One or more users fail to log on to RM Unify with the error:

Having trouble signing in? Are your username and password correct? If you're unable to sign in, please ask your teacher or establishment administrator for help.

They are using the correct username as shown in the User Name column of the RM Unify Management Console, Users screen.

One of the following conditions is true:

1. The user has previously logged on to RM Unify. They have since changed their local network password, but see the above error when using the new password. They can successfully log on to RM Unify using their old password.
2. The user is a new RM Unify user. They have reset their local network password to complete user provisioning into RM Unify but still cannot log on.

This document covers troubleshooting steps to identify the source of the issue and details how to successfully uninstall the RM Unify Password Filter software.

The full list of possible causes and solutions, are listed in the Procedure section, but for ease of reference:

• Where Network Provisioning is in use, the network password may not meet RM Unify complexity requirements and so was discarded.
• The server time (as shown in the system tray) may be incorrect i.e. +\- 5 minutes.
• Where AD Sync is in use, the RM Unify AD Sync service is not running as the identitysyncservice user.
• The Password Filter software is not installed on every domain controller (DC) on the network; or, is installed but is the wrong version (x86 or x64); or the DC has not been rebooted and logged on to after installation.
• The permissions on the RM Unify Password Filter folder and/or RMNetIdentityQueue$ share on one or more DCs are wrong.
• There is more than one RM Unify AD Sync installation on the network. There should only be one AD Sync installation registered to your RM Unify establishment - any password changes on your network being detected and uploaded to the datacentre by the unregistered installation, will be discarded.
• Anti-virus or other protection software such as Sophos, Trend Micro is preventing password filtering.
• A manually-provisioned RM Unify account with the same name already exists and is preventing creation of the account from AD.

Check if the school is using RM Unify Network Provisioning
RM Unify will reject a password coming from AD if it is too simple. The User Audit log in the RM Unify Management Console will show if RM Unify has rejected a user's AD password. For more information, refer to TEC5943089 in the Other Useful Articles section below.

Note: The use of RM Network Provisioning can be confirmed by navigating to the User Audit page of the RM Unify Management Console as a super admin, selecting 'Network Agent' from the Change type drop down, and returning logs for the past month or so. Change type entries such as, "Update AD User" or "Create AD User" indicate RM Unify Network Provisioning.

Check that the server time on your network is accurate
If the time on your servers is plus or minus five minutes, the password change files sent from your network (via AD Sync) to the RM Unify datacentre will be ignored. This is a security measure to protect against any potential unauthorised interception and replay of those files. You must ensure that your network's DCs are properly time-synchronised.

Confirm the RM Unify AD Sync service is set to log on as the identitysyncservice user
This service is installed on the RM Unify AD Sync server and should be set to log on as the dedicated identitysyncservice user. If it has been changed to log on as another account, set a new secure password for the identitysyncservice user in Active Directory and change the service to log on as the identitysyncservice user.

Check Event Viewer logs for related errors
View the 'Application and System Windows' logs for warnings or errors referencing RM Unify Password Filter.

Confirm RM Unify Password Filter is installed on all domain controllers (DCs)

1. On a DC, open 'Active Directory Users and Computers'.
2. Browse to the Domain Controllers OU and sub-OUs, as necessary.
3. Make a note of all the DCs.
4. In the RM Unify AD Sync Tool, expand Domains and right-click the Domain Controllers folder.
5. Select Rescan domain and confirm if all the DCs noted above (step 3) are now displayed.
6. For each DC, use DWN3182456 in the Other Useful Articles section below to confirm if the RM Unify Password Filter is installed.

Check the RM Unify Password Filter log files on each DC
If password changes have never worked or appear to work intermittently, check C:\Program Files\RM\RM Unify Password Filter\LogFiles on each DC for installation errors.

Confirm the correct version of RM Unify Password Filter is installed
There is a 32-bit and a 64-bit installer for RM Unify Password Filter, depending on whether the Microsoft® Windows® server is 32-bit or 64-bit. Please see Appendix 1 in both the Release Notes contained within DWN3182456 to help check if the operating system is 32-bit or 64-bit.

In Programs and Features, you should see either RM Unify Password Filter 32-bit or RM Unify Password Filter 64-bit listed.

Check access and permissions on all RMNetIdentityQueue$ shares 

1. In the RM Unify AD Sync Config Tool, expand Domains and view the list of DCs.
2. Check that all your DCs are listed and that none have a red cross. A DC with a red cross indicates that the Configuration Tool has been unable to access the DC and/or its RMNetIdentityQueue$ share.
3. For any DC with a red cross, confirm that RM Unify Password Filter has been installed.
4. On every DC, check the permissions on the C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue folder. It should be shared as RMNetIdentityQueue$ with share permissions of Everyone=Full Control. NTFS permissions should include Read, Write, Modify and Delete for the identitysyncservice user.
5. Confirm if the RMNetIdentityQueue$ share on each DC contains an RMUnifyADSyncCert.cer file. The RM Unify AD Sync service should automatically download a copy of the file to C:\Program Files (x86)\RM\RM Unify AD Sync and distribute it to all DCs in a heartbeat every 15 minutes by default. You can manually copy the .cer file to RMNetIdentityQueue$ shares (it is not), but having to do so may indicate an underlying issue that still requires resolution.

