Common Issues

Use KeePass with Pleasant Password Server

Also see FAQ for basic questions and Troubleshooting for tools to help diagnose problems.

Have Questions?  Contact Us!

Getting more detailed log information

Startup - Service/Site:

IISExpress Service did not start 
IIS Hosting Troubleshooting
Website didn't load


Upgrade Problems 

Login / Connectivity:

Cannot Login / Unable to Authenticate
LDAP/AD Bind Errors
Trust Warnings - Connecting to a new server  (KeePass client)
2FA Authenticator error - Invalid Two-Factor Token error
2FA "Two-Factor Required" error
LDAP Connection issue on Windows 2019 Domain Controllers


Can Only Grant Read-Only Permissions  (v7.6.6+)
Cannot Grant Access
Restore Access Inheritance
Refresh Access Permissions


Cannot Login / Unable to Authenticate
LDAP/AD Bind Errors
Import Users or Groups are missing
Active Directory/LDAP Migration Error  (v7.4+)
Unable to Import

Reset Users:

Problems Resetting User Password  (Reset)


Test emails do not get sent
Notification emails do not get sent


Trust Warnings - Connecting to a new server...
KeePass The composite key is invalid
KeePass Export Operation is Not Allowed by the Application Policy
KeePass for Password Server errors
PassManClient Connection Error
Timeouts do not auto-close Credentials

KeePass Export


Nothing happens with Internet Explorer when clicking delete (or any other button)
After Update, home screen shows "loading" and stays there


Missing tabs or features
Hiding tabs in PPASS Menu
Entry does not appear in search
Using IIS instead of IIS Express


Slowness: After Update, AD/LDAP User Login/Refresh
Configurations which Improve Application Performance


SSO Authentication Errors
RDP SSO Client crashes on launch (v7.5.2+)
Unable to complete SAML single sign on Request


ASP.NET AppDomain is shutting down

Removing Audit Records
Problem installing Pleasant Password Server (Windows 8.1 or Server 2012 R2)
Keyboard not working in Windows Password Reset Client (Windows 8+)
Questions About Session Timeout
Approval Notification has a Grammar Error
Configuring Test Emails - SMTP - Account is not valid
Minor issue with PPASS server v5 API StatusCodeError: 500 (v7.9.28)

NLog not properly archiving files with dates




Getting more detailed log information

Follow these instructions to get more detailed logging information or to view the log files.


Service did not start up

Please Note:

  • When Upgrading: There may be a delay in the service startup while the database is converted to the new version. 
    • See more details in Upgrading: sections "Step 5" and "Problems?"

Sometimes the machine may have a lock on a file, and require a reboot. This is especially so in combination with Windows Updates, that where a restart / reboot is required.

Hosting with IIS (extra setup):

  • If you are hosting the site with IIS, make sure to stop and disable the IISExpress service. This can also be stopped with an End Task, using the Windows Task Manager. Also see IIS Troubleshooting.

Hosting with IISExpress service (default):

  • Please make sure that the IISExpress.exe process is first shutdown (in task manager), before re-starting the service. This task will be automatically started along with the server startup.

Additional Checks:

  • 1) View the file error logging details, which may often show the cause the problem.

    • Open these files and scroll to the bottom, looking for any errors: Weblogs.txt and PleasantPasswordServerLog.txt 
    • You can forward these to Support via email.
  • 2) There may be an error related to Certificates or SSL:

    • Check that the Certificate is properly imported and seated in the Service Config utility and the computer Certificate Store.

    • There may be a problem with the Certificate port association, or it may also resolve by just re-importing your Certificate.
      • Re-import your Certificate with the Service Config utility (found in Windows Start menu > Programs > Pleasant Password Server > Service Configuration).

      • Otherwise, if there is still a certificate related error:
        • Open a command prompt and run: netsh http del sslcert ipport=

  • 3) Please also see the PowerShell / taskkill commands mentioned here:

  • 4) Rarely this could be an issue with IISExpress, a component that is started along with the Pleasant Server.

