configured CRPolicies or NetworkPolicies whose conditions may not have been met.
         • Solution: Change the CRPolicies or NetworkPolicies to ones that include the necessary users
   • Empty or no challenge from user
     • Issue: The NPS extension is unable to read the OTP/TOTP from the RADIUS request.
     • Cause: RADIUS authentication protocol used between RADIUS client (VPN, Netscaler server, or other) and the NPS server might be MS-CHAPv2, EAP, or other unsupported protocols
     • Solution:
       • Change RADIUS authentication protocol to PAP as only this protocol supports challenge-based authenticators.
       • Ensure that the RADIUS client sets the OTP or TOTP in the User-Password attribute of the RADIUS request.
3. If the NPS extension logs do not show any errors, check if any of the following issues are present:
   • Issue: RADIUS or NPS configuration issue.
     • Solution: Check the Event viewer (Custom views > Network policy and access server role) for RADIUS-authentication-related logs.
   • Issue: The RADIUS client (VPN or other endpoint server) halts the MFA before it begins.
     • Solution:
       • Make sure the RADIUS authentication timeout settings, if any, at the RADIUS client (VPN server or any RADIUS clients) and the RADIUS server (NPS) are greater than the VPN MFA session time value configured in ADSelfService Plus.
       • Refer to this document for enabling the Keep the VPN MFA session valid for __ minutes option under VPN Login MFA.

Every RADIUS client (VPN server or other) will have specific timeout settings which must be configured properly for MFA (especially challenge-based authenticators) to work. Set the correct time value in the RADIUS client. For example, when Fortinet is used, the set remoteauthtimeout <num_of_secs>s command will keep a RADIUS request valid for the seconds mentioned.

Back to the MFA for endpoints questions

Back to MFA questions

Back to the Module list

FIDO Passkeys Authentication

1. Authentication failed. Please try again. Contact your administrator if the issue persists.
2. The passkey doesn't meet the user verification requirements. Please contact your administrator.
3. Unsecured connection. Please reach your administrator.
4. Passkey enrollment failed with error code MFA-201. Please contact your administrator.
5. This URL does not match the RP ID. Please contact your administrator.
6. Passkey enrollment failed with error code MFA-202. Please contact your administrator.
7. Unsupported passkey type. Please contact your administrator. (OR) An unexpected error occurred; please try again later. Contact your administrator if the issue persists.

1. Error: Authentication failed. Please try again. Contact your administrator if the issue persists.

Causes: This error message could be displayed due to any of the following:

• a. The device verification method (such as the Windows Hello PIN, or Android Biometrics) was unsuccessful, the user deliberately closed or canceled the box, or the session expired.
• b. The platform authenticator's configuration in the OS has been reset or deleted.
• c. Users have registered their smartphone as a Security Key but are attempting to use it as a built-in authenticator.

a. The device authentication method (such as the Windows Hello PIN, or Android Biometrics) was unsuccessful, the user deliberately closed or canceled the box, or the session expired.

Solution: The user must attempt verification again.

b. The authenticator configuration has been reset or deleted.

If the device's built-in authenticator has been reset (for instance, if the YubiKey is reset or the Windows Hello PIN is changed) or deleted, the passkey information will be removed from the device.

Solution: Users will need to log into the ADSelfservice Plus end user portal using other MFA methods or a backup code, delete the redundant passkey information, and re-enroll their device as a new passkey.

c. Users have registered their smartphone as a Security Key but are attempting to use it as a device's built-in Authenticator.

Cause: Users might access the ADSelfService Portal from a smartphone registered as a Security Key but are trying to authenticate using the device's built-in authenticator.

Solution: If users are accessing the ADSelfService Plus end-user portal on a smartphone that has already been registered as a Security Key (roaming authenticator), they need to select 'Security Key' as the passkey type to authenticate and confirm their identity on the same smartphone. They cannot select Device's Built-in Authentication.

2. Error: The passkey doesn't meet the user verification requirements. Please contact your administrator.

This error might be displayed during any of these scenarios:

• a. The admin changes User Verification from Discouraged or Preferred to Required
• b. The initial FIDO passkey configuration in ADSelfService Plus is set up with User Verification being set to Required
• c. Users are attempting authentication from an Android phone that does not support additional user verification for security keys.

a. The User Verification is set to Required but additional user verification has not been configured on users' devices.

Cause: When User Verification is set to Required, users will be prompted to provide additional verification, such as a PIN or biometrics, after inserting their device. If the users have not set up additional verification on their devices, they will be unable to complete the verification process and will be locked out.

