Troubleshooting

The information below is intended for administrators who are responsible for troubleshooting Specops Password Reset. Before you perform the tasks in this guide, please ensure you have correctly installed Specops Password Reset.

Access denied message on helpdesk webpage

Possible cause

Delegated Helpdesk does not work against an alias: https://spr.domain.com/specopspassword/helpdesk. You must access the page through the FQDN.

Possible solution

Add another CN to the certificate: “CN=hostname.domain.local” if using https://hostname.domain.local/specopspassword/helpdesk, or “CN=hostname” if using just the server name, https://hostname/specopspassword/helpdesk.

Always get prompted for windows credentials when opening the Helpdesk/Reporting page

Possible cause

You have not added the FQDN of the server (or *.mydomain.com) to the Local intranet zone using the Site to Zone Assignment List Group Policy setting.

Possible solution

You will need to complete the steps under “Enabling authentication to the Password Reset Web Server” in the Specops Password Reset Installation Guide.

“Access denied” message when enrolling with an admin account

Possible cause

Admin accounts are affected by the adminSDHolder rule, which resets the security permissions on privileged AD accounts every 15 minutes.

Possible solution

Log in with an account that has Domain Admin permissions and use the dsacls command to adjust the permissions on the AdminSDHolder object.

Example:

dsacls "CN=AdminSDHolder, CN=System, DC=example, DC=com" /G "EXAMPLE\sprsvc:CCDC;classStore;" "EXAMPLE\sprsvc:LC;;" "EXAMPLE\sprsvc:CA;Reset Password;" "EXAMPLE\sprsvc:RP;userAccountControl;" "EXAMPLE\sprsvc:RPWP;mobile;" "EXAMPLE\sprsvc:RPWP;pwdLastSet;" "EXAMPLE\sprsvc:RPWP;lockoutTime;"

Replace "DC=example, DC=com" with the domain components of your domain and "EXAMPLE\sprsvc" with the name of the SPR service account.

NOTE
Allowing Specops Password Reset to work with an account with administrative permissions is not best practice for security reasons. Enable these settings only if it is required by the practical reality of your organization.
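The following PowerShell is an added example, not Specops' own code, for checking the two facts behind this symptom before touching AdminSDHolder: whether the enrolling account is SDProp-protected (adminCount = 1, so any rights delegated on the user object are overwritten on the next propagation cycle) and which access control entries the SPR service account currently holds on CN=AdminSDHolder. It assumes the ActiveDirectory RSAT module on a domain-joined host; the account names 'jdoe' and 'EXAMPLE\sprsvc' are constructed sample values.

```powershell
# Added example (not Specops' own code). Requires the ActiveDirectory module,
# which also provides the AD: drive used by Get-Acl below.
Import-Module ActiveDirectory

function Test-AdminSdHolderProtected {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # adminCount = 1 means SDProp has stamped this account as protected; its ACL
    # is replaced from AdminSDHolder on every propagation run.
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    return ($user.adminCount -eq 1)
}

function Get-AdminSdHolderRights {
    param([Parameter(Mandatory)][string]$ServiceAccount)   # e.g. 'EXAMPLE\sprsvc'
    $domainDn = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$domainDn"
    # Only the ACEs granted to the SPR service account are of interest here.
    $acl.Access |
        Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritanceType
}

# Usage with constructed sample values: a user who got "Access denied" on enrollment
# and the service account from the dsacls example above.
$samAccount     = 'jdoe'
$serviceAccount = 'EXAMPLE\sprsvc'

if (Test-AdminSdHolderProtected -SamAccountName $samAccount) {
    Write-Warning "$samAccount is protected by AdminSDHolder; rights delegated on the user object will be reset by SDProp."
    $rights = Get-AdminSdHolderRights -ServiceAccount $serviceAccount
    if (-not $rights) {
        Write-Warning "No ACEs for $serviceAccount on AdminSDHolder; the dsacls step has not been applied."
    } else {
        # ObjectType is the schema GUID of the attribute or extended right each ACE covers.
        $rights | Format-Table -AutoSize
    }
} else {
    "$samAccount is not AdminSDHolder-protected; look elsewhere for the access denied cause."
}
```

Run it as a domain administrator so that reading the AdminSDHolder ACL succeeds. Because SDProp re-applies the ACL roughly every hour by default, a right that exists on the user object but not on AdminSDHolder will disappear again, which is exactly why the guide grants it on AdminSDHolder itself.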

When the user follows the enrollment reminder link, they are told that they do not have a configured enrollment policy

Possible cause

The service account has lost permissions to read the Specops Password Reset Group Policy Object.

Possible solution

From the Group Policy Management Console, add the service account to the Delegation Tab of the Specops Password Reset Group Policy Object with Read rights.

User receives “the certificate revocation list server could not be reached” message when they click the reset password link at the logon screen, but not when they browse to the reset page when logged in.

Possible cause

User is not connected to the internet at the logon screen.

Possible solution

You can use one of the following three options to solve this issue:

  1. Add a new rule to your proxy that allows “domain computers” to reach the CRL servers on the internet. The rule will look similar to the example below:
    Source: internal network
    Destination: IP address of CRL server
    Port: 80
    Access Group: “Domain Computers”
  2. Disable the CRL check on the client.
    NOTE
    This will disable CRL checking on all certificates. If you visit a site that had its certificate revoked, this would allow the creation of a secure connection, unless the certificate had expired.
  3. If you have an internal Certificate Authority system, use an internal certificate, instead of a public certificate.
    NOTE
    A public certificate is a good choice if you plan on allowing users to reset their passwords externally.

The Reset Password link does not appear on the logon page after reboot

Possible cause

The computer is booting before the network stack has been brought up. This is common on systems with wireless or gigabit-connected NICs.

Possible solution

  • You may want to disable Fast Logon Optimization. You can do this with Group Policy, using the Always wait for the network at computer startup and logon policy setting. You can find this setting under Computer Configuration/Administrative Templates/System/Logon.
  • If you are using Windows 7, you can do this with Group Policy using the Startup Policy Processing Wait Time policy setting. You can find this setting under Computer Configuration/Administrative Templates/System/Group Policy.

“Identity check failed for outgoing message” error when accessing any Password Reset Webpage after an upgrade or opening the Configuration tool.

Complete message reads: “Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was ‘servername.domain.com’ but the remote endpoint provided DNS claim ‘webserveralias.domain.com.’ If this is a legitimate endpoint, you can fix the problem by explicitly specifying DNS identity ‘webserveralias.domain.com’ as the identity property of EndpointAddress when creating channel proxy.”

Possible cause

During installation, you may have used the web server certificate when installing the “server” component instead of the “web” component.

Possible solution

The server component requires a certificate with a CN (common name) that matches the FQDN of the server. This is required for Windows Identity Foundation to work correctly. A self-signed certificate or a certificate with a CN, either public or private, can be used for this function.
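Both this section and the helpdesk "Access denied" section above come down to whether the bound certificate carries the name a client actually uses. The PowerShell below is an added example, not Specops' own code: it lists every certificate in the local machine personal store together with the DNS names it covers (subject CN plus SAN dNSName entries) and reports which of the expected names are missing. The expected names default to the host name and FQDN of the machine it runs on; the alias 'spr.domain.com' passed at the end is a constructed sample value.

```powershell
# Added example (not Specops' own code): which certificates in LocalMachine\My
# match the server's own names and any helpdesk alias?

function Get-ServerNames {
    # Short host name plus the FQDN, as the "server" component requires a CN matching the FQDN.
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    @($env:COMPUTERNAME, $fqdn) | Select-Object -Unique
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject common name.
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # Subject Alternative Name extension (OID 2.5.29.17); Format($false) renders it as
    # "DNS Name=host.domain.local, DNS Name=host" on Windows.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        foreach ($part in ($san.Format($false) -split ',\s*')) {
            if ($part -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
        }
    }
    $names | Select-Object -Unique
}

function Test-CertificateForHost {
    param(
        [string[]]$ExpectedNames = (Get-ServerNames),
        [string[]]$Aliases = @()          # extra names such as a helpdesk alias
    )
    $want = @($ExpectedNames) + @($Aliases)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $have    = @(Get-CertificateDnsNames -Cert $_)
        $missing = $want | Where-Object { $have -notcontains $_ }
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            DnsNames   = ($have -join ', ')
            Missing    = ($missing -join ', ')
            NotAfter   = $_.NotAfter
        }
    }
}

# Usage: 'spr.domain.com' is a constructed alias; use the name from your helpdesk URL.
Test-CertificateForHost -Aliases 'spr.domain.com' | Format-Table -AutoSize
```

A certificate with an empty Missing column is suitable for both components; one that covers the alias but not the FQDN is the situation the "Identity check failed" message describes, and one that covers the FQDN but not the alias produces the helpdesk "Access denied" symptom.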

Event Logging

The Specops Password Reset Server component logs the operations that have been performed to the application log on the appropriate server.


Specops Password Reset Server events

Event type   ID   Description
Information  100  Service starting.
Information  101  Service started.
Information  103  Service stopped.
Information  104  License verification entry. Contains the license count information, which is collected nightly.
Information  105  Reporting database migration started. Only logged if the service discovers an existing database stored in the old XML format.
Information  106  Reporting database migration completed successfully. Only logged if the service discovers an existing database stored in the old XML format.
Information  110  Enrollment successful. Logged every time a user enrolls.
Information  111  Reset successful. Logged every time a user has successfully reset their password.
Information  112  Unlock successful. Logged every time a user has successfully unlocked their user account.
Information  113  Change successful. Logged every time a user has successfully changed their password.
Information  114  Change failed. Logged every time a user tried to change their password but failed because of the password policy rules.
Warning      202  Too many failed user names. Logged when the call throttling feature has blocked a client request.
Warning      203  Too many verification code requests.
Warning      205  Ignore password rules on reset found in policy. Logged when Specops Password Reset discovers a user with a Specops Password Policy configured to be ignored on password reset operations. This setting should not be enabled in environments where Specops Password Reset is used, because it allows users to bypass their password policy.
Warning      206  Password reset detected from user with the password not required flag set.
Warning      207  Password not required flag discovered on an enrolled user.
Warning      208  Failed to impersonate user.
Warning      210  Enrollment failed.
Warning      212  Unlock failed.
Warning      214  Wrong answer submitted during user authentication.
Warning      215  Wrong verification code submitted during user authentication.
Warning      216  User was locked out from Specops Password Reset.
Warning      220  License warning. Logged when the license is close to being exceeded.
Warning      221  User failed to reset their password.
Warning      222  User failed to change their password.
Warning      241  Failed to parse polling time from registry.
Warning      245  Failed to contact domain.
Warning      277  Failed to send enrollment reminder.
Error        300  Service failed to start. Logged if the server component fails to start.
Error        301  Service failed to stop.
Error        305  No Specops Password Reset Policy found.
Error        306  Wrong number of questions.
Error        310  Reporting database migration failed. Logged if the service fails to migrate an existing database stored in the old XML format.
Error        320  License error detected.
Error        332  Failed to get password reset package.
Error        334  Failed to send mobile verification code.
Error        335  Failed to get next secret question.
Error        336  Failed to get password policy for user.
Error        337  Server failed to unlock user account.
Error        338  Server failed to reset user password.
Error        346  Failed to send email.
Error        348  Failed to send mobile verification code from Helpdesk tool.
Error        349  Failed to send new user password from help desk.
Error        385  Failed to add data to the reporting database.
Error        386  Failed to clear user data from the reporting database.
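The table is most useful when the events are reviewed regularly rather than only after a complaint. The PowerShell below is an added example, not Specops' own code: it reads the IDs above from the Application log of the server and groups them into throttling, authentication failures, policy weaknesses (205, 206 and 207 all point at accounts that can sidestep the password policy), operation failures and service health. The provider name is not stated in the guide, so the '*Specops*' filter on ProviderName is an assumption; check the Source column of an existing event in Event Viewer and adjust $ProviderPattern if it differs.

```powershell
# Added example (not Specops' own code): summarise Specops Password Reset Server
# events from the Application log for a security review.
$ProviderPattern = '*Specops*'   # assumption; match the event Source shown in Event Viewer

# Event IDs from the table above, grouped by what they mean to a reviewer.
$EventGroups = @{
    Throttling       = @(202, 203, 216)
    AuthFailure      = @(214, 215)
    PolicyWeakness   = @(205, 206, 207)
    OperationFailure = @(208, 210, 212, 221, 222, 337, 338)
    ServiceHealth    = @(300, 301, 305, 320)
}

function Get-SprEvents {
    param([int]$Hours = 24)
    $ids = $EventGroups.Values | ForEach-Object { $_ }   # flatten to one ID list
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like $ProviderPattern }
}

function Get-SprEventSummary {
    param([int]$Hours = 24)
    $events = @(Get-SprEvents -Hours $Hours)
    foreach ($group in $EventGroups.Keys) {
        $matching = @($events | Where-Object { $EventGroups[$group] -contains $_.Id })
        [pscustomobject]@{
            Group = $group
            Count = $matching.Count
            Ids   = (($matching | Select-Object -ExpandProperty Id -Unique | Sort-Object) -join ', ')
            Last  = ($matching | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    }
}

# Usage: last 24 hours, one row per group.
Get-SprEventSummary -Hours 24 | Sort-Object Group | Format-Table -AutoSize

# Wrong answers (214) and wrong verification codes (215) carry the account in the
# message text; repeated failures against the same account merit a closer look.
Get-SprEvents -Hours 24 | Where-Object { $_.Id -in 214, 215 } |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Any non-zero PolicyWeakness count is worth acting on the same day, since those events describe accounts that can be reset without the password policy applying. A ServiceHealth count that is non-zero on a server that is supposedly running normally usually explains user-facing errors elsewhere in this guide.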

Debug logging

You can configure the components of Specops Password Reset to log their internal activity to a verbose debug log. The debug log allows you to follow the events leading up to the error. Debug logging is enabled by changing the relevant registry key from “0” to “1.” Additional logging will be returned by using the higher debug levels “2” or “3.”

For Client debug information, see: https://specopssoft.com/Support/Password-Policy/client-debugging.htm

HKLM\Software\Specopssoft\Specops Password Reset\Administration\Debug
    Enables and disables debug logging for the Specops Password Reset Administration Tool.
HKLM\Software\Specopssoft\Specops Password Reset\Administration\LogFilePath
    Specifies the log file path for the Specops Password Reset Administration Tool log.
    Default value = %USERPROFILE%\Local Settings\Application Data\SpecopsSoft\SpecopsPasswordReset.log
    Note: This value does not exist in the registry by default. If you want to change it, add LogFilePath as a REG_SZ (string value).
HKLM\Software\Specopssoft\Specops Password Reset\Server\Debug
    Enables and disables debug logging for the Specops Password Reset Server.
HKLM\Software\Specopssoft\Specops Password Reset\Server\LogFilePath
    Specifies the log file path for the Specops Password Reset Server log.
    Default value = C:\SpecopspasswordResetServer.log
HKLM\Software\Specopssoft\Specops Password Reset\Web\Debug
    Enables and disables debug logging for the Specops Password Reset Web.
HKLM\Software\Specopssoft\Specops Password Reset\Web\LogFilePath
    Specifies the log file path for the Specops Password Reset Web log.
    Default value = C:\Temp\SpecopspasswordResetWeb.log
NOTE
Do not leave the debug logging turned on unless you need it. Verbose logging over an extended amount of time can create large log files which have the potential of filling your system disk partition.
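The PowerShell below is an added example, not Specops' own code, that wraps the registry values documented above: one function sets the Debug level (0 to 3) for a component and optionally adds LogFilePath as REG_SZ, and a second reports the current level and log file size for every installed component, so that verbose logging is not left running and a growing log is noticed before it fills the system disk. The key paths and default log paths are the ones from the table; the size threshold of 100 MB in the usage line is an arbitrary constructed value. Run it in an elevated session, since the keys live under HKLM.

```powershell
# Added example (not Specops' own code): toggle and audit Specops Password Reset debug logging.
$Components = @{
    Administration = @{
        Key        = 'HKLM:\Software\Specopssoft\Specops Password Reset\Administration'
        # Per-user default; expands to the profile of whoever runs this script.
        DefaultLog = "$env:USERPROFILE\Local Settings\Application Data\SpecopsSoft\SpecopsPasswordReset.log"
    }
    Server = @{
        Key        = 'HKLM:\Software\Specopssoft\Specops Password Reset\Server'
        DefaultLog = 'C:\SpecopspasswordResetServer.log'
    }
    Web = @{
        Key        = 'HKLM:\Software\Specopssoft\Specops Password Reset\Web'
        DefaultLog = 'C:\Temp\SpecopspasswordResetWeb.log'
    }
}

function Set-SprDebugLogging {
    param(
        [Parameter(Mandatory)][ValidateSet('Administration', 'Server', 'Web')][string]$Component,
        [ValidateRange(0, 3)][int]$Level = 1,   # 0 = off, 1 = on, 2/3 = more verbose
        [string]$LogFilePath                      # optional override, stored as REG_SZ
    )
    $key = $Components[$Component].Key
    if (-not (Test-Path $key)) {
        throw "Registry key $key not found; is the $Component component installed on this host?"
    }
    Set-ItemProperty -Path $key -Name Debug -Value $Level -Type DWord
    if ($LogFilePath) {
        # LogFilePath does not exist by default; the guide says to add it as a string value.
        Set-ItemProperty -Path $key -Name LogFilePath -Value $LogFilePath -Type String
    }
}

function Get-SprDebugStatus {
    foreach ($name in $Components.Keys) {
        $key = $Components[$name].Key
        if (-not (Test-Path $key)) { continue }   # component not installed here
        $props = Get-ItemProperty -Path $key
        $log   = if ($props.LogFilePath) { $props.LogFilePath } else { $Components[$name].DefaultLog }
        $sizeMB = if (Test-Path $log) { [math]::Round((Get-Item $log).Length / 1MB, 1) } else { 0 }
        [pscustomobject]@{
            Component  = $name
            DebugLevel = [int]$props.Debug     # missing value reads as 0 (off)
            LogFile    = $log
            SizeMB     = $sizeMB
        }
    }
}

# Usage: enable level 1 on the Server component while reproducing the problem ...
Set-SprDebugLogging -Component Server -Level 1
# ... then switch it off again and confirm nothing was left on or has grown large.
Set-SprDebugLogging -Component Server -Level 0
Get-SprDebugStatus | Where-Object { $_.DebugLevel -gt 0 -or $_.SizeMB -gt 100 } | Format-Table -AutoSize
```

The final line is the check to keep: run it after any troubleshooting session, or on a schedule, and an empty result means no component is still logging verbosely and no log file has grown past the threshold.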