    • Option A) To resolve simply try to repair the IISExpress install.

    • Option B) As a last resort, if option A above still does not help:

      • Uninstall both Pleasant Password Server (which will leave your database intact with your admin settings) and
      • Uninstall IISExpress
      • Rename the Password Server program folder
      • Then re-install Pleasant Password Server. This will also install a new version of IISExpress.

If you continue to have trouble, please email Support with your Detailed Logs and a description of your situation.

Website didn't load

Problems? If the web site won't load,

  • Check that the installation/upgrade is complete and hasn't reported errors in the logs
  • Make sure Password Server isn't sharing a port with anything else:
    1. Stop the Password Server service.
    2. Click Start, type cmd, right-click Command Prompt, then click Run as administrator.
    3. From the prompt, run netstat -b -p TCP -q. If you see anything ending in :10001 in the Local Address column, either switch the software using 10001 to another port or switch Password Server itself.

If you continue to have difficulty, please Contact Us!


Can Only Grant Read-Only Permissions

(versions 7.6.6+)

Relevant only if upgrading from a version previous to 7.6.6.

If your Administrators or users:

  • Cannot change the User Access except to Read-only, or
  • Cannot add entries in the mobile client

This change has been caused by a security improvement in version 7.6.6. To resolve:

  • Please edit your Access Levels: Full, Full + Grant, Full + Grant + Block
  • Set “Grant” for "View User Access" to True

Alternative method: If your organization has never added new Access levels or changed the existing Access levels:

  • Click Reset Access Levels, which will also achieve the same results.

Previously this setting was not required for granting/removing permissions, but has been changed for this version (as per Release Notes for 7.6.6).

This will allow  as for your expectations.

If you have additional questions or concerns, please Contact Us!

Can Not Grant Access

We use the User Access window to provide the security access to users. This has changed in version 7.9.


  • To open User Access, will need to have been given an Access Level with the View User Access permission.

Basic Steps

  1. Open the User Access window,
  2. Choose "Users" or "Roles" from the "Add Access for" dropdown,
  3. Then in the next field, type or select the User/Role you wish to give access to.

Wiki Guide - Please review the instructions for granting access, examples here:


  • Is scripting disabled in your web browser?
  • Are you using the IE browser with either Compatibility View (displayed in Address Bar) or Enable Protected Mode (in Tools > Security tab).

If you continue to have difficulty, please Contact Us and provide:

  • Version #
  • Screenshots of your User Access screen and Access Level screen.


Restore Access Inheritance

(versions 6.4.13+)

If you block access inheritance on entry/folder X without first ensuring you have the Set Block Inheritance permission set directly on X (rather than inherited from an ancestor), you'll only be able to remove the block by editing your database as follows:

  1. Open your database
    • For SQLite
      • Stop the "Pleasant Password Server" service
      • Open your database in SQLiteManager (as administrator)
        • Open SQLiteManager with a right-click, "Run as administrator". This avoids the "Database is read only" error.
  2. Open the SQL tab and run the following command (assumes that the blocked entry/folder is uniquely named; if not, the WHERE clause will need to use rowid or Id rather than Name):

    UPDATE "CredentialObject"
    SET "PermissionInheritanceBlocked" = 0

  3. Refresh the folder tree visibility:
    DELETE from "CredentialObjectVisibilityAccessRow";
    DELETE from "CredentialObjectVisibility";
  4. For SQLite
  5. Re-add the User Access directly to the specific folder (or entry) you just restored.

    NOTE: If you notice the Block Access Inheritance  button has disappeared you can restore it by:
  6. Right-click the folder (where the block inheritance button is missing) > Click Move > Select the folder it is currently in


Refresh Access Permissions

(versions 7.9.13+)

When Restoring inheritance we refresh the Access data with the steps below.

