Unable to perform NTLM authentication in ADSelfService Plus
Issue description
When trying to log in to ADSelfService Plus using NTLM authentication, most users may encounter authentication failures, while it still works for a few.
This inconsistent behavior typically occurs when ADSelfService Plus is configured with a trial version of the JESPA library (jespa.jar). The trial version has a built-in limitation on the number of users it supports, which causes authentication failures once the limit is reached.
Possible causes
- The trial version of jespa.jar is being used.
- The JESPA trial version restricts NTLM authentication to a maximum of 25 users. Once this limit is reached, NTLM SSO attempts from any additional users will fail.
Prerequisite
- Administrator access to the ADSelfService Plus server.
Resolution
Follow these steps to resolve the NTLM authentication failure for users beyond the 25-user limit.
Step 1: Purchase a JESPA license
- Select and purchase a license tier that corresponds to the number of users in your organization.
Step 2: Replace the trial JESPA file
- Download the licensed jespa.jar file after purchase.
- Navigate to the installation directory: C:\Program Files\ManageEngine\ADSelfService Plus\lib\
- Replace the existing jespa.jar file with the newly licensed file.
Step 3: Restart the service
- Restart the ADSelfService Plus service using services.msc or from the command line.
Validation and confirmation
- Attempt to log in again using NTLM SSO. Confirm that authentication now works for all users without hitting the 25-user restriction.
How to reach support
New to ADSelfService Plus?
Related Articles
Troubleshooting the loading freeze error in the ADSelfService Plus login screen when NTLM SSO is enabled
Error When NTLM authentication is enabled, ADSelfService Plus suddenly stops authenticating users and the following error is seen in the serverout file. server.security.NtlmAuthenticator: NTLM authentication error ...Multi-factor authentication techniques in ADSelfService Plus
Let's take a look into the various authentication methods supported by ADSelfService Plus for enterprise multi-factor authentication (MFA). Why should you use MFA? Authentication based solely on usernames and passwords is no longer considered secure. ...ADSelfService Plus product startup issues
What do you need to know before troubleshooting You need to have administrator access to ADSelfService Plus. When you experience an error with ADSelfService Plus, check if these prerequisites are satisfied: Install ADSelfService Plus as a service ...How to enable Partial Enrollment for Active Directory users in ADSelfService Plus
Active Directory domain users need to complete enrollment with ADSelfService Plus before they can use the below listed features: Self-service password reset Self-service account unlock Endpoint multi-factor authentication ADSelfService Plus' logon ...Troubleshooting Guide for Common Errors in ADSelfService Plus End User Portal
Permission denied. Please contact your administrator. Cause: There are two reasons why this error could occur: End users trying to access any of the self-service features in ADSelfService Plus such as password reset or directory self-update need to ...