Solution: The user must configure the additional verification (like a PIN or biometrics) required by their device and attempt authentication again.

b. The User Verification is set to Required but users' devices do not support additional verification.

Cause: The user might have devices (like U2F devices) that do not support additional user verification.

Solution: The admin must either set User Verification to Discouraged or Preferred, or users must enroll devices that support additional user verification.

c. Users are attempting authentication from an Android phone that does not support additional user verification for security keys.

Cause: The Android phone might not support additional user verification.

The additional verification support update for phones was released by Google in September 2023; so phones which have not updated to that version or later might not support additional verification.

Solution: Users must download and install the latest Android System Update to enable additional verification support on their phones.

3. Error: Unsecured connection. Please contact your administrator.

Probable causes:

• FIDO Passkey authentication is attempted from an integrated AD360 deployment that is using HTTP (Or)
• FIDO Passkeys authentication is being attempted for an OWA site that uses the HTTP protocol.

FIDO Passkeys will not work if AD360 and OWA sites are using the HTTP protocol. The FIDO authenticator needs HTTPS to be enabled on the sites to which it authenticates.

Solution: Please enable HTTPS on the OWA or AD360 site for FIDO passkeys to work.

4. Error: Passkey verification failed with error code MFA-201. Please contact your administrator.

Cause: FIDO Passkeys enrollment is not supported via AD360's Apps Pane.

Solution: Users will need to directly access ADSelfService Plus via the access URL to enroll for FIDO Passkeys. Authentication using FIDO Passkeys can be done via AD360.

5. Error: This URL does not match the RP ID. Please contact your administrator.

Cause: The URL that users are using to access ADSelfService Plus might have a mismatch with the RP ID configuration.

Solution: The access URL and the RP ID must match for FIDO authentication to work. Learn how.

6. Error: Passkey enrollment failed with error code MFA-202. Please contact your administrator.

Cause: The public key cryptographic algorithms that ADSelfService Plus' web app uses are not supported by the FIDO passkey.

Solution: Please contact ADSelfService Plus Support at support@adselfserviceplus.com.

7. Error: Unsupported passkey type. Please contact your administrator. (Or) An unexpected error occurred; please try again later. Contact your administrator if the issue persists.

Cause: An unexpected error might occur during enrollment or authentication.

Solution: Please contact ADSelfService Plus Support at support@adselfserviceplus.com.

Back to FIDO Passkeys questions

Back to MFA questions

Back to the Module list

Login errors

1. SSO login failure from the AD360 Apps Pane.

Cause: Integrations of ADSelfService Plus with AD360 will work seamlessly as long as they have been deployed on the same host. If ADSelfService Plus and AD360 are integrated but have been installed on separate host machines in your organization, you may encounter issues with SSO logins from AD360's Apps Pane.

Solution: To resolve this, you should implement a reverse proxy for both AD360 and ADSelfService Plus, giving them the same hostname, which will help SSO from AD360 work seamlessly.

Back to the Module list

Change password

Active directory self-update

1. Error Code - 80070005 / Error Code - 5: Error In Setting Attributes, Access is denied.

2. While updating the user information, I get the following error: "The server is unwilling to process the request - Error Code: 80072035."

3. While updating the user information, I get the following error: " Error In Setting Terminal service Properties. The specified user does not exist - Error Code: 525."

4. I have updated the Exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server yet.

5. I am not able to set the Terminal Services properties for the user.

6. When I modify a user, I get the following error "A device attached to the system is not functioning - Error Code: 8007001f."

7. The Email address for the user is not showing up or not set properly.

8. Error - The server is unwilling to process the request while resetting Password, which did not match password complexity

9. Error code: 8007052e

10. Error code: 80070775

11. Error code: 800708c5

12. No such user matched. Verify the LDAP attribute in search query

1. Error Code - 80070005 / Error Code - 5: Error In Setting Attributes, Access is denied

Cause: The User account does not have enough privilege over the object.

Solution:

1. Log in to the ADSelfService Plus portal with administrator credentials.
2. Click the "Domain Settings" found in the top-right corner. All the domains that have been configured will be displayed.
3. Click the edit icon [ ] of the domain to which the particular user belongs
4. Select Authentication and provide the privileged Domain Username and Domain Password
5. Click Save.

Back to the Active Directory self-update questions

2. While updating the user information, I get the following error: "The server is unwilling to process the request - Error Code: 80072035."

Cause: This error may occur when attempting to modify the format of the sAMAccountName for multiple users, and there happens to be more than one user with the same sAMAccountName.

