X. Common Issues

Also see FAQ for basic questions and Troubleshooting for tools to help diagnose problems.

Have Questions?  Contact Us

Reset Users:

Problems Resetting User Password (Reset)


ASP.NET AppDomain is shutting down
Problem installing Pleasant Password Server (Windows 8.1 or Server 2012 R2)
Keyboard not working in Windows Password Reset Client (Windows 8+)
Questions About Session Timeout






Getting more detailed log information

Follow these instructions to get more detailed logging information or to view the log files.


Service did not start up

Please Note:

  • There may be a delay in the service startup after upgrading while the database is converted to the new version

Please make sure that the IISExpress.exe task is shut down (in Task Manager) before restarting the service. This will be automatically included in the startup procedure.

Service did not start up - after a Windows Update

Please Note:

  • There may be a delay in the service startup after upgrading while the database is converted to the new version

Please make sure that the IISExpress.exe task is shut down (in Task Manager) before restarting the service. This task will be automatically started along with the server startup.

Sometimes Windows Update still requires a restart / reboot.


1) Service startup errors will usually show additional logging details. Please follow the steps here for Server Logging and review the weblogs.txt file for any errors.

2) Rarely, this could be an issue with IISExpress, a component that is started along with the Pleasant Server.

  • To resolve, simply try to repair the IISExpress install.
  • If this still does not help:
    • Uninstall both Pleasant Password Server (which will leave your database intact with your admin settings) and
    • Uninstall IISExpress
    • Rename the Password Server program folder
    • Then re-install Pleasant Password Server. This will also install a new version of IISExpress.

3) See also the commands mentioned here: Stopping Pleasant Password Service

If you continue to have trouble, please email Support with your Detailed Logs and a description of your situation.

Website didn't load

Problems? If the web site won't load,

  • Check that the installation/upgrade is complete and hasn't reported errors in the logs
  • Make sure Password Server isn't sharing a port with anything else:
    1. Stop the Password Server service.
    2. Click Start, type cmd, right-click Command Prompt, then click Run as administrator.
    3. From the prompt, run netstat -b -p TCP -q. If you see anything ending in :10001 in the Local Address column, either switch the software using 10001 to another port or switch Password Server itself.

If you continue to have difficulty, please Contact us!

Can Only Grant Read-Only Permissions (v7.6.6+)

Relevant only if upgrading from a version previous to 7.6.6.

If your Administrators or users:

  • Cannot change the User Access except to Read-only, or
  • Cannot add entries in the mobile client

This change has been caused by a security improvement in version 7.6.6. To resolve:

  • Please edit your Access Levels: Full, Full + Grant, Full + Grant + Block
  • Set “Grant” for "View User Access" to True

Alternative method: If your organization has never added new Access levels or changed the existing Access levels:

  • Click Reset Access Levels, which will also achieve the same results.

Previously this setting was not required for granting/removing permissions, but has been changed for this version (as per Release Notes for 7.6.6).

This will allow  as for your expectations.

If you have additional questions or concerns, please contact Support.

Restore Access Inheritance (v6.4.13+)

If you block access inheritance on entry/folder X without first ensuring you have the Set Block Inheritance permission set directly on X (rather than inherited from an ancestor), you'll only be able to remove the block by editing your database as follows:

  1. Stop the "Pleasant Password Server" service
  2. Open your database in SQLiteManager (as administrator)
    • Open SQLiteManager with a right-click, "Run as administrator". This avoids the "Database is read only" error.
  3. Open the SQL tab and run the following command (assumes that the blocked entry/folder is uniquely named; if not, the WHERE clause will need to use rowid or Id rather than Name):

    -- Replace X with the name of the blocked entry/folder
    UPDATE "CredentialObject"
    SET "PermissionInheritanceBlocked" = 0
    WHERE "Name" = 'X';

  4. Refresh the folder tree visibility:
    DELETE from "CredentialObjectVisibilityAccessRow";
    DELETE from "CredentialObjectVisibility";
  5. Start the Password Server service

  6. Re-add the User Access directly to the specific folder (or entry) you just restored.
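An UPDATE in step 3 that matches more than one row clears the inheritance block on every matching object, including folders that were blocked on purpose. The following added example (not Pleasant Password Server code) shows one way to confirm that the name is unique before changing anything. It runs against a constructed in-memory table containing only the columns this page names; the sample rows, the Id values and the function names are assumptions.

```python
import sqlite3

def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for the real database: only the columns the page names."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE "CredentialObject" ('
                 '"Id" TEXT PRIMARY KEY, "Name" TEXT, '
                 '"PermissionInheritanceBlocked" INTEGER)')
    conn.executemany('INSERT INTO "CredentialObject" VALUES (?, ?, ?)', [
        ("id-1", "Finance", 1),   # blocked on purpose, must stay blocked
        ("id-2", "Servers", 1),   # duplicate name: ambiguous by Name
        ("id-3", "Servers", 0),
        ("id-4", "HR Vault", 1),  # the folder locked out by mistake
    ])
    conn.commit()
    return conn

def unblock_inheritance(conn: sqlite3.Connection, name: str) -> int:
    """Clear the block on exactly one object; refuse if Name is not unique."""
    rows = conn.execute('SELECT "Id" FROM "CredentialObject" WHERE "Name" = ?',
                        (name,)).fetchall()
    if len(rows) != 1:
        raise ValueError(f"{len(rows)} objects named {name!r}; select by Id instead")
    with conn:  # commits on success, rolls back on error
        cur = conn.execute('UPDATE "CredentialObject" '
                           'SET "PermissionInheritanceBlocked" = 0 WHERE "Id" = ?',
                           (rows[0][0],))
    return cur.rowcount  # number of rows changed, expected to be 1

def blocked_names(conn: sqlite3.Connection) -> list:
    """Names of all objects that still block inheritance, ordered by Id."""
    return [r[0] for r in conn.execute(
        'SELECT "Name" FROM "CredentialObject" '
        'WHERE "PermissionInheritanceBlocked" = 1 ORDER BY "Id"')]

if __name__ == "__main__":
    db = build_sample_db()
    print(unblock_inheritance(db, "HR Vault"), blocked_names(db))
```

Run it against a copy of the database first, and keep a backup of the original file before editing it with the service stopped.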


2FA Authenticator App gets Invalid Two-Factor Token error

The Authenticator protocol is time-based. If your Server, Device, or App is out of sync by even 30 seconds, this will cause problems:

  • Check the server time
  • Check the device time
  • Check the app time

This should be the only issue your users will have authenticating using the Authenticator apps.

For more info: Google Authenticator help (Android)
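Why a small clock difference is enough to produce this error, as an added example (not Pleasant Password Server code): a generic RFC 6238 TOTP with the standard 30-second step, showing a device only 5 seconds ahead being rejected because it has already crossed into the next time step. The `window` parameter, the function names and the sample secret are assumptions for illustration; this page does not state how much drift the server tolerates.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per TOTP time step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret: bytes, code: str, server_time: int, window: int = 0) -> bool:
    """Accept code if it matches a step within +/- window steps of server time."""
    for drift in range(-window, window + 1):
        candidate = totp(secret, server_time + drift * STEP)
        if hmac.compare_digest(candidate, code):
            return True
    return False

def skew_report(secret: bytes, device_time: int, server_time: int) -> dict:
    """Generate a code on the device clock and check it against the server clock."""
    code = totp(secret, device_time)
    return {
        "skew_seconds": device_time - server_time,
        "accepted_strict": verify(secret, code, server_time, window=0),
        "accepted_window_1": verify(secret, code, server_time, window=1),
    }

# Constructed sample: the RFC 6238 test secret, not a real enrollment secret.
SECRET = b"12345678901234567890"
# Constructed server clock, 29 seconds into a step (one second before rollover).
SERVER_TIME = 1111111109

if __name__ == "__main__":
    for skew in (0, 5, 30):
        print(skew_report(SECRET, SERVER_TIME + skew, SERVER_TIME))
```

Whether a given skew fails depends on where in the 30-second step the server clock currently sits, which is why the error can appear intermittent until the clocks are synchronized.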

Still a problem?

1. Watch the clocks simultaneously count up the minutes and seconds. Set the time.

2. Workaround --

However, if your users are still having difficulties with their secret, you can take these actions:

  • A) Reset their Google Authenticator secret:
    • Reset Two-Factor Secret

    • This will allow users to enroll again and synchronize to a new secret:

      • Reset 1 user's secret
      • Reset all users simultaneously

  • B) Temporarily, the policy can be changed so that 2FA is not required for the user(s).

Additional Notes:

  • Mobile devices can store multiple Google Authenticator secrets.
  • Back up your Google Authenticator secret by saving the QR code / number code

Nothing happens with Internet Explorer when clicking delete (or any other button)

The most likely cause of this is an old version of Internet Explorer or Compatibility View being enabled. More information about Compatibility View can be found here:


If disabling Compatibility View doesn't solve your problem and you're running a recent version of Internet Explorer (IE9+), feel free to contact us for support.

NOTE: Internet Explorer may sometimes automatically enable Compatibility View for Intranet.

LDAP Bind Errors (v7+)

For problems with Bind Errors / Authenticating a Directory user, start here: Unable to Bind to LDAP/AD

Active Directory/LDAP Migration Error (v7.4+)

For problems with a Migration error message at Login screen see: Active Directory/LDAP Migration Error

Error System.Exception: ASP.NET AppDomain is shutting down... Reason:

Change Notification for critical directories.

bin dir change or directory rename

HostingEnvironment initiated shutdown

This is due to a Portable Class Library that requires a .NET patch. Simply install the relevant Windows Update to fix this problem. Details in the following link: http://www.paraesthesia.com/archive/2013/01/21/using-portable-class-libraries-update-net-framework.aspx

Pleasant Password Server won't install on Windows 8.1 or Server 2012 R2

It is possible that ASP.NET 4.5 is installed but not enabled. To enable it:

  1. Find Windows PowerShell on your system (in Server 2012 R2, it may already be in your taskbar).
  2. Right-click on the PowerShell icon and select "Run as Administrator".
  3. In the PowerShell window, type

    & ${env:windir}\syswow64\cmd.exe

    Press enter.
  4. Now type:

    %windir%\sysnative\dism.exe /Online /Enable-Feature /FeatureName:NetFx4Extended-ASPNET45

    Press enter. You should get a message that the command was successful.
  5. Close the PowerShell window and run the Pleasant Password Server installer. It should now install successfully.

Missing tabs or features 

Make sure the user is a member of a role that has permission to access those features.  Users may need to sign out and sign back in for permission changes to take effect.

Entry does not appear in search 

SQLite only understands upper/lower case for ASCII characters by default. The LIKE operator is case sensitive by default for Unicode characters that are beyond the ASCII range.

Use IIS instead of IIS Express

Using IIS is possible and is recommended, especially for customers with more advanced environments:

Using IIS as a Reverse Proxy: some customers may wish to know that it is also possible to set up a new IIS site and redirect the incoming TCP requests to the Password Server's IIS Express. This effectively makes IIS a reverse proxy.


Other info: Redirect HTTP Requests to HTTPS

Keyboard not working in Windows Password Reset Client (Windows 8+) 

Press CTRL once to fix the keyboard.

Details: Windows 8/8.1/10 will sometimes mistakenly behave as though CTRL is being held down on the login screen. Because the browser opened by the Reset Client ignores any keys pressed while CTRL is held down, this can make it seem like the keyboard has stopped working. Pressing CTRL forces Windows to acknowledge that CTRL is not being held down.

KeePass for Password Server errors 

Version 6.0.1 - 7.1.19:

PassManClient connection error: Could not load type 'System.Collections.Generic.IReadOnlyDictionary`2' from assembly 'mscorlib, Version=, Culture=neutral, PublicKey Token=b77a5c561934e089'

Verify that you have .NET Framework ≥ 4.5 installed by following these instructions.

Trust Warnings

"Connecting to a new server for the first time..."

KeePass Timeouts do not auto-close Credentials

This behavior is by design in KeePass, and the KeePass explanation for choosing this design is included below.

  • KeePass client: an open dialog disables vault time-out until user closes it.
  • Web client: an open dialog does affect the time-out with a save change message, and does not allow the user to save changes or open other entries, etc.

Users can be reminded to close Vault credentials after use.

The KeePass official FAQ explains this best:

KeePass automatically tries to lock its workspace when Windows is locked, with one exception: when a KeePass sub-dialog (like the 'Edit Entry' window) is currently opened, the workspace is not locked.

To understand why this behavior makes sense, it is first important to know what happens when the workspace is locked. When locking, KeePass completely closes the database and only remembers several view parameters, like the last selected group, the top visible entry, selected entries, etc. From a security point of view, this achieves best security possible: breaking a locked workspace is equal to breaking the database itself.

Now back to the original question. Let's assume an edit dialog is open and the workstation locks. What should KeePass do now? Obviously, it's too late to ask the user what to do (the workstation is locked already and no window can be displayed), consequently KeePass must make an automatic decision. There are several possibilities:

  • Do not save the database and lock.
    In this case, all unsaved data of the database would be lost. This not only applies to the data entered in the current dialog, but to all other entries that have been modified previously.
  • Save the database and lock.
    In this case, possibly unwanted changes are saved. Often you open files, try something, having in mind that you can just close the file without saving the changes. KeePass has an option 'Automatically save database when KeePass closes or the workspace is locked'. If this option is enabled and no sub-dialog is open, it's clear what to do: try to save the database and if successful: lock the workspace. But what to do with the unsaved changes in the sub-dialog? Should it be saved automatically, taking away the possibility of pressing the 'Cancel' button?
  • Save to a temporary location and lock.
    While this sounds the best alternative at first glance, there are several problems with it, too. First of all, saving to a temporary location could fail (for example there could be too few disk space or some other program like virus scanner could have blocked it). Secondly, saving to a temporary location isn't uncritical from a security point of view. When having to choose such a location, mostly the user's temporary directory on the hard disk is chosen (because it likely has enough free space, required rights for access, etc.). Therefore, KeePass databases could be leaked and accumulated there. It's not clear what should happen if the computer is shutdown or crashes while being locked. When the database is opened the next time, should it use the database stored in the temporary directory instead? What should happen if the 'real' database has been modified in the meanwhile (quite a realistic situation if you're carrying your database on an USB stick)?

Obviously, none of these alternatives is satisfactory. Therefore, KeePass implements the following simple and easy to understand behavior:

When Windows is locked and a KeePass sub-dialog is opened, the KeePass workspace is not locked.

This simple concept avoids all the problems above. The user is responsible for the state of the program.

Security consequence: the database is left open when Windows locks. Normally, you are the only one who can log back in to Windows. When someone else logs in (like administrator), he can't use your programs anyway. By default, KeePass keeps in-memory passwords encrypted, therefore it does not matter if Windows caches the process to disk at some time. So, your passwords are pretty safe anyway.




RDP SSO Client crashes on launch (v7.5.2 - 7.5.7)

The RDP SSO Client relies on the existence of a default settings file for RDP that will not exist if the user currently logged into the machine has never used Remote Desktop Connection on that machine before. Start up Remote Desktop Connection and connect to another machine to make sure that defaults are established, then try the Launch RDP SSO link again.


SSO Authentication Errors

The most common causes for Access Denied errors when authenticating with Password Server (PPASS) are:

  • incorrect username or password
  • incorrect unique identifier
  • user does not have SSO permission on that credential


Common causes of wrong username or password when authenticating with the target server are:

  • wrong username or password stored in the PPASS credential


Please check all your settings. If the problem persists, when contacting us for support please provide screenshots of your settings and of what you are doing in the browser or terminal (with confidential info blurred).


After Update, Active Directory/LDAP User Log In/Refresh is Slow (v7+)

Some users have reported that after upgrading from version 6 to 7 their user login times have drastically increased, even when no changes have been made to the AD/LDAP directory settings.
The slowdown is caused by a change in the way Password Server tracks imported users and groups (more details).

Specify an OU

Specifying an OU for Pleasant Password Server users should speed up logins significantly. Querying only the targeted OU allows the permissions check to occur much faster, speeding up the end-user experience.

  • User Directory: server.xxx.yyy/accounts/ppass
  • Group Directory: server/directory/folder/groups/


Users and Roles > Manage Directory > Edit Directory > Import

  • Base Distinguished Name: DC=server, DC=xxx, DC=yyy
  • User Relative DN: OU=ppass, OU=accounts
  • Group Relative DN: OU=groups, OU=folder, OU=directory 

Configurations which Improve Application Performance

See this page for factors affecting the speed of Password Server or clients.


After Update, Home screen shows "loading" and stays there

(version 7.5.15 - 7.6.2)

Some users have reported that after upgrading, the Home screen does not finish loading / stays empty.

  • Clear the browser cache, or refresh the page: CTRL+F5 (PCs), CMD+R (Apple), F5 (Linux)


If this does not resolve the problem:

  • Try a different browser,
  • Check that JavaScript is enabled,
  • Rule out other browser extensions that could be interfering,
  • Reset the browser settings.



Questions about Session Timeout

Use these settings to have users automatically logged out after a specific amount of time.

Web Client - Automatic log out

  • Navigate to the menu Users and Roles > Manage Policies > Actions > Edit > Login Timeout
    Set the timeout to the appropriate amount.

    • Note: For Web clients in versions 7.6 and older, you will need to sign out for this policy to take effect.

KeePass / Mobile / API / etc. - Automatic log out

  • Navigate to the menu Users and Roles > Manage Policies > Actions > Edit > Application Authentication Timeout
    Set the timeout to the appropriate amount.

KeePass (option) - Automatic workspace lock/etc.

  • An inactivity timeout also exists in the KeePass Client
    • Tools menu > Options... > Security tab > "Lock workspace after..." checkboxes (one for KP inactivity, one for global inactivity)

For more information see these sections in the User Policy:
