Directory issues may limit or block access to applications, connectors, users and user groups, user authentication, multi-factor authentication, or Login Portal authentication.

Troubleshoot directory reachability

The connection between your connector and directory may fail, making the directory unreachable.

📘
This procedures do not support the Cloud Directory service.

Test connectivity between directory and connector

To troubleshoot directory issues, check if the directory is reachable by the connector.

Log in to Enterprise Center.
In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
Click Directory Diagnostics next to your directory.
An error or success message appears. If the directory is not reachable, continue to troubleshoot.
Make sure that the connector associated with the directory is the one you expect.
1. To view the connectors associated with the directory, return to the directory you want to test and select it to open it.
2. Click Connectors.
3. Click Add connector to select the connector, and click Add connector.
Make sure your directory configuration is up to date. Click Sync Directory next to your directory. Wait for two to five minutes for the EAA directory configuration to sync across the cloud.
Test the connectivity again. Click Directory Diagnostics next to your directory.
An error or success message appears. If the directory is not reachable, continue to troubleshoot.
To continue to troubleshoot review directory diagnostics and domain information.

Review directory diagnostics and domain information

Make sure the directory domain information is correct in EAA and review your internal network firewall rules.

Log in to Enterprise Center.
In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
Make sure your directory configuration is up to date. Click Sync Directory next to your directory. Wait for two to five minutes for the EAA directory configuration to sync across the cloud.
Select your Directory and verify the following:
1. Domain. This field contains the AD or LDAP domain location of your native directory. Make sure that the domain name listed is the one you expect to be associated with this directory. If it is not correct, continue with this procedure.
2. Last synchronized. This field contains the date and time that the directory was last synchronized. If you completed step 3 in this procedure and this field does not have an updated date and time, contact your account representative for further support.
Select the directory to open it.
Review the domain fields for accuracy and make changes as needed. For more information about the domain fields see Add or edit an LDAP, AD or AD LDS directory. Issues are commonly found with the information entered into these fields:
1. Host. Based on your native directory setup make sure the correct service, either LDAP set to port 389 or LDAPS set to port 636, is selected.
2. Admin account, admin password, and admin permissions for the directory. Make sure the correct admin account and admin password are captured in EAA. Access your native directory and make sure that the admin account entered in EAA has read-only permissions or higher.
📘
If you make any changes to the directory domain fields in the previous step, save the changes and sync the directory.
Outside of EAA, review your internal firewall rules and make sure they allow the host information as it appears in EAA to communicate with the connector's source IP.
Outside of EAA, review your internal access rules and make sure there is nothing blocking the data path between the EAA cloud service and the directory. This is often resolved by having an "allow" rule in place for the native directory source IP address on your network.

Troubleshoot search and sync

Troubleshoot issues with your users, groups, or organizational units (OU) in the directories.

Log in to Enterprise Center as an administrator.
In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
Make sure your directory configuration is up to date. Click Sync Directory next to your directory. Wait for two to five minutes for the EAA directory configuration to sync across the cloud.
Click Directory diagnostics next to your directory.
In the Connectivity Test and Directory Diagnostics you see Test Status - Success when the directory is reachable. If not, you are not able to search users or groups.
Type the group name or OU and click Search Group.
To make sure the directory is reachable troubleshoot directory reachability.
Make sure that the number of groups in the directory is correct. Return the to directory list and verify that the number of groups listed is correct.
Make sure that the user, group, or OU you searched for is part of the directory.
1. Click Users to display users existing in the directory.
2. Click Groups to display groups existing in the directory.
If the user, group or OU is not present, add the user, group, or OU to the directory.
1. For groups see Overlay groups.
2. For OUs, click Add New Group icon and follow onscreen directions. See OU
Click Save and Sync Directory.
Search for the directory group or OU in Directory diagnostics > Search Group again.
The directory group or OU appears.

Sync users, groups, or organizational units in the EAA directory

Troubleshoot directory sync issues if your directory card shows that zero users, groups, or organizational units (OU) have synced, or if a newly added user is not sync to the directory along with others.

Log in to Enterprise Center as an administrator.
In the Enterprise Center navigation menu, select Application Access > Identity & Users > Directories.
Make sure your directory configuration is up to date. Click Sync Directory next to your directory. Wait for two to five minutes for the EAA directory configuration to sync across the cloud.
To make sure the directory is reachable troubleshoot directory reachability.
To make sure the group or OU where the users belong has been added to the directory search EAA for a directory user, group, or OU.
Outside of EAA check the native directory and make sure the user has at least a user-principal name (UPN) or email address listed.

Troubleshoot authentication

Check login credentials

Troubleshoot EAA Login Portal authentication issues. The EAA Login Portal is accessed by users with their login credentials. Those are defined in the EAA directory user and groups configuration. For example, in an Active Directory (AD) or LDAP configuration, use your AD username and password to log in to the Portal. If these credentials do not work, to troubleshoot:

Log in to Enterprise Center.
Test connectivity between directory and connector.
If connectivity is confirmed, log in and access applications in the Login Portal.

If the problem persists, continue to troubleshoot.

Verify that the connector status is reachable.
In the Enterprise Center navigation menu, select Application Access > Clients & Connectors > Access and Identity Connectors.
Check if your connector status is Running.
If the connector is not reachable, see Common reasons for connector check-in failure.
Test connectivity between directory and connector again.
In a new browser window or tab, log in and access applications in the Login Portal again.

If the problem persists, continue to troubleshoot.

Check the login preference for the directory in EAA and verify that the user name entered in the EAA Login Portal is as configured. To learn more see Manage password complexity for the Login Portal from the Active Directory (AD).
In the navigation menu, select Identity & Users > Directories.
Select your directory to open it.
The configured login preference for the directory is listed. To change the login preference choose one of the following: 'Email', 'sAMAaccountName', 'User Principal Name (UPN)', 'Domain/sAMAaccountName'.
Click Save and Sync Directory.
In a new browser window or tab, Log in and access applications in the Login Portal again.

If the problem persists, continue to troubleshoot.

In your native directory outside EAA, check if user's account is active, that their password has not expired, and that they do not need to change their password at the next logon.
If you make any changes to the user's account in your native directory, return to the directory in Enterprise Center, and click Sync Directory.
In a new browser window or tab, log in and access applications in the Login Portal again.

If the problem persists, continue to troubleshoot.

Verify that the user is associated with the directory in EAA.
1. From the top menu bar select Identity & Users > Directories.
2. Locate the directory you want to view users for and click Users.
3. Click Search Users and enter the name of the user. If the user is not returned in the search, add the user. Then return to the directory on the directory list page, and click Sync Directory.

If the user returns in the search, continue to troubleshoot.

Verify that the user's directory group is assigned to the application. To learn more see Assign a directory to an application.
1. Go to Identity &Users > Directories and click Sync Directory.
2. In a new browser window or tab, log in and access applications in the Login Portal again.

If the problem persists, contact support.

Unable to add a new user

If you try to add a new user to the to the Cloud Directory, and cannot see it in EAA dashboard, or get this error message:

Oops! We seemed to have experienced an error. If this problem persists, raise a support case.

Confirm that the user was not previously added to this Cloud Directory. You encounter this error if you are trying to add a duplicate user.
```
Enter the result of your step here.
```
After you confirm the user does not already exist, try to add the user again with a password that follows these rules:
- Has a minimum length of eight characters.
- Contains uppercase and lowercase letters and non-alphabetic characters, such as numbers or symbols.