Check there is only one RM Unify Password Filter installation on each DC
If a previous installation of RM Unify Password Filter has not been uninstalled correctly you might have two installations, which will cause you an issue. Confirm you have just one installation in C:\Program Files\RM\RM Unify Password Filter and no installation in C:\Program Files (x86)\RM\RM Unify Password Filter.

If the server is Community Connect 4 (CC4), check if another RM product called RM Password Filter is installed in Programs and Features. This is a password capture product associated with RM Password Plus. The two products may not co-exist successfully. RM Unify Password Filter should start working immediately once RM Password Plus is uninstalled, but in rare cases you may need to reinstall RM Password Filter.

Check there is only one RM Unify AD Sync installation on the network
Although only one installation of RM Unify AD Sync can be registered with your RM Unify establishment, the presence of two or more Enabled instances of the RM Unify AD Sync Service running on the network could result in issues affecting the successful synchronisation of data, including passwords, to the RM Unify datacentre.

As RM Unify AD Sync can be installed on a DC or member server, complete the following:

1. Identify the server you usually use to launch and configure the RM Unify AD Sync Config Tool. This should be the only server on the network with the RM Unify AD Sync Service listed in services.msc.
2. On the next server, click Start, Run and type services.msc and press Enter.
3. If you locate the RM Unify AD Sync Service, double-click it and select Disabled from the Startup type. Click OK.
4. Change the password of an AD user that has an RM Unify account.
5. If the user is able to log on to RM Unify with the new password after 60+ seconds, you are free to uninstall AD Sync from that server.
6. Repeat Steps 2-5 on each server on your network.

Check the anti-virus or protection software installed on each DC
Temporarily suspend the protection on one DC and follow the steps in the section 'Test a new password change' below. If you find a password is changed successfully, please consult your anti-virus/protection support provider on how to exclude the C:\Program Files\RM\RM Unify Password Filter and sub-folders from the protection software on each DC. Depending on the software, you may have to complete additional tasks to allow RM Unify Password Filter to function while the protection is on.

Check if a manually-provisioned RM Unify user with the same username already exists

1. Sign in to RM Unify as a user with super admin rights.
2. Click Management Console.
3. Click Users.
4. Click the down arrow key next to the box 'Any data source' and select 'Manual/CSV'.
5. In the Username filter box, enter the username of the affected user and press Enter.
6. If the filter does not return a user, click the down arrow key next to the box View and select a different role group.
7. Repeat until you have checked all the six role groups.
8. If a user is returned, please contact the RM Cloud Support team for further assistance.

Test a new password change

1. Open the RM Unify AD Sync Configuration Tool.
2. Click Service, Settings.
3. Under Logging, change the Log level to LOG (this enables verbose logging).
4. Click OK.
5. Restart the RM Unify AD Sync Service.
6. Open 'Active Directory Users and Computers' on a DC and change the AD password of an existing RM Unify user that still has membership of the RM Unify Users security group.
7. On the same DC, browse to the C:\Program Files\RM\RM Unify Password Filter\RMNetIdentityQueue folder and confirm that you can see a new .json file with the date/time when you changed the password. If you cannot see the new .json file or see a new .bin file instead, then RM Unify Password Filter has been unable to capture the change successfully. Please review the NTFS/share permissions and .cer file on the C:\Program Files\RM\RM Unify Password Filter folder and sub-folders detailed in the 'Check access and permissions on all RMNetIdentityQueue$ shares' section above.
   Note: If the DC is a read-only domain controller (RODC), it has to forward the password change request to another DC for processing. In this case, you should check the RMNetIdentityQueue folders on the other DCs to identify the one that processed the change and created the .json file.
8. Wait five minutes and then open the latest log file on the RM Unify AD Sync server:
   1. Locate the log files in C:\Program Files\RM\RM Unify AD Sync\LogFiles.
   2. Search for a Domain Timer event with information 'Saved password for xxx', where xxx is the username. This proves the password change has been detected.
   3. Then search for a later 'RM Unify upload timer' event with information 'Password change complete for User xxx', where xxx is the username. This proves the password change has been uploaded.
9. Repeat Steps 6-8 on each DC.
10. Return the logging back to ERROR by repeating Steps 1-4 and setting the Log level to ERROR.

If the above checks fail to reveal a root cause and all user passwords are not propagating to RM Unify, uninstall RM Unify Password Filter on all DCs using the instructions below and reinstall. Please note that the install of RM Unify Password Filter requires a server reboot, followed by the domain administrator logging on to the server and then logging off again to complete the installation.

1. From Control Panel, Programs, select 'Uninstall a Program'.
2. Right-click RM Unify Password Filter and select Uninstall.
3. Accept prompts and confirm successful uninstallation.
4. Open Computer Management and click Shared Folders>Shares.
5. Right-click RMNetIdentityQueue$ and select Stop Sharing.
6. If a prompt appears "There are x user(s) connected...Do you want to continue", click Yes.
7. Close Computer Management.
8. In File Explorer, delete the C:\Progam Files\RM\RM Unify Password Filter folder.
9. Reboot the server.

Note: It is expected that the C:\Progam Files\RM\RM Unify Password Filter folder structure and the RMNetIdentityQueue$ share will remain after the uninstallation has completed.  A reinstallation of RM Unify Password Filter will delete and recreate the RMNetIdentityQueue$ share. By manually deleting the share and folder structure in steps 4-8 above, you are ensuring complete removal of the software.