X. Common Issues

Also see FAQ for basic questions and Troubleshooting for tools to help diagnose problems.

Have Questions?  Contact Us

Diagnose:

Getting more detailed log information

Startup - Service/Site:

Service did not start
IIS Troubleshooting
Website didn't load

Login / Connectivity:

Cannot Login / Unable to Authenticate
LDAP/AD Bind Errors
Trust Warnings - Connecting to a new server  (KeePass client)
2FA Authenticator error - Invalid Two-Factor Token error
2FA "Two-Factor Required" error
LDAP Connection issue on Windows 2019 Domain Controllers

Access:

Can Only Grant Read-Only Permissions  (v7.6.6+)
Cannot Grant Access
Restore Access Inheritance
Refresh Access Permissions

AD/LDAP:

Cannot Login / Unable to Authenticate
LDAP/AD Bind Errors
Import Users or Groups are missing
Active Directory/LDAP Migration Error  (v7.4+)
Unable to Import

Reset Users:

Problems Resetting User Password  (Reset)

Email:

Test emails do not get sent
Notification emails do not get sent

KeePass:

Trust Warnings - Connecting to a new server...
KeePass The composite key is invalid
KeePass Export Operation is Not Allowed by the Application Policy
KeePass for Password Server errors
PassManClient Connection Error
Timeouts do not auto-close Credentials

Browser:

Nothing happens with Internet Explorer when clicking delete (or any other button)
After Update, home screen shows "loading" and stays there

Features:

Missing tabs or features
Hiding tabs in PPASS Menu
Entry does not appear in search
Using IIS instead of IIS Express

Performance:

Slowness: After Update, AD/LDAP User Login/Refresh
Configurations which Improve Application Performance

SSO:

SSO Authentication Errors
RDP SSO Client crashes on launch (v7.5.2+)

Unable to complete SAML SSO Request

Miscellaneous:

ASP.NET AppDomain is shutting down
Problem installing Pleasant Password Server (Windows 8.1 or Server 2012 R2)
Keyboard not working in Windows Password Reset Client (Windows 8+)
Questions About Session Timeout
Approval Notification has a Grammar Error

Configuring Test Emails - SMTP - Account is not valid

 

 

 

 


Getting more detailed log information

Follow these instructions to get more detailed logging information or to view the log files.

 


Service did not start up

Please Note:

  • When Upgrading: There may be a delay in the service startup while the database is converted to the new version, especially if the versions have been released more than a year ago. It is best to wait while these updates finish. Stopping the service will restart the conversion process.

Sometimes the machine may have a lock on a file and require a reboot. This is especially so in combination with Windows Updates, where a restart / reboot is required.

IIS Site:

Otherwise:

If you continue to have trouble, please email Support with your Detailed Logs and a description of your situation.


Website didn't load

Problems? If the web site won't load,

If you continue to have difficulty, please Contact us!

 


Can Only Grant Read-Only Permissions

(versions 7.6.6+)

Relevant only if upgrading from a version previous to 7.6.6.

If your Administrators or users:

This change has been caused by a security improvement in version 7.6.6. To resolve:

Alternative method: If your organization has never added new Access levels or changed the existing Access levels:

Previously this setting was not required for granting/removing permissions, but has been changed for this version (as per Release Notes for 7.6.6).

This will allow  as for your expectations.

If you have additional questions or concerns, please contact Support.


Can Not Grant Access

The User Access window is used to grant security access to users. This changed in version 7.9.

Basic Steps

  1. To open User Access, you will need to have been given an Access Level with the View User Access permission.
  2. Open the User Access window, then select from "Add Access for" dropdown choosing Users or Roles.
  3. In the next field, type the User/Role you wish to give access to.

Wiki Guide - Please review the instructions for granting access, examples here:

Problems? If you continue to have difficulty, please Contact us and provide:

 


Restore Access Inheritance

(versions 6.4.13+)

If you block access inheritance on entry/folder X without first ensuring you have the Set Block Inheritance permission set directly on X (rather than inherited from an ancestor), you'll only be able to remove the block by editing your database as follows:

  1. Stop the "Pleasant Password Server" service
  2. Open your database in SQLiteManager (as administrator)
    • Open SQLiteManager with a right-click, "Run as administrator". This avoids the "Database is read only" error.
  3. Open the SQL tab and run the following command (assumes that the blocked entry/folder is uniquely named; if not, the WHERE clause will need to use rowid or Id rather than Name):

    UPDATE "CredentialObject"
    SET "PermissionInheritanceBlocked" = 0
    WHERE "Name" = '[THE_NAME_OF_THE_BLOCKED_ENTRY_OR_FOLDER]';

  4. Refresh the folder tree visibility:
    DELETE from "CredentialObjectVisibilityAccessRow";
    DELETE from "CredentialObjectVisibility";
  5. Start the Password Server service

  6. Re-add the User Access directly to the specific folder (or entry) you just restored.

    NOTE: If you notice the Block Access Inheritance  button has disappeared you can restore it by:
  7. Right-click the folder (where the block inheritance button is missing) > Click Move > Select the folder it is currently in
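
The UPDATE in step 3 assumes the blocked entry/folder is uniquely named; run against a duplicated name, it would also clear blocks that were set deliberately on other objects. The following is an added example (not part of the original instructions or the product's code) that checks for duplicates first and updates by Id. The table and column names come from the SQL above; the column types, Id values and rows are constructed for the demonstration.

```python
import sqlite3


def make_demo_db():
    """In-memory stand-in for the database (constructed rows and types)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "CredentialObject" ("Id" TEXT PRIMARY KEY, '
                 '"Name" TEXT, "PermissionInheritanceBlocked" INTEGER)')
    conn.executemany('INSERT INTO "CredentialObject" VALUES (?, ?, ?)', [
        ("id-001", "Finance", 1),
        ("id-002", "Servers", 1),   # blocked on purpose, must stay blocked
        ("id-003", "Servers", 1),   # the object that needs to be restored
    ])
    conn.commit()
    return conn


def clear_block(conn, name, object_id=None):
    """Clear the inheritance block on exactly one object, or change nothing."""
    ids = [row[0] for row in conn.execute(
        'SELECT "Id" FROM "CredentialObject" WHERE "Name" = ?', (name,))]
    if object_id is None:
        if len(ids) != 1:
            raise LookupError(f"{len(ids)} objects named {name!r}; "
                              f"choose an Id from {ids}")
        object_id = ids[0]
    elif object_id not in ids:
        raise LookupError(f"no object {object_id!r} named {name!r}")
    with conn:  # commits on success, rolls back if an exception is raised
        cur = conn.execute(
            'UPDATE "CredentialObject" SET "PermissionInheritanceBlocked" = 0 '
            'WHERE "Id" = ? AND "Name" = ?', (object_id, name))
        if cur.rowcount != 1:
            raise RuntimeError("expected to update exactly one row")
    return object_id


def blocked_ids(conn):
    """Ids that still have inheritance blocked, for a before/after check."""
    return [row[0] for row in conn.execute(
        'SELECT "Id" FROM "CredentialObject" '
        'WHERE "PermissionInheritanceBlocked" = 1 ORDER BY "Id"')]


if __name__ == "__main__":
    db = make_demo_db()
    print("blocked before:", blocked_ids(db))
    try:
        clear_block(db, "Servers")              # ambiguous name: refused
    except LookupError as err:
        print("refused:", err)
    clear_block(db, "Servers", "id-003")        # explicit Id: one row changed
    print("blocked after:", blocked_ids(db))
```
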

 


Refresh Access Permissions

(versions 7.9.13+)

When Restoring inheritance we refresh the Access data with the steps below.

This may also be helpful in some other rare instances, for example when the actual access does not seem to align with the User Access, or folders remain hidden.

  1. Stop the "Pleasant Password Server" service
  2. Open your database in SQLiteManager (as administrator)
    • Open SQLiteManager with a right-click, "Run as administrator". This avoids the "Database is read only" error.
  3. Refresh the folder tree visibility:
    DELETE from "CredentialObjectVisibilityAccessRow";
    DELETE from "CredentialObjectVisibility";
  4. Start the Password Server service

 


2FA Authenticator App gets Invalid Two-Factor Token error

The Authenticator protocol is time-based. If your Server, Device, or App is out of sync by even 30 seconds, this will cause problems:

This should be the only issue your users will have authenticating using the Authenticator apps.
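
Why a small clock difference is enough to produce "Invalid Two-Factor Token", shown as an added example (not Password Server code). It implements TOTP as specified in RFC 6238 with the usual authenticator-app parameters (HMAC-SHA1, 30-second step, 6 digits), which are assumptions here, as is the optional acceptance window; the page does not state how many adjacent time steps the server accepts.

```python
import hashlib
import hmac
import struct

STEP = 30        # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6       # code length shown by common authenticator apps (assumed)
RFC_TEST_SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real secret


def totp(secret: bytes, unix_time: int) -> str:
    """Return the TOTP code for the time step that contains unix_time."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def verify(secret: bytes, token: str, server_time: int, window: int = 0):
    """Return the step offset at which the token matched, or None."""
    for drift in sorted(range(-window, window + 1), key=abs):
        expected = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(expected, token):
            return drift
    return None


def login_attempt(server_time: int, device_skew: int, window: int = 0):
    """The device computes a code with a skewed clock; the server checks it."""
    token = totp(RFC_TEST_SECRET, server_time + device_skew)
    return verify(RFC_TEST_SECRET, token, server_time, window)


if __name__ == "__main__":
    now = 1111111109  # constructed server time, 29 s into its 30 s step
    for skew in (0, 2, 30, -45):
        print(f"skew {skew:+4d}s  strict={login_attempt(now, skew)}  "
              f"window=1 -> {login_attempt(now, skew, window=1)}")
```

A skew of only 2 seconds already fails the strict check when it crosses a step boundary, and a skew of 30 seconds or more always lands in a different step, which is why synchronising the clocks is the first thing to check.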

Still a problem?

1. Watch the clocks simultaneously count up the minutes and seconds. Set the time.

2. Workarounds -- if your users are still having difficulties with their secret, you can take these actions:

Additional Notes:

 


Two-Factor Required error

If you enable the option to Require Two Factor Authentication without first configuring a provider, users will be able to log in until this requirement is removed.

Two-Factor Required Two-factor verification is required but has not been configured. Please contact your website administrator.

In this case the administrator should contact us for information to resolve this configuration problem.


Nothing happens with Internet Explorer when clicking delete (or any other button)

The most likely cause of this is an old version of Internet Explorer or Compatibility View being enabled. More information about Compatibility View can be found here:

http://windows.microsoft.com/en-CA/internet-explorer/use-compatibility-view

If disabling Compatibility View doesn't solve your problem and you're running a recent version of Internet Explorer (IE9+), feel free to contact us for support.

NOTE: Internet Explorer may sometimes automatically enable Compatibility View for Intranet.


LDAP Bind Errors

For problems with Bind Errors / Authenticating a Directory user, start here: Unable to Bind to LDAP/AD


LDAP Connection issue on Windows 2019 Domain Controllers

There appears to be a new issue for LDAP connections to Windows 2019 Domain Controllers. This is not isolated to Password Server, but affects other Microsoft users in general.

A bug fix is pending release from Microsoft, hopefully in August or September.

For further information, and to keep updated with the progress of this issue:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/4f14412f-dd81-4b9a-b6b5-aa69100e87d0/intermittent-not-enough-space-errors-when-doing-ldap-queries-against-2019-domain-controller

 


Active Directory/LDAP Migration Error

(versions 7.4+)

For problems with a Migration error message at Login screen see: Active Directory/LDAP Migration Error


Error System.Exception: ASP.NET AppDomain is shutting down... Reason:

Change Notification for critical directories.

bin dir change or directory rename

HostingEnvironment initiated shutdown

This is due to a Portable Class Library that requires a .NET patch. Simply install the relevant Windows Update to fix this problem. Details are in the following link: http://www.paraesthesia.com/archive/2013/01/21/using-portable-class-libraries-update-net-framework.aspx


Pleasant Password Server won't install on Windows 8.1 or Server 2012 R2

It is possible that ASP.NET 4.5 is installed but not enabled. To enable it:

  1. Find Windows PowerShell on your system (in Server 2012 R2, it may already be in your taskbar).
  2. Right-click on the PowerShell icon and select "Run as Administrator".
  3. In the PowerShell window, type

    & ${env:windir}\syswow64\cmd.exe

    Press enter.
  4. Now type:

    %windir%\sysnative\dism.exe /Online /Enable-Feature /FeatureName:NetFx4Extended-ASPNET45

    Press enter. You should get a message that the command was successful.
  5. Close the PowerShell window and run the Pleasant Password Server installer. It should now install successfully.

Unable to Import

Pleasant.Identity.Mvc.Controllers.IdentityControllerBase Pleasant.Identity.IdentityOperationException: Unable to import 1 users. 0 slots remaining.

The above error message is letting you know that you don't have any more Users available on your License. You must delete a user or upgrade your license (e.g. from 10 to 20) in order to be able to import more users.

 


 

Missing tabs or features 

Make sure the user is a member of a role that has permission to access those features.  Users may need to sign out and sign back in for permission changes to take effect.

 


Hiding tabs in PPASS Menu

Hiding tabs is possible; however, it is not available in trial mode. Once the license is activated, these can be hidden.

 

SSO Server tab

 

Contracts tab


Entry does not appear in search 

SQLite only understands upper/lower case for ASCII characters by default. The LIKE operator is case sensitive by default for Unicode characters that are beyond the ASCII range.
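
The behaviour described above, reproduced as an added example (not the product's search code) with Python's built-in sqlite3 module. The table `demo_entry`, its rows and the `fold()` helper are constructed for illustration; `fold()` is a Python-side function registered with SQLite to show what a Unicode-aware comparison would return, and the example assumes an SQLite build without the ICU extension, which is the default.

```python
import sqlite3

# Constructed sample names; "demo_entry" is a hypothetical table, not the
# Password Server schema. \u00d6 is capital O-umlaut, \u00fc is small u-umlaut.
SAMPLE_NAMES = ["Backup Server", "\u00d6BB Portal", "Z\u00fcrich Router"]


def build_db():
    conn = sqlite3.connect(":memory:")
    # Python case folding exposed to SQL as fold(); illustration only.
    conn.create_function(
        "fold", 1, lambda s: None if s is None else s.casefold())
    conn.execute("CREATE TABLE demo_entry (Name TEXT)")
    conn.executemany("INSERT INTO demo_entry VALUES (?)",
                     [(name,) for name in SAMPLE_NAMES])
    return conn


def like_search(conn, term):
    """Default SQLite LIKE: case-insensitive for ASCII letters only."""
    rows = conn.execute(
        "SELECT Name FROM demo_entry WHERE Name LIKE ? ORDER BY Name",
        (f"%{term}%",))
    return [row[0] for row in rows]


def folded_search(conn, term):
    """Substring match after Unicode case folding on both sides."""
    rows = conn.execute(
        "SELECT Name FROM demo_entry "
        "WHERE instr(fold(Name), fold(?)) > 0 ORDER BY Name", (term,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = build_db()
    for term in ("backup", "\u00f6bb", "\u00d6bb", "Z\u00dcRICH"):
        print(repr(term), "LIKE ->", like_search(db, term),
              "| folded ->", folded_search(db, term))
```

Searching with the exact case of the non-ASCII characters finds the entry; only the ASCII letters in the term are matched regardless of case.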


Use IIS instead of IIS Express

Using IIS is possible and is recommended, especially for customers with more advanced environments:

Using IIS as a Reverse Proxy: some customers may wish to know that it is also possible to set up a new IIS site and redirect the incoming TCP requests to the Password Server's IIS Express. This effectively makes IIS a reverse proxy.

 

Other info: Redirect HTTP Requests to HTTPS


Keyboard not working in Windows Password Reset Client (Windows 8+) 

Press CTRL once to fix the keyboard.

Details: Windows 8/8.1/10 will sometimes mistakenly behave as though CTRL is being held down on the login screen. Because the browser opened by the Reset Client ignores any keys pressed while CTRL is held down, this can make it seem like the keyboard has stopped working. Pressing CTRL forces Windows to acknowledge that CTRL is not being held down.


KeePass for Password Server errors 

Trust Warnings 

"Connecting to a new server for the first time..."

KeePass Export operation is not allowed by the application policy

View sections here to re-enable / restrict exporting passwords:

PassMan Client Connection Error

Version 6.0.1 - 7.1.19:

PassManClient connection error: Could not load type 'System.Collections.Generic.IReadOnlyDictionary`2' from assembly 'mscorlib, Version=4.0.0.0, Culture=neutral, PublicKey Token=b77a5c561934e089'

Verify that you have .NET Framework ≥ 4.5 installed by following these instructions.

KeePass Timeouts do not auto-close Credentials

KeePass designed it this way after some consideration, and there is a KeePass explanation for choosing this design (included below).

Users can be reminded to close Vault credentials after use.

The KeePass official FAQ explains this best:

KeePass automatically tries to lock its workspace when Windows is locked, with one exception: when a KeePass sub-dialog (like the  'Edit Entry' window) is currently opened, the workspace is not locked.

To understand why this behavior makes sense, it is first important to know what happens when the workspace is locked. When locking, KeePass completely closes the database and only remembers several view parameters, like the last selected group, the top visible entry, selected entries, etc. From a security point of view, this achieves best security possible: breaking a locked workspace is equal to breaking the database itself.

Now back to the original question. Let's assume an edit dialog is open and the workstation locks. What should KeePass do now? Obviously, it's too late to ask the user what to do (the workstation is locked already and no window can be displayed), consequently KeePass must make an automatic decision. There are several possibilities:

  • Do not save the database and lock.
    In this case, all unsaved data of the database would be lost. This not only applies to the data entered in the current dialog, but to all other entries that have been modified previously.
  • Save the database and lock.
    In this case, possibly unwanted changes are saved. Often you open files, try something, having in mind that you can just close the file without saving the changes. KeePass has an option 'Automatically save database when KeePass closes or the workspace is locked'. If this option is enabled and no sub-dialog is open, it's clear what to do: try to save the database and if successful: lock the workspace. But what to do with the unsaved changes in the sub-dialog? Should it be saved automatically, taking away the possibility of pressing the 'Cancel' button?
  • Save to a temporary location and lock.
    While this sounds the best alternative at first glance, there are several problems with it, too. First of all, saving to a temporary location could fail (for example there could be too little disk space or some other program like a virus scanner could have blocked it). Secondly, saving to a temporary location isn't uncritical from a security point of view. When having to choose such a location, mostly the user's temporary directory on the hard disk is chosen (because it likely has enough free space, required rights for access, etc.). Therefore, KeePass databases could be leaked and accumulated there. It's not clear what should happen if the computer is shut down or crashes while being locked. When the database is opened the next time, should it use the database stored in the temporary directory instead? What should happen if the 'real' database has been modified in the meanwhile (quite a realistic situation if you're carrying your database on a USB stick)?

Obviously, none of these alternatives is satisfactory. Therefore, KeePass implements the following simple and easy to understand behavior:

When Windows is locked and a KeePass sub-dialog is opened, the KeePass workspace is not locked.

This simple concept avoids all the problems above. The user is responsible for the state of the program.

Security consequence: the database is left open when Windows locks. Normally, you are the only one who can log back in to Windows. When someone else logs in (like administrator), he can't use your programs anyway. By default, KeePass keeps in-memory passwords encrypted, therefore it does not matter if Windows caches the process to disk at some time. So, your passwords are pretty safe anyway.

 

http://keepass.info/help/base/faq_tech.html#noautolock

 


RDP SSO Client crashes on launch (v7.5.2 - 7.5.7)

The RDP SSO Client relies on the existence of a default settings file for RDP that will not exist if the user currently logged into the machine has never used Remote Desktop Connection on that machine before.   Start up Remote Desktop Connection and connect to another machine to make sure that defaults are established, then try the Launch RDP SSO link again.

 


SSO Authentication Errors

The most common causes for Access Denied errors when authenticating with Password Server (PPASS) are:

 

Common causes of wrong username or password when authenticating with the target server are:

 

Please check all your settings. If the problem persists, please provide us with screenshots of your settings when contacting us for support and what you are doing in the browser or terminal (confidential info blurred).

 


 

After Update, Active Directory/LDAP User Log In/Refresh is Slow (v7+)

Some users have reported that after upgrading from version 6 to 7 their user login times have drastically increased, even when no changes have been made to the AD/LDAP directory settings.
The slowdown is caused by a change in the way Password Server tracks imported users and groups (more details).

Specify an OU

Specifying an OU for Pleasant Password Server users should speed up logins significantly. Querying only the targeted OU allows the permissions check to occur much faster, speeding up the end-user experience.

 

Users and Roles > Manage Directory > Edit Directory > Import


Configurations which Improve Application Performance

See this page for factors affecting the speed of Password Server or clients.

 


After Update, Home screen shows "loading" and stays there

(version 7.5.15 - 7.6.2)

Some users have reported that after upgrading, the Home screen does not finish loading / stays empty.

 

If this does not resolve the problem:

 

 


Questions about Session Timeout

To configure users to be automatically logged out after a specific amount of time:

Web Client - Automatic log out

KeePass / Mobile/ API / etc. - Automatic log out

KeePass (option) - Automatic workspace lock/etc.

For more information see these sections in the User Policy:

 


Approval Notification has a Grammar Error

Approval notifications may have a grammar error when granting permanent access, which could confuse some users:

"... has granted you Full access that will expire on with comment:"

 

The wording could instead be changed to display like this:

Approved Request
Your request for Full access to \Root\Departments\Folder has been approved by Approver.

Approver has granted you Full access.

- Expiry Date:
- Comment: Approval granted...

You can access the requested object with the link below:
https://YourServername:10001

Change the notification text here:

<h3>Approved Request</h3>  
<p>Your request for {{ RequestedAccessLevelName }} access to
{{ RequestedObjectPath }} <strong>has been approved</strong> by
{{ ApprovingUserName }}.</p>
<p>{{ ApprovingUserName }} has granted you
{{ ApprovedAccessLevelName }} access.</p>
<ul>
<li><strong>Expiry Date:</strong> {{ ExpireDate }} </li>
<li><strong>Comment:</strong> {{ ApproverComment }}</li>
</ul> <p>You can access the requested object with the link below:</p>
<p><a href="{{ RequestedObjectUrl }}">{{ RequestedObjectUrl }}</a></p>

 

Test Emails - SMTP - Account is not valid Error

Try enabling Trace email logging to get a little more detail.

Try manually re-entering the SMTP Username even if it was entered correctly. This has been known to fix the issue.