0 votes

Whether I try to run a script or manually run the commands to enroll users, users remain unenrolled. Example of a basic script:

Import-Module Adaxes

$question1 = "What are the last 5 digits of your credit card?" $answer1 = "12345" $question2 = "In what city or town was your first job?" $answer2 = "London"

New-AdmPasswordSelfServiceEnrollment user ` -QuestionsAndAnswers @{$question1=$answer1;$question2=$answer2} -AdaxesService localhost

Adaxes version 2021

by (80 points)
0

Hello,

For troubleshooting purposes, please, clarify the following:

  • What authentication methods are enabled in the Password self-service policy effective for the user that you are trying to enroll? For information on how to view the policy effective for a user, have a look at the following help article: https://www.adaxes.com/help/PolicyEffectiveForUser.
  • Do you face any errors/warnings when executing the script?
  • How exactly do you check that the user is not enrolled?
0

Hello,

  1. I have tried all the authentication methods, currently it is set to just the security questions as sms requires an account and email defaults to the company email which won't be accessible if the user account is locked.
  2. I get no errors when executing the scripts or commands, but the user remains unenrolled. I check the enrollment statistics, that's how I know which users are enrolled, I confirmed the statistics are accurate by enrolling the test user via the web interface and the statistics do update accordingly.

I have followed the guide to do it manually via the adaxes commands, despite executing successfully, users remain unenrolled and I am not sure why.

+1

For further troubleshooting, please, do the following:

  • Post here or send us at support@adaxes.com a screenshot of the policy Authentication tab. We need something like this: image.png
  • Specify whether all the questions you are using in the script are present in the list of valid questions for the policy. To check the list, click the Edit Questions link on the Authentication tab of the policy effective for the user you are enrolling. image.png
0

image.png

So I did check the questions being used from the script doesn't exist, but I have added them and I will retest the script now, will comment to confirm is that resolved the issue, but I do have an additional question, I have tried utilizing the authenticator option, but the tokens never match, I have check the time on the server and the user pc, still fails, any idea why this may be?

I have tested and confirmed the questions not being in the question list was the issue, so my only remaining aspect of this issue is, why does the authenticator code not match despite the time being the same on both systems?

0

Hello,

I have tested and confirmed the questions not being in the question list was the issue

Thank you for the confirmation, it is much appreciated!

so my only remaining aspect of this issue is, why does the authenticator code not match despite the time being the same on both systems?

Make sure that the time synchronization with an Internet source is enabled on the computer where the Adaxes service runs and on the mobile device where the authenticator app is installed. The thing is some mobile authenticator applications are very sensitive to time differences. Even 5 seconds difference may cause the issue.

0

Time is synced, did it manually as well, still says code isn't valid or expired, currently working on configuring sms verification, I just a second verification method enabled that would be simpler for my end users, thanks so much for your help, you are greatly appreciated.

+1

Hello,

Please, specify what authenticator mobile app you are using. Additionally, check whether the time synchronization is also enabled on the domain controller (DC) used by Adaxes. To find out which DC Adaxes is using for a domain, create a custom command as follows and execute it on any user from the domain you need. The DC will be displayed in the Execution Log after the command completes.

To create the custom command:

  1. Launch Adaxes Administration console.
  2. In the Console Tree, right-click your service.
  3. In the context menu, navigate to New and click Custom Command.
  4. On step 2 of the Create Custom Command wizard, select the User object type and click Next twice. image.png
  5. Click Add an action.
  6. Select Run a program or PowerShell script and paste the below script into the Script field: image.png
$domainName = $Context.GetObjectDomain("%distinguishedName%")

$context.LogMessage("Domain Controller: " + $Context.GetDomainController($domainName), "Information")
  1. Enter a short description and click OK.
  2. Click Next and finish creating the custom command.
0

Hello there,

I know my response is late on this, thank you very much for the info provided, I sadly could not mark the answer correct since I took some time to get back to this issue. However I did do a time sync on the dc, the adaxes server and the host pc, authenticator tokens still show as invalid, I have tried with authy, microosoft authenticator and a yubikey. Any other ideas I may have overlooked? Thank you for your time.

0

Hello,

Please, clarify whether you are using the same authenticator application on the mobile device as the one you selected in the password self-service policy. If not, please, try using the same authenticator app (e.g. Google Authenticator) both, in the policy and on the mobile device. Does the issue persists in this case?

0

Hello,

Yes I am using the same app as the one selected, I have also tested with alternative apps for testing purposes and receive the same result. I have synced the time on the DC after checking which dc via the script you provided and synced the time on the adaxes server, as well as a time sync check on test devices/computers.

Please log in or register to answer this question.

Related questions

0 votes
0 answers

I have one user in my domain that will not get the self service enrollment popup, no matter which machine they log into. I can log into it and get prompted to ... find any difference and they show as not enrolled in Statistics. Any help would be appreciated.

asked Dec 4, 2014 by jasonearljohnson (70 points)
0 votes
1 answer

Here is what i have been trying with Set-ADUser -Identity $user -Clear "extensionAttribute5" Set-ADUser -Identity $user -Add @{extensionAttribute5 = "NoLicenseNeeded"}

asked Nov 29, 2021 by Markh (20 points)
0 votes
1 answer

Hi, Somehow I cannot enroll users anymore since the upgrade, I get this message: "You cannot enroll for Password Self-Service because the policy effective for your account requires ... disenroll I get this message: Anyone got any idea of what is going wrong?

asked Jul 11, 2018 by droezel (110 points)
0 votes
1 answer

I am attempting to write a powershell script that will enroll users in the self-service password system. However I would like to execute the new enrollment only if the user ... re-enrolling every time I send the command. I would love some assistance, thank you

asked Mar 6, 2015 by david.towle-hilt (70 points)
0 votes
1 answer

Hi there, We're preparing for the release of a Password Self-Service portal with Adaxes, essentially a scaled-down version of the selfservice portal with a customized ... the properties/conditions used to determine "person is not enrolled"? Thanks in advance!

asked Dec 30, 2011 by Kirk (60 points)
3,501 questions
3,193 answers
8,145 comments
547,392 users