This may be also helpful is some other rare instances, when: for example, the actual access does not seem to align with the User Access, or folders remain hidden.

  1. Stop the "Pleasant Password Server" service
  2. Open your database in SQLiteManager (as administrator)
    • Open SQLiteManager with a right-click, "Run as administrator". This avoids the "Database is read only" error.
  3. Refresh the folder tree visibility:
    DELETE from "CredentialObjectVisibilityAccessRow";
    DELETE from "CredentialObjectVisibility";
  4. Start the Password Server service


2FA Authenticator App gets Invalid Two-Factor Token error

Error: "Invalid Token"

The Authenticator protocol is time-based. If your Server, Device, or App is out of sync by even by 30 seconds, this will cause problems:

  • Check the server time
  • Check the device time

This should be the only problem for users using Authenticator apps.

Still a problem?

1. Watch the clocks simultaneously count up the minutes and seconds. Set the time.

2. Workarounds -- if your users are still having difficulties with their secret, you can take these actions:

  • A) Reset their Google Authenticator secret:
    • Reset Two-Factor Secret

    • This will allow users to enroll again and synchronize to a new secret:

      • Reset 1 user's secret
      • Reset all users simultaneously
  • B) Temporarily, the policy can be changed so that 2FA is not required for the user(s).

  • C) Sync the time in the Authenticator App itself.

Additional Notes:

  • Backup your Google Authenticator secret by saving the QR code / number code
  • Mobile devices can store multiple Google Authenticator secrets. 


Two-Factor Required error

If you enable the option to Require Two Factor Authentication without first configuring a provider, users will be able to log in until this requirement is removed.

Two-Factor Required Two-factor verification is required but has not been configured. Please contact your website administrator.

In this case the administrator should contact us for information to resolve this configuration problem.

Nothing happens with Internet Explorer when clicking delete (or any other button)

The most likely cause of this is an old version of Internet Explorer or Compatibility View being enabled. More information about Compatibility View can be found here:

If disabling Compatibility View doesn't solve your problem and you're running a recent version of Internet Explorer (IE9+), feel free to contact us for support.

NOTE: Internet Explorer may sometimes automatically enable Compatibility View for Intranet.

LDAP Bind Errors

For problems with Bind Errors / Authenticating a Directory user, start here: Unable to Bind to LDAP/AD

LDAP Connection issue on Windows 2019 Domain Controllers

Windows 2019 has provided a couple of patches for a connection bug with their Windows 2019 Domain Controllers. This is not isolated to Password Server, but includes other Microsoft users in general.

This fix is available here:


For further information, and to keep updated with the progress of this issue:


Active Directroy/LDAP Migration Error

(versions 7.4+)

For problems with a Migration error message at Login screen see: Active Directory/LDAP Migration Error

Error System.Exception: ASP.NET AppDomain is shutting down... Reason:

Change Notification for critical directories.

bin dir change or directory rename

HostingEnvironment initiated shutdown

This is due to a Portable Class Library that requires a .Net patch.  Simply install the relevant Windows Update to fix this problem.  Details in the following link:


Removing Audit Records

For now audit records can be removed as needed.

These can also be filtered out by Username or UserID

- Contact us for any help needed with this technical process and we will respond ASAP



Pleasant Password Server won't install on Windows 8.1 or Server 2012 R2

It is possible that ASP.NET 4.5 is installed but not enabled. To enable it:

  1. Find Windows PowerShell on your system (in Server 2012 R2, it may already be in your taskbar).
  2. Right-click on the PowerShell icon and select "Run as Administrator".
  3. In the PowerShell window, type

    & ${env:windir}\syswow64\cmd.exe

    Press enter.
  4. Now type:

    %windir%\sysnative\dism.exe /Online /Enable-Feature /FeatureName:NetFx4Extended-ASPNET45

    Press enter. You should get a message that the command was successful.
  5. Close the PowerShell window and run the Pleasant Password Server installer. It should now install successfully.

