AD Group Manager Web - Online Manual

Self-Service Portal: Troubleshooting

This page collects the issues most likely to come up when setting up and running the Self-Service Portal, and how to resolve them. When a reset behaves unexpectedly, the audit log is the first place to look — it records every step with the outcome and source IP.


The link is shown only when both conditions are met:

  1. The Self-Service Portal module is licensed (see Licensing and Deployment).
  2. Allow anonymous password reset is enabled in the Anonymous Password Reset panel of the settings page.

If the module is not licensed, the public reset URL is not served at all and the admin settings pages redirect away. If the module is licensed but reset is disabled, signed-in features still work but the public reset page does not.


The Self-Service menu or admin page is missing

If the Self-Service menu (for users) or the Self-Service Portal admin entry is missing, the module is not licensed on this install, or the license has expired. Check the License page. On a trial, confirm the trial is still active.


The test page or a reset fails to find the user / connect

Run /admin/TestSelfServiceReset against a known username to isolate the cause. The usual culprits:

Symptom | Likely cause | Fix
Service account cannot connect | Domain entered as a NetBIOS short name | Set Service account domain to the fully qualified, DNS-resolvable name (e.g. company.local), not the short name.
Service account cannot connect | Wrong username/password, or password changed in AD | Re-enter the service account password in the Service Account panel (leave blank only to keep the existing one).
User not found | The user is in an OU the service account was not delegated on | Extend the “Reset password” delegation to the OU that holds the user (see delegation steps).
Connection refused / certificate errors | LDAPS preferred but the DC has no valid certificate | The portal falls back to a signed and sealed connection automatically; if it still fails, check connectivity to the domain controller and DNS resolution of the FQDN.

A user does not receive a verification code

This is the most common real-world support case. Work through it in order:

  1. Confirm the AD attribute mapping. The portal reads the email and phone from the attributes set in AD Attributes & Security Limits (defaults extensionAttribute1 for email and mobile for phone). Make sure the attribute you mapped is the one actually populated for users.
  2. Confirm the user has a value in that attribute. A user with neither email nor phone on file cannot receive a code — and for security the page will not say so. Populate the attribute (this is the “chicken-and-egg” case for brand-new or never-enrolled users).
  3. Check email delivery. Verify your SMTP settings. For testing, point SMTP at a capture service (such as Mailtrap) and confirm the message arrives.
  4. Check SMS delivery (if used). Confirm your Twilio Account SID, auth token, and E.164 “From” number are correct and that the Twilio account has credit.
  5. Rule out a rate limit. If many requests were made quickly from one IP or for one username, the portal stops sending codes for the window while the UI still appears to succeed. Wait out the window or adjust the limits in settings.
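
Steps 1 and 2 can be checked from the directory side, which matters because the reset page deliberately gives no hint when a user has nothing on file. The PowerShell below is an added example, not part of the product or of this manual: the function name Get-ResetContactGap and the sample accounts are hypothetical, the attribute names are the defaults named in step 1, and the email-shape test is an assumption about what a usable value looks like.

```powershell
# Added example (not vendor code). Flags accounts that cannot receive a reset
# code because the mapped contact attributes are empty or hold something else.
function Get-ResetContactGap {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        # Defaults named in step 1; change them to match your own mapping.
        [string]$EmailAttribute = 'extensionAttribute1',
        [string]$PhoneAttribute = 'mobile'
    )
    process {
        $email    = [string]$User.$EmailAttribute
        $phone    = [string]$User.$PhoneAttribute
        $hasEmail = -not [string]::IsNullOrWhiteSpace($email)
        $hasPhone = -not [string]::IsNullOrWhiteSpace($phone)

        $finding = if (-not ($hasEmail -or $hasPhone)) {
            'No email or phone on file: no code can be delivered'
        } elseif ($hasEmail -and $email -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            # Assumption: a generic attribute reused for other data (IDs, notes).
            'Email attribute is populated but does not look like an address'
        } else { $null }

        if ($finding) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                HasEmail       = $hasEmail
                HasPhone       = $hasPhone
                Finding        = $finding
            }
        }
    }
}

# Constructed sample accounts so the function can be tried without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; extensionAttribute1 = 'asmith@example.com'; mobile = $null }
    [pscustomobject]@{ SamAccountName = 'bjones'; extensionAttribute1 = $null;                mobile = $null }
    [pscustomobject]@{ SamAccountName = 'clee';   extensionAttribute1 = 'EMP-00417';          mobile = '+15550100' }
    [pscustomobject]@{ SamAccountName = 'dkhan';  extensionAttribute1 = '   ';                mobile = '' }
)
$sample | Get-ResetContactGap | Format-Table -AutoSize -Wrap

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'Enabled -eq $true' -Properties extensionAttribute1, mobile |
#     Get-ResetContactGap | Export-Csv .\reset-contact-gaps.csv -NoTypeInformation
```

An account flagged only for the email shape may still receive a code by SMS if its phone attribute is valid; treat that finding as a mapping check rather than a delivery failure.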

“That code is invalid or has expired”

  • The code’s lifetime (default 10 minutes) has passed — start over to get a fresh code.
  • Too many wrong codes were entered and the attempt is locked — wait for the lockout window (default 60 minutes) to pass.
  • The reset was started in a different browser session — start the flow again from Forgot password? in the same session.

The new password is rejected at the final step

The new password is written subject to your domain’s password policy. A rejection usually means the chosen password does not meet the minimum length, complexity, or password-history requirements. Have the user choose a password that satisfies the policy shown on the page.


Signed-in “Change Password” fails

Message | Meaning
The current password is incorrect | The user mistyped their existing password.
The new password does not meet the domain password policy | Length, complexity, or history requirement not satisfied.
Unable to find your account / contact your administrator | The account could not be located in the domain — check that the portal can reach the domain controller.

The portal logs each attempt (success or failure, with a friendly reason) under the Password Change action in the audit log.



Use of this site constitutes acceptance of our Privacy Policy and EULA. Copyright © Albus Bit SIA