Zscaler Client Connector: ZPA Authentication Errors
The table below provides a list of error messages your users might see for Zscaler Client Connector during the enrollment process.
| Error Code | Error Message | Error Description | Resolution |
|---|---|---|---|
| | Inconsistency in user credentials is detected. Log out of the client and retry. | When the user attempts to reauthenticate to ZPA, this error occurs if: | Verify that the user has entered the username provided during initial enrollment, and have the user retry authentication. If the error persists, verify that the IdP SAML response has the NameID that ZPA received during initial enrollment. You can also have the user log out from Zscaler Client Connector and attempt to re-enroll into ZPA. |
| | Internal Error: Contact Administrator | This error occurs when a user attempts to log in to Zscaler Client Connector without a domain name. In this case, ZPA cannot identify the user's organization and as a result cannot proceed further. This is not applicable if you have specifically configured the App installer so that the domain name is not required in the username field. | Verify that the user has entered a valid domain as part of the username (for example, joe@safemarch.com). This is not applicable if you have specifically configured the App installer so that the domain name is not required in the username field (in this case, the user would only enter joe). |
| | Zscaler Private Access is not configured for your company. | This error occurs when ZPA is not configured correctly and is unable to identify the IdP that must be used for enrolling the user. | Verify that an IdP is configured for ZPA and that the IdP can communicate with ZPA. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | Internal Error: Contact Administrator | This error occurs if Zscaler Client Connector is not sending the expected information to ZPA during the user's enrollment process. | Verify that single sign-on (SSO) for ZPA has been configured correctly. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | Internal Error: Contact Administrator | This error occurs if ZPA cannot correctly interpret the information sent by Zscaler Client Connector during the user's enrollment process. | Verify that SSO for ZPA has been configured correctly. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | Internal Error: Contact Administrator | This error occurs when the SAML response validation fails. The failure could be due to issues like the system clock being out of sync, an expired IdP certificate, a failure in the SAML response signature validation, or issues around IdP lookup by IdP entity ID. | Verify that SSO for ZPA has been configured correctly. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | Internal Error: Contact Administrator | This error occurs when the certificate signing request in ZPA fails during the user enrollment process. | Verify that the signing certificate chosen for enrolling the user device to ZPA is valid. ZPA provides a default signing certificate that can be used when enrolling user devices to ZPA. Check the ZPA admin portal to ensure this certificate is still available, or that a new, valid certificate has been added in its place. If the error persists, contact Zscaler Support. |
| | Internal Error: Contact Administrator | This error occurs if ZPA does not receive the expected information during the user enrollment process. | This is an internal error. Contact Zscaler Support. |
| | The message is not of the SAML response object type. | This error occurs if the IdP SAML response doesn’t match the expected SAML response object type. | Update the IdP configuration to send the expected object type in the SAML response. |
| | The SAML response status is unsuccessful. | This error occurs if the status in the SAML response is unsuccessful. | Review the user’s information in the IdP and have the user retry logging in. |
| | Failed to validate the SAML response signature. | This error occurs if: | Verify that the IdP certificates are configured correctly in ZPA. Check the expiration date of the IdP certificate, and upload a valid certificate if the current certificate has expired. |
| | The response issue time is either too old or with date in the future. IdP Issue Time: [Timestamp]s Accepted Range: [Timestamp]s to [Timestamp]s | This error occurs if the IdP and the ZPA authentication service clocks have a large skew. The maximum accepted skew time is 120 seconds. | Ensure the value for the response issue time is in the accepted range. |
| | The IdP originated SSO is not supported. | This error occurs if the IdP sends ZPA a SAML response without the ZPA authentication service initiating it. | Only service provider (SP) initiated SSO is supported with ZPA. |
| | Failed to look up the SAML request corresponding to the SAML response received. | This error occurs if the ZPA authentication service failed to look up the SAML request corresponding to the SAML response from its database. | Contact Zscaler Support. |
| | The intended destination doesn't match any of the configured endpoints. | This error occurs if the assertion consumer endpoint of the ZPA authentication service isn't properly configured in the IdP. | Review the SP configuration in your IdP. |
| | Failed to validate the issuer in the SAML response. | This error occurs if the IdP entity ID isn't properly configured in the ZPA Admin Portal. The entity ID is case sensitive. | In the ZPA Admin Portal, review the entity ID of the IdP configuration. |
| | Possible error messages: | This error occurs if the ZPA authentication service failed to validate the assertions in the SAML response. The assertion validation may fail due to timing issues, unsupported assertion conditions (e.g., OneTimeUse condition), etc. | Ensure the value for the response issue time is in the valid range. |
| | Missing NameID in the SAML response. | This error occurs if the SAML response doesn't have NameID in it. | In the IdP configuration, ensure NameID is part of the subject in the SAML response message. |
| | The CA certificate (signing certificate) for Zscaler Client Connector has expired. | This error occurs if the Central Authority (CA) certificate for Zscaler Client Connector has expired. | Provision a valid CA certificate for Zscaler Client Connector. To learn more, see Using the Default ZPA Signing Certificates. |
| | The CA certificate (signing certificate) for Zscaler Client Connector is missing. | This error occurs if the CA certificate for Zscaler Client Connector is missing. | Provision a valid CA certificate for Zscaler Client Connector. To learn more, see Using the Default ZPA Signing Certificates. |
| | The private key for the Zscaler Client Connector CA certificate (signing certificate) is missing. | This error occurs if the private key for the Zscaler Client Connector CA certificate is missing. | Provision a valid CA certificate for Zscaler Client Connector. To learn more, see Using the Default ZPA Signing Certificates. |
| | Unable to secure a valid certificate for this user. | This error occurs if Zscaler Client Connector fails to get a valid certificate. | Contact Zscaler Support. |
| | Your organization has reached the limit for the maximum number of allowed users. | This error occurs if your organization has provisioned more users than the number allowed by its subscription. | Verify that the existing ZPA subscription meets the needs of your organization. |
| | Unexpected or missing information when enrolling or unenrolling Zscaler Client Connector. | This error occurs if the ZPA authentication service receives a request from Zscaler Client Connector with missing or unexpected information. | Contact Zscaler Support. |
| | Unable to identify the user by domain from the provided username. | This error occurs if the user's username doesn't have a domain that is associated with the organization. | Contact Zscaler Support. |
| | Unable to look up the user’s organization information. | This error occurs due to missing information in the account associated with the ZPA service. | Contact Zscaler Support. |
| | Unable to authorize Zscaler Client Connector enrollment request. | This error occurs due to missing information in the account associated with the ZPA service. | Contact Zscaler Support. |
| | The ZPA authentication service doesn’t support the OneTimeUse condition in the SAML assertion. | This error occurs if the IdP issues a SAML assertion with the OneTimeUse condition. | Update the IdP configuration so that it does not issue SAML assertions with the OneTimeUse condition. |
| | ZPA SP was not able to validate the SAML response. Please check the IdP configuration on both ZPA and your IdP. | This error occurs when the ZPA service cannot validate the SAML response for the ZPA admin. | Verify that an IdP is configured for ZPA administrator SSO and that the IdP can communicate with ZPA. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | ZPA SP was not able to validate the SAML response. Please check the IdP configuration on both ZPA and your IDP. | This error occurs when the ZPA service cannot validate the SAML response for the ZPA user. | Verify that an IdP is configured for ZPA user SSO and that the IdP can communicate with ZPA. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | User not authorized because of domain mismatch. Please check configuration on both ZPA and your IdP. | This error occurs if the user’s username domain doesn’t match any domains associated with the organization. | Contact Zscaler Support. |
| | Unable to verify the IdP configuration for the IdP entity ID. | This error occurs when the ZPA service cannot verify the entity ID for the IdP configuration. | In the ZPA Admin Portal, review the entity ID of the IdP configuration. |
| | IdP is not enabled for admin SSO.Please check the IdP for user admin SSO in your IDP configuration. | This error occurs when the IdP isn’t enabled for the admin SSO. | Verify that SSO for ZPA is configured correctly. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for admin SSO. |
| | Failed to insert into Object Store. | This is an internal error. | Contact Zscaler Support. |
| | Unable to verify the SP configuration for this domain. | This error occurs when the ZPA service cannot verify the service provider (SP) configuration for the domain. | Verify that the SP for the IdP has been configured correctly. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | Failed to encrypt. | This is an internal error. | Contact Zscaler Support. |
| | Configured IdP is disabled for SSO. | This error occurs when the IdP is disabled in ZPA. | Enable the IdP in the ZPA UI. |
| | IdP configuration is incomplete. | This error occurs when the IdP is misconfigured. | Verify the configuration. To learn more, see Using Zscaler Client Connector Portal as an Identity Provider. |
| | IdP configuration has mismatched SSO type/usage. | This error occurs when the SSO type and usage for the IdP configuration do not match. | Verify that SSO for ZPA is configured correctly. Prior to enrolling users with Zscaler Client Connector, verify that your IdP Configuration is correctly set up for SSO. |
| | Zscaler Private Access: SAML Assertion input too large. | This error occurs if the IdP issues a SAML assertion that is larger than expected. | Contact Zscaler Support. |
| | All the signing certificates associated with the IdP are expired. | This error occurs when a user tries to log in to Zscaler Client Connector and the IdP’s signing certificates in ZPA have expired. | Update the IdP configuration to upload a valid signing certificate from the IdP. |
| | The SAML request signing certificate has expired. | This error occurs if the SAML request signing certificate configured in the ZPA Admin Portal has expired. | Edit the IdP configuration to change the certificate used by the IdP to another certificate, and then update the IdP. To learn more, see Managing a Service Provider Certificate Rotation. |
| | The SAML request signing certificate is invalid. | This error occurs if the SAML request signing certificate configured in the ZPA Admin Portal is not valid. | Edit the IdP configuration to change the certificate used by the IdP to another certificate, and then update the IdP. To learn more, see Managing a Service Provider Certificate Rotation. |
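
Several rows above describe response-level conditions (response object type, status, issue time within the 120-second skew, SP-initiated SSO only, destination, case-sensitive issuer, NameID, OneTimeUse) that can be checked on a captured SAML response before escalating. The script below is an added example, not Zscaler code: the function name `precheck`, the finding strings, the sample response and the `example.test` URLs are constructed, and treating a missing `InResponseTo` as IdP-initiated SSO is an assumption. Signature and certificate validation are outside its scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
MAX_SKEW = 120  # seconds; maximum accepted skew stated in the table
# Constructed sample response (unsigned); every value here is illustrative.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T12:05:00Z" InResponseTo="_req1"
  Destination="https://sp.example.test/acs">
 <saml:Issuer>https://IdP.example.test/metadata</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:05:00Z">
  <saml:Subject></saml:Subject><saml:Conditions><saml:OneTimeUse/></saml:Conditions>
 </saml:Assertion>
</samlp:Response>"""

def precheck(xml_text, acs_url, idp_entity_id, now):
    """Return findings for a captured response; signatures are not verified."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["p"]:
        return ["not a SAML response object"]
    out = []
    code = root.find("p:Status/p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        out.append("status is not Success")
    try:
        stamp = root.get("IssueInstant", "").replace("Z", "+00:00")
        skew = abs((now - datetime.fromisoformat(stamp)).total_seconds())
        if skew > MAX_SKEW:
            out.append("issue time outside accepted range (skew %ds)" % skew)
    except (ValueError, TypeError):
        out.append("IssueInstant missing or unparsable")
    if not root.get("InResponseTo"):  # assumption: absent means IdP-initiated
        out.append("no InResponseTo (IdP-initiated SSO)")
    if root.get("Destination") != acs_url:
        out.append("Destination does not match the configured endpoint")
    if root.findtext("a:Issuer", "", NS).strip() != idp_entity_id:  # case-sensitive
        out.append("Issuer does not match the IdP entity ID")
    if root.find(".//a:Subject/a:NameID", NS) is None:
        out.append("missing NameID")
    if root.find(".//a:Conditions/a:OneTimeUse", NS) is not None:
        out.append("assertion carries OneTimeUse")
    return out

if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    print(precheck(SAMPLE, "https://sp.example.test/acs", "https://idp.example.test/metadata", now))
```

Pass the ACS URL and entity ID exactly as configured; the comparison is exact, so a difference in letter case alone is reported as an issuer mismatch.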