The HelloID Agent can be used to facilitate the use of Active Directory as your organization's Identity Provider (IdP). This article will show you how to diagnose logon issues that your end users may have with the service by finding the log files and relevant error codes.
Agent Log File Location
On each server that you have running the HelloID Agent service, you will find the service's debug log at the following location: C:\ProgramData\Tools4ever\HelloID Directory Agent\log\
Your environment may contain more than one instance of the HelloID Agent if you have installed several for load balancing and high availability. In that case, you may need to examine the log files on each server in the agent pool that handles authentication requests in order to track down a logon error. You can open and search multiple log files at one time by using a program such as Notepad++.
Identifying Logon Issues
After you've opened the relevant log files, the next step in identifying logon issues is to search for the username of the end user in question. Failed logon attempts against Active Directory are logged in the debug log files with the username, domain, and resulting error code. In the screenshot below, we've found a logon error for the user jdoetest.
If the supplied username and domain are correct, the next thing to look at is the error code value. This is an error code returned to HelloID by Active Directory itself.
You can use this article from Microsoft to look up any authentication error codes that you find in the HelloID log files: https://docs.microsoft.com/en-us/windows/win32/debug/system-error-codes--1300-1699-
Using the aforementioned article, we can see that error code "1326" means that the username or password is incorrect. In this case, the end user typed their password incorrectly.
Common Error Codes
Active Directory can return many different error codes, but only a handful of them are common to logon issues with HelloID. Below is a list of the most common ones that you will find, and what they mean.
- 1326: Incorrect username or password.
- 1327: Account restriction in place, such as limited sign-in times, blank passwords, or another policy.
- 1328: Invalid logon hours. The user is attempting to log on outside of allowed hours.
- 1329: Invalid workstation. The user is attempting to log in from a workstation that is not in their whitelist.
- 1330: The user's password is expired.
- 1331: The user's account is disabled.
- 1793: The user's account has expired.
- 1909: The user's account is locked out.
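The search described above can also be scripted across every agent's log folder. The following is an added example, not code from Tools4ever or from the original article: the function name Find-AgentLogonError, the temporary folders, and the sample log lines are constructed for illustration, and because the real log line layout is not shown here, the script only assumes that a failed logon line contains the username and the error code as a standalone number.

```powershell
# Added example (not Tools4ever code). Layout-agnostic: a hit is any line that
# contains the username and one of the common codes as a standalone number.
$CodeMeaning = @{
    '1326' = 'Incorrect username or password'
    '1327' = 'Account restriction in place'
    '1328' = 'Invalid logon hours'
    '1329' = 'Invalid workstation'
    '1330' = 'Password expired'
    '1331' = 'Account disabled'
    '1793' = 'Account expired'
    '1909' = 'Account locked out'
}
$CodePattern = '\b(' + (($CodeMeaning.Keys | Sort-Object) -join '|') + ')\b'

function Find-AgentLogonError {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $UserName,
        [Parameter(Mandatory)] [string[]] $LogDirectory   # one folder per agent server
    )
    foreach ($dir in $LogDirectory) {
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Select-String -SimpleMatch -Pattern $UserName |
            ForEach-Object {
                if ($_.Line -match $CodePattern) {
                    [pscustomobject]@{
                        File    = $_.Path
                        LineNo  = $_.LineNumber
                        Code    = $Matches[1]
                        Meaning = $CodeMeaning[$Matches[1]]
                    }
                }
            }
    }
}

# Constructed sample: two temp folders stand in for two agents' log folders.
# The line layout below is invented, not the agent's real format.
$a1 = Join-Path ([IO.Path]::GetTempPath()) 'agent1-log'
$a2 = Join-Path ([IO.Path]::GetTempPath()) 'agent2-log'
New-Item -ItemType Directory -Force -Path $a1, $a2 | Out-Null
Set-Content (Join-Path $a1 'debug.log') 'logon failed user=jdoetest domain=CORP error 1326',
                                        'logon failed user=asmith domain=CORP error 1331'
Set-Content (Join-Path $a2 'debug.log') 'logon failed user=jdoetest domain=CORP error 1326',
                                        'logon failed user=jdoetest domain=CORP error 1909'

$hits = Find-AgentLogonError -UserName 'jdoetest' -LogDirectory $a1, $a2
$hits | Format-Table -AutoSize
$hits | Group-Object Code, Meaning -NoElement | Sort-Object Count -Descending
```

In real use, pass the log folder of each agent server as -LogDirectory instead of the temporary folders. A number such as a thread or process ID that happens to equal one of the codes would also match, so confirm each hit against the line itself.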