AuthPoint Does Not Sync or Partially Syncs Active Directory or LDAP Users
Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security
AuthPoint can successfully connect to your LDAP external identity, but AuthPoint does not sync or only partially syncs users.
If you cannot sync any users at all, the most common cause is that the system account user specified in the external identity does not have the necessary permissions. If AuthPoint only syncs some of your users, the most common causes are missing or incorrect user attributes, and not enough AuthPoint licenses.
Symptoms
- AuthPoint can connect to your LDAP external identity
- When AuthPoint syncs users, no users are created or only some of the intended users are created
Diagnostic Steps
- Test the connection to your external identity and make sure AuthPoint can connect. For detailed steps, go to Test the Connection to an LDAP External Identity.
- Verify the account has enough AuthPoint licenses.
- Verify that the user is a member of the correct groups in Active Directory or your LDAP database.
- Verify that the correct groups are specified in the group sync or advanced query that syncs users.
- Make sure the search base specified in your external identity is set to the top level of the domain unless there is a specific reason to narrow it, for example dc=test,dc=com as opposed to ou=sales,dc=test,dc=com.
In most configurations, administrators set up AuthPoint to sync users from a specific group with a group sync that imports all users that belong to that group, using the entire domain as the search base. If you use a narrow search base, AuthPoint might not import a user even though the user is a member of the synced group, because the user object is located under a different part of the directory than the search base. To prevent this problem, set the search base to the top level of your domain.
- In WatchGuard Cloud, go to Administration > Audit Logs and look for synchronization events that indicate "User not created."
Possible Causes and Solutions
| Possible Cause | Solution |
|---|---|
| The service account user in Active Directory does not have the necessary permissions to find and sync users. | Make sure the service account has the necessary permissions in Active Directory. The most common missing permission is the "Read group membership" permission. This can affect Domain Administrators and can happen even if everything worked previously, because Microsoft sometimes makes changes to the default permissions for Active Directory user accounts. For more information, go to AuthPoint does not sync or partially syncs users from Active Directory in the WatchGuard Knowledge Base. |
| The missing user does not have the required attributes. | LDAP users that do not have a first name, user name, or email address are not included in the synchronization. Make sure the user has each of these attributes. |
| The missing user does not have an email address. | LDAP users that do not have an email address are not included in the synchronization. Make sure the user has an email address. |
| The missing user has a comma in the email address. | Remove the comma from the email address. |
| The missing user has a duplicate email address. | If a user identified by your group sync or advanced query has the same email address as a different, existing AuthPoint user account, AuthPoint does not sync the external user. Change the email address for one of the user accounts, or delete the existing AuthPoint user account. |
| The account does not have enough AuthPoint licenses. | If your group sync or advanced query returns more users than you have available AuthPoint licenses for, the sync only creates as many users as your license supports. If you do not have enough AuthPoint licenses, reduce your user count or purchase more users. |
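The diagnostic steps and the causes in the table above can be checked offline before you run a sync, by auditing an LDIF export of the group and its members. The following script is an added example and is not part of the AuthPoint documentation or product; the directory names, the group DN, the attribute names (givenName, sAMAccountName, mail) and the sample LDIF are constructed assumptions, not values from a real directory. It applies the same rules the article describes: the user object must sit under the search base, must have a first name, user name and email address, the email address must not contain a comma or duplicate another user's, and only as many users are created as there are licenses.

```python
"""Offline pre-sync audit of an LDIF export against the AuthPoint sync rules.

Added example, not WatchGuard code. Attribute names are assumed for an
Active Directory export: givenName (first name), sAMAccountName (user name),
mail (email address).
"""
import re
from collections import defaultdict

# Attributes the article says a user needs in order to be synchronized.
REQUIRED_ATTRS = ("givenname", "samaccountname", "mail")

# Constructed sample export (not real directory data). Each member of the
# group illustrates one outcome: Ann and Bob sync, Cy lacks a first name,
# Dee has a comma in her email address, Ed duplicates Ann's email address.
GROUP_DN = "CN=AuthPoint Users,OU=Groups,DC=test,DC=com"
SAMPLE_LDIF = """\
dn: CN=AuthPoint Users,OU=Groups,DC=test,DC=com
member: CN=Ann Adams,OU=Sales,DC=test,DC=com
member: CN=Bob Brown,OU=Engineering,DC=test,DC=com
member: CN=Cy Cole,OU=Sales,DC=test,DC=com
member: CN=Dee Dunn,OU=Sales,DC=test,DC=com
member: CN=Ed Evans,OU=Sales,DC=test,DC=com

dn: CN=Ann Adams,OU=Sales,DC=test,DC=com
givenName: Ann
sAMAccountName: aadams
mail: ann@test.com

dn: CN=Bob Brown,OU=Engineering,DC=test,DC=com
givenName: Bob
sAMAccountName: bbrown
mail: bob@test.com

dn: CN=Cy Cole,OU=Sales,DC=test,DC=com
sAMAccountName: ccole
mail: cy@test.com

dn: CN=Dee Dunn,OU=Sales,DC=test,DC=com
givenName: Dee
sAMAccountName: ddunn
mail: dee,dunn@test.com

dn: CN=Ed Evans,OU=Sales,DC=test,DC=com
givenName: Ed
sAMAccountName: eevans
mail: ann@test.com
"""


def parse_ldif(text):
    """Parse a minimal LDIF export into {dn: {attr_lower: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = defaultdict(list)
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            attrs[name.strip().lower()].append(value.strip())
        dn = attrs.pop("dn")[0]
        entries[dn] = dict(attrs)
    return entries


def _norm_dn(dn):
    """Lower-case a DN and drop whitespace after commas for suffix comparison."""
    return re.sub(r",\s+", ",", dn.strip()).lower()


def under_search_base(dn, search_base):
    """True if the object DN equals the search base or lies beneath it."""
    d, b = _norm_dn(dn), _norm_dn(search_base)
    return d == b or d.endswith("," + b)


def audit_sync(entries, group_dn, search_base, licenses, existing_emails=()):
    """Simulate a group sync: return (synced_dns, {skipped_dn: reason})."""
    synced, skipped = [], {}
    seen_emails = {e.lower() for e in existing_emails}  # existing AuthPoint users
    for member_dn in entries[group_dn].get("member", []):
        if not under_search_base(member_dn, search_base):
            skipped[member_dn] = "object is outside the search base"
            continue
        user = entries.get(member_dn)
        if user is None:
            skipped[member_dn] = "group member not found in export"
            continue
        missing = [a for a in REQUIRED_ATTRS if not user.get(a)]
        if missing:
            skipped[member_dn] = "missing attribute(s): " + ", ".join(missing)
            continue
        mail = user["mail"][0]
        if "," in mail:
            skipped[member_dn] = "comma in email address"
            continue
        if mail.lower() in seen_emails:
            skipped[member_dn] = "duplicate email address"
            continue
        if len(synced) >= licenses:
            skipped[member_dn] = "no AuthPoint license available"
            continue
        seen_emails.add(mail.lower())
        synced.append(member_dn)
    return synced, skipped


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    synced, skipped = audit_sync(entries, GROUP_DN, "DC=test,DC=com", licenses=10)
    for dn in synced:
        print("would sync:", dn)
    for dn, reason in skipped.items():
        print("would skip:", dn, "->", reason)
```

Running the audit once with the whole domain as the search base and once with `OU=Sales,DC=test,DC=com` shows the search-base effect directly: with the narrow base, Bob Brown is still a group member but his object lives under OU=Engineering, so he is reported as outside the search base. Lowering `licenses` shows the sync stopping at the license count while the attribute and duplicate-email checks still run.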
AuthPoint Does Not Sync or Partially Syncs Users from Active Directory (knowledge base article)
General Troubleshooting Tips for AuthPoint