Registering & Logging In

To get started with the app, you need to install it, pass the registration and log in.

During registration, new login credentials are created and the first login to the app takes place. At this point, personal encryption keys are created, which will be used to encrypt all your correspondence (later they can be protected with an additional password).

After registration, you can log in to the app on an unlimited number of desktop and mobile devices.

Ways to Log In to the App

Registration and logging in to the app can be done in different ways. If registration without a phone number is enabled by your administrator and corresponding login methods are available, you will see the following buttons on the app's log in screen:

• 🏁 QR code. If you are already logged in to the app on another device, you can quickly log in to the app on your current device using the QR code. This functionality is available to all corporate and non-corporate users with any server settings.
• 📞 Phone and credentials. If you register with eXpress using your mobile phone number, you can communicate in the app as a public user. However, some functions will be limited (for example, you will not be able to create conferences), until you upgrade your account to a corporate one. If you use a dedicated custom ETS client app (not eXpress), logging in to a corporate account is mandatory. You can log in again and do it on other devices using your mobile phone number or QR code. In outdated versions of the application or if registration without a mobile phone number is disabled, this is the only available registration and login method.
  
  ⚠️ It is highly recommended to perform registration using this method! Registration with the use of mobile phone number additionally protects your account and allows you to save your correspondence in case of changing your credentials (login). You can add a mobile phone number later, but only if there is no account already associated with it.
• ✉ Corporate email. To register using corporate e-mail in eXpress or in a dedicated custom ETS client app, a corporate account shall be prepared in advance and simplified authentication must be pre-configured for your organization. You can get your login credentials from your organization. You cannot register as a non-corporate (public) user using this method. You can log in again and do it on other devices using your e-mail (simplified authentication must be pre-configured for your organization), corporate server address or QR code. The app for Aurora OS is not supporting this method yet.
• 💼 Corporate server address. To register using corporate server address in eXpress or in a dedicated custom ETS client app, a corporate account shall be prepared in advance and simplified authentication must be pre-configured for your organization — you can get your login credentials from your organization. You cannot register as a non-corporate (public) user using this method. You can log in again and do it on other devices using your e-mail (simplified authentication must be pre-configured), corporate server address or QR code. The app for Aurora OS is not supporting this method yet.

If registration without a phone number is disabled in your organization, or your app's version is outdated, the app's log in screen will contain a field for entering a mobile phone number with a Login with QR code button.

Where Can I Get a Corporate Account?

You cannot create a corporate account on your own. Contact your organization's support to set up a corporate account, provide access on your workstation and provide instructions on how to use the app. You can verify your corporate e-mail, Login, password, domain and other data, as well as check the availability of your account on the corporate server by contacting your organization's support.

Here is described the classic registration and authentication scheme using a mobile phone number.

Authentication Scheme Using a Phone Number

1. Entering a Mobile Phone Number

Enter your phone number to receive a verification code via SMS. Your HUID and encryption keys will be associated with it. If it is configured, you may also be required to pass an additional Captcha check to ensure you are not a robot.

❓Related Topics:
• “The server is temporarily unavailable” Error when Requesting an SMS Code
• “Please use special application” Error
• “URL not supported” Error when Requesting an SMS Сode on iOS
• “SSL error” or “Server connection error” on Android

2. Entering the SMS Verification Code

Enter the verification code from the SMS. After that, your personal encryption keys will be created on RTS and/or ETS alongside with your personal account.

❓Related Topics:
• The SMS Code is Incorrect or Does Not Arrive
• unhandled_service_error | “An error occurred” when Entering the SMS Verification Code

3. Specifying User Name and Uploading an Avatar (eXpress Only)

Next, enter your name and upload an image for your personal account avatar on RTS. This step is only available in the eXpress app. You can change the avatar of the corporate account later in the profile settings, if it is allowed by the administrator.

4. Entering E-mail Address

The system will search for your organization's server using your corporate e-mail address.


After successfully detecting the server, depending on your organization's server settings, you will need to select a server (you can get help with that from your organization's support team) and proceed to the next step, either enter your credentials to connect to the server, or confirm your e-mail with a code from the e-mail, or enter the server address manually (you can also check it with your organization's support team).

The eXpress app may have a Skip button that will log you in to the public server as a “green” user. In the eXpress Corporate Desktop app, clicking this button will prompt you to enter the corporate server address, since eXpress Corporate does not allow you to register on a public server. A dedicated branded ETS client app does not have the Skip button.

For Administrators: Explanation of This Step

On this step, the system automatically searches for URL domains that match the e-mail addresses/domains provided on RTS or ETS (if this has been configured) for simplified authentication, a feature where e-mail domains are mapped to server URLs (hosts) so users don't have to manually enter server information. With the help of this function the corresponding server is suggested when appropriate e-mail address is entered.

• If simplified authentication has been configured for e-mail and the user has been found on the server, the corporate server authentication screen will open (if several hosts are found, it is necessary to select the desired server first). The next step is 5.1 Authentication on the Server (Short Path).
• If simplified authentication has not been configured for e-mail, the user was not found on the server, or they clicked the Skip button (this button is only available in eXpress and only when logging in from the phone number entry screen), then:
  • in the eXpress app, the user will log in to the public server as a “green” user.
  • in a dedicated custom ETS client app or when logging in via Settings (avatar button above the chat list) > Profile > Corporative information > Connect, the user will proceed to step 5.2 Entering Address and Authenticating on the server (Long Path).

5.1 Authentication on the Server (Short Path)

Enter your connection details to the corporate server, and depending on the server authentication method, you will need to enter your credentials or a code from your e-mail. When you log in again, you can quit the corporate server.

For Administrators: Explanation of This Step

What the user will see depending on the authentication method:

• NTLM: login and domain are filled; the user is prompted to enter domain password.
• Email: the user is prompted to enter the verification code sent to their e-mail.
• OpenID: the user is prompted to enter their corporate data in the KeyCloak form.
  If a user is experiencing errors on the KeyCloak form screen, you will need to check their corporate account in Keycloak.