Unable to Import

Pleasant.Identity.Mvc.Controllers.IdentityControllerBase Pleasant.Identity.IdentityOperationException: Unable to import 1 users. 0 slots remaining.

The above error message is letting you know that you don't have anymore Users on your License. You must delete a user or upgrade your license (e.g. from 10 to 20) in order to be able to import more users.



Missing tabs or features 

Make sure the user is a member of a role that has permission to access those features.  Users may need to sign out and sign back in for permission changes to take effect.


Hiding tabs in PPASS Menu

 Hiding tabs is possible, however is not available in trial mode. Once the license is activated these can be hidden.


SSO Server tab


Contracts tab

  • Settings > Appearance > Show contracts tab > Choose "Selected users"
    • Available for Enterprise+ and higher license keys.

Entry does not appear in search 

SQLite only understands upper/lower case for ASCII characters by default. The LIKE operator is case sensitive by default for unicode characters that are beyond the ASCII range.

Use IIS instead of IIS Express

Using IIS is possible and is recommended, especially for customers with more advanced environments:

Using IIS as a Reverse Proxy: some customers may wish to know that it is also possible to setup a new IIS site and redirect the incoming TCP requests to the Password Server's IIS Express. This effectively makes IIS a reverse proxy.


Other info: Redirect HTTP Requests to HTTPS

Keyboard not working in Windows Password Reset Client (Windows 8+) 

Press CTRL once to fix the keyboard.

Details: Windows 8/8.1/10 will sometimes mistakenly behave as though CTRL is being held down on the login screen. Because the browser opened by the Reset Client ignores any keys pressed while CTRL is held down, this can make it seem like the keyboard has stopped working. Pressing CTRL forces Windows to acknowledge that CTRL is not being held down.

KeePass for Password Server errors 

Trust Warnings 

"Connecting to a new server for the first time..."

(see the Trust Warning wiki page)

KeePass Export operation is not allowed by the application policy

View sections here to re-enable / restrict exporting passwords:

PassMan Client Connection Error

Version 6.0.1 - 7.1.19:

PassManClient connection error: Could not load type 'System.Collections.Generic.IReadOnlyDictionary`2' from assembly 'mscorlib, Version=, Culture=neutral, PublicKey Token=b77a5c561934e089'

Verify that you have .NET Framework ≥ 4.5 installed by following these instructions.

KeePass Timeouts do not auto-close Credentials

This is designed this way by KeePass after some consideration, and there is a KeePass explanation for choosing this design (included below).

  • KeePass client: an open dialog disables vault time-out until user closes it.
  • Web client: an open dialog does effect the time-out with a save change message, and does not allow the user to save changes or open other entries, etc.

Users can be reminded to close Vault credentials after use.

The KeePass offical FAQ explains this best:

KeePass automatically tries to lock its workspace when Windows is locked, with one exception: when a KeePass sub-dialog (like the  'Edit Entry' window) is currently opened, the workspace is not locked.

To understand why this behavior makes sense, it is first important to know what happens when the workspace is locked. When locking, KeePass completely closes the database and only remembers several view parameters, like the last selected group, the top visible entry, selected entries, etc. From a security point of view, this achieves best security possible: breaking a locked workspace is equal to breaking the database itself.

