Troubleshooting GAPS

If you're experiencing issues with configuring Google Apps Password Sync (GAPS), first make sure you have completed each of the steps in the GAPS configuration guide correctly. Then see below for common issues with GAPS.

GAPS is synchronizing passwords for some, but not all, of my users
  • Make sure you have installed GAPS successfully on all of your domain's Active Directory servers (Domain Controllers).
    On Microsoft® Windows 2008 and above, you only need to install GAPS on writable Domain Controllers. If you're not sure, install GAPS on all of your DCs; doing so won't cause any issues.
  • Make sure the account privileges for the user whose update failed do not exceed those of your admin account. User accounts with fewer privileges cannot change passwords on accounts with more privileges. For example, an account with admin privileges cannot update passwords for accounts with super-admin privileges.
  • Make sure that your users have email addresses in the attribute you entered under Mail Attribute during configuration, and that these addresses match their Google Apps primary email addresses exactly (including the domain part of the address).
  • Make sure that no password contains unsupported characters (non US-ASCII characters). If a password failed to sync because it contains unsupported characters, GAPS will log a warning to the Windows "Application" event log in addition to the GAPS DLL log:

    Log Name: Application
    Source: Google Apps Password Sync
    Event ID: 40963
    Level: Warning
    Contents: An attempt to change the password for user USERNAME was made. However, the new password contains unsupported characters. The password can not be updated on Google Apps, and will be out of sync with Active Directory.
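
To see which accounts hit this warning on a Domain Controller, you can query the Application log for the event directly. The following is an added example, not part of the original article or of GAPS itself; it assumes PowerShell 3.0 or later with Get-WinEvent (Windows 2008 and above) and extracts the username by matching the message text shown above.

```powershell
# Added example: list accounts whose password change GAPS could not sync
# because of unsupported characters (event 40963, Application log).
# Run on each Domain Controller where GAPS is installed.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Google Apps Password Sync'   # the "Source" shown above
    Id           = 40963
}

# Get-WinEvent raises an error when nothing matches; @() keeps the result
# an empty array in that case so the pipeline below simply emits nothing.
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events | ForEach-Object {
    # Message form: "An attempt to change the password for user USERNAME was made. ..."
    $user = if ($_.Message -match 'password for user (.+?) was made') { $Matches[1] } else { '(unparsed)' }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        DC          = $_.MachineName
        User        = $user
    }
} | Sort-Object User, TimeCreated | Format-Table -AutoSize
```

Each account listed still has its previous password on the Google Apps side until the user sets a new password that uses only US-ASCII characters.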

I'm an Active Directory administrator, but I am not authorized to install or configure GAPS
  • In order to install GAPS, you must be a member of the Domain Admins group. Being a member of the Administrators group does not provide sufficient authorization.
  • You must log in to Windows as a Domain Admin in the same domain as the Domain Controller you are setting up. If you log in as a Domain Admin from a different domain (such as an Enterprise Admin from another domain in the forest, or an admin from a trusted domain), you will not be authorized to install or configure GAPS.

The GAPS installer fails
  • Make sure you are running the installer locally (not over the network).
  • Make sure you have the right version of GAPS for your server's architecture (32-bit or 64-bit).

Google Apps won't let me grant access to GAPS

Make sure you have enabled API access in Google Apps, as described in step 2 of the GAPS configuration guide.

I need help configuring proxy settings for GAPS

GAPS supports proxy connections if you set up system-wide proxy settings on all of your Domain Controllers. To do so:

  1. Make sure the current user's proxy settings are set up correctly by navigating to https://www.googleapis.com in Internet Explorer.
    1. If you are redirected to google.com or see a page saying "Not Found" your proxy settings are probably correct. Make sure you disable Friendly Error Messages to ensure you see the actual web page.
    2. If you see an authentication prompt or certificate error, your proxy settings may not be correct.
  2. Run the appropriate command for your operating system in command prompt (CMD):
    • Windows 2003: proxycfg -u
    • Windows 2008 and above: netsh winhttp import proxy ie
  3. If you are not using a proxy server, but are still encountering proxy-related issues, run the command bitsadmin /util /setieproxy networkservice no_proxy in the command prompt. This command will set Windows to ignore any auto-discovered proxy configuration that may be present in the system.

Note: GAPS supports unauthenticated proxies only. If your proxy requires authentication (Basic, Kerberos, or NTLM), you need to configure it to allow unauthenticated or direct connections from your Domain Controllers to the following destinations:

  • https://www.googleapis.com using port 443 (HTTPS)
  • http://crl.geotrust.com/crls/gtglobal.crl using port 80 (HTTP)
  • http://pki.google.com/GIAG2.crl using port 80 (HTTP)
  • http://g.symcb.com/crls/gtglobal.crl using port 80 (HTTP)

If you're opening the connection by IP address, see Google IP address ranges.

Although GAPS supports proxy connections, you may need to enable a direct connection if you encounter any issues, to make sure they aren't caused by the proxy server. Because proxy configuration depends on your local setup, Google for Work Support won't be able to assist you with configuration. Contact your network administrator if you encounter any proxy issues.

I get a "Network error connecting to Google" error when attempting to authorize

This error indicates that GAPS could not verify your authorization and can occur for a variety of reasons. Check your proxy settings and ensure that your network allows connections to the URLs required by GAPS.

Windows Server 2003 Admins should also make sure that KB938397 is installed, as it enables support for SHA-2 certificates. More information can be found on the Windows PKI blog.

Automatic troubleshooting

You can use the GAPS support tool from Google Code to gather GAPS logs and troubleshooting information from all of your Domain Controllers at once. It connects to all of the writable Domain Controllers in your domain and gathers all of the information listed in the troubleshooting checklist below from each of them (except for network connectivity tests).

Manual troubleshooting checklist
Some of the steps in this list require running console commands. To do so, open a command prompt (CMD) window by clicking on the Start button and navigating to All Programs > Accessories > Command Prompt.

Depending on your system, you may need to right-click Command Prompt and choose Run as administrator so that the command prompt will have the correct privileges.
  • Check if you are a member of the Domain Admins group.
  • List your Domain Controllers:
    Run the command nltest /dclist:youraddomain.com, replacing youraddomain.com with the name of your Active Directory domain.
  • Verify the following steps on each of them:
    1. You have installed GAPS on the server.
    2. You restarted the server after installing GAPS.
    3. You installed the correct edition of GAPS (32-bit or 64-bit).
    4. You can access https://www.googleapis.com using Internet Explorer on the machine (it is OK if this page shows an error or displays "Not Found"). Make sure the page doesn't show a certificate error, and does not present any requests for proxy authentication, as authenticated proxy servers are not supported. Disable Friendly Error Messages to ensure you see the actual web page.
    5. Copy your current user's proxy settings to the system-wide proxy settings:
      With Windows 2003, use the command proxycfg -u.
      With Windows 2008 and above, use the command netsh winhttp import proxy ie.
    6. If you are not using a proxy server, but are still encountering proxy-related issues, run the command bitsadmin /util /setieproxy networkservice no_proxy.
    7. Make sure that the GAPS DLL is registered on the machine by running the command reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v "Notification Packages". The output should include the text password_sync_dll. If it does not, you'll need to re-install GAPS.
    8. Make sure that the GAPS DLL is loaded by running the command tasklist /m password_sync_dll.dll. The process "lsass.exe" should be listed in the results.

      If it isn't, the DLL isn't loaded. Verify that the DLL is registered and that the edition (32-bit or 64-bit) matches the system. If they do, restart the machine so the DLL loads.

    9. Make sure that the GAPS service is started by running the command sc query "Google Apps Password Sync". If it prints:
      • STATE: RUNNING: The service is running.
      • STATE: STOPPED: The service isn't running. Try running the command sc start "Google Apps Password Sync" to start it. If it doesn't start, review the prerequisites again.
      • The specified service does not exist as an installed service: The service isn't installed on the system. Re-install GAPS.
    10. Make sure your network and proxy settings are set up correctly, as described above.
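
Steps 7 to 9 of the checklist can be run in one pass on each Domain Controller. The following is an added example, not part of the original article or the GAPS support tool; it assumes PowerShell 3.0 or later and uses only the registry value, DLL name, and service name given in the steps above.

```powershell
# Added example: checklist steps 7-9 on the local Domain Controller.
# Run from an elevated prompt so tasklist can inspect lsass.exe.
$dllName = 'password_sync_dll'            # text expected in "Notification Packages"
$svcName = 'Google Apps Password Sync'    # name passed to "sc query" above

# Step 7: is the DLL registered as an LSA notification package?
$lsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$packages   = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
$registered = @($packages -match [regex]::Escape($dllName)).Count -gt 0

# Step 8: is the DLL loaded? lsass.exe must appear in the tasklist output.
$loaded = [bool](tasklist /m "$dllName.dll" | Select-String -SimpleMatch 'lsass.exe')

# Step 9: service state; $null means the service is not installed.
$svc   = Get-Service -Name $svcName -ErrorAction SilentlyContinue
$state = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

# Map each failed check to the action the checklist prescribes.
$actions = @()
if (-not $registered) { $actions += 'DLL not registered: re-install GAPS' }
elseif (-not $loaded) { $actions += 'DLL registered but not loaded: verify 32/64-bit edition, then restart' }
if ($state -eq 'NotInstalled') { $actions += 'Service not installed: re-install GAPS' }
elseif ($state -ne 'Running')  { $actions += "Service is ${state}: run sc.exe start `"$svcName`"" }
$summary = if ($actions) { $actions -join '; ' } else { 'none' }

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    DllRegistered = $registered
    DllInLsass    = $loaded
    ServiceState  = $state
    Actions       = $summary
}
```

In PowerShell, `sc` is an alias for Set-Content, so the service commands from the checklist must be typed as `sc.exe` there.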

Where are the logs and configuration file located?

Configuration file:

  • Windows 2003:
    C:\Documents and Settings\All Users\Application Data\Google\Google Apps Password Sync\config.xml
  • Windows 2008 and above:
    C:\ProgramData\Google\Google Apps Password Sync\config.xml

Review this file to inspect your settings.

Service logs:

  • Windows 2003:
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google\Google Apps Password Sync\Tracing\password_sync_service
  • Windows 2008 and above:
    C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Google\Google Apps Password Sync\Tracing\password_sync_service

Review these files if GAPS was configured successfully but all or some of your users' passwords are not being synced.

Configuration interface logs:

  • Windows 2003:
    C:\Documents and Settings\username\Local Settings\Application Data\Google\Google Apps Password Sync\Tracing\GoogleAppsPasswordSync
  • Windows 2008 and above:
    C:\Users\username\AppData\Local\Google\Google Apps Password Sync\Tracing\GoogleAppsPasswordSync

Review these files if you encounter issues during the configuration.

Configuration interface authorization logs:

  • Windows 2003:
    C:\Documents and Settings\username\Local Settings\Application Data\Google\Identity
  • Windows 2008 and above:
    C:\Users\username\AppData\Local\Google\Identity

Review these files if you encounter issues during the Google authorization part of the configuration.

DLL logs:

  • Windows 2003:
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Google\Google Apps Password Sync\Tracing\lsass
  • Windows 2008 and above:
    C:\WINDOWS\system32\config\systemprofile\AppData\Local\Google\Google Apps Password Sync\Tracing\lsass

Review these files if the service logs show no indication of password change attempts (no success and no failure reports).