Solution: Please ensure that every user has unique sAMAccountName values.

Back to the Active Directory self-update questions

3. While updating the user information, I get the following error: " Error In Setting Terminal service Properties. The specified user does not exist - Error Code: 525."

Cause: The user or the system account running the product lacks an account in the target domain.

Solution: Terminal Service properties can be configured only if the user account or the system account (relevant when ADSelfService Plus operates as a service) running ADSelfService Plus possesses an account within the target domain.

Back to the Active Directory self-update questions

4. I have updated the Exchange attributes using ADSelfService Plus, but the properties are not updated in the Exchange Server yet.

Cause: ADSelfService Plus modifies the Exchange properties in Active Directory. The changes may not immediately reflect in Exchange Server. It will get updated after some time.

Solution: The changes will get updated after some time, so please check again later.

Back to the Active Directory self-update questions

5. I am not able to set the Terminal Services properties for the user?

Cause: The user or the system on which the product is run does not have an account in that domain.

Solution: Follow these steps to start ADSelfService Plus in a user or system account.

Back to the Active Directory self-update questions

6. When I modify a user, I get the following error: " A device attached to the system is not functioning - Error Code: 8007001f."

Cause: This error may occur due to choosing an inappropriate format for naming attributes when making modifications to a user. For instance, if the selected format for the Logon Name is LastName.FirstName.Initials, but the user lacks any one of these specified attributes, this error will be triggered.

Solution: Please ensure that the user possesses valid attribute values for all the attributes specified in the naming formats.

Back to the Active Directory self-update questions

7. The email address for the user is not showing up or not set properly.

Cause 1: The email may not be configured according to the recipient policy.

Solution: Please verify if all LDAP attributes in the recipient policy query are set to the specific value.

Cause 2: The email attribute and company information values for the user might be empty.

Solution: Please review the user account properties to ensure that you have provided the email attribute, such as xyz@company.com. The company information should be entered for each user.

Back to the Active Directory self-update questions

8. Error: The server is unwilling to process the request while resetting Password which not match to password complexity

Cause: One potential reason could be that you may not have specified or chosen any options in the Password Complexity section when creating the user account.

Solution: Options for password complexity, such as password length, permissible characters, or the allowed number of failed login attempts, are available for configuration. It is essential to choose a level of complexity; neglecting to do so will result in the mentioned error.

Back to the Active Directory self-update questions

9. Error code: 8007052e

Cause: The credentials entered are invalid.

Solution: Please enter valid credentials that have been assigned all the necessary privileges.

Back to the Active Directory self-update questions

10. Error code: 80070775

Cause: The referenced account is currently locked out and may not be logged on.

Solution: Please unlock the account, log in, and try again.

Back to the Active Directory self-update questions

11. Error code: 800708c5

Cause: The password does not meet the password policy requirements.

Solution: Check the minimum password length, password complexity and password history requirements.

Back to the Active Directory self-update questions

12.No such user matched. Verify the LDAP attribute in search query

Cause: No users in Active Directory match the criteria you have specified.

Solution: Please select the appropriate matching attributes by examining the query provided in the Match criteria for Users section in AD. You can configure this by clicking the Update in AD button and expanding the Select Attributes box.

Back to the Active Directory self-update questions

Back to the Module list

Troubleshooting the GINA (Windows) login agent

1. I get the following error message: "Initiating Connection to Remote Service. Failed." Why?

2. I get the following error message: "Network path not found/Invalid Credential." Why?

3. I get the following error message: "The network path was not found." Why?

4. I couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?

5. I couldn't connect to the Client Machine, ADMIN$. Access is denied.

6. Logon failure: The target account name is incorrect.

7. Logon failure: Unknown user name or bad password.

8. Another installation is already in progress.

9. I couldn't start the remote service.An Overlapped I/O operation is in progress.

10. Operation failed: Unsupported OS

11. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Couldn't copy PAExec to the machine."

12. When I try to install the login agent from the ADSelfService Plus console on to a remote server, I get the following error: "PAExec service could not be installed/started on remote server."

13. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Object not found" or "0x80041002 (WBEM_E_NOT_FOUND)."

14. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

15. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Remote Procedure Call server is unavailable."

16. When I try to install the login agent from the ADSelfService Plus console, I get the following error with code 80041010 in Windows Server 2003, "Fatal error occurred."

1. I get the following error message: "Initiating Connection to Remote Service. Failed." Why?

Cause: This error could occur if the target computer could not be contacted.

