Troubleshooting Synchronization Errors

The following are some troubleshooting tips:

Unable to synchronize with directory server

  • Verify connectivity between the Zscaler CA server and the directory server.
  • Verify that the BIND password is correct.

A user is unable to authenticate

  • The user password was changed on the AD/LDAP server, but the end user is still using the old password. Do the following to resolve this issue:
    • Reset the password on the AD/LDAP server.
  • Check the error code. The following table lists the error codes that the service displays when it cannot authenticate a user.

| Error Codes | Definition | Reason | Solution |
|---|---|---|---|
| 100 | Ldapsearch could not be done against directory | Invalid LDAP filter | Check the LDAP search filter in the Zscaler service portal and ensure the syntax is correct. Verify that the same filter works with ldapsearch. |
| 101 | Incorrect password | Incorrect login password | Correct the password. |
| 102 | LDAP connection closed | Random error. May happen if the server closed the connection unexpectedly. | Retry. This should only be a transient error. |
| 103 | User not found on LDAP servers (search failed) | Ldapsearch for the user failed. The search may be done using 'email' or 'user-name', based on advanced search status. | Check if a manual ldapsearch returns the user with the same query as the one configured in the Zscaler service portal. |
| 104 | User's DN could not be found | User's DN could not be read due to LDAP library issues. | Consult your LDAP admin. |
| 105 | Error performing BIND with user credentials | The DN might be invalid. | Check if a manual BIND works with the same user credentials. |
| 106 | Internal error | A possible cause is a deleted user logging in. | Check if the user is in the list of synchronized users. Synchronize users. |
| 107 | Synchronization is in progress. Users are not allowed to log in. | | Wait for the synchronization to complete. |
| 108 | LDAP context not found. | A possible cause is a secondary directory user trying to log in when there is no longer a secondary LDAP configuration. | This may happen if the company had a secondary directory in the past and the user logging in is a secondary user. To solve this, we need to 'unset' flags in the DB for secondary users, or do a sync-preview sync once for the company. |
| 109 | Synchronization is in progress. Users are not allowed to log in. | | Wait for the synchronization to complete. |
| 110 | LDAP bind failed. | LDAP bind password may be wrong. | Bind password for admin may be wrong. Check the password. |
| 111 | Internal error. | Internal error. | Retry or contact Zscaler Support. |
| 112 | Advanced search query could not be sent | The organization is using an advanced search query for login and there is a problem in the advanced search filter used. | Check the advanced search filter. Ensure that ldapsearch returns users with the same filter. |
| 113 | User was not found in the list of synchronized users. | User is not in the list of synchronized users. | Synchronize the user data and check again. |
| 114 | Login failed. The connection to the directory server was reset. | The connection to the directory server was reset. | Retry |
| 115 | Login failed. The configuration changed. | An admin activated new configuration settings in the Zscaler service portal. | Retry |
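
The solutions for codes 100, 103, 105, 110 and 112 all come down to repeating the service's filter search and BIND by hand. The script below is an added example, not Zscaler tooling: it assumes the OpenLDAP client tools (ldapsearch, ldapwhoami), and the function names, return codes, argument order and sample values are hypothetical.

```shell
#!/bin/sh
# Added example: manual re-runs of the LDAP steps behind the error codes above.
# Usage (constructed values):
#   sh ldap_checks.sh ldaps://dc01.example.com 'dc=example,dc=com' \
#      'cn=svc-sync,dc=example,dc=com' '(mail=jdoe@example.com)' ['cn=jdoe,dc=example,dc=com']

# Pre-check of the RFC 4515 string form: the filter starts with "(", parentheses
# balance, and nothing follows the outermost ")". \XX escapes such as \28 are skipped.
# The directory server remains the authority on whether the filter is valid.
filter_is_balanced() {
    f=$1; depth=0
    case $f in "("*) ;; *) return 1 ;; esac
    while [ -n "$f" ]; do
        case $f in
            "\\"*) f=${f#?}; f=${f#??} ;;               # skip a \XX escape
            "("*)  f=${f#?}; depth=$((depth + 1)) ;;
            ")"*)  f=${f#?}; depth=$((depth - 1))
                   # outermost group closed but characters remain: trailing junk
                   if [ "$depth" -eq 0 ] && [ -n "$f" ]; then return 1; fi ;;
            *)     f=${f#?} ;;
        esac
    done
    [ "$depth" -eq 0 ]
}

# Hypothetical return codes: 2 = malformed filter, 3 = admin BIND or search failed,
# 4 = user BIND failed.
run_checks() {
    uri=$1; base=$2; admin_dn=$3; filter=$4; user_dn=${5:-}
    if ! filter_is_balanced "$filter"; then
        echo "filter fails the syntax pre-check (compare codes 100 and 112)" >&2
        return 2
    fi
    # BIND with the configured bind DN, then run the filter from the portal.
    # A rejected BIND matches code 110; no entry returned matches code 103.
    # -W prompts for the password, keeping it out of the process list and shell history.
    # "1.1" requests no attributes, so only the DN of each match is printed.
    ldapsearch -x -LLL -H "$uri" -D "$admin_dn" -W -b "$base" -s sub "$filter" 1.1 || return 3
    # Manual BIND with the user's own DN and password (code 105).
    if [ -n "$user_dn" ]; then
        ldapwhoami -x -H "$uri" -D "$user_dn" -W || return 4
    fi
}

if [ "$#" -ge 4 ]; then run_checks "$@"; fi
```

Use an ldaps:// URI (or add -ZZ for StartTLS) so the BIND passwords are not sent in cleartext during the test.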