Resolving slow performance or connection errors with the ADSelfService Plus login agent
Issue description
Users may observe significant delays during the Windows login process or receive the error message Identity server is either unreachable or could not be securely reached after installing the ADSelfService Plus login agent. This issue typically occurs on machines where the login agent attempts to communicate with the ADSelfService Plus server over an SSL-secured connection.
Possible causes
The Local System account on the client machine is unable to access the Certificate Revocation List (CRL) URL over the internet—often due to firewall or proxy restrictions. This typically occurs when the SSL certificate for ADSelfService Plus is issued by a public Certificate Authority (CA), such as GoDaddy, Digicert, or Sectigo, but network policies prevent the client machine from reaching the CA’s CRL URL required for certificate validation via the Online Certificate Status Protocol (OCSP).
Prerequisites
- Administrative access to client machines.
- Permissions to modify firewall or proxy settings.
Resolution
- On the client machine, open the ADSelfService Plus portal in a browser (e.g., https://adss.yourcompany.com:9251).
- Click the padlock icon in the address bar. Select View certificate and navigate to the Details tab in the Certificate pop-up.
- Select Authority Information Access and, in the section below, copy the URL value listed under Authority Info Access.
- Open Command Prompt as an administrator and run the Test-NetConnection command to verify connectivity to the copied URL.
- If you receive the result TcpTestSucceeded : False, then outbound access to the CRL URL is blocked.
- In the machine's firewall or Windows proxy/WinHTTP settings, create an allow rule for the identified CRL URL (e.g., http://crl.godaddy.com).
Validation and confirmation
Reboot the affected client machine and attempt to log in to the machine. The delay or error should be resolved, confirming successful SSL certificate validation.
How to reach support
New to ADSelfService Plus?
Related Articles
Sequential ADSelfService Plus Windows agent login installation process
This article highlights the process sequence for the ADSelfService Plus Windows login agent installation via the admin portal and the prerequisites to be addressed to successfully complete each step. Additionally, we're also discussing some common ...How to reset forgotten Windows passwords from the login screen using ADSelfService Plus
Empowering users with a Windows password reset tool According to recent research, organizations are spending close to one million dollars annually on resolving password-related tickets. This isn’t that surprising, as the Microsoft-approved methods to ...Installing the ADSelfService Plus login agent through WMI or PAExec services instead of RemCom
The Windows login agent that comes bundled with ADSelfService Plus must be installed on users' machines to enable: Self-service password reset and account unlock options from the Windows login screen. MFA during machine login. Cached credentials ...Updating the ADSelfService Plus Login Agent in Windows
The ADSelfService Plus login agent can be installed on machines running Windows manually, through the ADSelfService Plus admin portal, via GPOs, SCCM, and tools like Endpoint Central. You can update the Windows login agent to its latest version in ...Updating the ADSelfService Plus Login Agent for macOS
The ADSelfService Plus login agent for macOS can be updated from the ADSelfService Plus admin portal, manually through the Terminal on the machine running macOS, or via tools like Endpoint Central. Updating the login agent through the ADSelfService ...