Solution:

• Ensure that the computer really exists. If it does, ensure that it is connected to the network.
• To check for connectivity, ping the target computer from the server on which ADSelfService Plus has been installed.
• Make sure that the Remote Registry service is running on the client machine.

Back to the Windows agent troubleshooting questions

2. I get the following error message: "Network path not found/Invalid Credential." Why?

Cause This error can occur if the target computer cannot be contacted.

Solution:

• Ensure that the a computer really exists. If it does, ensure that it is connected to the network.
• To check for connectivity, ping the target computer from the server on which ADSelfService Plus has been installed.

Back to the Windows agent troubleshooting questions

3. I get the following error message: "The network path was not found." Why?.

Cause: This error can occur if the target computer cannot be contacted.

Solution:

• Ensure that the computer really exists. If it does, ensure that it is connected to the network
• To check for connectivity, ping the target computer from the server on which ADSelfService Plus has been installed.

Back to the Windows agent troubleshooting questions

4. I couldn't copy the MSI file "ADSelfServicePlusClientSoftware.msi" to the client machine. Why?

Cause: Insufficient privileges to access the client machine.

Solution: Update the credentials provided in ADSelfService plus' "Domain Settings", if it is running as an application. If it is running as service, follow these steps to update the service account's credentials from the "Logon" Tab by editing "Services.msc".

Back to the Windows agent troubleshooting questions

5. I couldn't connect to the Client Machine, ADMIN$. Access is denied.

Cause:Admin share might not be enabled.

Solution: Enable Admin share in the client computer and configure ADSelfService Plus Domain Settings using user credentials (when run as a console) or the Login Tab (when run as a service) with the necessary permission to access the Admin share.

Step1: Enable Admin Share

1. From the client computer, go to Start → Run and type gpedit.msc and press Enter.
2. Navigate to Administrative Templates → Network → Network Connections → Windows Firewall.
3. Click Domain Profile and double-click Windows Firewall: Allow inbound remote administration exception.
4. Select Enabled and click OK.

Step2: Update the domain settings in ADSelfService Plus with a user account that has permission to access the Admin share.

Update the credentials provided in ADSelfService Plus' Domain Settings, if it is running as an application. If it is running as service, update the service account's credential from the Logon Tab by editing the services.msc file.

Back to the Windows agent troubleshooting questions

6. Logon failure: The target account name is incorrect.

Cause: This error can occur if two computers have the same computer name, with one computer located in the child domain and the other computer in the parent domain.

Solution: Ensure that every computer name is unique.

Back to the Windows agent troubleshooting questions

7. Logon failure: Unknown user name or bad password.

Cause: Admin share might not be enabled.

Solution: Update the credentials provided in ADSelfService Plus' Domain Settings, if it is running as an application. If it is running as service, follow these steps to update the service account's credential from the Log On tab by editing the services.msc file.

Back to the Windows agent troubleshooting questions

8. Another installation is already in progress.

Cause: ADSelfService Plus is already being installed.

Solution: Please wait for a few minutes and try again.

Back to the Windows agent troubleshooting questions

9. I couldn't start the remote service. An Overlapped I/O operation is in progress.

Cause: The Remote Registry and Server services are disabled on the client machine.

Solution: Enable the Remote registry and Server services on the client machine.

Back to the Windows agent troubleshooting questions

10. Operation failed: Unsupported OS.

Cause: The machine's OS does not support remote installation of the login agent.

Back to the Windows agent troubleshooting questions

11. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Couldn't copy PAExec to the machine."

Cause: User account does not have sufficient privilege over the object.

Solution:

• Log in to ADSelfService Plus with the admin credentials.
• Click Domain Settings at the right-top corner of the webpage.
• Under the Actions section, click the Edit Domain Details button.
• Select Authentication, and provide the Domain Username and Domain Password of an account that has domain admin privileges.
• Click Save.

Back to the Windows agent troubleshooting questions

12. When I try to install the login agent from the ADSelfService Plus console on to a remote server, I get the following error: "PAExec service could not be installed/started on remote server."

Cause: PAExec is being blocked by the firewall or antivirus software.

Solution: Change your antivirus and firewall settings to allow the PAExec service.

Back to the Windows agent troubleshooting questions

13. When I try to install the login agent from the ADSelfService Plus console, I get the following error: "Object not found" or "0x80041002 (WBEM_E_NOT_FOUND)."

Cause: The WMI repository may be corrupted.

Solution: To resolve the corruption of WMI repository, follow the steps in this link.

Work around:

1. Log in to the Windows Server machine using an administrator account.
2. Open Group Policy Management Console (GPMC) and right-click on the default domain policy within your domain.
3. In the Group Policy Management Editor window that opens, go to Computer Configuration → Policies → Administrative Templates: Policy definitions (ADMX files) retrieved from the local computer → System → Group Policy. On the right pane, select Turn off Resultant Set of Policy logging.
4. Enable the Turn off Resultant Set of Policy logging to disable the Resultant Set of Policy (RSoP).

Back to the Windows agent troubleshooting questions

14. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Access denied by DCOM Security. The user does not have remote access to the computer through DCOM."

There can be several causes for this error:

1. The login name or password provided for scanning is invalid in the workstation.
2. The user does not have remote access to the computer through the Distributed Component Object Model (DCOM).
3. DCOM may not be configured to allow a WMI connection.
4. The Remote DCOM option is disabled in the remote workstation.
5. The user account is invalid in the target machine.
6. The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the administrator group for this device machine.
7. A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2) when the default Windows Firewall is enabled.
8. WMI is not available in the remote Windows workstation. This happens in Windows NT. Such error codes might also occur in higher versions of Windows if the WMI components are not registered properly.
9. There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI repository in that workstation could have failed.

Cause 1: The login name or password provided for scanning is invalid in the workstation.

Solution: Check if the login name and password are entered correctly.

Back to the error List

Cause 2: The user does not have remote access to the computer through the Distributed Component Object Model (DCOM).

Solution:

1. Log in to your system with admin credentials.
2. Go to Control Panel → Administrative Tools → Component Services, or type in DCOMCnfg.exe from the search bar, and click Enter to open the Component Services dialog box.
3. Expand Component Services in the Component Services dialog box. Then expand Computers, and right-click on My Computer. Click Properties.
4. Go to the COM Security tab in the My Computer Properties dialog box.
5. Select Edit Limits under Launch and Activation Permissions.
6. In the Launch and Activation Permission dialog box that opens, if your name or the group that you belong to does not appear in the groups or usernames list, click Add.
7. In the Select Users, Computers, or Groups dialog box that pops up, add your name and the group in the Enter the object names to select field. Click OK.
8. In the Launch and Activation Permission dialog box, select your user and group in the Group or user names box. Under the Permissions for user field, in the Allow column, select Remote Launch and Remote Activation. Click OK.

The user should now have remote access to the computer through DCOM.

Back to the error List

Cause 3: DCOM may not be configured to allow a WMI connection.

Solution: If the DCOM in the machine is not configured to allow a WMI connection, then follow the below steps in the machine that needs to accept WMI connection.

1. Log in to your system with admin credentials.
2. Go to Control Panel → Administrative Tools → Component Services, or type in DCOMCnfg.exe from the search bar to open the Component Services dialog box.
3. Expand Component Services in the Component Services dialog box. Then expand Computers, and right-click My Computer. Click Properties.
4. Click the COM Security tab in the My Computer Properties dialog box.
5. Click Edit Limits, under the Access Permissions section.
6. The Access Permissions dialog box will pop up. Under the Group or user names section, select Anonymous Logon. In the Permissions for user section, select Remote Access. Click OK.

Back to the error List

Cause 4: The Remote DCOM option is disabled in the remote workstation.

Solution: Check if Remote DCOM is enabled in the remote workstation. If not, follow the steps below to enable it:

1. Select Start > Run.
2. Type DCOMCnfg.exe in the text box, and click OK.
3. Click Component Services > Computers > My Computer.
4. Right-click and select Properties.
5. Select the Default Properties tab.
6. Check the Enable Distributed COM in this machine box.
7. Click OK.

Back to the error List

Cause 5: The user account is invalid in the target machine.

Solution: Check if the user account is valid in the target machine by opening the Command Prompt, and execute the following commands:

net use \<RemoteComputerName>C$ /u:<DomainNameUserName> "<password>"

net use \<RemoteComputerName>ADMIN$ /u:<DomainNameUserName> "<password>"

If these commands show any errors, the provided user account is not valid on the target machine.

Back to the error List

Cause 6: The user name provided for scanning does not have sufficient access privileges to perform the scanning operation. This user may not belong to the administrator group for this device machine.

Solution: Move the user to the Administrator Group of the workstation or scan the machine using an administrator (preferably a domain administrator) account.

Back to the error List

Cause 7: A firewall is configured on the remote computer. Such exceptions mostly occur in Windows XP (SP 2) when the default Windows Firewall is enabled.

