Troubleshooting Password Sync Agent Issues

The ADSelfService Plus Password Sync Agent syncs native password changes (password change using the Ctrl+Alt+Del screen and password reset using the Active Directory Users and Computers portal) with enterprise applications integrated for password synchronization. This article provides instructions on how to troubleshoot issues that you may encounter while using the Password Sync Agent.

Installation

Below is a list of errors that may appear when installing the Password Sync Agent.

1. Please install the Password Sync Agent with administrative privileges.

Possible cause: The user attempting to install the Password Sync Agent does not have the required privileges.

Solution: Run the ManageEnginePasswordSyncAgent.msi as an Administrator, i.e., right-click the file and select Run as administrator.

Note: The default administrator can run the MSI file directly by double-clicking it. Only users who fall under the administrator group need to run the MSI as an administrator, i.e., Run as administrator.

2. The domain controller is not authorized by ADSelfService Plus.

Possible cause: The domain controller in which the Password Sync Agent needs to be installed was not included in the list of configured domains in ADSelfService Plus.

Solution: Ensure that the domain controller where you are trying to install the Password Sync Agent is added to the ADSelfService Plus DC list. For information regarding domain configuration, click here.

3. Invalid request or the time is not in sync between the domain controller and ADSelfService Plus server.

Possible cause: The time settings in the domain controller in which the Password Sync Agent was installed and in the ADSelfService Plus server are inconsistent.

Solution: Please ensure that the time settings in the domain controller where you are trying to install the sync agent and the ADSelfService Plus server are in sync with each other.

4. Unable to contact the server or an internal error occurred.

Possible cause: The values entered for the protocol, hostname, and port number during the Password Sync Agent installation are incorrect or have become invalid.

Solution:

  1. Check the accessibility of the ADSelfService Plus portal from the machine where this error is received. If it is not accessible, check the network connection between ADSelfService Plus server and this machine.
    • To check ADSelfService Plus server reachability, ping the server using the ADSelfService Plus server name/IP address from the domain controller where the agent is installed.
    • To check for connectivity, verify if the ADSelfService Plus port connection is open. One way to check for port connectivity is to open command prompt in the domain controller where the agent is installed and execute the following command: telnet <adssp-server-name> <adssp-port-number>. If the command returns a connection failed error message, check the port connectivity in the ADSelfService Plus server.
  2. Install the Password Sync Agent by providing the correct or latest values of the ADSelfService Plus server. Refer to these steps to install the agent.
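
The reachability and port checks above, together with the clock comparison behind error 3, can be scripted on the domain controller. This is an added example, not ManageEngine code: `Test-AdsspReachability` is a hypothetical helper name, the 300-second tolerance is an assumed value, and the skew check assumes the portal returns an HTTP `Date` header. `Test-NetConnection` requires Windows Server 2012 R2 or later.

```powershell
# Added example (not vendor code). Run on the domain controller where the agent is installed.
# Test-AdsspReachability is a hypothetical helper; supply your own protocol, server name and port.
function Test-AdsspReachability {
    param(
        [Parameter(Mandatory)][ValidateSet('http','https')][string]$Protocol,
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][ValidateRange(1,65535)][int]$Port,
        [int]$MaxSkewSeconds = 300   # assumed tolerance for illustration, not a documented product limit
    )
    $result = [ordered]@{
        Server = $ServerName; Port = $Port
        Resolves = $false; PingOk = $false; PortOpen = $false
        SkewSeconds = $null; TimeInSync = $null
    }
    # 1. Name resolution: a stale or mistyped hostname fails here before any network test.
    try { $null = [System.Net.Dns]::GetHostAddresses($ServerName); $result.Resolves = $true }
    catch { return [pscustomobject]$result }

    # 2. Reachability (the "ping" step). ICMP may be filtered, so a failure here is not conclusive.
    $result.PingOk = Test-Connection -ComputerName $ServerName -Count 2 -Quiet

    # 3. Port connectivity (the "telnet" step) without installing the Telnet client feature.
    $tcp = Test-NetConnection -ComputerName $ServerName -Port $Port -WarningAction SilentlyContinue
    $result.PortOpen = [bool]$tcp.TcpTestSucceeded
    if (-not $result.PortOpen) { return [pscustomobject]$result }

    # 4. Clock skew: compare the HTTP Date response header with local UTC time.
    #    Certificate or HTTP errors leave SkewSeconds as $null and emit a warning.
    try {
        $uri  = "${Protocol}://${ServerName}:${Port}/"
        $resp = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -TimeoutSec 15
        $dateHeader = [string]($resp.Headers['Date'] | Select-Object -First 1)
        if ($dateHeader) {
            $culture    = [Globalization.CultureInfo]::InvariantCulture
            $serverTime = [DateTimeOffset]::Parse($dateHeader, $culture)
            $result.SkewSeconds = [math]::Round(($serverTime - [DateTimeOffset]::UtcNow).TotalSeconds)
            $result.TimeInSync  = [math]::Abs($result.SkewSeconds) -le $MaxSkewSeconds
        }
    } catch { Write-Warning "HTTP check failed: $($_.Exception.Message)" }
    [pscustomobject]$result
}

# Usage: Test-AdsspReachability -Protocol https -ServerName <adssp-server-name> -Port <adssp-port-number>
```

A result with `PortOpen = True` but `TimeInSync = False` points to error 3 rather than error 4.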

5. Access key verification failed.

Possible cause: An invalid access key was entered or the access key was regenerated.

Solution: Ensure that the access key provided during installation is valid.

Edit Settings option at ManageEngineTrayApp:

Below is the list of errors that may appear when editing the settings by clicking on the Password Sync Agent tray app icon.

1. The domain controller is not authorized by ADSelfService Plus.

Possible cause: The domain controller where the Password Sync Agent needs to be installed was not included in the list of configured domains in ADSelfService Plus.

Solution: Ensure that the domain controller where you are trying to install the Password Sync Agent is added to the ADSelfService Plus DC list. For information regarding domain configuration, click here.

2. Invalid request or the time is not in sync between the domain controller and ADSelfService Plus server.

Possible cause: The time settings in the domain controller in which the Password Sync Agent was installed and in the ADSelfService Plus server are inconsistent.

Solution: Please ensure that the time settings in the domain controller where you are trying to install the sync agent and the ADSelfService Plus server are in sync with each other.

3. Cannot contact server. Please try again later.

Possible cause: The values entered for the protocol, hostname and port number were incorrect or have become invalid.

Solution:

4. Access key verification failed.

Possible cause: An invalid access key was entered or the access key was regenerated.

Solution: Ensure that the access key provided during installation is valid.

5. Access denied. Administrator privilege required for this operation.

Possible cause: This error occurs when attempting to edit the settings with no administrative privileges.

By default, only admins have the privilege to edit the settings. However, if any other user wishes to modify the settings, the user can do so by following the steps mentioned below:

Other major cases

Case 1: If the Password Sync Agent is not working,

Case 2: If the Password Policy Enforcer/Have I Been Pwned is not working,

Case 3: The ADSelfService Plus server could not be contacted or is unreachable, but ADSelfService Plus is accessible via the web browser in the specific domain controller.

Solution 1:

Solution 2:

Check whether a proxy server is used to access the ADSelfService Plus server. If so, configure that proxy server's settings in Internet Explorer, since the Password Sync Agent uses the proxy server configured in Internet Explorer.

Case 4: Native password resets are not being audited in the Reset Password Audit Report.

Solution 1:

Solution 2: Reinstall the Password Sync Agent.

Case 5: What to do when the Password Sync Agent triggers a lot of old reset/change password requests when the ManageEnginePasswordSyncAgent service is started.

Possible cause: This scenario will occur if there are pending queue messages for password resets that happened when the ManageEngine Password Sync Agent service was down.

Note: The following solution is not recommended unless it is a critical situation since this might result in the loss of request information.

Solution: The queue messages can be cleared before restarting the Password Sync Agent service in the domain controllers. Click Purge to clear the old pending reset requests in the message queue. Once completed, start the ManageEngine Password Sync Agent service.


Case 6: Sync Agent services fail to start after a server reboot even though the service startup type is set to Automatic or Automatic (Delayed Start); starting the services manually works.

Possible cause: This occurs when the service initiation takes more than 30 seconds.

Solution: Please follow the steps below to manually increase the timeout value in the registry for the Service Control Manager (SCM):

  1. Go to Start > Run and type regedit.
  2. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control.
  3. With the control folder selected, right-click in the pane on the right and select a new DWORD Value.
  4. Name the new DWORD ServicesPipeTimeout. Right-click ServicesPipeTimeout, and then click Modify.
  5. Click Decimal, type 180000, and then click OK.
  6. Restart the computer.
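
Steps 1 to 5 in scripted form, for applying the same change consistently across several domain controllers. This is an added example, not ManageEngine code; it does not restart the computer, so step 6 remains a manual action.

```powershell
# Added example (not vendor code): sets ServicesPipeTimeout as described in steps 1-5.
# The value is read by the Service Control Manager and applies to every service on the
# machine, not only the Password Sync Agent.
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Control'
$name  = 'ServicesPipeTimeout'
$value = 180000   # milliseconds; the decimal value given in step 5

# Writing under HKLM requires an elevated session; stop early with a clear message otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Run as administrator) PowerShell session.'
}

# Record the previous value so the change can be reverted or audited later.
$previous = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $previous) {
    Write-Output "$name was not set; the SCM default applied."
} else {
    Write-Output "$name was previously $previous ms."
}

if ($previous -eq $value) {
    Write-Output "$name is already $value ms; no change made."
} else {
    # -Force creates the value if missing or overwrites it, always as a DWORD.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $value -Force | Out-Null

    # Read back to confirm the write before scheduling the restart.
    $applied = (Get-ItemProperty -Path $key -Name $name).$name
    if ($applied -ne $value) { throw "Verification failed: $name is $applied, expected $value." }
    Write-Output "$name set to $applied ms. Restart the computer for the change to take effect."
}
```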

Copyright © 2024, ZOHO Corp. All Rights Reserved.