Troubleshooting

The information below is intended for administrators who are responsible for troubleshooting Specops Password Reset. Before you perform the tasks in this guide, ensure you have correctly installed Specops Password Reset.

Common Issues

Access denied message on helpdesk webpage

Possible cause

The delegated Helpdesk does not work when it is accessed through an alias such as https://spr.domain.com/specopspassword/helpdesk. You must access the page through the server's FQDN.

Possible solution

Add another CN to the certificate: “CN=hostname.domain.local” if you use https://hostname.domain.local/specopspassword/helpdesk, or “CN=hostname” if you use just the server name, as in https://hostname/specopspassword/helpdesk.

Always prompted for Windows credentials when opening the Helpdesk/Reporting page

Possible cause

You have not added the FQDN of the server (or *.mydomain.com) to the Local intranet zone using the Site to Zone Assignment List Group Policy setting.

Possible solution

You will need to complete the steps under “Enabling authentication to the Password Reset Web Server” in the Specops Password Reset Installation Guide.

“Access denied” message when enrolling with an admin account

Possible cause

Admin accounts are affected by the adminSDHolder rule, which resets the security permissions on privileged AD accounts every 15 minutes.

Possible solution

Log in with an account that has Domain Admin permissions and run the following command:

dsacls "CN=AdminSDHolder, CN=System, <DomainDN>" /G "<ServiceAccount>:CCDC;classStore;" "<ServiceAccount>:LC;;" "<ServiceAccount>:CA;Reset Password;" "<ServiceAccount>:RP;userAccountControl;" "<ServiceAccount>:RPWP;mobile;" "<ServiceAccount>:RPWP;pwdLastSet;" "<ServiceAccount>:RPWP;lockoutTime;"

Example:

dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"

Replace <DomainDN> with the distinguished name of your domain (its DC= components) and <ServiceAccount> with the name of the SPR service account.

Note: Allowing Specops Password Reset to work with an account with administrative permissions is not best practice for security reasons. Enable these settings only if it is required by the practical reality of your organization.
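Because the permissions granted on AdminSDHolder are copied to every protected account, it is worth confirming afterwards that the service account holds exactly the rights the dsacls command grants and nothing more. The following PowerShell is an added example, not Specops' own code: it reads the ACL of AdminSDHolder, lists the ACEs held by one account, and resolves the object-type GUIDs back to the attribute, class and extended-right names used in the command above. It assumes the ActiveDirectory module (RSAT) is installed; the function names and the EXAMPLE\sprsvc account are placeholders.

```powershell
Import-Module ActiveDirectory

# Build a GUID -> name map for the schema objects and the extended right that the
# dsacls command references, so ACE ObjectType GUIDs can be shown by name.
function Get-SprRightsGuidMap {
    $rootDse = Get-ADRootDSE
    $map = @{}
    $names  = 'classStore', 'userAccountControl', 'mobile', 'pwdLastSet', 'lockoutTime'
    $filter = '(|' + (($names | ForEach-Object { "(lDAPDisplayName=$_)" }) -join '') + ')'
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter $filter `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]::new([byte[]]$_.schemaIDGUID)] = $_.lDAPDisplayName }

    # The "Reset Password" control access right lives under Extended-Rights
    $er = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                       -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid
    if ($er) { $map[[guid]$er.rightsGuid] = 'Reset Password' }
    $map
}

# List the ACEs on AdminSDHolder that are assigned to one account (placeholder name).
function Get-AdminSDHolderAces {
    param(
        [Parameter(Mandatory)] [string] $Account,                  # e.g. 'EXAMPLE\sprsvc'
        [string] $DomainDN = (Get-ADDomain).DistinguishedName
    )
    $map = Get-SprRightsGuidMap
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$DomainDN"
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Type      = $_.AccessControlType
                Rights    = $_.ActiveDirectoryRights
                AppliesTo = if ($map.ContainsKey($_.ObjectType)) { $map[$_.ObjectType] }
                            elseif ($_.ObjectType -eq [guid]::Empty) { '(all)' }
                            else { $_.ObjectType.ToString() }
                Inherited = $_.IsInherited
            }
        }
}

# Usage: after running the dsacls command, expect Allow ACEs for CreateChild/DeleteChild
# on classStore, ListChildren, ExtendedRight "Reset Password", ReadProperty on
# userAccountControl and ReadProperty/WriteProperty on mobile, pwdLastSet and lockoutTime.
Get-AdminSDHolderAces -Account 'EXAMPLE\sprsvc' | Format-Table -AutoSize
```

Any ACE for the service account beyond that set, or the same rights appearing for other non-administrative accounts, should be reviewed, since SDProp will push them to every protected account in the domain.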

When the user follows the enrollment reminder link, they are told that they do not have a configured enrollment policy

Possible cause

The service account has lost permissions to read the Specops Password Reset Group Policy Object.

Possible solution

From the Group Policy Management Console, add the service account to the Delegation Tab of the Specops Password Reset Group Policy Object with Read rights.

Users receive a “the certificate revocation list server could not be reached” message when they click the reset password link at the logon screen, but not when they browse to the reset page while logged in.

Possible cause

The user is not connected to the internet at the logon screen, so the client cannot reach the CRL distribution point for the web server certificate.

Possible solution

You can use one of the following three options to solve this issue:

  1. Add a new rule to your proxy that allows “Domain Computers” to reach the CRL servers on the internet. The rule will look similar to the example below:
    Source: internal network
    Destination: IP address of the CRL server
    Port: 80
    Access Group: “Domain Computers”
  2. Disable the CRL check on the client.
    Note: This disables CRL checking for all certificates. If you visit a site whose certificate has been revoked, a secure connection would still be established unless the certificate had also expired.
  3. If you have an internal Certificate Authority, use an internal certificate instead of a public certificate.
    Note: A public certificate is a good choice if you plan to allow users to reset their passwords externally.

The Reset Password link does not appear on the logon page after reboot

Possible cause

The computer is completing logon before the network stack has been brought up. This is common on systems that use wireless or gigabit NICs.

Possible solution

  • You may want to disable Fast Logon Optimization. You can do this with Group Policy, using the Always wait for the network at computer startup and logon policy setting. You can find this setting under Computer Configuration/ Administrative Templates/ System/ Logon.
  • If you are using Windows 7, you can do this with Group Policy using the Startup Policy Processing Wait Time policy setting. You can find this setting under Computer Configuration/Administrative Templates/ System/ Group Policy.

“Identity check failed for outgoing message” error when accessing any Password Reset web page after an upgrade, or when opening the Configuration tool.

Complete message reads: “Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘servername.domain.com’ but the remote endpoint provided DNS claim ‘webserveralias.domain.com.’ If this is a legitimate endpoint, you can fix the problem by explicitly specifying DNS identity ‘webserveralias.domain.com’ as the identity property of EndpointAddress when creating channel proxy.”

Possible cause

During installation, you may have used the web server certificate when installing the “server” component instead of the “web” component.

Possible solution

The server component requires a certificate whose CN (common name) matches the FQDN of the server. This is required for Windows Identity Foundation to work correctly. A self-signed certificate, or any public or private certificate with a matching CN, can be used for this purpose.
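Both the alias problem on the Helpdesk page and the “Identity check failed” error come down to the name on the certificate not matching the name the server is reached by. The following PowerShell is an added example, not Specops' own code: it lists the certificates in the local machine personal store and reports which of them carry the server's FQDN or short host name as a subject CN or subject alternative name, so the right one can be selected for the server and web components. The function name is a placeholder; it assumes Windows PowerShell on the SPR server itself.

```powershell
# Report whether each certificate in the machine store names this server.
function Test-SprServerCertificateNames {
    param(
        # The FQDN the server component must match; defaults to this machine's DNS name
        [string] $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $shortName = $Fqdn.Split('.')[0]
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # DnsNameList combines the subject CN and any SAN dNSName entries
        $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            Names         = ($names -join ', ')
            MatchesFqdn   = ($names -contains $Fqdn)      # needed by the server component
            MatchesShort  = ($names -contains $shortName) # needed if users browse to https://hostname/
            HasPrivateKey = $cert.HasPrivateKey           # without it the cert cannot serve TLS
            Expired       = ($cert.NotAfter -lt (Get-Date))
        }
    }
}

# Usage: pick a certificate with MatchesFqdn = True, HasPrivateKey = True and Expired = False
Test-SprServerCertificateNames | Format-Table -AutoSize
```

A certificate that matches only an alias (MatchesFqdn = False) is the web server certificate described in the possible cause above; it can still serve the web component, but the server component needs one where MatchesFqdn is True.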

Event Logging

The Specops Password Reset Server component logs the operations that have been performed to the application log on the appropriate server.

Specops Password Reset Server events

Event type  | ID  | Description
Information | 100 | Service starting.
Information | 101 | Service started.
Information | 103 | Service stopped.
Information | 104 | License verification entry. Contains the license count information, which is collected nightly.
Information | 105 | Reporting database migration started. Only logged if the service discovers an existing database stored in the old XML format.
Information | 106 | Reporting database migration completed successfully. Only logged if the service discovers an existing database stored in the old XML format.
Information | 110 | Enrollment successful. Logged every time a user enrolls.
Information | 111 | Reset successful. Logged every time a user has successfully reset their password.
Information | 112 | Unlock successful. Logged every time a user has successfully unlocked their user account.
Information | 113 | Change successful. Logged every time a user has successfully changed their password.
Information | 114 | Change failed. Logged every time a user tried to change their password but failed because of the password policy rules.
Warning     | 202 | Too many failed user names. Logged when the call throttling feature has blocked a client request.
Warning     | 203 | Too many verification code requests.
Warning     | 205 | Ignore password rules on reset found in policy. Logged when Specops Password Reset discovers a user with a Specops Password Policy configured to be ignored on password reset operations. This setting should not be enabled in environments where Specops Password Reset is used, because it allows users to bypass their password policy.
Warning     | 206 | Password reset detected from user with the password not required flag set.
Warning     | 207 | Password not required flag discovered on an enrolled user.
Warning     | 208 | Failed to impersonate user.
Warning     | 210 | Enrollment failed.
Warning     | 212 | Unlock failed.
Warning     | 214 | Wrong answer submitted during user authentication.
Warning     | 215 | Wrong verification code submitted during user authentication.
Warning     | 216 | User was locked out from Specops Password Reset.
Warning     | 220 | License warning. Logged when the license is close to being exceeded.
Warning     | 221 | User failed to reset their password.
Warning     | 222 | User failed to change their password.
Warning     | 241 | Failed to parse polling time from registry.
Warning     | 245 | Failed to contact domain.
Warning     | 277 | Failed to send enrollment reminder.
Error       | 300 | Service failed to start. Logged if the server component fails to start.
Error       | 301 | Service failed to stop.
Error       | 305 | No Specops Password Reset Policy found.
Error       | 306 | Wrong number of questions.
Error       | 310 | Reporting database migration failed. Logged if the service fails to migrate an existing database stored in the old XML format.
Error       | 320 | License error detected.
Error       | 332 | Failed to get password reset package.
Error       | 334 | Failed to send mobile verification code.
Error       | 335 | Failed to get next secret question.
Error       | 336 | Failed to get password policy for user.
Error       | 337 | Server failed to unlock user account.
Error       | 338 | Server failed to reset user password.
Error       | 346 | Failed to send email.
Error       | 348 | Failed to send mobile verification code from Helpdesk tool.
Error       | 349 | Failed to send new user password from help desk.
Error       | 385 | Failed to add data to the reporting database.
Error       | 386 | Failed to clear user data from the reporting database.
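Several of the warning events above (202, 203, 206, 214, 215 and 216) are the ones a helpdesk or security team would want to watch, because a burst of them indicates either guessing against the verification questions and codes or a misconfigured account being reset. The following PowerShell is an added example, not Specops' own code: it pulls those event IDs from the Application log for the last N hours and summarises them per ID. The event source (provider) name is not given in this documentation, so it is a placeholder parameter here; read it from the Source column of an existing SPR event in Event Viewer, or leave it unset to filter on ID alone (which may then also match other applications' events with the same IDs).

```powershell
# Summarise SPR authentication-related warnings from the Application log.
function Get-SprSecurityWarnings {
    param(
        [int]    $Hours        = 24,
        [string] $ComputerName = $env:COMPUTERNAME,
        [string] $ProviderName = '<SPR event source>'   # placeholder, not from the documentation
    )
    # Event IDs and meanings taken from the event table above
    $watch = @{
        202 = 'Too many failed user names (call throttling blocked a request)'
        203 = 'Too many verification code requests'
        206 = 'Password reset from a user with the password-not-required flag set'
        214 = 'Wrong answer submitted during user authentication'
        215 = 'Wrong verification code submitted during user authentication'
        216 = 'User was locked out from Specops Password Reset'
    }
    $filter = @{
        LogName   = 'Application'
        Id        = [int[]]$watch.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Only constrain the provider when a real name has been supplied
    if ($ProviderName -and $ProviderName -notlike '<*>') { $filter.ProviderName = $ProviderName }

    # -ErrorAction SilentlyContinue: Get-WinEvent raises an error when no events match
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        $id = [int]$_.Name
        [pscustomobject]@{
            Id       = $id
            Meaning  = $watch[$id]
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Id
}

# Usage: review the last day; a high count of 214/215 relative to 111 (successful resets)
# is worth a closer look at the message text of the individual events.
Get-SprSecurityWarnings -Hours 24 -ProviderName '<SPR event source>' | Format-Table -AutoSize
```

To see the individual user names, drop the Group-Object step and select TimeCreated and Message from the returned events; the message text of each event carries the details the server logged.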

Debug logging

You can configure the components of Specops Password Reset to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to an error. Debug logging is enabled by changing the relevant registry value from “0” to “1”. Additional logging is produced by the higher debug levels “2” and “3”.

Registry key / Description

HKLM\Software\Specopssoft\uReset\Client\Debug
    Enables and disables debug logging for the Specops uReset Client components.
    Default value = 0 (set to 1 to enable logging).
    The default log paths are:
      SecuredBrowser: c:\windows\debug (if running as a logged-on user, make sure the user has write permissions there)
      Credential provider: c:\windows\debug
      Tiled credential provider: c:\windows\debug
      uReset client: %LocalAppData%\Specopssoft
    These paths cannot be changed.

HKLM\Software\Specopssoft\Specops Password Reset\Administration\Debug
    Enables and disables debug logging for the Specops Password Reset Administration Tool.

HKLM\Software\Specopssoft\Specops Password Reset\Administration\LogFilePath
    Specifies the log file path for the Specops Password Reset Administration Tool log.
    Default value = %USERPROFILE%\Local Settings\Application Data\SpecopsSoft\SpecopsPasswordReset.log
    Note: This value does not exist in the registry by default. If you want to change it, add LogFilePath as a REG_SZ (string) value.

HKLM\Software\Specopssoft\Specops Password Reset\Server\Debug
    Enables and disables debug logging for the Specops Password Reset Server.

HKLM\Software\Specopssoft\Specops Password Reset\Server\LogFilePath
    Specifies the log file path for the Specops Password Reset Server log.
    Default value = C:\SpecopspasswordResetServer.log

HKLM\Software\Specopssoft\Specops Password Reset\Web\Debug
    Enables and disables debug logging for the Specops Password Reset Web component.

HKLM\Software\Specopssoft\Specops Password Reset\Web\LogFilePath
    Specifies the log file path for the Specops Password Reset Web log.
    Default value = C:\Temp\SpecopspasswordResetWeb.log

Note: Do not leave debug logging turned on unless you need it. Verbose logging over an extended period can create large log files, which have the potential to fill your system disk partition.
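Toggling the values above by hand is easy to get wrong (and easy to forget to undo). The following PowerShell is an added example, not Specops' own code: it switches debug logging for one component on or off using the registry paths and value names documented above, optionally sets LogFilePath as a REG_SZ value where the table says that is supported, and reports the current log file size so a log left enabled is noticed before it fills the disk. The function names are placeholders; it assumes that when the Debug value does not yet exist it can be created as a DWORD (the documentation does not state the value type), and that it runs elevated on the machine hosting the component.

```powershell
# Registry locations and default log paths from the table above.
$SprDebugKeys = @{
    Server         = @{ Key = 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
                        DefaultLog = 'C:\SpecopspasswordResetServer.log' }
    Web            = @{ Key = 'HKLM:\Software\Specopssoft\Specops Password Reset\Web'
                        DefaultLog = 'C:\Temp\SpecopspasswordResetWeb.log' }
    Administration = @{ Key = 'HKLM:\Software\Specopssoft\Specops Password Reset\Administration'
                        DefaultLog = "$env:USERPROFILE\Local Settings\Application Data\SpecopsSoft\SpecopsPasswordReset.log" }
    Client         = @{ Key = 'HKLM:\Software\Specopssoft\uReset\Client'
                        DefaultLog = $null }   # fixed per-component paths, see the table
}

# Show the current Debug level, the effective log path and how large the log has grown.
function Get-SprDebugStatus {
    param([Parameter(Mandatory)] [ValidateSet('Server','Web','Administration','Client')] [string] $Component)
    $entry  = $SprDebugKeys[$Component]
    $props  = Get-ItemProperty -Path $entry.Key -ErrorAction SilentlyContinue
    $log    = if ($props.LogFilePath) { $props.LogFilePath } else { $entry.DefaultLog }
    $sizeMB = if ($log -and (Test-Path -LiteralPath $log)) {
                  [math]::Round((Get-Item -LiteralPath $log).Length / 1MB, 1) } else { 0 }
    [pscustomobject]@{
        Component = $Component
        Debug     = if ($null -ne $props.Debug) { $props.Debug } else { 0 }
        LogFile   = $log
        LogSizeMB = $sizeMB
    }
}

# Set the Debug level (0 = off, 1 = on, 2/3 = more verbose) for one component.
function Set-SprDebugLogging {
    param(
        [Parameter(Mandatory)] [ValidateSet('Server','Web','Administration','Client')] [string] $Component,
        [ValidateRange(0,3)] [int] $Level = 1,
        [string] $LogFilePath            # optional; not supported for the Client component
    )
    $entry = $SprDebugKeys[$Component]
    if (-not (Test-Path -Path $entry.Key)) {
        throw "Registry key not found: $($entry.Key). Is the $Component component installed here?"
    }
    # Preserve the existing value type; assume DWORD only if the value is absent
    $key  = Get-Item -Path $entry.Key
    $kind = if ($key.GetValueNames() -contains 'Debug') { $key.GetValueKind('Debug') } else { 'DWord' }
    Set-ItemProperty -Path $entry.Key -Name Debug -Value $Level -Type $kind

    if ($LogFilePath) {
        if ($Component -eq 'Client') { throw 'Client log paths cannot be changed.' }
        # LogFilePath is absent by default, so create it as REG_SZ (-Force overwrites an existing one)
        New-ItemProperty -Path $entry.Key -Name LogFilePath -Value $LogFilePath -PropertyType String -Force | Out-Null
    }
    Get-SprDebugStatus -Component $Component
}

# Usage: enable, reproduce the problem, then turn it off again and check the log size.
# Set-SprDebugLogging -Component Server -Level 1
# ... reproduce the error ...
# Set-SprDebugLogging -Component Server -Level 0
'Server','Web','Administration','Client' | ForEach-Object { Get-SprDebugStatus -Component $_ } | Format-Table -AutoSize
```

The components read these values at their own pace, so restart the relevant service or application pool after changing them if the log does not start growing; running the status line at the end on a schedule is a cheap way to catch a debug setting someone forgot to switch back to 0.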
