Knowledge Base

Our dedicated Product Specialist team is always ready to help you when you need it the most. Contact Support

Error Saving Identity Service Configuration

When configuring third party identity services (e.g. Duo, Okta, Verify, PingID, Symantec VIP) you may encounter an error after saving the configuration in the Identity Services section of the Specops Authentication Admin Web

That shouldn’t happen
Something went wrong, an unexpected error occurred on your organization’s server.

If you check the Specops event log under Applications and Services in the Windows event viewer, you will also find the following error:

 Log Name:      Specops
Source:        Authentication Gatekeeper (Specops)
Event ID:      2005
Level:         Error
Keywords:      Classic
User:          N/A
Description:
An error occurred during invocation of Specops.Authentication.CommunicationBackendToGatekeeper.ISystemDataController.Save.

Specops.ActiveDirectory.SpecopsAccessDeniedActiveDirectoryException: 'An Active Directory operation (ModifyRequest) on 'CN=SystemData,CN=SpecopsAuthentication,CN=Specops,CN=System,DC=contoso,DC=local' running as user 'CONTOSO\SGkSRV1$' against domain controller 'DC1.contoso.local' failed (50): '00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
' 00002098: SecErr: DSID-03150F93, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
'

This can occur because of incorrect permissions on the SystemData container in your active directory. To correct this:

  • Launch Active Directory Users and Computers as a user with domain admin permissions
  • Select the View menu and ensure Advanced Features is checked
  • Navigate to the SystemData container in the path specified in the event log message (domain/System/Specops/SpecopsAuthentication/SystemData)
  • Right click system data and select properties
  • Go to the security tab and click ‘advanced’
  • Click disable inheritance and then remove all inherited permissions
  • The permissions entries should now be blank. Add three new entries, granting each full control of this object and all descendant objects
    • Domain Admins
    • Specops Authentication Gatekeepers
    • SYSTEM

  • Press Apply/OK to save. You should now be able to save the identity services configurations in the Admin Web.

March 4, 2021

Was this article helpful?

Related Articles