Troubleshoot the Active Directory Connector
Article: KB0010613 Published: 08/30/2022 Last modified: 08/30/2022

Active Directory Connector Connection Issues

If the Active Directory Connector is having problems connecting to OneLogin, restart the AD Connector Service using the domain service account.

If the problem persists, do the following:

  1. Select Start.

  2. Run the following console.exe command from a command prompt, adjusting the path to match your installation location, so that the console output is written to a file:

    "C:\Program Files (x86)\OneLogin, Inc\OneLogin Active Directory Connector\console.exe" > consoledoc.txt

  3. Submit the resulting console output file (consoledoc.txt) to your OneLogin support team.

If you installed the Active Directory Connector on Windows Server 2003 and experience connection issues with the error "Received an unexpected EOF or 0 bytes from the transport stream", ensure that the required hotfixes from Microsoft are installed.

Authentication/Login Issues (including invalid username/passwords)

If you encounter issues when you sign in to OneLogin, try the following:

  1. Confirm the user's credentials and attributes in both Active Directory and OneLogin (first name, last name, email, password).

  2. Confirm that there are no duplicate users in OneLogin for the users experiencing the issue.

    Duplicate users without email addresses can cause authentication issues.

  3. Confirm the Active Directory connector is connected.

  4. Verify that the Active Directory token is correct:

    Regedit > HKEY_LOCAL_MACHINE > Software > WOW64 > OneLogin > Active Directory

  5. Restart AD Connector if the token was incorrect.

Syncing Issues

If you are encountering issues with users not syncing between OneLogin and Active Directory, try the following:

  1. Confirm that the Active Directory Connector is Connected within OneLogin.

  2. Confirm that the user is in an Organizational Unit for which OneLogin has privileges to View and Read/Write Passwords.

  3. Check for Exceptions in OneLogin - under Activities > Events.

  4. Confirm the Active Directory Connector has been granted access to the target Domain/Organizational Unit.

  5. Check the Active Directory Connector log for errors, looking at the entries for the affected domain name:

    Version 3.x logs are located at:
    C:\Program Files (x86)\OneLogin, Inc\OneLogin Active Directory Connector\logs

    Version 4.x logs are located in a hidden folder at:
    C:\ProgramData\OneLogin, Inc\Logs

  6. Record any error codes and submit them to your OneLogin support team for further assistance.

New OUs Not Syncing

If new Organizational Units in Active Directory aren't syncing, try the following:

  1. Confirm that the Active Directory Connector is running and connected. If it is not connected, reconnect it with the proper service rights.

  2. Confirm that the target OU is selected on the OneLogin Active Directory Connector import page.

  3. Restart the Active Directory Connector.

    It may take several minutes for directory changes to sync, depending on the complexity of the Active Directory environment.

  4. Check for changes.

If the information is still not syncing the target Organizational Units or specific users:

  1. Stop the Active Directory Connector process and run it in console mode from the command prompt, saving the console output to a file.

  2. Submit the console file to your OneLogin support team.

Changing Password Issues

If users are unable to change passwords or you are otherwise unable to successfully reset passwords, proceed through the following:

  1. Confirm that the OneLogin Active Directory Connector is connected.

  2. Confirm that the Active Directory Connector has the correct rights on the Domain Account to change and reset passwords.

    To learn more about Domain Service Account configurations, see Create a Domain Service Account to run Active Directory Connector.

  3. Confirm that the affected user is in an OU that OneLogin has the ability to view.

    This can be confirmed in Users > Directories > Import.

  4. Go to Activity > Events to check for any exceptions.

  5. Confirm that the Active Directory minimum password age has been fulfilled.

    Active Directory default is 1 day.

If the issue persists, please contact your OneLogin support team.

Invalid Certificate Chain

On some Windows systems, you may encounter an error when the Active Directory Connector starts and the system reports that it is unable to validate the chain of the certificate installed for .onelogin.com.

A frequent cause of this behavior is that the host does not have the intermediate Certificate Authorities installed. You can download the correct CAs from the links below:

Root CA: DigiCertGlobalRootCA

Intermediate CA: DigiCertSHA2SecureServerCA

To install them correctly (so that the Active Directory Connector can access them) you must use the Microsoft Management Console Certificates snap-in. On the Windows system, do the following:

  1. Click Start > Run.

  2. Enter MMC in the run window and click OK.

  3. When the MMC opens, click File > Add/Remove Snap-In.

  4. Select Certificates from the list and click the arrow to add it to your MMC.

  5. After adding it, you will be prompted to choose the certificate store you wish to use.

    1. Select Computer Account > Next.

    2. Select Local Computer > Finish.

      If your Active Directory Connector is installed on a different host, select Another Computer and choose the host that runs the ADC.

  6. Click OK.

    Once the MMC has loaded, you need to install the trusted Root and Intermediate CA used by Comodo to sign the OneLogin SSL certificate.

  7. Expand Trusted Root Certification Authorities > Certificates.

    Do not click within the main frame to select a certificate, or your Action Menu context will change.

  8. Select Actions > All Tasks > Import > Next > Browse to File > New_Root_CA > Place All Certificates into the Following Store > Trusted Root Certification Authorities > Next > Finish.

  9. Click Intermediate Certification Authorities > Certificates.

    Do not click within the main frame to select a certificate, or your Action Menu context will change.

  10. Select Actions > All Tasks > Import > Next > Browse to File > New_Intermediate_CA > Place All Certificates into the Following Store > Intermediate Certification Authorities > Next > Finish.

Once this is done, restart the ADC and verify that the certificate validation error no longer occurs.
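The following is an added example, not code from the OneLogin article. It reproduces the chain build Windows performs for the OneLogin endpoint so the failing status (typically PartialChain when the intermediate is absent) is visible, then imports the downloaded CA files into the same Local Computer stores the MMC steps use (Root = Trusted Root Certification Authorities, CA = Intermediate Certification Authorities). The host name and the .crt file paths are placeholders; run it from an elevated PowerShell prompt on the ADC host.

```powershell
function Test-ServerCertChain {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate during the handshake: we only want to obtain
        # the leaf, then run the chain build ourselves so the real status is reported.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate chain problems from CRL/OCSP reachability
    $ok = $chain.Build($leaf)
    [pscustomobject]@{
        Subject     = $leaf.Subject
        Issuer      = $leaf.Issuer
        ChainValid  = $ok
        ChainLength = $chain.ChainElements.Count
        # PartialChain here means the issuing intermediate is not in the machine store
        Problems    = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

function Install-CaFromFile {
    param([string]$Path)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
    if (-not $bc -or -not $bc.CertificateAuthority) { throw "$Path is not a CA certificate; refusing to import" }
    # Only a self-signed CA belongs in Root; an intermediate belongs in CA. Placing an
    # intermediate in Root would make the host trust it as an anchor in its own right.
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }
    $present = Get-ChildItem "Cert:\LocalMachine\$store" | Where-Object Thumbprint -eq $cert.Thumbprint
    if ($present) { return "$($cert.Subject) already present in LocalMachine\$store" }
    Import-Certificate -FilePath $Path -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    return "Imported $($cert.Subject) into LocalMachine\$store"
}

# Placeholder host name and file paths: replace with your OneLogin subdomain and the
# locations of the downloaded DigiCert root and intermediate files.
Test-ServerCertChain -HostName 'your-subdomain.onelogin.com' | Format-List
Install-CaFromFile -Path 'C:\Temp\DigiCertGlobalRootCA.crt'
Install-CaFromFile -Path 'C:\Temp\DigiCertSHA2SecureServerCA.crt'
Test-ServerCertChain -HostName 'your-subdomain.onelogin.com' | Format-List
```

Compare the two Test-ServerCertChain results: after the import, ChainValid should be True and Problems empty; if PartialChain remains, the file you imported is not the issuer of the leaf shown in Issuer.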

OneLogin Active Directory Connector Service Fails to Start After Reboot

In the event that the OneLogin Active Directory Connector service fails to start gracefully after the server reboots, update Startup Type to Automatic (Delayed Start).

If this does not resolve startup issues, you can add a dependency on another Windows service to delay the start of the ADC service even longer, which should give it enough time to start up successfully. We recommend setting a dependency on the Windows Netlogon service.

  1. Open the Windows Services MMC and find the OneLogin Active Directory Connector service.

  2. Right-click on the service and select Properties.

  3. Go to the Dependencies tab, where you will see that No Dependencies are currently configured; however, you cannot use this GUI to add a dependency.

  4. Click OK to close the Properties dialog.

  5. Open a command prompt using the Run As Administrator option.

  6. Run the following command:

    sc config ConnectorService.exe depend= netlogon

    The command should return the message:

    ChangeServiceConfig SUCCESS

  7. View the OneLogin Active Directory Connector service properties again and select the Dependencies tab (as you did in steps 1-3) to confirm that the Netlogon dependency has been added.

  8. Restart the Active Directory Connector.
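The following is an added example, not code from the OneLogin article. It applies the Delayed Start and Netlogon dependency described above with sc.exe (Set-Service in Windows PowerShell 5.1 can set neither) and then verifies both settings, including the registry value that distinguishes Automatic (Delayed Start) from plain Automatic. The service name is the one used in the article's command; confirm it on your host first, and run from an elevated PowerShell prompt.

```powershell
function Set-AdcStartup {
    param([string]$ServiceName = 'ConnectorService.exe')   # name as given in the article
    if (-not (Get-Service -Name $ServiceName -ErrorAction SilentlyContinue)) {
        throw "Service '$ServiceName' not found; check with: Get-Service -DisplayName '*OneLogin*'"
    }
    # sc.exe requires the space after each '='. 'delayed-auto' is Automatic (Delayed Start).
    foreach ($opt in @(@('start=', 'delayed-auto'), @('depend=', 'Netlogon'))) {
        & sc.exe config $ServiceName @opt | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc.exe config $ServiceName $opt failed (exit $LASTEXITCODE)" }
    }
}

function Test-AdcStartup {
    param([string]$ServiceName = 'ConnectorService.exe')
    $svc = Get-Service -Name $ServiceName
    $reg = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $depends = @($svc.ServicesDependedOn | Select-Object -ExpandProperty Name)
    [pscustomobject]@{
        Service      = $svc.Name
        # Win32_Service reports 'Auto' for both variants; DelayedAutostart=1 marks Delayed Start
        StartMode    = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartMode
        DelayedStart = ($reg.DelayedAutostart -eq 1)
        DependsOn    = ($depends -join ', ')
        HasNetlogon  = ($depends -contains 'Netlogon')
    }
}

Set-AdcStartup
Test-AdcStartup | Format-List
Restart-Service -Name 'ConnectorService.exe'   # step 8 above; replace with the confirmed service name
```

Expected after a successful run: StartMode Auto, DelayedStart True and HasNetlogon True; a dependency set this way is also visible on the Dependencies tab described in step 7.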
