Defender self-service error

Hello,

We encountered an issue in one of two defender servers

when user is trying to access the token registration, he got an issue in self-service states that self-service portal not configures properly.

Web management logs:

ERROR 2025-05-19 16:02:49,002 30297ms [47] HomeController LoginInternal - Failed to log in service account, user account will be used for impersonation
ERROR 2025-05-19 16:02:49,329 30623ms [51] UserRepository GetByNetBios - UserRepository::GetByNetBios objectsid Error
System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Runtime.InteropServices.COMException: The network path was not found.

at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.PropertyValueCollection.PopulateList()
at System.DirectoryServices.PropertyValueCollection..ctor(DirectoryEntry entry, String propertyName)
at System.DirectoryServices.PropertyCollection.get_Item(String propertyName)
at lambda_method(Closure )
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Delegate.DynamicInvokeImpl(Object[] args)
at BdsSoft.DirectoryServices.Linq.DirectoryQuery`1.GetCondition(BinaryExpression e)
at BdsSoft.DirectoryServices.Linq.DirectoryQuery`1.ParsePredicate(Expression e, StringBuilder sb)
at BdsSoft.DirectoryServices.Linq.DirectoryQuery`1.BuildPredicate(LambdaExpression q)
at BdsSoft.DirectoryServices.Linq.DirectoryQuery`1.GetEnumerator()
at System.Collections.Generic.List`1..ctor(IEnumerable`1 collection)
at System.Linq.Enumerable.ToList[TSource](IEnumerable`1 source)
at Defender.Models.UserRepository.GetByNetBios(String nb)
ERROR 2025-05-19 16:03:39,181 80475ms [34] nStorageLocationWriter Save - Error:
ERROR 2025-05-19 16:03:39,184 80478ms [34] elfRegConfigController kenStorageLocation - Token Storage Location failed: Error:The System Service Account user could not be logged in or has not been configured.

please note below:

service account has full permissions

server is connected to active directory

service account has full delegation and no login restriction applied

Parents

0 Tawfiq.Ahmad 4 days ago

Hi,

The mentioned error can happen when the service account password is incorrect which is specified in the Management Portal > Configuration > Service Account tab > The service account password needs to be updated here.

"The Defender Management Portal requires a user account to program and assign tokens to users who requested them through the Defender Self-Service Portal and to retrieve data for Defender reports from Active Directory. By default, the service account specified on this page is used to perform these actions."

Thanks!
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Mahmoud Emad 3 days ago in reply to Tawfiq.Ahmad

Hi Tawfiq,

exactly it gives "wrong credentials", but every time i have to update the password with the same credentials then save to get a a successful response.

and the self-service issue still exists.

does it a version issue?
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Tawfiq.Ahmad 3 days ago in reply to Mahmoud Emad

It would be a good idea to upgrade to latest version of Defender if possible to rule out issues that we have already resolved yes

Other issues can be related to the browser, so make sure you are using a supported browser (for example IE is not compatible) and ty to type the password instead of using copy \ paste.

You may install (only the Management portal component) separately on a dedicated new server as a test \ comparison to rule out issues with the existing server \ IIS as well if possible and add only the Defender Service account as member of the Local Administrator group
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Reply

0 Tawfiq.Ahmad 3 days ago in reply to Mahmoud Emad

It would be a good idea to upgrade to latest version of Defender if possible to rule out issues that we have already resolved yes

Other issues can be related to the browser, so make sure you are using a supported browser (for example IE is not compatible) and ty to type the password instead of using copy \ paste.

You may install (only the Management portal component) separately on a dedicated new server as a test \ comparison to rule out issues with the existing server \ IIS as well if possible and add only the Defender Service account as member of the Local Administrator group
Cancel
Up 0 Down

Reply

Verify Answer

Cancel

Children

0 Mahmoud Emad 3 days ago in reply to Tawfiq.Ahmad

i have restarted the IIS feature but issue still exits.
in your point of view why it gives (Token Storage Location failed) every time i make change in self-service configuration in web portal ?

i can't edit the token registration groups as well.
Cancel
Up 0 Down

Reply

Verify Answer

Cancel
0 Tawfiq.Ahmad 2 days ago in reply to Mahmoud Emad

Please check the local administrators group to make sure there are no orphaned members that appear with SID s-1-#-# and remove these

Also remove members that belong to different domains other than the domain which Defender service account belongs to because the service account may not have permissions to read other domains when its trying to enumerate the Local Administrators group and it has members from other domains and causes the Management portal to fail saving the service account credentials in the service account configuration tab.

Reference KB:
https://support.oneidentity.com/defender/kb/4209930/error-specified-user-account-for-management-portal-service-account-is-not-a-member-of-the-local-administrators-group-on-the-system
Cancel
Up 0 Down

Reply

Verify Answer

Cancel