The article documents various errors displayed by the Zscaler service due to authentication failure.

• Generic Authentication Error Codes

  The following table lists the error codes that the Zscaler service displays when user authentication fails:

  Error Code	Description	What to Do
  211000	This error occurs when gateway redirected traffic is forwarded from a location where authentication is disabled.	Check if you have different routing for the gateway redirected traffic and the actual traffic.
  421000	This error occurs when the organization's information extracted from the user cookie does not match the organization's DPPC port used for forwarding traffic.	Clear the cookies and try again. If the error persists, export logs and contact Zscaler Support.

  Close
• Active Directory & LDAP Synchronization Error Codes

  The following troubleshooting guidelines and tips are for the Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) synchronization errors.

  Unable to Synchronize with a Directory Server

  If you're unable to synchronize with a directory server:

  • Verify the connectivity between the Zscaler Central Authority (CA) server and the directory server
  • Verify that the BIND password is correct

  A User Is Unable to Authenticate

  If a user's password is changed on the AD or LDAP server but the user is still using the old password, you can do the following to resolve this issue:

  • Reset the password on the AD or LDAP server
  • Check the error code

  The following table lists the error codes that the Zscaler service displays when it can't authenticate a user:

  Error Code	Description	When It Occurs	What to Do
  100	The ldapsearch couldn't be done against the directory.	Invalid LDAP filter.	Check the LDAP search filter in the Zscaler service portal and ensure the syntax is correct. Verify if the same filter works with the ldapsearch.
  101	Incorrect password.	Incorrect login password.	Correct the password.
  102	The LDAP connection closed.	The server closed the connection unexpectedly.	Retry. This should only be a transient error.
  103	The user wasn't found on the LDAP servers (search failed).	The ldapsearch for the user failed. The search may be done using "email" or "username" based on advanced search status.	Check if a manual ldapsearch returns the user with the same query as the one configured in the ZIA Admin Portal.
  104	The user's DN couldn't be found.	The user's DN couldn't be read due to LDAP library issues.	Consult your LDAP admin.
  105	Error performing a BIND with the user's credentials.	The DN may be invalid.	Check if a manual BIND works with the same user credentials.
  106	Internal error.	A deleted user tried to log in.	Check if the user is in the list of synchronized users. Synchronize the users.
  108	The LDAP context wasn't found.	A user in a second directory tried to log in when there was no secondary LDAP configuration.	Zscaler must "unset" flags in the DB for secondary users or do a sync-preview sync once for your organization.
  109	The synchronization is in progress. Users are not allowed to log in.	A user tried to log in during the synchronization.	Wait until the synchronization is completed.
  110	The LDAP bind failed.	The admin's LDAP bind password may be wrong.	Check the password.
  111	Internal error.	Internal error.	Retry or contact Zscaler Support.
  112	The advanced search query couldn't be sent.	Your organization is using an advanced search query for logins, and there's a problem with the advanced search filter used.	Check the advanced search filter. Ensure that ldapsearch returns users with the same filter.
  113	The user wasn't found in the list of synchronized users.	The user is not in the list of synchronized users.	Synchronize the user data and retry.
  114	Login failed. The connection to the directory server was reset.	The connection to the directory server was reset.	Retry.
  115	Login failed. The configuration changed.	An admin activated new configuration settings in the ZIA Admin Portal.	Retry.
  116	Login failed. The user was deleted.	A deleted user tried to log in.	Check if the user is in the list of synchronized users. Synchronize the user data and retry.

  Close
• Kerberos Authentication Error Codes

  If Kerberos authentication fails, the Zscaler service displays a page with an error code. The following table lists the information on the Kerberos authentication error codes. For instructions on how to troubleshoot Kerberos, see Troubleshooting Kerberos.

