Troubleshooting
The information below is intended for administrators who are responsible for troubleshooting Specops Password Reset. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Reset.
Access denied message on helpdesk webpage
Possible cause
Delegated Helpdesk does not work when the site is opened through an alias such as https://spr.domain.com/specopspassword/helpdesk. You must access the page through the FQDN of the web server.
Possible solution
Add another CN to the certificate: “CN=hostname.domain.local” if you use https://hostname.domain.local/specopspassword/helpdesk, or “CN=hostname” if you use just the server name, https://hostname/specopspassword/helpdesk.
Always get prompted for windows credentials when opening the Helpdesk/Reporting page
Possible cause
You have not added the FQDN of the server (or *.mydomain.com) to the Local intranet zone using the Site to Zone Assignment List Group Policy setting.
Possible solution
You will need to complete the steps under “Enabling authentication to the Password Reset Web Server” in the Specops Password Reset Installation Guide.
“Access denied” message when enrolling with an admin account
Possible cause
Admin accounts are affected by the adminSDHolder rule, which resets the security permissions on privileged AD accounts every 15 minutes.
Possible solution
Log in with an account that has Domain Admin permissions. The permissions on AdminSDHolder can then be adjusted with the dsacls command.
Example:
```
dsacls "CN=AdminSDHolder,CN=System,DC=example,DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"
```
In the example, replace the domain components (DC=example,DC=com) and the account name (EXAMPLE\sprsvc) with the domain components of your domain and the name of the SPR service account.
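To verify that the grants took effect, the following PowerShell (an added example, not part of the Specops documentation) lists the ACEs the service account holds on AdminSDHolder and the protected accounts that inherit them. It assumes the ActiveDirectory module from RSAT and reuses the account name EXAMPLE\sprsvc from the example above.

```powershell
# Added example (not Specops code). Lists the service account's ACEs on AdminSDHolder
# and the protected accounts that inherit them. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$serviceAccount = 'EXAMPLE\sprsvc'        # replace with your SPR service account
$domainDn   = (Get-ADDomain).DistinguishedName
$holderPath = "AD:\CN=AdminSDHolder,CN=System,$domainDn"

# Explicit ACEs for the service account on the AdminSDHolder object
$aces = (Get-Acl -Path $holderPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $serviceAccount }

if (-not $aces) {
    Write-Warning "$serviceAccount has no ACEs on AdminSDHolder; enrollment of protected accounts will fail with access denied."
}
else {
    # ObjectType is the GUID of the attribute or extended right each ACE applies to
    $aces | Select-Object ActiveDirectoryRights, AccessControlType, ObjectType |
        Format-Table -AutoSize
}

# Protected accounts (adminCount=1) only receive the new ACL when SDProp next runs,
# so compare whenChanged with the time you ran dsacls before troubleshooting further.
Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, whenChanged |
    Select-Object SamAccountName, adminCount, whenChanged |
    Format-Table -AutoSize
```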
When the user follows the enrollment reminder link, they are told that they do not have a configured enrollment policy
Possible cause
The service account has lost permissions to read the Specops Password Reset Group Policy Object.
Possible solution
From the Group Policy Management Console, add the service account to the Delegation Tab of the Specops Password Reset Group Policy Object with Read rights.
User receives “the certificate revocation list server could not be reached” message when they click the reset password link at the logon screen, but not when they browse to the reset page when logged in.
Possible cause
User is not connected to the internet at the logon screen.
Possible solution
You can use one of the following three options to solve this issue:
- Add a new rule to your proxy that allows “Domain Computers” to reach the CRL servers on the internet. The rule will look similar to the example below:
  Source: internal network
  Destination: IP address of CRL server
  Port: 80
  Access Group: “Domain Computers”
- Disable the CRL check on the client. This disables CRL checking for all certificates: if you visit a site whose certificate has been revoked, a secure connection would still be established unless the certificate had also expired.
- If you have an internal Certificate Authority, use an internal certificate instead of a public certificate. A public certificate is a good choice if you plan on allowing users to reset their passwords externally.
The Reset Password link does not appear on the logon page after reboot
Possible cause
The computer is booting before the network stack has been brought up. This is common on systems with wireless or gigabit NICs.
Possible solution
- You may want to disable Fast Logon Optimization. You can do this with Group Policy, using the Always wait for the network at computer startup and logon policy setting. You can find this setting under Computer Configuration / Administrative Templates / System / Logon.
- If you are using Windows 7, you can do this with Group Policy using the Startup Policy Processing Wait Time policy setting. You can find this setting under Computer Configuration / Administrative Templates / System / Group Policy.
“Identity check failed for outgoing message” error when accessing any Password Reset Webpage after an upgrade or opening the Configuration tool.
Complete message reads: “Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘servername.domain.com’ but the remote endpoint provided DNS claim ‘webserveralias.domain.com.’ If this is a legitimate endpoint, you can fix the problem by explicitly specifying DNS identity ‘webserveralias.domain.com’ as the identity property of EndpointAddress when creating channel proxy.”
Possible cause
During installation, you may have used the web server certificate when installing the “server” component instead of the “web” component.
Possible solution
The server component requires a certificate with a CN (common name) that matches the FQDN of the server. This is required for Windows Identity Foundation to work correctly. A self-signed certificate, or a certificate issued by a public or private CA, can be used for this purpose as long as its CN matches the server FQDN.
Event Logging
The Specops Password Reset Server component logs the operations that have been performed to the application log on the appropriate server.
The event IDs are listed in the table below.
Specops Password Reset Server events
Event type | ID | Description |
---|---|---|
Information | 100 | Service starting. |
Information | 101 | Service started. |
Information | 103 | Service stopped. |
Information | 104 | License verification entry. Contains the license count information, which is collected nightly. |
Information | 105 | Reporting database migration started. Only logged if the service discovers an existing database stored in the old XML format. |
Information | 106 | Reporting database migration completed successfully. Only logged if the service discovers an existing database stored in the old XML format. |
Information | 110 | Enrollment successful. Logged every time a user enrolls. |
Information | 111 | Reset successful. Logged every time a user has successfully reset their password. |
Information | 112 | Unlock successful. Logged every time a user has successfully unlocked their user account. |
Information | 113 | Change successful. Logged every time a user has successfully changed their password. |
Information | 114 | Change failed. Logged every time a user tried to change their password but failed because of the password policy rules. |
Warning | 202 | Too many failed user names. Logged when the call throttling feature has blocked a client request. |
Warning | 203 | Too many verification code requests. |
Warning | 205 | Ignore password rules on reset found in policy. Logged when Specops Password Reset discovers a user with a Specops Password Policy configured to be ignored on password reset operations. This setting should not be enabled in environments where Specops Password Reset is used, because it allows users to bypass their password policy. |
Warning | 206 | Password reset detected from a user with the “password not required” flag set. |
Warning | 207 | “Password not required” flag discovered on an enrolled user. |
Warning | 208 | Failed to impersonate user. |
Warning | 210 | Enrollment failed. |
Warning | 212 | Unlock failed. |
Warning | 214 | Wrong answer submitted during user authentication. |
Warning | 215 | Wrong verification code submitted during user authentication. |
Warning | 216 | User was locked out from Specops Password Reset. |
Warning | 220 | License warning. Logged when the license is close to being exceeded. |
Warning | 221 | User failed to reset their password. |
Warning | 222 | User failed to change their password. |
Warning | 241 | Failed to parse polling time from registry. |
Warning | 245 | Failed to contact domain. |
Warning | 277 | Failed to send enrollment reminder. |
Error | 300 | Service failed to start. Logged if the server component fails to start. |
Error | 301 | Service failed to stop. |
Error | 305 | No Specops Password Reset Policy found. |
Error | 306 | Wrong number of questions. |
Error | 310 | Reporting database migration failed. Logged if the service fails to migrate an existing database stored in the old XML format. |
Error | 320 | License error detected. |
Error | 332 | Failed to get password reset package. |
Error | 334 | Failed to send mobile verification code. |
Error | 335 | Failed to get next secret question. |
Error | 336 | Failed to get password policy for user. |
Error | 337 | Server failed to unlock user account. |
Error | 338 | Server failed to reset user password. |
Error | 346 | Failed to send email. |
Error | 348 | Failed to send mobile verification code from Helpdesk tool. |
Error | 349 | Failed to send new user password from help desk. |
Error | 385 | Failed to add data to the reporting database. |
Error | 386 | Failed to clear user data from the reporting database. |
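As an added example (not Specops code), the following PowerShell pulls the security-relevant warning IDs from the table above out of the Application log on the server, summarises them for the last 24 hours and flags the policy-bypass conditions and bursts of wrong answers. The provider name is not given on this page, so the filter is by event ID only and assumes no other application on the server uses the same IDs; the threshold of 20 is an assumed value.

```powershell
# Added example (not Specops code). Summarises security-relevant SPR events from the
# Application log on the server. Assumption: filter by ID only, as the provider name is
# not documented here; add ProviderName to the hashtable once you know it.
$watched = @{
    205 = 'Ignore password rules on reset found in policy'
    206 = 'Reset from user with password-not-required flag'
    207 = 'Password-not-required flag on enrolled user'
    208 = 'Failed to impersonate user'
    214 = 'Wrong answer submitted'
    215 = 'Wrong verification code submitted'
    216 = 'User locked out from Specops Password Reset'
}
$guessThreshold = 20   # wrong answers/codes per day that warrant a closer look (assumed value)

$events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Application'
    Id        = [int[]]$watched.Keys
    StartTime = (Get-Date).AddDays(-1)
}

# One summary row per event ID: how often it fired and when it was last seen
$summary = $events | Group-Object Id | ForEach-Object {
    [pscustomobject]@{
        Id       = [int]$_.Name
        Meaning  = $watched[[int]$_.Name]
        Count    = $_.Count
        LastSeen = ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated
    }
}
$summary | Sort-Object Count -Descending | Format-Table -AutoSize

# 205/206/207 describe policy-bypass conditions and should be zero in a healthy deployment
$summary | Where-Object { $_.Id -in 205, 206, 207 } | ForEach-Object {
    Write-Warning "Event $($_.Id) seen $($_.Count) time(s): $($_.Meaning)"
}

# Many wrong answers or codes (214/215) suggest someone working through a user's questions
$guesses = ($summary | Where-Object { $_.Id -in 214, 215 } | Measure-Object Count -Sum).Sum
if ($guesses -ge $guessThreshold) {
    Write-Warning "$guesses wrong answers/codes in 24h; review the user names in those events."
}
```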
Debug logging
You can configure the components of Specops Password Reset to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to an error. Debug logging is enabled by changing the relevant registry value from “0” to “1”. More detailed logging is produced by the higher debug levels “2” or “3”.
For Client debug information, see: https://specopssoft.com/Support/Password-Policy/client-debugging.htm
Registry key | Description |
---|---|
HKLM\Software\Specopssoft\Specops Password Reset\Administration\Debug | Enables and disables debug logging for the Specops Password Reset Administration Tool. |
HKLM\Software\Specopssoft\Specops Password Reset\Administration\LogFilePath | Specifies the log file path for the Specops Password Reset Administration Tool log. Default value: %USERPROFILE%\Local Settings\Application Data\SpecopsSoft\SpecopsPasswordReset.log. Note: this value does not exist in the registry by default. If you want to change it, add LogFilePath as a REG_SZ (string value). |
HKLM\Software\Specopssoft\Specops Password Reset\Server\Debug | Enables and disables debug logging for the Specops Password Reset Server. |
HKLM\Software\Specopssoft\Specops Password Reset\Server\LogFilePath | Specifies the log file path for the Specops Password Reset Server log. Default value: C:\SpecopspasswordResetServer.log |
HKLM\Software\Specopssoft\Specops Password Reset\Web\Debug | Enables and disables debug logging for the Specops Password Reset Web. |
HKLM\Software\Specopssoft\Specops Password Reset\Web\LogFilePath | Specifies the log file path for the Specops Password Reset Server log. Default value: C:\Temp\SpecopspasswordResetWeb.log |
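The following PowerShell function (an added example, not Specops code) switches debug logging for one component using the registry values in the table above. It assumes the Debug value is a DWORD when it does not yet exist, otherwise it keeps whatever type the installer created; run it elevated on the machine that hosts the component.

```powershell
# Added example (not Specops code). Switches debug logging for one SPR component using the
# registry values in the table above. Run elevated on the machine hosting that component.
function Set-SprDebugLogging {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Administration', 'Server', 'Web')]
        [string]$Component,
        [ValidateRange(0, 3)]
        [int]$Level = 1,            # 0 = off, 1 = on, 2/3 = more verbose
        [string]$LogFilePath        # optional override of the default log path
    )
    $key = "HKLM:\Software\Specopssoft\Specops Password Reset\$Component"
    if (-not (Test-Path $key)) {
        throw "$key not found; is the $Component component installed on this machine?"
    }
    # Keep whatever value type the installer created; assume DWord if Debug is absent.
    $kind = try { (Get-Item $key).GetValueKind('Debug') } catch { 'DWord' }
    Set-ItemProperty -Path $key -Name Debug -Value $Level -Type $kind
    if ($LogFilePath) {
        # LogFilePath is not present by default and must be created as REG_SZ
        Set-ItemProperty -Path $key -Name LogFilePath -Value $LogFilePath -Type String
    }
    # Return the resulting settings so the caller can confirm them
    Get-ItemProperty -Path $key |
        Select-Object @{ n = 'Component'; e = { $Component } }, Debug, LogFilePath
}

# Capture the server side of a failing reset, then set the level back to 0 when done
Set-SprDebugLogging -Component Server -Level 2 -LogFilePath 'C:\Temp\SprServerDebug.log'
# Set-SprDebugLogging -Component Server -Level 0
```

The debug log records the steps leading up to an error for every user, so restrict the log file location to administrators and turn the level back to 0 once the problem is captured.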