Troubleshooting for SSO-H

This section includes troubleshooting information for SSO-H.
List of Error Messages and Their Causes and Remedies
This section explains the various messages that may appear on the display, along with possible causes and remedies.
The authentication server is not found. Contact the system manager for details.
Cause 1
The LAN cable is not connected.
Remedy
Connect the LAN cable.
Cause 2
The primary/secondary DNS server settings in the machine are incorrect or not specified.
Remedy
Confirm the DNS server settings of the machine, and specify the correct values.
Cause 3
The DNS server specified in the machine is not started, or the service has been stopped.
Remedy
Follow the procedure below to confirm the settings.
Confirm the DNS server specified on the machine, and start the server if it has not been started.
Start the "Services" management tool on the DNS server.
Confirm the status of the DNS Server. If 'Started' is not displayed under <Status>, right-click [DNS Server] → select [Start].
Cause 4
Domain name resolution could not be performed with the DNS server.
Remedy
Confirm the following:
Confirm that the host record exists on the DNS server.
Confirm that the forwarding settings are correct.
The authentication server is not running. Contact the system manager for details.
Cause 1
The LAN cable is not connected.
Remedy
Connect the LAN cable.
Cause 2
The Active Directory server is not started.
Remedy
Start the Active Directory server.
Cause 3
The KDC (Key Distribution Center) service of Active Directory is stopped.
Remedy
Follow the procedure below to confirm the settings.
Start the "Services" management tool on the Active Directory server.
Check whether the Active Directory server is operating normally.
Could not log in. The timer settings of your computer and the authentication server may not be in sync, or the user name or password is incorrect.
Cause
The difference between the time set on the machine and the Active Directory server is greater than the allowed difference.
Remedy
Adjust the times of the machine and the Active Directory server so that they are within the allowed time difference. For more information, see "Current Date and Time."
A password is not set on the authentication server side. Contact system manager.
Cause
The DES (Data Encryption Standard) key required for Domain Authentication has not been generated for Active Directory.
Remedy
Follow the procedure below to change the settings.
Start the Active Directory management tool, "Active Directory Users and Computers."
Right-click the user that failed to be authenticated.
Select [Reset Password] from the pop-up menu that is displayed.
Enter a new password in the [Reset Password] dialog box → click [OK].
The account expiration date has passed. Contact system manager.
Cause 1
The authenticated user account has passed its expiration date.
Remedy
Follow the procedure below to confirm the settings.
Start the Active Directory management tool, "Active Directory Users and Computers."
Right-click the user account that has expired.
Select [Properties] from the pop-up menu that is displayed.
Select the [Account] tab → confirm the values in [Expiration Date] in [Account Expires].
If the expiration date has passed, extend the expiration date, or set it to 'None'.
Cause 2
The account of the authenticated user is disabled.
Remedy
Follow the procedure below to confirm the settings.
Start the Active Directory management tool, "Active Directory Users and Computers."
Right-click the user whose account is disabled.
Select [Properties] from the pop-up menu that is displayed.
Select the [Account] tab → confirm the [Disable Account] setting in [Account Options].
If [Disable Account] is selected, deselect it → click [OK].
The password expiration date has passed. Contact system manager.
Cause 1
The password for the authenticated user account has expired.
Remedy
Follow the procedure below to confirm the settings.
Start the Active Directory management tool, "Active Directory Users and Computers."
Right-click the user whose password expired.
Select [Reset Password] from the pop-up menu that is displayed.
Enter a new password in the [Reset Password] dialog box → click [OK].
Cause 2
The account of the authenticated user is set to 'Require Change of Password Next Login'.
Remedy
Follow the procedure below to confirm the settings.
Start the Active Directory management tool, "Active Directory Users and Computers."
Right-click the user that failed to be authenticated.
Select [Properties] from the pop-up menu that is displayed.
Select the [Account] tab → confirm the [Require Change of Password Next Login] setting in [Account Options].
If [Require Change of Password Next Login] is selected, deselect it → click [OK].
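The account conditions behind the preceding messages (disabled account, expired account, expired password, password change required or never set) can be read in one pass instead of opening each dialog. This PowerShell sketch is an added example, not part of the original manual; the function name Get-SsoHAccountState and the account name 'jdoe' are hypothetical, and it assumes the ActiveDirectory module (RSAT) is installed.

```powershell
# Added example: Get-SsoHAccountState is a hypothetical helper name.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

function Get-SsoHAccountState {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, DN, GUID or SID

    $u = Get-ADUser -Identity $Identity -Properties AccountExpirationDate,
            PasswordExpired, PasswordLastSet, pwdLastSet

    $findings = @()
    if (-not $u.Enabled) {
        $findings += 'Account is disabled ([Disable Account] is selected).'
    }
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
        $findings += "Account expired on $($u.AccountExpirationDate)."
    }
    if ($u.pwdLastSet -eq 0) {
        # pwdLastSet = 0 means the password must be changed at next logon
        # or was never set; AD also reports PasswordExpired = True here,
        # so this case is tested first.
        $findings += 'Password change is required at next login, or no password was ever set.'
    } elseif ($u.PasswordExpired) {
        $findings += "Password expired (last set $($u.PasswordLastSet))."
    }
    if (-not $findings) {
        $findings = @('No account-state problem found.')
    }

    [pscustomobject]@{
        User     = $u.SamAccountName
        Findings = $findings
    }
}

# 'jdoe' is a constructed sample account name.
Get-SsoHAccountState -Identity 'jdoe' | Format-List
```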
Login failed due to an authentication error in Dept. ID Management. Contact system manager.
The machine will not operate normally because Dept. ID Management is set to ON. Contact system manager.
Cause
The Department ID Management function of the machine is set to 'On'.
Remedy
Follow the procedure below to confirm the settings.
Change the current login service to a login application other than SSO-H.
Set Department ID Management to 'Off'. For information on setting Department ID Management to 'Off', see "Department ID Management."
Turn the main power of the machine to OFF, wait 10 seconds, and then turn the power back ON. For more information on turning ON/OFF the main power of the machine, see "Main Power and Control Panel Power."
Could not obtain log in information. Contact system manager.
Cause
The port number specified in the '_ldap' SRV record (part of the DNS information of the domain specified as the login destination) is incorrect.
Remedy
Follow the procedure below to confirm the settings.
Start the DNS server management tool, "DNS."
Double-click [Forward Lookup Zones] → [<domain specified as the login destination>] → [_tcp], and then right-click the '_ldap' SRV record.
Select [Properties] from the pop-up menu that is displayed.
Select the [Service Location (SRV)] tab → confirm the value in [Port Number].
If the port number is different from the port number of the LDAP service, enter the correct port number for the LDAP service → click [OK].
The account is locked. You cannot log in to this account temporarily.
Cause
Since you failed the user authentication, the login service for the failed user is temporarily stopped.
Remedy
Wait a while, and then try to log in again.
Cannot log in because the number of locked out users is over the limit. Wait a while, then try to log in again.
Cause
Since you have exceeded the lockout threshold, the login service for the user is temporarily stopped.
Remedy
Wait a while, and then try to log in again.
Trouble That May Occur When Using the SSO-H Management Application
This section explains the various problems that may occur when using the SSO-H Management Application, along with possible causes and remedies.
Symptom: [Domain Authentication from Client Computer] is not displayed on the Settings page.
Cause
The machine operating SSO-H does not support SSL communication.
Remedy
[Domain Authentication from Client Computer] is only displayed when SSO-H is installed on a machine that supports SSL communication.
Trouble That May Occur When the Windows Firewall Is Set
This section explains the various problems that may occur when a firewall is set, along with possible causes and remedies.
Symptom: Service information fails to be retrieved when automatically retrieving domain information.
Cause
Communication with the DNS server is blocked due to firewall settings.
Remedy
Unblock port 53 (the default port) for the UDP protocol and TCP protocol.
The DNS server normally uses port 53 to perform communications with the UDP protocol, but as data over a certain size may be processed using the TCP protocol, unblock port 53 for both the TCP protocol and UDP protocol.
Symptom: Domain Authentication has failed. (The <Authentication server not operating.> error message is displayed.)
Cause
Domain Authentication is blocked due to firewall settings.
Remedy
Unblock port 88 (the default port) for the UDP protocol and TCP protocol.
Domain Authentication normally uses port 88 to perform communications with the UDP protocol, but as data over a certain size may be processed using the TCP protocol, unblock port 88 for both the TCP protocol and UDP protocol.
Symptom: User authentication has failed.
Cause
Communication for LDAP searches is blocked due to the firewall settings.
Remedy
Unblock port 389 (the default port) for the TCP protocol.
User data is retrieved from Active Directory using LDAP searches. By default, LDAP searches are performed using the TCP protocol with port 389. Therefore, unblock port 389 for the TCP protocol. (If the port number used for the TCP protocol has been changed, unblock the port number used by the TCP protocol.)
Other Trouble
This section explains the various other problems that can occur, along with possible causes and remedies.
Symptom: Cannot log in using Domain Authentication with a user created before Active Directory was installed.
Cause
Accounts for users that were created before Active Directory was installed are automatically generated by placing them in the 'Users' folder after installing Active Directory. However, the accounts that are generated do not manage the DES (Data Encryption Standard) keys for Domain Authentication required by SSO-H. Also, as a user logon name is not set, the Domain Authentication System of SSO-H cannot be used for authentication because user data cannot be retrieved, even if a DES key is generated.
Remedy
Follow the procedure below to change the settings.
Start the Active Directory management tool, "Active Directory Users and Computers."
Right-click the user that failed to be authenticated.
Select [Properties] from the pop-up menu that is displayed.
Select the [Account] tab → enter a name in [User Logon Name] → click [OK].
Right-click the user name you changed.
Select [Reset Password] from the pop-up menu that is displayed.
Enter a new password in the [Reset Password] dialog box → click [OK].
Symptom: It takes time for the application to start.
Cause 1
A host whose name cannot be resolved is set in the SRV record retrieved with automatic domain retrieval.
Remedy
Perform the following on the DNS server to enable name resolution for the specified host.
Specify forwarding settings.
Add an A record.
Specify secondary settings.
Cause 2
The DNS server set on the machine cannot be found, or communication with it is not possible.
Remedy
Confirm the network settings to see that the machine can communicate with the DNS server set on the machine, and adjust them if it cannot. Confirm things such as the following, and make the necessary adjustments:
Whether the LAN cable is connected correctly.
Whether the IP address of the DNS server set on the machine is correct.
Whether the specified DNS server exists.
Whether the specified DNS server is operating.
Whether the router settings are correct.
Cause 3
A network delay time is set.
Remedy
Adjust the network delay time.
Symptom: It takes time to determine if a login is successful.
Cause 1
Name resolution cannot be performed for the domain name specified as the login destination.
Remedy
Confirm the network settings to see that name resolution can be performed for the domain name specified as the login destination, and adjust them if it cannot. Confirm things such as the following, and make the necessary adjustments:
Whether the LAN cable is connected correctly.
Whether the IP address of the DNS server set on the machine is correct.
Whether the specified DNS server exists.
Whether the specified DNS server is operating.
Whether the router settings are correct.
Cause 2
The DNS server set on the machine cannot be found, or communication with it is not possible.
Remedy
Confirm the network settings to see that the machine can communicate with the DNS server set on the machine, and adjust them if it cannot. Confirm things such as the following, and make the necessary adjustments:
Whether the LAN cable is connected correctly.
Whether the IP address of the DNS server set on the machine is correct.
Whether the specified DNS server exists.
Whether the specified DNS server is operating.
Whether the router settings are correct.
Cause 3
Multiple domain controllers exist for managing the specified domain. If multiple domain controllers exist for managing the specified domain when using SSO-H, it may take some time to perform authentication, as each domain controller is called until one answers.
Remedy
Confirm the domain controllers, and adjust them, if necessary.
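The network-side causes described on this page (an incorrect port in the '_ldap' SRV record, blocked ports 53, 88 and 389, an SRV target whose name cannot be resolved, and several domain controllers being tried in turn) can be checked together from a computer on the same network segment as the machine. This PowerShell sketch is an added example, not part of the original manual; the function name Test-SsoHDomainPath, the domain 'example.test' and the address 192.0.2.53 are hypothetical placeholders.

```powershell
# Added example: Test-SsoHDomainPath is a hypothetical helper name.
function Test-SsoHDomainPath {
    param(
        [Parameter(Mandatory)][string]$Domain,      # domain specified as the login destination
        [Parameter(Mandatory)][string]$DnsServer,   # DNS server set on the machine
        [int]$LdapPort = 389                        # default LDAP port named on this page
    )
    $q     = @{ Name = "_ldap._tcp.$Domain"; Type = 'SRV'; Server = $DnsServer }
    $quiet = @{ WarningAction = 'SilentlyContinue' }

    # Port 53: the first query uses UDP by default, the second forces TCP.
    $srv = Resolve-DnsName @q -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'SRV' } | Sort-Object Priority
    $tcp53 = [bool](Resolve-DnsName @q -TcpOnly -ErrorAction SilentlyContinue)

    # One row per domain controller listed in the SRV record set.
    foreach ($r in $srv) {
        # An SRV target with no A record delays application start and login.
        $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $DnsServer -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' } | Select-Object -First 1
        $ldap = $false
        $kdc  = $false
        if ($a) {
            # Connect to the address the machine's DNS server returned.
            $ldap = (Test-NetConnection -ComputerName $a.IPAddress -Port $r.Port @quiet).TcpTestSucceeded
            $kdc  = (Test-NetConnection -ComputerName $a.IPAddress -Port 88 @quiet).TcpTestSucceeded
        }
        [pscustomobject]@{
            Target        = $r.NameTarget
            SrvPort       = $r.Port
            SrvPortIsLdap = ($r.Port -eq $LdapPort)
            Resolves      = [bool]$a
            LdapTcpOpen   = $ldap
            KerberosTcp88 = $kdc
            DnsTcp53      = $tcp53
        }
    }
}

# Constructed sample values; replace with your domain and DNS server.
Test-SsoHDomainPath -Domain 'example.test' -DnsServer '192.0.2.53' | Format-Table
```

Test-NetConnection only tests TCP, so UDP port 88 is not covered by this check. A row with SrvPortIsLdap, Resolves or either port column set to False points at the corresponding cause on this page.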