  Error Code	Description	When It Occurs	What to Do
  391000	The page cannot load.	Generic error code.	Contact Zscaler Support.
  441000, 461000	The user cannot be found.	The user was deleted or cannot be found in the registered domain.	Add the user.
  451000	The domain does not exist.	The realm is not a registered domain on the Zscaler service.	Contact Zscaler support to add the realm as a registered domain.
  471000 (Occurrence 1)	The proxy authorization header does not contain the encoded Kerberos ticket. In almost all cases, this means that NTLM was used.	The traffic was sent to the ZIA Public Service Edge IP address. The default Zscaler PAC file was used instead of the Kerberos PAC file. Symptoms: klist does not show either the ZIA Public Service Edge or KDC tickets.	Change the PAC file. Ensure that you use the Kerberos PAC file.
  471000 (Occurrence 2)		The user's computer does not have the GPO updates, the GPO updates are not on the domain controller, or the user is not logged in to the domain. Symptoms: A traffic capture from the user's computer does not show any query to the domain controller for the Zscaler ticket.	Verify the registry settings to ensure the user's computer has the Zscaler Kerberos settings. If they are not on the computer, verify that the domain controller has the GPO configurations. Verify that the user is logged in to the domain.
  471000 (Occurrence 3)		AES encryption is not enabled in the realm trust on the domain controller. Symptoms: klist does not show either the ZIA Public Service Edge or KDC tickets. A traffic capture shows the domain controller returning ETYPE_NOSUPP errors.	Modify the realm trust relationship and ensure that the AES encryption option is selected.
  471000 (Occurrence 4)		The realm trust relationship is not configured on the domain controller or the realm trust was configured with an incorrect password. Symptoms: klist does not show the Zscaler KDC or ZIA Public Service Edge tickets. A traffic capture shows the domain controller returning PRINCIPAL_UNKNOWN error.	Verify the realm trust configuration. Ensure that the realm name is in upper case and that the Zscaler cloud name is correct. To learn how you can find your cloud name, see What is my cloud name for ZIA? If they are both correct, then the passwords in the organization's realm and the Zscaler realm might not match. Log in to the ZIA Admin Portal, regenerate the trust password, and copy it. On the domain controller, delete the trust configuration and create a new one as described in Kerberos Trust Relationship Configuration Guide for Windows Server 2012 and GPO Push. Ensure that you use the newly generated password that you copied from the ZIA Admin Portal.
  471000 (Occurrence 5)		The user's computer cannot connect to the domain controller. Symptoms: When you run klist purge to clear the tickets, refresh the browser, and then run klist again, Kerberos tickets are not displayed, including those of the domain controller.	Verify that the computer can contact the domain controller. If the user is using DirectAccess, run netsh name show effectivepolicy to determine if the DirectAccess client considers the workstation as being in the intranet or outside
  48100	Invalid encoding of Kerberos credentials.	Possible header corruption. Ensure that there is no intermediate proxy or L7 device that may be corrupting the header.	Contact Zscaler Support.
  491000, 501000 (Occurrence 1)	Invalid Kerberos token or username.	The computer time is incorrect.	Kerberos is very sensitive to clocks being in sync. Ensure that computer time is correct and it synchronizes with an NTP server.
  491000, 501000 (Occurrence 2)		Other issues.	Contact Zscaler Support.
  510000	The user name is too long.	The user's login name exceeds the maximum allowed characters.	Contact Zscaler Support.

  Close
• Identity Proxy Error Codes

  Identity Proxy error codes are displayed when the service provider (i.e., cloud app) authentication requests fail. The following table lists the Identity Proxy error codes and troubleshooting tips:

  Error Code	Description	What to Do
  0x1388	The organization wasn't found.	The organization is invalid or might have been deleted.
  0x1389	Identity Proxy is disabled for the cloud app.	Enable Zscaler as the IdP proxy for the cloud app.
  0x138A	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x138B	An invalid SAML request was received.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x138C	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x138D	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x138E	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x138F	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1390	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1391	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1392	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1393	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1394	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1395	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1396	No ID was found in the SAML request.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1398	An invalid user, cookie, or session.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x1399	An invalid user, cookie, or session.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x139A	An invalid user, cookie, or session.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x139B	The timestamp in the SAML request is invalid.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x139C	The version in the SAML request is invalid.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x139D	The SAML request is outdated.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x139E	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x139F	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13A0	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13A1	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13A3	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13A4	The cloud app in the SAML request isn't supported.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13A5	The SAML request came from an unknown Public Service Edge.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13A6	The SAML endpoint is invalid.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x 13A9	No SAML request was found in the payload.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13AA	No SAML request was found in the payload.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13AB	The SAML request failed to decode.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13AC	The SAML request failed to decode.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13AD	The SAML request path is too long.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13AE	The SAML request was sent to the wrong cloud.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13AF	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13B0	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13B1	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13B2	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13B3	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13B4	The domain in the SAML request is invalid. The Zscaler service was unable to perform user transformation.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13B5	The domain in the SAML request is invalid. The Zscaler service was unable to perform user transformation.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13B6	An internal error occurred.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13B7	The cloud app is disabled.	Enable the cloud app for your organization.
  0x13B8	The cloud app configuration was modified during the authentication process.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13B9	An internal error occurred.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13BA	An internal error occurred.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13BC	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13BD	The SAML request took too long to complete.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13BE	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13BF	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C0	A transient cloud issue.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C1	The user is stored in the Zscaler Hosted User Database and entered the wrong password.	Check if the user is entering the correct password.
  0x13C2	The user is synchronized with Zscaler Authentication Bridge (ZAB). The Zscaler service was unable to connect to the ZAB.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C3	The user is synchronized with Zscaler Authentication Bridge (ZAB). The Zscaler service was unable to connect to the ZAB.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C4	The user is synchronized with Zscaler Authentication Bridge (ZAB) and entered the wrong password.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C5	An internal error occurred.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C6	The user might be authenticated with another organization that doesn't have an identity proxy configured.	The user must log out from their existing Zscaler account and log in using the account with the identity proxy configured.
  0x13C7	There is no key to sign the SAML response.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C8	Wrong binding method. The Zscaler service didn't receive a POST request.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13C9	The organization was deleted during the authentication process.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13CA	The IdP is disabled during the authentication process.	Enable the IdP for your organization.
  0x13CB	An invalid cookie.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13CC	The cloud app configuration was disabled or deleted during the authentication process.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13CD	The cloud app configuration was disabled or deleted during the authentication process.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13CE	The SAML request is outdated.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13CF	The SAML request is outdated.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13D0	The user wasn't found.	The user might have been deleted. Re-add the user.
  0x13D1	The SAML request is outdated.	Retry after a few seconds. If the error persists, contact Zscaler Support.
  0x13D2	An internal error occurred.	Retry after a few seconds. If the error persists, contact Zscaler Support.

  Close