If you log in to the app again and click the Logout button at this step, a logout request will be sent to the corporate server, and the data for contacting the administrator will be displayed on the screen. If the corporate server administrator confirms the logout, you will need to log in to the app again to be able to use it. In some cases you will be able to log back in to the same corporate server (e.g. if your corporate account has not been deleted). The only condition is that you need to log back in on the same device you logged out on.

5.2 Entering Address and Authenticating on the Server (Long Path)

You will see these screens if you entered your e-mail and simplified authentication was not pre-configured for your e-mail, the user was not found on the server in a dedicated custom ETS client app, or if in the eXpress app you select 
Settings (avatar button above the chat list) > Profile >
Corporative information >
Connect.

1. Enter the corporate server address.
2. Enter your connection details to the corporate server, and depending on the server authentication method, you will need to enter your credentials or a code from your e-mail. When you log in again, you can quit the corporate server.
   For Administrators: Explanation

   What the user will see depending on the authentication method:

   • NTLM: login and domain are filled; the user is prompted to enter domain password.
   • Email: the user is prompted to enter the verification code sent to their e-mail.
   • OpenID: the user is prompted to enter their corporate data in the KeyCloak form.
     If a user is experiencing errors on the KeyCloak form screen, you will need to check their corporate account in Keycloak.
If the data entered on this screen is incorrect, or if the user does not exist, an error will be displayed. If the data is correct, you will be taken to one of the following screens:
• 6. User Agreement and PIN Code, if you need to accept the user agreement and set a PIN code to log in.
• 7. Entering Personal Password for Additional Protection, if no user agreement and PIN code are required and you have a personal password for the encryption keys.
• 8. Opening the Chat List or the Main Page, if the user agreement and PIN code are not required and you do not have a personal password for the encryption keys.
If you log in to the app again and click the Logout button at this step, a logout request will be sent to the corporate server, and the data for contacting the administrator will be displayed on the screen. If the corporate server administrator confirms the logout, you will need to log in to the app again to be able to use it. In some cases you will be able to log back in to the same corporate server (e.g. if your corporate account has not been deleted). The only condition is that you need to log back in on the same device you logged out on.

❓Related Topics:
• “Corporate e-mail not found” Error when Entering E-Mail
• Incorrect Login or Password for Corporate Account
• Maximum Number of Authentication Attempts Exceeded
• “User not found”, “User not registered on the server”
• “The user is already registered”, “This login is already used”, “This user is already in the system”
• “Network error, check your connection to the server”, “The server with the specified hostname could not be found”
• “The specified host is unreachable”
• “Error loading public keys” on iOS
• “Error while connecting to Active Directory via NTLM”
• “Request_invalid_signature” Error when Logging In to Corporate Server
• “SSL error” or “Server connection error” on Android
• Error creating a profile | Cannot decrypt RTS access token

6. User Agreement and PIN Code

If it is configured on a corporate server, set a PIN and accept the User Agreement.

7. Entering Personal Password for Additional Protection

If you have a personal password for the encryption keys, you will need to enter it. For details about this password, follow this link.

8. Opening the Chat List or the Home Page

Done! You have logged in to the corporate server.

Authentication scheme using your corporate e-mail address. You don't need to enter your mobile phone number. A corporate account must be ready, and simplified authentication (suggests) must be configured on RTS or ETS.

⚠️ This log in method is temporarily not supported by the app for Aurora.

Authentication Scheme Using a Corporate E-mail

1. Entering E-mail Address

The system will search for your organization's server using your corporate e-mail address. After that, depending on your organization's server settings, you will need to select a server (you can get help with that from your organization's support team) and proceed to the next step, either enter your credentials to connect to the server, or confirm your e-mail with a code from the e-mail, or enter the server address manually (you can also check it with your organization's support team).

For Administrators: Explanation of This Step

On this step, the system automatically searches for URL domains that match the e-mail addresses/domains provided on RTS or ETS (if this has been configured) for simplified authentication, a feature where e-mail domains are mapped to server URLs (hosts) so users don't have to manually enter server information. With the help of this function the corresponding server is suggested when appropriate e-mail address is entered.

• If simplified authentication has been configured for e-mail and the user has been found on the server, you will be taken to the screen Authenticating the User on the Server and Discovering the Phone Number (if several hosts were found, you need to select the desired server before doing this).
• If simplified authentication has not been set up for your e-mail, you will see the error “Corporate e-mail not found”.

2. Authenticating the User on the Server and Discovering the Phone Number

On this screen, you need to enter your authentication details, after which the system checks if your account has an associated mobile phone number.

1. Enter your login details to connect to your corporate server, and depending on your server authentication method, you may need to enter your credentials or a code from your e-mail and confirm your phone number if found. When you log in again, you can quit the corporate server.
   For Administrators: Explanation of This Step

   What the user will see depending on the authentication method:

   • NTLM: login and domain are filled; the user is prompted to enter domain password.
   • Email: the user is prompted to enter the verification code sent to their e-mail.
   • OpenID: the user is prompted to enter their corporate data in the KeyCloak form.
     If a user is experiencing errors on the KeyCloak form screen, you will need to check their corporate account in Keycloak.
   If you log in to the app again and click the Logout button at this step, a logout request will be sent to the corporate server, and the data for contacting the administrator will be displayed on the screen. If the corporate server administrator confirms the logout, you will need to log in to the app again to be able to use it. In some cases you will be able to log back in to the same corporate server (e.g. if your corporate account has not been deleted). The only condition is that you need to log back in on the same device you logged out on.


2. Next, the mobile phone number is discovered: if the number has not been found or you have already confirmed it, you will be taken to the screen 3. User Agreement and PIN Code. If the phone number has been found, you will need to confirm it, then re-enter your login details or the code from your e-mail.
   
   If you entered a different number that is not associated with the server, you will be returned to step 4. Entering E-mail Address of the authentication scheme using mobile phone number.