Now back to the original question. Let's assume an edit dialog is open and the workstation locks. What should KeePass do now? Obviously, it's too late to ask the user what to do (the workstation is locked already and no window can't be displayed), consequently KeePass must make an automatic decision. There are several possibilities:

  • Do not save the database and lock.
    In this case, all unsaved data of the database would be lost. This not only applies to the data entered in the current dialog, but to all other entries that have been modified previously.
  • Save the database and lock.
    In this case, possibly unwanted changes are saved. Often you open files, try something, having in mind that you can just close the file without saving the changes. KeePass has an option 'Automatically save database when KeePass closes or the workspace is locked'. If this option is enabled and no sub-dialog is open, it's clear what to do: try to save the database and if successful: lock the workspace. But what to do with the unsaved changes in the sub-dialog? Should it be saved automatically, taking away the possibility of pressing the 'Cancel' button?
  • Save to a temporary location and lock.
    While this sounds the best alternative at first glance, there are several problems with it, too. First of all, saving to a temporary location could fail (for example there could be too few disk space or some other program like virus scanner could have blocked it). Secondly, saving to a temporary location isn't uncritical from a security point of view. When having to choose such a location, mostly the user's temporary directory on the hard disk is chosen (because it likely has enough free space, required rights for access, etc.). Therefore, KeePass databases could be leaked and accumulated there. It's not clear what should happen if the computer is shutdown or crashes while being locked. When the database is opened the next time, should it use the database stored in the temporary directory instead? What should happen if the 'real' database has been modified in the meanwhile (quite a realistic situation if you're carrying your database on an USB stick)?

Obviously, none of these alternatives is satisfactory. Therefore, KeePass implements the following simple and easy to understand behavior:

When Windows is locked and a KeePass sub-dialog is opened, the KeePass workspace is not locked.

This simple concept avoids all the problems above. The user is responsible for the state of the program.

Security consequence: the database is left open when Windows locks. Normally, you are the only one who can log back in to Windows. When someone else logs in (like administrator), he can't use your programs anyway. By default, KeePass keeps in-memory passwords encrypted, therefore it does not matter if Windows caches the process to disk at some time. So, your passwords are pretty safe anyway.



KeePass Export Errors

The composite key is invalid! Make sure the composite key is correct and try again

The export password you want to use is:


For further information about exporting passwords please see our wiki:


RDP SSO Client crashes on launch (v7.5.2 - 7.5.7)

The RDP SSO Client relies on the existence of a default settings file for RDP that will not exist if the user currently logged into the machine has never used Remote Desktop Connection on that machine before.   Start up Remote Desktop Connection and connect to another machine to make sure that defaults are established, then try the Launch RDP SSO link again.


SSO Authentication Errors

The most common causes for Access Denied errors when authenticating with Password Server (PPASS) are:

  • incorrect username or password
  • incorrect unique identifier
  • user does not have SSO permission on that credential


Common causes of wrong username or password when authenticating with the target server are:

  • wrong username or password stored in the PPASS credential


Please check all your settings. If the problem persists, please provide us with screenshots of your settings when contacting us for support and what you are doing in the browser or terminal (confidential info blurred).



After Update, Active Directory/LDAP User Log In/Refresh is Slow (v7+)

Some users have reported that after upgrading from version 6 to 7 their user login times have drastically increased, even when no changes have been made to the AD/LDAP directory settings.
The slowdown is caused by a change in the way Password Server tracks imported users and groups (more details).

Specify an OU

Specifying an OU for Pleasant Password Server users should speed up logins significantly. Only quering the targeted OU is allows the permissions check to occur much faster, speeding up the end-user experience.

  • User Directory:
  • Group Directory: server/directory/folder/groups/


Users and Roles > Manage Directory > Edit Directory > Import

  • Base Distinguished Name: DC=server, DC=xxx, DC=yyy
  • User Relative DN: OU=ppass, OU=accounts
  • Group Relative DN: OU=groups, OU=folder, OU=directory 

Configurations which Improve Application Performance

See this page for factors affecting the speed of Password Server or clients.


After Update, Home screen shows "loading" and stays there

(version 7.5.15 - 7.6.2)

Some users have reported that after upgrading, the Home screen does not finish loading / stays empty.

  • Clear the browser cache, or refresh the page:  CTRL+F5 (PC's)    CMD+R (Apple)    F5 (Linux)


If this does not resolve the problem:

  • Try a different browser,
  • Check that JavaScript is enabled,
  • Rule out other browser extensions that could be interfering,
  • Reset the browser settings.



