Troubleshoot authentication errors in GSPS service logs

Follow the troubleshooting steps below to help resolve Authentication failed errors in your G Suite Password Sync (GSPS) logs. Authentication failed errors with error codes 0x6, 0x203, 0x4, or 0x102 indicate that GSPS is unable to authenticate to your Google domain. This error is usually caused either by local proxy or trusted certificate issues.

Open all   |   Close all

Step 1: Check the service logs

Confirm that there are 0x6, 0x203, 0x4, or 0x102 errors in your GSPS service logs. To find your GSPS service logs, see Where are the logs and configuration files located?.

Open your service log files and look for the error. The error may be 0x6, 0x203, 0x4, or 0x102:

2013-10-11T11:19:05.408+11:00 1d30 E:Generic password_sync_service!ThreeLOLogin::TryAuthorizeRequest @ 678 (user1@example.com)> Authentication failed with error code 0x###

If you see this error, continue to step 2.

Step 2: Configure the proxy settings

Follow the steps in I need help configuring proxy settings for GSPS. The steps there will fix most issues associated with Authentication Failed errors.

If configuring proxy settings didn't resolve the errors, continue to step 3.

Step 3: Review the service authorization logs

Review the service authorization logs and check any error messages found there. If they indicate any secure connection errors or token refresh errors, continue to step 5 to resolve them. For details on the file path of these logs, see Where are the logs and configuration files located?.

If reviewing the service authorization logs hasn't help resolve the errors, continue to step 4.

Step 4: Review your WinHTTP logs

Investigate your network traffic to see if the errors are caused by deeper network, proxy, or trusted certificate issues. GSPS connects to Google via HTTPS. Follow the steps to capture your WinHTTP logs so you can see what's occurring on your network when the error is returned by GSPS.

Note: Your Microsoft® Windows® Server may require different steps to capture your WinHTTP logs. Consult your Microsoft documentation, if required.

Once you've obtained your WinHTTP logs, do the following:

  1. Open the GSPS service logs and find the exact time when the error occurred.
  2. Open the WinHTTP log and find the same time stamp in the log
  3. Search in the WinHTTP log for a line that says Using proxy server:. If you find a line like that in the log, then you've verified that you're using a proxy.

  4. Next, look for an error a few lines below that says ERROR_WINHTTP_CANNOT_CONNECT.

    If you see this error, it means that GSPS is unable to connect to your domain's proxy server. To resolve this issue, either remove the proxy server or repeat the steps listed in I need help configuring proxy settings for GSPS.

Step 5: Check the domain's network certificate

If you see a secure connection error in the service authorization logs, or if you don't see the Using proxy server: log line in WinHTTP logs, then the error is most likely caused by an issue with your server's trusted root certificates.

To resolve this, you'll need to check that your trusted certificates include the correct root certificate authority. See Microsoft's How to view certificates for details. 

Step 6: Check the root certificate authority

If you don't see Equifax Secure Certificate Authority while viewing your network certificate, then you're missing the root certificate authority needed to run GSPS.

To resolve this issue, install the root certificate authority:

  1. Download the first Equifax root certificate authority listed on this site. You can right-click it, then select Save As.
  2. Open a command prompt (CMD) window. Depending on your system, you may need to right-click command prompt and choose Run as administrator, so that the command prompt has the correct privileges.
  3. Run the command:
    certutil -addstore Root %userprofile%\Downloads\Equifax_Secure_Certificate_Authority.pem

    If required, replace %userprofile%\Downloads\Equifax_Secure_Certificate_Authority.pem with the path to the file you saved in step 1.

  4. The command should show a success message similar to this:
    Root
    Signature matches Public Key
    Certificate "OU=Equifax Secure Certificate Authority, O=Equifax, C=US" added to store.
    CertUtil: -addstore command completed successfully.
  5. Open Internet Explorer® and go to https://www.googleapis.com. Make sure you don't get a certificate error (a Google error page or a page saying "Not Found" is OK). 
  6. If you still get an error, try logging out of the user session and logging back in.

    Note: If you're using Remote Desktop, disconnecting the session may not be enough to log out.

  7. Restart the GSPS service by running the command sc stop "G Suite Password Sync" then sc start "G Suite Password Sync", and see if the issue is resolved.

If you're still experiencing issues with GSPS, please contact G Suite support (G Suite only).

Was this helpful?
How can we improve it?