Solution: Disable the default Firewall in the Windows XP machine:

1. Select Start → Run
2. Type Firewall.cpl and click OK
3. In the General tab, click Off
4. Click OK

If the firewall cannot be disabled, launch Remote Administration for administrators on the remote machine by executing the following command in the Command Prompt:

netsh firewall set service RemoteAdmin

After scanning, you can disable Remote Administration using the following command:

netsh firewall set service RemoteAdmin disable

Back to the error List

Cause 8: This error may occur if the WMI service is not running or if the WMI repository is corrupt.

Solution: Please re-check the WMI service and re-register the WMI components.

You can register the WMI DLL files by executing the following command in the Command Prompt: winmgmt /RegServer

Back to the error list

Cause 9: There is some internal execution failure in the WMI service (winmgmt.exe) running in the device machine. The last update of the WMI Repository in that workstation could have failed.

Solution:

Restart the WMI service in the remote workstation:

1. Select Start → Run
2. Type Services.msc and click OK
3. In the Services window that opens, select Windows Management Instrumentation service.
4. Right-click and select Restart

Back to the error list

Back to the Windows agent troubleshooting questions

15. When I try to install the login agent from ADSelfService Plus console, I get the following error: "Remote Procedure Call server is unavailable."

Cause: The Remote Procedure Call (RPC) port of the machine is blocked by the firewall.

Solution: Change the setting in your firewall to allow RPC ports.

16. When I try to install the login agent from ADSelfService Plus console, I get the following error with code 80041010 in Windows Server 2003, "Fatal error occurred."

Cause: The Win32_Product class is not installed in Windows 2003 Server by default.

Solution: To add the Win32_Product class, follow the steps below:

1. In Add or Remove Programs, select Add/Remove Windows Components.
2. In the Windows Components Wizard, select Management and Monitoring Tools, then click Details.
3. In the Management and Monitoring Tools dialog box, select WMI Windows Installer Provider and click OK.
4. Click Next.

Back to the Module list

Troubleshooting the macOS login agentt

1. Connection timed out.

2. Connection refused.

3. The network path was not found.

4. Logon failure: Unknown user name or bad password.

5. Permission denied

6. Invalid service account credentials

7. Insufficient privileges to the service account.

8. No authentication details found for the domain

1. Connection timed out.

Cause: The macOS client, in which you are trying to install the login agent, is shut down or not connected to the domain network.

Solution:

• Start the client and make sure that it is connected to the domain network. Check the connection by pinging the macOS client from the ADSelfService Plus server. Once you're sure there is a connection, try installing the login agent again.
• If connection to the Mac client is fine, then check the Mac's integration with AD.

Back to the macOS agent troubleshooting questions

2. Connection refused.

Cause: Remote Login might be disabled on the client or in ADSelfService Plus' Domain Settings.

Solution:

• Open the macOS client. Go to Preferences → Sharing and check if Remote Login is enabled.
• Check if the user account provided in ADSelfService Plus' Domain Settings has Remote Login access enabled.

Back to the macOS agent troubleshooting questions

3. The network path was not found.

Cause: This error can occur if the target computer cannot be contacted.

Solution:

• Ensure that the computer really exists. If it does, ensure that it is connected to the network.
• To check for connectivity, ping the target computer from the server on which ADSelfService Plus has been installed.

Back to the macOS agent troubleshooting questions

4. Logon failure: Unknown user name or bad password.

Cause: Incorrect user name or password for the service account.

Solution: Go to Directory Editor in the Directory Utility and check if the Active Directory node can be connected using the user credentials provided in ADSelfService Plus' Domain Settings.

Back to the macOS agent troubleshooting questions

5. Permission denied

Cause: The Service account does not have the required administrative privileges over the targeted macOS client.

Solution: Provide admin privileges to the service account by following the steps below:

1. In the target macOS client, go to System Preferences > Users & Groups > Login Options > Edit > Open Directory Utility.
2. In the Service tab, click the Administrative section.
3. Check the Allow Administration by box, and include the service account used to run the ADSelfService Plus server.
4. Click OK.
5. To verify the macOS client's integration with AD:
   • Go to Directory Utility → Directory Editor → <Your Active Directory node>.If the connection is successful, you will be able to see the AD objects.
   • If the connection to the AD node fails, try pinging the Domain Controller (DC) from the macOS client.
   • If the DC is reachable and the problem persists, unbind it and try re-binding the macOS client with AD.

Back to the macOS agent troubleshooting questions

6. Invalid service account credentials

Cause: Invalid or expired service account credentials in the Domain Settings.

Solution: Update the correct service account credentials. Also, verify the macOS client's integration with AD.

Back to the macOS agent troubleshooting questions

7. Insufficient privileges to the service account.

Cause: The Service account does not have the required root privilege to perform remote installation of packages on the targeted macOS client.

Solution: Provide root privileges to the service account by following the steps below:

• Open the Terminal and execute the command sudo visudo. Go to the User Privilege Specification section.
• Make sure the targeted account has root privileges, i.e., <username> ALL=(ALL) ALL.

Back to the macOS agent troubleshooting questions

8. No authentication details found for the domain.

Cause: Insufficient privileges for the service account in ADSelfService Plus' Domain Settings.

Solution: Provide the domain user credentials with admin privileges.

Back to the macOS agent troubleshooting questions

Back to the Module list

Troubleshooting the Linux login agent

1. Connection timed out.

2. Connection refused.

3. The network path was not found.

4. Permission denied / Insufficient privileges to the service account.

5. Invalid service account credentials

6. No authentication details found for the domain

7. Operation failed while setting up dependencies.

1. Connection timed out.

Cause: The Linux machine on which you are trying to install the login agent is shut down or not connected to the domain network.

Solution:

• Start the client and make sure that it is connected to the domain network. Check the connection by pinging the target Linux machine from the ADSelfService Plus server. Once you're sure there is a connection, try installing the login agent again.
• If connection to the Linux machine is fine, then check the machine's integration with AD.

Back to the Linux agent troubleshooting questions

2. Connection refused.

Cause: SSH server software has not been installed in the Linux client.

Solution: Make sure SSHD service is installed and active in the Linux client.

Back to the Linux agent troubleshooting questions

3. The network path was not found.

Cause: This error can occur if the target computer cannot be contacted.

• Ensure that the computer really exists. If it does, ensure that it is connected to the network.
• To check for connectivity, ping the target computer from the server on which ADSelfService Plus has been installed.

Back to the Linux agent troubleshooting questions

4. Permission denied/Insufficient privileges to the service account.

Cause: The service account configured in ADSelfService Plus does not have the required root privileges over the target Linux client.

Solution: Provide root privilege to the service account by following the steps below:

• Open the Terminal and execute the command sudo visudo. Navigate to the User Privilege Specification section.
• Make sure the targeted account has root privileges, i.e., <username> ALL=(ALL) ALL.

Back to the Linux agent troubleshooting questions

5. Invalid service account credentials.

Cause: Invalid or expired service account credentials in the Domain Settings.

Solution: Update the correct service account credentials in the Domain Settings.

Back to the Linux agent troubleshooting questions

6. No authentication details found for the domain.

Cause: Insufficient privileges for the service account in the Domain Settings of ADSelfService Plus.

Solution: Provide the service account credentials with domain admin privileges.

Back to the Linux agent troubleshooting questions

7. Operation failed while setting up dependencies.

Cause: Poor network connection. The Linux distribution's package manager is unable to contact the software repository or ADSelfService Plus' web portal.

Solution:

• The Linux distribution's package manager needs to contact the respective software repository while setting up dependencies. Check network connectivity in the Linux machine. If the network connection is good, check and ensure that the package manager can contact the respective software repository (for instance, YUM for Fedora/CentOS).
• The lightdm-webkit2-greeter package needs to be installed from the ADSelfService Plus web portal. Please check if the Linux client machine is able to contact it.

Back to the Linux agent troubleshooting questions

Back to the Module list

Email, SMS, and push notification settings

1. SMS server settings and SSLHandshakeException
2. Push notification settings

Troubleshooting SMS server settings and SSLHandshakeException

Cause: This exception occurs when you configure a SMTP mail server or a web server with SSL in ADSelfService Plus, and the server uses a self-signed certificate. The Java Runtime Environment used in ADSelfService Plus will not trust self-signed certificates unless it is explicitly imported.

Solution: You need to import the self-signed certificates used by the server in the JRE package used by ADSelfService Plus. Follow the steps given below:

Step 1: Download the certificate.

• For SMTP servers:

  Note: To download the certificate used by SMTP server, you must have OpenSSL installed. You can download it here.

  • Open the Command Prompt and navigate to the bin folder in the location where OpenSSL is installed.
  • Now run the following command:

    openssl.exe s_client -connect SMTPServer:Portno -starttls smtp > certificatename.cer

    For example: openssl.exe s_client -connect smtp.gmail.com:587 -starttls smtp > gmailcert.cer

• For web servers:
  • Open the web URL in a browser.
  • Click the padlock icon on the address bar.
  • Click More Information. This opens the Certificate Viewer window showing the certificate used by that web server.
  • Click View Certificate.
  • When the Certificate window showing Certificate Information Authority opens, click the Details tab.
  • Click Copy to File.
  • In the Certificate Export Wizard that opens, click Next.
  • Select the format as DRE encoded binary X.509 (.CER) and click Next.
  • Enter the path where you wish to save the file and click Finish.

