Steps to Resolution

Model(s) Description
bizhub 224e, bizhub 284e, bizhub 364e, bizhub 454e, bizhub 554e, bizhub 654, bizhub 654e, bizhub 754, bizhub 754e, Failed to Authenticate
bizhub C224, bizhub C224e, bizhub C284, bizhub C284e, bizhub C364, bizhub C364e, bizhub C454, bizhub C454e, bizhub
C554, bizhub C554e, bizhub C654, bizhub C654e, bizhub C754, bizhub C754e

Group Name: Main

Select Option

If AU-211P CAC/PIV then go to Group: AU-211P CAC/PIV, Step: 1

Group Name: AU-211P CAC/PIV

PRELIMINARY CHECKS
Prior to continuing with troubleshooting make sure technician has viewed and utilized the AU-211P CAC/PIV Installation Best Practices guide found on the One
Stop Product support page.

Link to Downloads page:

AU-211P CAC/PIV Installation Best Practices

Verify that Network Time Protocol (NTP) is setup properly and working.
If the date and time on the MFP are off by +3 or -3 minutes from the authentication server, machine will not be able to authenticate. (Time zone settings do not
affect this).

Administrator -> Network Settings -> Detail Settings ->Time Adjustment Setting
Disable Auto IPv6 Retrieval and set Auto Time Adjustment Interval to 12 or 24 hrs (Screen 2).

A Best Practice is to set the Host Name of the NTP Server, instead of the IP address. This confirms that all TCP and DNS settings are correct when you
press [Set Date].

Sometimes communication may fail during NTP adjustment and the machine will not error. In this case make sure to verify that the date and time match, or set
date and time manually.

Note: In some cases, customer may have separate servers for Active Directory, DNS or DHCP, or even backup servers for DNS. Have technician try to use a
different server for NTP.

Verify DNS settings are correct:

Try to PING one of the External AD (Active Directory) servers by FQDN (Fully Qualified Domain Name).
Try to ping Net Time Server or LDAP server by name.

(Example of FQDN: dcserv01.mydomain.mil)

Administrator -> Network Settings -> Detail Settings -> Ping Confirmation

If you can PING a host by name, then DNS is working.

Note: Some locations block PING packets, so this may not work. Check with IT staff first to verify.
Continued...
LDAP Port is incorrect for Software Switch 41 – Needs to be set to SSL LDAP Port

[Service Mode] -> [System 2] -> [Software Switch Setting]

Switch No. -> 41

Please see Software Switch 41 Setting Best Practices for proper Software Switch settings.

Note: while the setting of Hex 0C or Hex 18 may work for some environments they are generally not recommended for DoD accounts and will not usually work.
The setting of Hex 1C is generally used.

External Server may be unavailable, External Server may not be an AD (Active Directory) PKI Server, or name is entered incorrectly.

Verify that External Server has been correctly specified in External Server settings:

[Administrator] -> [User Authentication /Account Track] -> [External Server Settings] -> Select the server -> Select [Edit]

[Server Name]: The name should be generic (i.e. Server1). Do NOT use the actual server name.

[Administrator] -> [User Authentication /Account Track] -> [External Server Settings] -> Select the server -> Select [Edit] -> Select [Server Type] ->
Select [Active Directory]

Check [Domain Name]: If Software Switch 41 has bit 4 set (or Hex 1C), then specify the AD Server in its full context.

Syntax: Servername.subdomain.domainroot
Example: dcserv01.mydomain.mil

Other troubleshooting:

Verify with IT that the user logging in is a valid Active Directory user.

Verify with IT that the AD (Active Directory) User Groups of users affected are configured correctly.

In most CAC/PIV environments, workstations (computers) are also CAC enabled. Verify that the user(s) logging in to the MFP is also able to log in to other
CAC enabled devices in the area.

Have another user try to log into the MFP with their card for testing.