❓Related Topics:
• “Corporate e-mail not found” Error when Entering E-Mail
• Incorrect Login or Password for Corporate Account
• Maximum Number of Authentication Attempts Exceeded
• “User not found”, “User not registered on the server”
• “The user is already registered”, “This login is already used”, “This user is already in the system”
• “Network error, check your connection to the server”, “The server with the specified hostname could not be found”
• “The specified host is unreachable”
• “Error loading public keys” on iOS
• “Error while connecting to Active Directory via NTLM”
• “Request_invalid_signature” Error when Logging In to Corporate Server
• “SSL error” or “Server connection error” on Android
• Error creating a profile | Cannot decrypt RTS access token

3. User Agreement and PIN Code

If it is configured on a corporate server, set a PIN and accept the User Agreement.

4. Entering Personal Password for Additional Protection

If you have a personal password for the encryption keys, you will need to enter it. For details about this password, follow this link.

5. Opening the Chat List or the Home Page

Done! You have logged in to the corporate server.

Authentication scheme using corporate server (CTS) address. You don't need to enter your mobile phone number. A corporate account must be ready.

⚠️ This log in method is temporarily not supported by the app for Aurora.

Authentication Scheme Using Corporate Server Address

1. Entering the Corporate Server (CTS) Address

Enter your corporate server (CTS) address. Next, a discovery will be performed on RTS or ETS.

• If such a server is found, you will be taken to the screen 2. Authenticating the User on the Server and Discovering the Phone Number.
• If such a server is not found, the error “Corporate server address not found” will be displayed.

2. Authenticating the User on the Server and Discovering the Phone Number

On this screen, you need to enter your authentication details, after which the system checks if your account has an associated mobile phone number.

1. Enter your login details to connect to your corporate server, and depending on your server authentication method, you may need to enter your credentials or a code from your e-mail and confirm your phone number if found. When you log in again, you can quit the corporate server.
   For Administrators: Explanation of This Step

   What the user will see depending on the authentication method:

   • NTLM: login and domain are filled; the user is prompted to enter domain password.
   • Email: the user is prompted to enter the verification code sent to their e-mail.
   • OpenID: the user is prompted to enter their corporate data in the KeyCloak form.
     If a user is experiencing errors on the KeyCloak form screen, you will need to check their corporate account in Keycloak.
   If you log in to the app again and click the Logout button at this step, a logout request will be sent to the corporate server, and the data for contacting the administrator will be displayed on the screen. If the corporate server administrator confirms the logout, you will need to log in to the app again to be able to use it. In some cases you will be able to log back in to the same corporate server (e.g. if your corporate account has not been deleted). The only condition is that you need to log back in on the same device you logged out on.


2. Next, the mobile phone number is discovered: if the number has not been found or you have already confirmed it, you will be taken to the screen 3. User Agreement and PIN Code. If the phone number has been found, you will need to confirm it, then re-enter your login details or the code from your e-mail.
   
   If you entered a different number that is not associated with the server, you will be returned to step 4. Entering E-mail Address of the authentication scheme using mobile phone number.

❓Related Topics:
• “Corporate e-mail not found” Error when Entering E-Mail
• Incorrect Login or Password for Corporate Account
• Maximum Number of Authentication Attempts Exceeded
• “User not found”, “User not registered on the server”
• “The user is already registered”, “This login is already used”, “This user is already in the system”
• “Network error, check your connection to the server”, “The server with the specified hostname could not be found”
• “The specified host is unreachable”
• “Error loading public keys” on iOS
• “Error while connecting to Active Directory via NTLM”
• “Request_invalid_signature” Error when Logging In to Corporate Server
• “SSL error” or “Server connection error” on Android
• Error creating a profile | Cannot decrypt RTS access token

3. User Agreement and PIN Code

If it is configured on a corporate server, set a PIN and accept the User Agreement.

4. Entering Personal Password for Additional Protection

If you have a personal password for the encryption keys, you will need to enter it. For details about this password, follow this link.

5. Opening the Chat List or the Home Page

Done! You have logged in to the corporate server.

If you are already logged in to the app on a mobile device, you can quickly log in to the app on your PC, or vice versa. If you haven't signed in to other devices yet or cleared sessions, you'll have to log in to the app again from scratch.

To quickly log in using a QR code:

• If you need to sign in on a mobile device via you PC, in the Desktop app or Web app on your PC, go to Settings (avatar button) > Active sessions > eXpress mobile, and in the Mobile app, on the first login screen, click Login with QR code and scan the code on your PC’s screen with your mobile device. You will not need to enter a password or any other credentials.
• If you need to sign in on your PC via your mobile device, in the Mobile app, go to Settings (avatar button) > eXpress WEB, in the Desktop or Web app, go back to the first screen with the QR code (you may need to click Back to start or Clear data) and scan the QR code on your PC’s screen with your mobile device. You will not need to enter a password or any other credentials.

❓Related Topics:
• “Pairing error” when Scanning a QR Code
• After Scanning a QR code, a Screen for Entering Your E-mail Opens, After Entering It, You Get “Server error”
• “Can't read RTS keys” Error when Logging In via QR Code from iOS to Web/Desktop App

The app can be used on an unlimited number of devices, but only one user can work in it.

Current open sessions on other devices are visible in the app's settings in the Active sessions section. Your current session cannot be seen in the list of sessions. Your sessions for a particular device are visible to the administrator in the Admin Panel in the Activations section. The last activity of a session is considered to be the time when the client app connected to the server. On the corporate server, all sessions have a special identifier — UDID.

I Changed the Device I Use to Work with the App, What Should I Do?

If you change the device on which you will use the app, do the following:

1. Log in on your new device using a QR code, your mobile phone number associated with the app, corporate e-mail, or corporate server address.
2. Close the session on your previous device:
   • either via the previous device: Settings (avatar button) > Close session;
   • either via the new device: Settings (avatar button) > Active sessions > tap the cross (swipe on iOS) to close the session of the previous device.

❓Related Topics:
• The User Gets Kicked Out of the Session to the Login Screen

A personal password and PIN code can be created as an additional measure to protect your data. To create it, after logging in to the app open Settings (avatar button) > Additional data protection. In app versions up to 2.21 (Mobile) and up to 2.6 (Web/Desktop), the user had to create a personal password during registration.

Depending of your organization's configuration, you may also need to create a PIN when you register in the app.

Your personal password and PIN code are known only to you, and neither the vendor, developers or even administrators cannot restore or change them for you. Your personal password is associated with your personal account, and, if you use the same mobile phone number to log in, it will be requested even when you migrate from one corporate server to another until you delete it.

What to Do if You Forgot Your Personal Password

1. You can try to recall your password: after the preset number of attempts has been reached, a start page will open to login in to the app, enabling you to start again.
2. You can change your personal password if the app is open on another device (for example, you log in to the Mobile app while having an active session in the Web app, or vice versa). The password can be changed in the app's settings:

   App version	How to change your personal password
   Android	Settings (avatar button) > Additional data protection > enter a new password and confirm > Done
   iOS (iPadOS)	Settings (avatar button) > Security > Additional data protection > enter a new password and confirm > Done
   Web/Desktop	Settings (avatar button) > Main settings > Additional data protection > enter a new password and confirm > Done

3. If you are already using the app on your PC, you can log in on your Mobile app using the QR code, and vice versa:
   • If you need to sign in on a mobile device via you PC, in the Desktop app or Web app on your PC, go to Settings (avatar button) > Active sessions > eXpress mobile, and in the Mobile app, on the first login screen, click Login with QR code and scan the code on your PC’s screen with your mobile device. You will not need to enter a password or any other credentials.
   • If you need to sign in on your PC via your mobile device, in the Mobile app, go to Settings (avatar button) > eXpress WEB, in the Desktop or Web app, go back to the first screen with the QR code (you may need to click Back to start or Clear data) and scan the QR code on your PC’s screen with your mobile device. You will not need to enter a password or any other credentials.
4. Or you can reset the personal password using the Reset password button during login.


Attention! If you reset your personal password, you will irrevocably lose access to all your correspondence because of new encryption keys are generated. If you change your personal password, your correspondence will remain, since the encryption keys will remain the same.
Resetting your personal password terminates current active sessions on your devices (“kicks you out” of the app), but changing your personal password does not do that (you will remain logged in to the app).

If you have a personal password, you can refuse it without losing your correspondence in the app settings (Settings (avatar button) > Additional data protection), but this is not recommended, as you will lose a data protection factor.
If you don't see the Refuse password button in the Additional data protection section, you've already rejected your password or simply haven't created it.

What to Do if You Forgot Your PIN Code

On the screen where you are asked for your PIN, select Forgot your PIN?. When you press it, the current PIN code will be deleted, the current session in the app will be terminated, and you will need to log in to the app again. Your data will not be lost. If necessary, you can set a new PIN code.

❓Related Topics:
• “Require PIN” Role Model Rule

The problem with registration and login to the app can be solved by clearing the local cache in the client app.

If clearing the cache did not help and you failed to troubleshoot error using the instructions below, please collect the app's authentication logs and ask the eXpress Support for help.

Error After Requesting an SMS Code | The SMS Code is Incorrect or Does Not Arrive

(“The server is temporarily unavailable”, “The server with the specified host name could not be found”, “Error sending SMS, try again later”)

Try the following:

• Turn off VPN or proxy, try to connect to another network.
• If you have recently changed your SIM card or switched to another mobile network operator, you will need to wait for 24 hours from that moment.
• Check the phone number you have entered. You could accidentally write your number incorrectly. Only mobile phone numbers are supported. Check that you have selected the correct country. Some SMS providers have disabled sending messages to mobile operators in some countries.
• Make sure that you have not exceeded the limit for receiving SMS codes. For eXpress users, the number of attempts to receive an SMS code is limited: no more than 7 requests per day. If your organization uses a dedicated custom ETS client app, the limit may be different. Contact Support if your SMS requests have been blocked due to the number of attempts.
  For Administrators: The User Has Exceeded the Limit For Receiving SMS

  For RTS or CTS, the number of attempts to receive an SMS message is limited. You can check whether the user has exceeded the limit in the ETS or RTS Admin Panel (via eXpress Support). For the SMS provider on ETS, the administrator may set other restrictions.
  To check the SMS limit in the RTS/ETS Admin Panel, go to the Security section and try to unblock the number: if a message appears about deleting the blocking record, it means the number was blocked by the server. To check the daily limit from your SMS provider, in the SMS Statuses section, enter the user's phone number (with the country code, but without the plus symbol) in the search field. For example, the error one_number_limit_exceeded means that the limit has been reached. The user will be able to try again to receive the SMS the following day, after midnight. The user can also be advised to log in via QR code if they have several devices.
  For more information, see the description of the corresponding section of the Admin Panel.
  For Administrators: “Bad request” error with “Reason: Blocked”

  Bad Request error with Reason: Blocked in the Mobile app logs or in the Web app console indicates that the phone number was added to the block list due to frequent attempts to receive SMS in a short time or due to a prohibition set by the administrator.
  
  You can remove the block by the number of attempts if the user is blocked by the ETS: in the Admin Panel, select SMS > Security > Unblock user). If you do not have ETS (not a dedicated custom ETS client app, but the eXpress app), contact eXpress Support to unblock your number on RTS. The limits that control this lockout are changed in the ETS and RTS Admin Panel: SMS > Security > Request Rate Limiter by IP Adress and Max. requests limit per phone number.
  
  The number specified in the Filter by phone in the SMS > Security section, will get the same lockout. There will be the following record in the authentication service logs for such a number Blocked by phone number XXXXXXXXXXX. If a number needs to be removed from the filter, remove the number from the list below this field and restart the authentication service on ETS/RTS.
• If your account is linked to a non-functional corporate server, contact eXpress Support to verify this hypothesis.
• There may be problems on the side of the SMS provider or mobile operator, or the operator has a blocking set up — contact eXpress Support to check the availability of sending SMS, and also make sure that the mobile operator has not enabled the automatic SMS blocking service and is allowed to receive SMS codes.
  For Administrators: Problems on the Side of the SMS Provider or the User’s Mobile Operator

  You can check whether SMS messages have been sent to the user's number in the Admin Panel in the SMS Statuses section. For more information, contact the SMS provider through which messages with codes are sent to users. For example, a subscriber may have a service for blocking automatic SMS messages connected.
• Make sure the SMS code is entered correctly. Each code is valid until a new code is requested. The SMS code must be entered from the last received SMS. A request for an SMS code can be sent no more than once per minute, but the validity period of the SMS code is not limited.

“URL Not Supported” Error when Requesting SMS Code on iOS

Reinstall the Mobile app on iOS. If reinstallation does not help, contact eXpress Support.

unhandled_service_error | “An error occurred” after Entering the SMS Verification Code

In some cases, this error is only visible in the app's authentication logs.

The account is linked to a corporate server that is currently unavailable, or its data needs to be corrected. This problem may also occur due to an expired or incorrectly issued server certificate. In rare cases, deleting your account will help.

Contact your organization's support or eXpress Support to resolve the issue.

For Administrators: The User Is Registered On a Corporate Server That is Down

There are cases when the corporate server on which the user was registered becomes unavailable. The user will not be able to log in to another corporate server, since the RTS will retain a record that the user is registered on this server.
In this case, check the server status via eXpress Support, which, if necessary, releases the account from being linked to a non-working server.

For Administrators: The User Has a Duplicate Account on RTS Due to the 2022 Failure

As a result of an RTS failure, some accounts on RTS were duplicated. This issue affected a small portion of users who registered during the summer-fall of 2022.
With the help of eXpress Support, find out whether the user’s account on RTS has been duplicated. If yes, wait for the error to be corrected and further recommendations.

For Administrators: The Certificate on the User’s Corporate Server Was Issued Incorrectly, Has Expired or not Found on the Device

In the Web app, open the browser console: (Fn +) F12 > the Console tab > find the ERR_CERT_AUTHORITY_INVALID error. ts presence means that there is a problem with the certificate chain on the corporate server.

The Trust anchor for certification path not found or javax.net.ssl.SSLHandshakeException: Handshake failed in the authentication logs mean that there is a problem with the certificates on your mobile device or on the server.

Check the status of the certificate and/or install it on the user's device if necessary (more details here).

If the server certificate is expired or issued incorrectly, it must be replaced. The instructions are available in the administrator guides.

For Administrators: The User on RTS Uses a Different HUID

The eXpress Support will check that and make a fix if it is necessary.

For Administrators: Account Deletion and New Registration Required

If the above reasons are not confirmed, it is needed to delete user account and register again. The steps are following:
    1. If the error occurred in a branded ETS client app (not in eXpress), log out user of ECTS. Next, ask the user to install the eXpress app and log in to it using the same mobile phone number.
    2. In eXpress: Settings (avatar button) > Profile > three dots menu > Delete account > enter phone number and confirm deletion.
    3. Ask the user to register again in eXpress or your organization's branded ETS client app.

“Login without phone number is not allowed”

This error occurs when you try to log in to the app using your e-mail address or corporate server address.

It means that the corporate server administrator has disabled login without a phone number in the registration settings. Select the login method using your phone number.

Incorrect Login or Password for Corporate Account

Make sure you are entering the correct credentials to connect to the corporate server.

The corporate server address, login and password for the corporate account (or domail password — the same password you enter when logging in to your workstation) can be clarified with your organization's Support team.

You can change your login and domain password only through your organization's support team or administrator. After changing the password, all active app sessions will be terminated, and the screen for entering data for connecting to the corporate server will be displayed. After successfully logging in with your new password, your chats will be downloaded from the server back again.

In the authentication logs you will see the invalidCredentials error.

For Administrators: User is Absent on the Corporate Server

The Incorrect Login and/or Password error during NTLMv2 authentication may mean not only incorrect data entry by the user, but also the absence of the user in the corporate server Admin Panel. You need to either set up synchronization with Active Directory, or wait for it to complete.

For Administrators: “User Must Change Password at Next Logon” is On

The error may occur if, when resetting the password in AD, the User must change password at next logon box has not been unchecked. If you uncheck this box, the user will be able to log in with the new password without any errors.

For Administrators: user principal name != user logon name

If the user in AD has different fields: user principal name != user logon name, when logging in, the user needs to enter their e-mail in the Login field, their domain password in the Password field, and leave the Domain field blank.

Maximum Number of Authentication Attempts Exceeded

Login to the app is temporarily blocked if you enter an incorrect corporate account password several times. This blocking is removed automatically after 10 minutes.

If you're already logged in on another device, use the QR Code to avoid waiting. If you don't remember your domain password, contact your organization's support team.

“User not found”, “User not registered on the server”, “E-mail or login not found”

This error may mean the following:

• the login, password or e-mail address for logging in to the app is entered incorrectly;
• there is no account for you on the corporate server, or there is a problem with synchronization with the directory service.

Please check your data, try entering your corporate e-mail in lowercase letters. If this does not help, contact your organization's support team.

For Administrators: The User Is Not Registered On the Corporate Server They Are Trying to Log In To

1. 1. Look up the user’s name in the Admin Panel on CTS or ECTS in the Users section.
2. 2. In the Activations section, make sure that the user has not been registered yet, that their e-mail is specified and that it is correct.
3. 3. If the user has been already registered, provide their phone number to eXpress Support, so that they can compare it with the current number that the user is trying to log in with.

For Administrators: User’s Account Has Been Blocked in AD

If the user’s account was manually locked by the administrator in AD, the user is taken to the corporate server address entry screen, and a logout confirmation request is displayed in the Admin Panel. And when the user tries to enter their credentials again to connect to the corporate server, they will receive the error Incorrect login or password or User not found.

Unblock the user’s account in AD or manually synchronize a new account with the corporate server: Registration settings > Sync.

For Administrators: The User Has Specified Incorrect Login/E-mail for Authentication

Verify the full name, login, and e-mail with which the user is trying to log in. You can request a screenshot of the screen where the error occurs — it will show the server name. If everything is specified correctly, ask to clear the data or reinstall the app and log in from scratch again.

For Administrators: The AD User Did Not Appear in the Admin Panel on the Corporate Server

1. 1. Check if the user is present in the AD group used for synchronization.
2. 2. Wait until the AD synchronization ends or conduct it manually: Registration settings > Sync.
3. 3. If the user is present in the group, but the error persists, collect the logs of the ad_integration service and forward the issue to eXpress Support.

For Administrators: The AD User Is Displayed in the Admin Panel Without E-mail Address

1. 1. Check the number of accounts for this user in the Admin Panel. It is possible that after changing the user’s last name, a new account was created. If two accounts exist, log out the old account and start synchronization with AD: Registration settings > Sync. After synchronization, the e-mail address should be displayed
2. 2. If this doesn't help or there is only one account, enable the debug logging for the ad_integration service, if presumed that the problem is in eXpress and not with the account in AD. Next, collect the logs of the ad_integration service and forward them to the eXpress Support.

“The user is already registered”, “This login is already used”, “This user is already in the system”

Troubleshooting:

• o You are trying to log in with a new phone number, not the one you originally registered with. Return to the beginning or close the session in the app and, on the app's login screen, enter the number that was used when you initially registered your account.
  If you need to add a new number to an existing account, add the desired number in the profile settings (this action must be permitted by your organization's system administrator).
  For Administrators: The user is trying to log in to a corporate account with a different phone number

  Verify the phone number with which the user logs in to the app. eXpress Support can find the user on RTS and check if this number is linked to CTS, or the ETS administrator can check if this number is linked to ECTS. If this number is not linked, ask the user to return to the beginning and enter the phone number with which they initially registered.
  For Administrators: Old phone number was cached during authentication

  This error is typical when the user has previously entered a number and forgot which one, and they are now in the middle of the authentication procedure. They need to go back to the beginning of authentication and try again.
  
  If the number is entered correctly, look at the logs of the ad_integration container with the help of eXpress Support on RTS or with the help of the ETS administrator. If the logs show an old number, ask the user to log in to the app again.
• The phone number you log in with is linked to another account on this or another server. This is possible if the previous employer has not logged out your previous corporate account.
  
  If you recently started your current job and were using eXpress or a dedicated custom ETS client app from your previous employer, contact your previous employer or eXpress Support to log out your previous account from your previous server. Since corporate correspondence is the property of the company, when employees are dismissed, the user must be logged out by the former employer. Please note that the app may be named differently in different organizations.
  For Administrators: The phone number is linked to an account on another corporate server

  This situation most often occurs when a user leaves one organization which uses the app and moves to another.
  
  Verify the phone number with which the user logs in to the app. eXpress Support can find the user on RTS and check which CTS the number is linked to, or the ETS administrator can check which ECTS the number is linked to. Next:

  • If the number is linked to another corporate server, contact eXpress Support. The support team will ask the administrators of that server to log out the user from their server.
  • If the number is linked to the required corporate server, check the user's HUID in the CTS or ECTS Admin Panel to make sure that the user is logged in to the correct corporate account.
• Your domain login or password has changed in Active Directory, but you have not been logged out of your previous account — contact your organization's support team.
  For Administrators: The user's login in Active Directory has changed

  This is relevant when accounts are synchronized with AD. This can happen when the user’s surname changed and the user has been provided with a new login.

  1. 1. Log out the old corporate account of the user.
  2. 2. Start synchronization in the Admin Panel: Registration settings > Sync.
  3. 3. Check if the user’s e-mail address is displayed in the Admin Panel.
  4. 4. Ask the user to log in again. Correspondence will remain if they logs in the same server with the same phone number.
  For Administrators: The user gets this error after changing their password in AD

  If this error occurs for a user after changing the password in AD, and the user is blocked due to the password change, click the Clear cache button on the user's profile page in the Admin Panel.
  
  To prevent such an error in the future, you need to uncheck the User must change password at next logon box in the user's properties in AD. After unchecking this box, the users will be able to log in to the app with the new AD password without error.
• You initially logged in to a corporate server without using a phone number, then tried to log in to the same server using a phone number. Technically, these will be different accounts, so you will get this error when trying to enter the account details that are already linked to an account without a phone number.
  
  To link this phone number to an existing account, sign in to eXpress using your phone number and skip entering corporate data. Delete the account you just logged in to with a phone number. Next, log in to your account without using your phone number via e-mail or corporate server address and add the phone number to your profile (this action must be permitted by your organization's system administrator).
  For Administrators: The user first logged in using a phone number, then without it, or vice versa

  Find out whether the initial registration was performed with a phone number, and if so, with which one. If necessary, ask user remove or change their phone number in the profile. You may also ask user to delete an extra personal account on RTS if it was created when trying to log in using a phone number to a corporate account not having a phone number or to which another phone number have been already added.
• You initially logged in to a corporate server using a phone number, then tried to log in to the same server without a phone number and entered a different phone number in the confirmation screen — technically these will be different accounts, so you will get an error that means the corporate account is already taken. Starting from the app's version 3.17, this situation is no longer be possible.
• You are trying to log in to an account created for an external client. You can check this with your organization's administrator.
  For Administrators: The user is attempting to log in using an external client account

  User accounts created in the External Client Users section are intended for login only from the videoconferencing terminal. These accounts are created for computers in conference rooms or other situations where you need to log in to the app using a non-personalized account.
  
  Since external client users cannot be deleted (yet), the user needs to select another account to sign in to the app, or change the e-mail of the external client user to another one in the Users section.
• You are trying to log in to an account that does not have a phone number after your administrator prohibited sign-in without a phone number.
  For Administrators: The user did not add a phone number to the account

  If you have prohibited login without a phone number, but some of your users have not yet added it to their profile, they will receive the error “Use a dedicated custom app” or “User is already registered” when logging in with their phone number. To resolve the issue, contact eXpress Support for assistance in correctly transferring the number to the correct user account.

“Network error, check your connection to the server”, “The server with the specified hostname could not be found”, “Pairing error” when Scanning a QR Code, "Your Internet connection may have been interrupted", "Could not resolve host"

The error usually indicates a problem with your network connection, your Internet service provider, or a problem with the server/certificate. Please try the following troubleshooting steps:

• On your mobile device, switch from Wi-Fi to LTE mobile Internet or vice versa, or turn off the airplane mode.
• Try sharing Internet from another device with an active connection to the server, try connecting to Internet from another ISP.
• Turn off VPN, ViPNet, proxy, firewall, AV protection or add an exception for the app there. Check and provide network access for the app.
• For the Web app, check if there is no browser extension or proxy interfering with traffic (for example, friGate).
• If your organization uses a third-party certificate, install it (contact your organization's support or the eXpress Support for assistance).
• Try clearing cache or reinstalling the app.
• Wait a few minutes, go back to the start and try to log in again.

If none of the above steps helped resolve the issue, contact your organization's support team or eXpress Support.

For Administrators: The User Trues to Log In without Phone Number on an Outdated Server

Regularly and timely update the server side software.

For Administrators: The Diagnostic Link for Checking the Register Method or Certificate

Try opening the following link in the browser on the user's device and on your machine: https://cts_fqdn/api/v2/ad_integration/register_methods

• If the link does not open for the user only, then there is no access to the server from the user's device. Try to turn off or configure any VPN, VIPNet, proxy, AV protection, or browser extention, interfering the network connection. Check the network access. Troubleshoot networking equipment, if there are any issues. In the Web app, you can check for errors in the browser console: (Fn +) F12 > the Console tab > look for any errors, e.g. CORS.
• If the link opens, but the browser notifies of problems with the certificate, it is needed to check the certificate.
• If the link opened, but register_metod_not_set error is displayed, you need to select the user registration method and sync source in the server's Admin Panel: Registration settings > Save.

For Administrators: The Desktop Client Is Incorrectly Configured (The Web App Works via a Special Link)

In organizations with limited Internet access the Desktop app configuration must contain the correct host name, corresponding to the proxified Web app.

For Administrators: An Incorrect Number of CTS Keys Have Been Created for the User

1. 1. Open the Web app, open the browser console: (Fn) F12 > the Console tab > look for the 400 error for the register_confirm request.
2. 2. Get the logs of the ad_integration service on the corporate server and check the following:

   
   2021-10-19T12:52:34.998418907Z 2021-10-19 12:52:34.991 request_id=Fq9vp4IcJ-0j9u0AiWUB [info] POST /api/v1/ad_integration/register_confirm
   2021-10-19T12:52:35.138010731Z 2021-10-19 12:52:35.133 [error] The number of cts keys isn't one: []
   2021-10-19T12:52:35.142127307Z 2021-10-19 12:52:35.133 request_id=Fq9vp4IcJ-0j9u0AiWUB [info] AdIntegrationWeb.Api.RegistrationController.register_confirm error: %ApiController.Error{code: 400, error_data: %{}, errors: [], reason: :keys_error}
   

3. 3. The user may create new keys by resetting the personal password for the encryption keys.

“Corporate email not found” Error After Entering E-mail Address

This error occurs in two cases:

• On the first screen you select to log in via corporate e-mail and enter your e-mail. In this case, the error means that simplified authentication for quick discovering your corporate server has not been configured. You need to choose another login method or contact your organization's support team or the eXpress Support for assistance.
• On the e-mail confirmation screen after entering your e-mail. Check that you have entered your e-mail address correctly or contact your organization's support team for assistance.

"Corporate server address not found" After Entering Server Address

This error will be displayed if the corporate server entered in the address field is not found on RTS or ETS. Check if the correct server address has been entered, or contact your organization's support team or the eXpress Support for assistance.

For Administrators: Diagnosing a Server Address Error

Possible causes:

• The corporate server address was indeed entered incorrectly.
• Server-side software version is below 3.13.
• The registration type has not been selected in the corporate server Admin Panel, in the Registration settings section.
• There is no access to this corporate server from the user's device. Check the troubleshooting steps here.

"Please use special application for this corporate server”, "Please use special application with this account”, "Please use other application version with this account”

This error means that you are trying to connect to an eXpress corporate server (CTS) while your account is linked to a corporate server that requires a custom ETS client application (ECTS), or vice versa.

It's possible that you recently changed jobs, and your previous employer haven't log you out on a previous server. In this case, contact your previous employer or contact the eXpress Support to get help with the logout. Additional information can be found here.

Or you may be trying to log in to an account that does not have a phone number associated with it after your administrator has disabled sign-in without a phone number. Additional information can be found here.

For Administrator: User Can't Login In to the custom ETS App after Logout (Backend below 3.9)

If the user has switched from one ETS to another (from one custom ETS app to another), but on the new ETS the old ETS ID is displayed in their profile in the Admin Panel, a special console command must be used to change the ets_id to null in the ets_phonebook_prod database. This has been fixed in server-side software version 3.9 and above.

If you have access to the database, this is done with the following command: ets_phonebook_prod=# update users set ets_id = null where huid = 'user_HUID';
If there is no access to the database, then use the following two commands:

• Go to the ets_phonebook_1 console:
  docker exec -it ets_phonebook_1 sh ./bin/ets_phonebook remote_console or:
  dpl --dc exec phonebook sh ./bin/ets_phonebook remote_console
  
• Next: defmodule ETSPhonebookWeb.ClearIds do use ETSPhonebookWeb, :command alias ETSPhonebook.Models.User alias ETSPhonebook.Queries.UsersQueries alias ETSPhonebook.Repo def execute(huid) do with {:ok, user} <- UsersQueries.by_huid(huid), {:ok, _} <- update_local_user(user) do :ok end end defp update_local_user(user) do user |> User.changeset(%{cts_id: nil, ets_id: nil}) |> Repo.update() end end
• In the end: ETSPhonebookWeb.ClearIds.execute("user_HUID")

"cts_registration_not_supported” Error when Logging In via QR Code

There is a problem with the corporate server. Contact your organization's support team or eXpress Support to get your server back up and running.

“Connection error, please contact your administrator” when Logging In via E-mail or Server Address

Contact your organization's support team to update the server part of the app (backend software) to the latest version. Until then, you will only have the options to log in via mobile phone number or QR code.

“Can't read RTS keys” Error when Logging In via QR Code from iOS to Web/Desktop App

The Mobile app contains incorrect keys (an old version of the app is used, or a problem occurred at the stage of logging in to the app).

The following will help:

1. Terminate your session in the app for iOS.
2. Log in to the app again from scratch without using the QR code.
3. Then log in to the Web or Desktop app using the QR code from the app for iOS.

“Error loading public keys” in the App for iOS

Reinstall the app, try to log in to the app again. If the issue persists, contact the eXpress Support.

“Error while connecting to Active Directory via NTLM”

There is a problem with the group policy settings. Contact your organization's support team.

For Administrators: Configuring Group Policy or Changing the Registration Method

If an error related to NTLMv2 occurs on different user devices after entering the domain login and password, uncheck the Require NTLMv2 session security box in the domain group policies settings, or change the registration method on the corporate server from NTLM to E-mail.

“Request_invalid_signature” Error when Logging In to a Corporate Server

On an iOS device, this error is displayed immediately in this form; on an Android device, you need to check the app's authentication logs; in the Web/Desktop app, this error is visible in the detailed error report.

The error is related to the time settings on a device. To resolve the issue:

• Android. Enable automatic time and time zone setting in the time settings on your device. After that, log in to the app again.
• iOS. Enable automatic time and time zone setting in the time settings on your device. You can also try turning the automatic time setting off and on. After that, reinstall the app and log in again.
• Web/Desktop. Enable time synchronization with the NTP server on your PC (with your organization’s support team help, if nececcary). After that, log in to the app again.

“SSL Error”, “Server connection error”, “Connection error” on Android when Entering Phone Number, E-mail Code or Corporate Server Address

To resolve the issue, update the app to the actual version. If it doesn't help, contact your organization's support team or the eXpress Support.

For Administrators: how to check the certificate.

"Authentication error. Please try again later" when Scanning a QR Code in Web or Desktop App

If you opened the Web/Desktop app on a screen with a QR code, scanned the QR code with the Mobile app and received the error, and, nevertheless, you can log in by manually entering your mobile phone number, contact your organization's support team to check the settings on the corporate server.

For Administrators: Check the Registration Attempts Limit

Collect console logs from Web/Desktop app from the user. If there is the registration_confirm_attempts_exceeded error, then in the Admin Panel, go to Registration settings section > E-mail and make sure that an integer greater than 0 is specified in the Maximum number of login attempts field. It is recommended to specify 5 or higher.

If you leave the field empty, the default number of attempts is 3.

Getting Kicked Out of the Session to the Login Screen

The reasons may be as follows:

• The session was manually terminated by the corporate server administrator. To check this, contact your organization's support team.
• The session was terminated in the Web app due to the site cache being cleared in the browser (some organizations are configured to automatically clear the cache after restarting user workstations). If VDI is used, it may be required to configure VDI.
• The session was terminated in the Desktop app due to clearing the cache folder or deleting the credential keys (Windows) or keychain (Mac, Linux). If VDI is used, it may be required to configure VDI.

If above recommendations do not help, contact your organization's support team or the eXpress Support to resolve the issue.

For Administrators: Additional User Kicking Out Diagnostics

You can diagnose the causes in the Audit section in the Admin Panel. Other reasons of the kicking user out may be the following:

• The session ended automatically due to Active Directory synchronization settings on the corporate server. For example, when the user is kicked out of a session when changing a domain password, or if there is no group for synchronization, or the user was removed from the group.
• The lifetime of user activations (sessions) is limited on the corporate server — this is configured in the Admin Panel in the Activations section.
• The KeyCloak token has expired.

Error creating profile | "Cannot decrypt RTS access token" Error

If the Web and Desktop app displays an error after logging in to the corporate server, and on Android, after entering the data to connect to CTS, the profile creation screen displays with the error "Error creating profile", then the account needs a fix on the server. Contact your organization's support team or the eXpress Support for assistance.

For Administrators: Fixing an RTS ID

If a user initially registered on a Russian RTS, then changed the interface language to another in the Web app, or registered on a foreign RTS and then started logging in on a mobile device, then their registration request could be sent to a different RTS than the one they initially registered on, which will result in an error. The logs show the following: { "error_data": {}, "errors": [ "Cannot decrypt RTS access token" ], "reason": "request_invalid_signature", "status": "error" } The solution would be to update rts_id or the user on their CTS — make it the same as in the personal account on RTS: check the user's rts_id with the eXpress Support and run the following commands in the console: cd /opt/express dpl --dc exec postgres psql -U postgres \c ad_phonebook_prod update users set rts_id = 'corresponding_rts_id' where huid = 'user_HUID';

This behavior has been fixed in version 3.22 of the server and client software.

“Add a telephone number: The administrator has prohibited login without a telephone number” Warning

If you receive this message when logging in to the app, add your phone number to your profile or contact your administrator (via your organization's support team) — they may need to turn off this warning in corporate server settings.