Step 2: Import the certificates in JRE package of ADSelfService Plus

1. Open the Command Prompt and navigate to the \jre\bin folder. For example: C:\Program Files\ManageEngine\ADSelfService Plus\jre\bin
2. Run the following command

Keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file

For example: Keytool -importcert -alias myprivateroot -keystore ..\lib\security\cacerts -file C:\smtpcert.cer

3. Enter changeit when prompted for a password
4. Enter y when prompted Yes or No
5. Close the Command Prompt and restart ADSelfService Plus.

Back to the Module list

Troubleshooting push notification settings

1. ERROR_CODE:70050A, ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF
2. ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF

1. ERROR_CODE:70050A, ERROR_CODE:70060AA, ERROR_CODE:70060AI, ERROR_CODE:70050CF, ERROR_CODE:70050ACF, ERROR_CODE:70050ICF.

These errors occur due to an invalid push notification certificate or problems with the push server. Please contact the ADSelfService Plus support team at support@adselfserviceplus.com to resolve this.

Back to the push notification error codes

2. ERROR_CODE:70050PF, ERROR_CODE:70050APF, ERROR_CODE:70050IPF.

This error will appear if you don't have the necessary ports and IP/host addresses opened in your firewall setup.

• Open the following ports in your firewall setup so that the ADSelfService Plus web server can communicate with the push servers of Apple and Google:
  • For Apple Server: 5223, 2195, 2196, 443
  • For Google Server: 5228, 5229, and 5230 , 80/443
• Additionally, you must grant access to the following IP/host addresses:
  • For Apple Server: gateway.push.apple.com and feedback.push.apple.com
  • For Google Server: All outbound IPs with port 80/443 or simply open the Google ASN IPs.

  Note: If your organization's policy does not allow unblocking the above IPs, route the requests to these IPs through a proxy server subject as per your organization policy. When you use a proxy server, do not forget to configure the Proxy Settings in the product.

Back to the push notification error codes

Back to the Module list

Troubleshooting Just-in-Time (JIT) provisioning

In the JIT Provisioning Audit Report, what do the following status messages mean and how can they be remediated?

1. Failed due to network connectivity issues to the target application.
2. Failed due to invalid email address or username.
3. Failed due to exceeding the rate limit.
4. Failed due to exceeding the retry limit.
5. User account creation process has failed.

1. Failed due to network connectivity issues to the target application.

Solution: Please try connecting to the target application from the ADSelfService Plus server through the browser or check for any firewall restrictions on the server. If the issue persists, please contact your network operations center (NOC) team, or the ADSelfService Plus support team at support@adselfserviceplus.com.

2. Failed due to invalid email address or username.

Solution: Please verify if the correct attribute has been mapped for user account linking in the target application.

3. Failed due to exceeding the rate limit.

Cause: This issue occurs when the API threshold in the target application has reached the limit over a specific period.

4. Failed due to exceeding the retry limit.

Cause: If the user account creation attempt has failed more than three times in an hour, the retry limit is exceeded, and this error is logged in the JIT Provisioning Report. For further details, please contact the ADSelfService Plus support team at support@adselfserviceplus.com.

5. User account creation process has failed.

Possible cause	Recommended solution
License of the target application has expired.	Please renew the license of the target application.
The target application's license consumption has exceeded the purchased license count.	Please ensure to purchase and maintain the required licenses.
The maximum length of the email address or username exceeds the limit specified in the target application.	Please verify if the correct attribute has been mapped for user account linking in the target application.
Account linking attributes are not in the format specified in the target application.	Please verify if the attribute and attribute values mapped for user account linking in the target application are in the required format.

Back to the Just-in-Time Provisioning

Back to the module list

SSO

1. Login issue while accessing custom applications through OAuth/OIDC SSO

Cause: The CORS preflight request might not have been configured for the target application. A CORS preflight request is typically sent from the user's browser to ADSelfService Plus to check the origin of the target application during token generation or retrieval. ADSelfService Plus rejects such requests when the target application origin value is not configured.

Solution: To configure the preflight request, copy the origin from the target application. Paste it in the Login Redirect URL(s) field on the Create Custom Application page (Configuration > Self-Service > Password Sync/Single Sign-On > Add Application > Custom Application) in the ADSelfService Plus portal.