Questions about Session Timeout

To adjust for users to be automatically logged out the user after a specific amount of time.

Web Client - Automatic log out

  • Navigate to the menu Users and Roles > Manage Policies > Actions > Edit > Login Timeout
    Set the timeout to the appropriate amount.

    • Note: For Web clients in versions 7.6 and older, you will need to sign out for this policy to take effect.

KeePass / Mobile/ API / etc. - Automatic log out

  • Navigate to the menu Users and Roles > Manage Policies > Actions > Edit > Application Authentication Timeout
    Set the timeout to the appropriate amount.

KeePass (option) - Automatic workspace lock/etc.

  • An inactivity timeout also exists in the KeePass Client
    • Tools menu > Options... > Security tab > "Lock workspace after..." checkboxes (one for KP inactivity, one for global inactivity)

For more information see these sections in the User Policy:


Approval Notification has a Grammar Error

Approval notifications may have a grammar error when granting permanent access, which could confuse some users:

"... has granted you Full access that will expire on with comment:"


Suggested wording could instead be change to display like this:

Approved Request
Your request for Full access to \Root\Departments\Folder has been approved by Approver.

Approver has granted you Full access.

- Expiry Date:
- Comment: Approval granted...

You can access the requested object with the link below:

Change the notification text here:

  • Advanced > Email Templates > Click the "Approved Request" template link
  • Click the </> button (to View HTML)
  • Copy and paste the following:
<h3>Approved Request</h3>  
<p>Your request for {{ RequestedAccessLevelName }} access to {{ RequestedObjectPath }} <strong>has been approved</strong> by {{ ApprovingUserName }}.</p>
<p>{{ ApprovingUserName }} has granted you {{ ApprovedAccessLevelName }} access.</p>
<li><strong>Expiry Date:</strong> {{ ExpireDate }} </li>
<li><strong>Comment:</strong> {{ ApproverComment }}</li>
</ul> <p>You can access the requested object with the link below:</p>
<p><a href="{{ RequestedObjectUrl }}">{{ RequestedObjectUrl }}</a></p>
  • Click Update


Test Emails - SMTP - Account is not valid Error

Try enabling Trace email logging to get a little more details.

Try manually re-entered the SMTP Username even if it was entered correctly. This has been known to fix the issue.


API v5 StatusCodeError: 500

This error is particular to the version 7.9.28, when using API v5 to integrate with other software. A fix of this issue has been added in 7.10.4.

To resolve in this version, include a "X-Pleasant-Client-Identifier" header that is a valid GUID with one of the following formats:

  • 32 digits:  00000000000000000000000000000000
  • 32 digits separated by hyphens:  00000000-0000-0000-0000-000000000000
  • 32 digits separated by hyphens, enclosed in braces:  {00000000-0000-0000-0000-000000000000}
  • 32 digits separated by hyphens, enclosed in parentheses:  (00000000-0000-0000-0000-000000000000)

Where the digits are 0-9, A-F.

NLog not properly archiving files with dates

Password Server uses a logging tool called NLog. Currently there is a bug with the nlogger which does not properly archive files with dates in the filename.

Use the following steps to fix. Please not that these changes will be over-written when you upgrade to a new version. So you will have to remember to re-apply these steps (until the problem is fixed).

1) Stop the Pleasant Password Service:

2) Open the file NLog.config with administrative access (by default, found here):
C:\Program Files (x86)\Pleasant Solutions\Pleasant Password Server

3) Find references to archiveFileName

4) Remove the reference to shortdate ("_${shortdate}") in the archiveFileName. The lines should look like this:

5) Save the file, and restart the Pleasant Password Service.

6) Delete or move the old logs.

From now on, the logs:

  • will be saved with the new filename,
  • will store 10 files by default, and
  • will delete anything older.