LOGIN_002 with AD Connect

Published: 03/20/2017
The LOGIN_002 error usually means AD Connect was unable to authenticate the user against your Active Directory Domain Controller. The most common specific causes are: the user account is disabled in AD; a stale login cache on the AD Connect server; or a communication failure, either between the AD Connect server and the Domain Controller or between AD Connect and PingOne. The error primarily affects customers running the AD Connect Agent rather than AD Connect with IIS.

Here are a few recommended steps to troubleshoot and resolve this problem:
  • Restarting the Windows server where AD Connect is installed has consistently resolved this error. The restart clears the cache on the machine, and AD Connect reconnects to PingOne once the server is back up.
  • Before restarting, determine whether one user or all users are affected. Open Event Viewer on the AD Connect server and look under Windows Logs -> Application for errors that explain the behavior your users are seeing.
  • Consider whether the failures affect all authentication attempts or only some. If you run AD Connect in multiple domains, one instance may have gotten into a bad state (a stale cache or otherwise); restarting that server will fix the failing attempts.
  • If you see errors related to your internal network or to communication with Active Directory, review this KB article - https://ping.force.com/Support/PingOne/ADConnect/How-to-configure-a-domain-user-to-run-the-AD-Connect-Authentication-Agent-Service as well as this one - https://ping.force.com/Support/PingIdentityArticle?id=kA340000000GsCPCA0
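The checks above (account state for a single user, recent Application log errors, connectivity to the Domain Controller and to PingOne, and the agent service's state and logon account) collected into one PowerShell script. This is an added example, not Ping Identity tooling. It assumes the ActiveDirectory module (RSAT) is installed on the AD Connect server, that the agent runs as a Windows service whose name you pass in -ServiceName (the default below is a placeholder; confirm the real name in services.msc), and that the PingOne endpoint the agent must reach is the placeholder host in -PingOneHost.

```powershell
<#
  Added triage script for LOGIN_002 on an AD Connect agent server.
  Example code, not Ping Identity's tooling. ASSUMPTIONS are marked below.
  Requires the ActiveDirectory module (RSAT) and an elevated prompt on the AD Connect host.
#>
[CmdletBinding()]
param(
    # sAMAccountName of one failing user; leave empty when every user is affected.
    [string]$User,
    # ASSUMED placeholder: the agent's Windows service name. Confirm it in services.msc.
    [string]$ServiceName = 'PingOne AD Connect Agent',
    # ASSUMED placeholder: the PingOne endpoint the agent must reach over HTTPS.
    [string]$PingOneHost = 'sso.connect.pingidentity.com',
    # How far back to read the Application log.
    [int]$Hours = 24,
    # Restart the agent service (less disruptive than rebooting the whole server).
    [switch]$Restart
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. One user or all users? If a user was named, rule out account-state causes first.
if ($User) {
    $u = Get-ADUser -Identity $User -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate
    [pscustomobject]@{
        User            = $u.SamAccountName
        Enabled         = $u.Enabled
        LockedOut       = $u.LockedOut
        PasswordExpired = $u.PasswordExpired
        AccountExpires  = $u.AccountExpirationDate
    } | Format-List
    if (-not $u.Enabled) {
        Write-Warning "$User is disabled in AD; LOGIN_002 is expected until the account is re-enabled."
    }
}

# 2. Application log: Critical (1), Error (2) and Warning (3) events from the last $Hours hours.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 1, 2, 3; StartTime = $since } `
                       -ErrorAction SilentlyContinue
Write-Host "`n== Application log since $since ($($events.Count) events) =="
$events | Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, ProviderName, Id,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# 3. Connectivity: the agent needs the Domain Controller (LDAP 389, Kerberos 88) and PingOne (HTTPS 443).
$dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
Write-Host "`n== Connectivity (DC: $dc) =="
foreach ($t in @(
        @{ Host = $dc;          Port = 389 },
        @{ Host = $dc;          Port = 88  },
        @{ Host = $PingOneHost; Port = 443 })) {
    $r = Test-NetConnection -ComputerName $t.Host -Port $t.Port -WarningAction SilentlyContinue
    '{0,-45} {1,5}  {2}' -f $t.Host, $t.Port, $(if ($r.TcpTestSucceeded) { 'open' } else { 'BLOCKED' })
}

# 4. Agent service: state and logon account. The logon account must be able to query AD
#    (see the linked KB article on running the agent as a domain user).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "Service '$ServiceName' not found; fix -ServiceName (check services.msc)."
} else {
    $logon = (Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'").StartName
    Write-Host "`n== Service $($svc.Name): $($svc.Status), runs as $logon =="
    if ($Restart) {
        Restart-Service -Name $svc.Name -Force
        "After restart: $((Get-Service -Name $svc.Name).Status)"
    }
}
```

Run it as `.\Invoke-ADConnectTriage.ps1 -User jdoe` for a single failing user, or with no -User when everyone is affected; add -Restart to bounce the agent service once the log and connectivity output have been reviewed. A service restart is worth trying first because it is cheaper than a reboot, but rebooting the AD Connect server remains the fix that has resolved this error most consistently.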
Category: ADConnect