CLE Emergency Access fails

  • 7015895
  • 14-Nov-2014
  • 21-Jan-2016


Self Service Password Reset
SSPR 3.2
SSPR 3.3
Client Login Extension
CLE 3.8
CLE 3.9
Emergency Access


Cache file for emergency access is not created
CLE Emergency Access won't work - no C/R questions appear
Emergency Access fails to present challenge questions
Problem occurs when trying to use the emergency access feature with the workstation off line.
Error  "Unable to retrieve the challenge responses for the user."


Solution 1:

Using the SSPR 3.3 Configuration Editor, set "Enabled" to  "True"  for  "Enable External Web Services" and "Allow Web Services to Read Answers."   These settings are located under "Settings, Web Services, Rest services."  

With SSPR 3.2 similar settings are found in SSPR Configuration Editor under
Settings, Integration/ Developer."

Solution 2:

If using CLE 3.9 to connect to an SSPR 3.2 server,  disable TLS1.2 per  KB 7016836 at

Solution 3:

Make sure the LDAP and HTTPS certificates used with the SSPR server are valid  per KB 7014508   at  (see additional information section for an explanation of the certificates involved with SSPR).  It may also be necessary to import the HTTPS certificate into the browser.

Solution 4:

Update the certificate in the GPO used for file encryption.   This certificate is located in the "Default" domain Policy, "Public Key Policies (or Public Key Policies / Encrypting File System depending on tool used), Encrypted Data Recovery Agents."

Solution 5:

This solution applies only for remote users.  On remote workstations, make a VPN connection to the network before answering the SSPR challenge questions as follows:
1) Login in to the remote workstation off line
2) Connect to the network over a VPN
3) Switch user
4) Login as the user that you want to configure for emergency access

This is necessary because CLE must be connected to the network in order to capture the SSPR challenge responses, and CLE is only active on the workstation during login time.

Additional Information

Emergency Access creates an encrypted cache file containing the user's SSPR challenge responses in C:/Windows/system32/cache  after the user answers the SSPR challenge questions.  To create this file CLE attaches to the SSPR server and reads the challenge responses for the specified user.  This read requires a secure connection per solutions 2 and 3.  Note that CLE is only active on the workstation during login.

The emergency access cache file is encrypted with the "encrypted data recovery agents" certificate.  Active Directory uses this certificate to encrypt all encrypted files on workstations joined to the domain. When the Emergency Access cache file is created, the  "Create File" operation is specified with "Encryption Attribute."  If the encryption fails the cache file will not be created.

Use the following steps to troubleshoot the "encrypted data recovery agents" certificate: 
•    Create a new text document on a problem workstation where CLE is installed
•    Go to the properties of this new text document and click the "Advanced" button on the "General" tab.
•    Click the “Encrypt contents to secure data” check box option in the popup and then click OK.
•    Click Apply
•    Select the “Encrypt file only” check box option in the popup and click OK.
•    If there are problems with the certificate an “Invalid Recovery Certificate” error will be returned


The following third party articles may help resolve the “Invalid Recovery Certificate” error: