Error: Adobe Sign Authentication Error: access_denied
This error message indicates that the user is attempting an action that is not permitted due to an authority issue on the Adobe Sign side of the equation.
There are two common scenarios where this error is generated:
- During installation of the package into the Salesforce organization
- When a sender first sends an agreement from the Salesforce integration
Environment
Adobe Sign for Salesforce (All versions)
Scenario 1: Installation issues
During the installation processes, there are three elements that can be the root cause of the access_denied error:
- The userID in Adobe Sign is incorrect or restricted
- The Adobe Sign account (that the userID is in) is not properly configured as an enterprise account
- The channel that the account is in is not correct
Check your userID
Adobe Sign and Salesforce sync the user in each system by the email address (not the Username value, which can be different in Salesforce).
Trial accounts and Sandboxes can easily create situations where the actual userIDs that are connecting are different than the intended IDs.
Always start troubleshooting access errors by ensuring the userIDs involved are the ones you expect, and that they are correctly provisioned with administrative authority.
Emails must match, and you must be an account admin
The email value in your Salesforce profile dictates the userID that is authenticating the process on the Adobe Sign side.
- Open your Salesforce profile and copy your email value to a notepad
- Log into Adobe Sign using the same email address
- If you cannot log in, click the I forgot my password link and establish a new password so that you can
- If you have any trouble resetting your password, or you still cannot log in once the password is reset, contact your success manager to assess your user in the Adobe Sign system
- Click the Account tab and select Users from the left rail of options
- If you do not have an Account tab, then you are not an account admin. Contact another Adobe Sign admin (or your success manager) to have your authority elevated
- Double click the user (that matches your email address) to open the user properties
- Verify that you are looking at the correct user by checking the email value
- Verify that the user is enabled as an account administrator
If you are not enabled as an account administrator, you must be elevated before you can complete the linkage between Adobe Sign and Salesforce.
Only an account admin can elevate your privilege in the system. Contact another Adobe Sign admin (or your success manager) to have your system privilege enabled at the account level.
Generally speaking, Support and Success agents are only allowed to discuss and manipulate the account with a designated account admin.
If you must troubleshoot beyond the user, you still should be an account admin in the system so you can freely engage with the support/success teams.
Check your Adobe Sign service plan
Your admin userID must be in an account with an enterprise level service plan.
To verify this:
- Click the Account tab
- Select the Personal Preferences option from the left rail
- Select the My Profile menu option
The service plan is listed at the top-right of the My Profile window:
If your Adobe Sign plan is not Enterprise (or Enterprise Trial), then either your userID is in the wrong account, or your account hasn't been upgraded to enterprise yet.
Contact your success manager with your account admin email:
- Indicate that you are installing the Salesforce package
- Provide the email address of your SFDC admin
- Indicate that you logged in to Adobe Sign and the account your user is in does not appear to be an Enterprise plan
- Request that the agent also verify that the account is in the proper channel
Verify that your Adobe Sign account is in the correct channel
If the user checks out, and your account is an Enterprise plan, then odds are good that your account is in the wrong channel.
Channels grant types of authority to the accounts within their scope. Salesforce requires access to several API settings that are enabled by channel configuration.
Only support or your success manager can correct a channel issue. When you contact support/success, please:
- Contact the team from the email address that corresponds to the account admin in Adobe Sign
- Inform them that you have checked the user in the system, and that the service plan is correct
- Provide the error message and what you were doing when the error was triggered
Scenario 2: User issue
Users of the Adobe Sign for Salesforce integration run into access issues when:
- The user isn't in the correct Adobe Sign account
- The user has had their Sending authority revoked
Checking the user in the Adobe Sign system should quickly identify the root issue.
Check that the user is in the Adobe Sign account, and that the emails match
Only an account or group admin will be able to check the userID in Adobe Sign.
If you are not an admin, you will need to relay this process to someone that has the authority to review the users in Adobe Sign.
First, verify the user's email in Salesforce.
- Log in to Salesforce as an admin
- Navigate to: Home > Administration > Users > Users
- Click the Full Name link of the user in question to open the user profile
- Copy the Email value to a notepad
- Do not capture the Username value. The link to Adobe Sign is based on the Email value
- Do not capture the Username value. The link to Adobe Sign is based on the Email value
To verify a user in Adobe Sign:
- Log in to Adobe Sign as an admin (account or group)
- Navigate to the Users tab: Account > Users
- Use the Search field to search for the users email address
- This email value must match the Salesforce email value, or you are looking at the wrong userID
- If you do not find the user at all, then the user is likely in another group or account (possibly a trial)
- You can try to create the user to move the user to your group/account
- If you cannot create the user, contact your success manager and provide them with the email address of the user
Verify that the Adobe Sign userID has the authority to Send agreements
If you find the user, double click the row that has the same email value as the Salesforce user. This opens the user properties.
- Verify the Status of the user is Active
- If the status is Inactive, the user must be re-activated
- If the status is any other value, the user will need to reset their password
- Verify that the user can send documents
- If the user is not enabled for sending documents, enable them
Additional information
Integrations such as Adobe Sign for Salesforce can only be installed with an Adobe Sign enterprise or enterprise trial service plan.
Developer accounts can install integrations, but must be moved to the correct channel by support/success before they can be activated.