Question

Unable to install client on Windows using IDP

  • November 26, 2025
  • 5 replies
  • 100 views

selva.rathinam-97293132
Netskope Partner

We are trying to install the Netskope client via IDP using the below command, but somehow it is not successful.

 

msiexec /I NSClient.msi tenant=XXX domain=goskope.com installmode=IDP mode=peruserconfig enrollauthtoken=XXX enrollencryptiontoken=XXX (/qn - we removed the qn just to see the live progress of what is happening).
 

With Email-Invite it is working on the same PC, but we are trying to install via IDP for bulk installation without user intervention to enter the credentials.

We have configured the token at MDM distribution and also created the SAML authentication under Forward Proxy.

We looked at the logs and didn’t find anything resolvable.

"event_details": "Installed client version 132.0.7.2513",        "actor": "System"    }}
2025/11/26 11:13:04.911 stAgentSvc p155c tc24 info addonmanapi.cpp:756 addonmanapi posting client status
2025/11/26 11:13:04.911 stAgentSvc p155c tc24 error addonmanapi.cpp:759 addonmanapi Post Client Status addon userkey is empty
2025/11/26 11:13:04.911 stAgentSvc p155c tc24 error clientStatusHandler.cpp:452 clientStatusHandler [sessId 1] Failed to post Client status
2025/11/26 11:13:04.911 stAgentSvc p155c tc24 error clientStatusHandler.cpp:949 clientStatusHandler [sessId 1] Failed to post client status from cache
2025/11/26 11:13:04.911 stAgentSvc p155c tc24 info clientStatusHandler.cpp:988 clientStatusHandler [sessId 1] Posted 0 events from cache out of 1
2025/11/26 11:13:04.911 stAgentSvc p155c tc24 info clientStatusHandler.cpp:994 clientStatusHandler [sessId 1] Failed to post any event from cache
2025/11/26 11:13:04.916 stAgentSvc p155c tc24 info config.cpp:7288 Config OTP request succedded m_otpTime set to 1764141244
2025/11/26 11:13:04.917 stAgentSvc p155c tc24 info epdlpSvcStub.cpp:472 EpdlpSvc service epdlp does not exist
2025/11/26 11:13:04.917 stAgentSvc p155c tc24 info epdlpSvcStub.cpp:472 EpdlpSvc service epdlp does not exist
2025/11/26 11:13:06.517 stAgentSvc p155c t3dac warn npaConfig.cpp:1506 CNpaConfig Can not find session -1 from npa sessions

 

 

 

At the client we see the below error:

“Configuration Download Failed
Please authenticate again”


So we are able to successfully authenticate when prompted, along with OTP.

 

Also, we were able to successfully test authentication from the SAML page in Netskope when we click test:

Forward Proxy → SAML → entry → three dots → test.

 

But when we do the same operation from Entra ID → Netskope user authentication app → Test, it is not successful. It says ERR_PARAM_Failed..
We are using the below attributes:

user.userprinciplename

user.mail

 

Kindly correct me: are the configurations good?

5 replies

notskope
  • New Member III
  • December 16, 2025

You should not need the enrollment auth token with IDP enrollment.

 

I would check that your user’s email is what is returned with the SAML assertion. I have seen where organizations have provisioned a user’s email to Netskope and then use a UPN that does not match as the user’s ID in the SAML assertion. This is really only a problem when the UPN and email do not match.

 

> But when we do the same operation from Entra ID → netskope user authentication app→ Test, it is not successful. It says ERR_PARAM_Failed..

I don’t think you can do an IDP-initiated login for forward proxy auth.
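
Added example (not part of the reply above and not Netskope tooling): a small offline check for the email/UPN mismatch described in this reply. It takes the base64 `SAMLResponse` form value from a captured login, lists the NameID and each attribute, and marks which ones equal the email provisioned for the user. The sample response, the addresses and the function names are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims"

# Constructed sample: NameID carries a UPN, the mail claim carries the mailbox address.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
  <saml:Subject><saml:NameID>jdoe@corp.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{c}/emailaddress">
      <saml:AttributeValue>john.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{c}/name">
      <saml:AttributeValue>jdoe@corp.example</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>""".format(c=CLAIMS)
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def identities(saml_response_b64):
    """Return {source: value} for the NameID and each attribute in the assertion.

    Offline diagnostic for a response you captured yourself; it does not
    verify the signature and must not be used to make trust decisions.
    """
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.find(".//saml:EncryptedAssertion", NS) is not None:
        raise ValueError("assertion is encrypted; decrypt it before inspecting")
    found = {}
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is not None and name_id.text:
        found["NameID"] = name_id.text.strip()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        if values:
            found[attr.get("Name")] = values[0]  # first value is enough for identity claims
    return found


def compare_to_provisioned(saml_response_b64, provisioned_email):
    """Map each identity source to (value, matches_provisioned_email)."""
    want = provisioned_email.strip().casefold()
    return {src: (val, val.casefold() == want)
            for src, val in identities(saml_response_b64).items()}


if __name__ == "__main__":
    for src, (val, ok) in compare_to_provisioned(SAMPLE_B64, "john.doe@example.com").items():
        print(f"{'MATCH   ' if ok else 'MISMATCH'} {src} = {val}")
```

In the constructed sample the NameID and the name claim carry the UPN and only the emailaddress claim equals the provisioned email, which is the mismatch the reply warns about.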


selva.rathinam-97293132
Netskope Partner

> You should not need the enrollment auth token with IDP enrollment.
>
> I would check that your user’s email is what is returned with the SAML assertion. I have seen where organizations have provisioned a user’s email to Netskope and then use a UPN that does not match as the user’s ID in the SAML assertion. This is really only a problem when the UPN and email do not match.
>
> > But when we do the same operation from Entra ID → netskope user authentication app→ Test, it is not successful. It says ERR_PARAM_Failed..
>
> I don’t think you can do an IDP-initiated login for forward proxy auth.

So we need to create the SAML entry under Client Configurations? instead of a Forward proxy?


notskope
  • New Member III
  • December 17, 2025

> So we need to create the SAML entry under Client Configurations? instead of a Forward proxy?

No, I’m just saying that you shouldn’t expect any tests from the IDP to be successful. This is a login flow that can only be initiated by Netskope. You will always see an error when testing from the IDP.


selva.rathinam-97293132
Netskope Partner

> > So we need to create the SAML entry under Client Configurations? instead of a Forward proxy?
>
> No, I’m just saying that you shouldn’t expect any tests from the IDP to be successful. This is a login flow that can only be initiated by Netskope. You will always see an error when testing from the IDP.

Ohh, Good, thank you for your reply. I thought it should show successful when initiating the TEST from both ends. I even have a ticket where the support engineer is trying to find a solution to the issue and at the end, he was unable to find it.


notskope
  • New Member III
  • December 18, 2025

There could be some scenario where the test will work, maybe support will find it and add to the documentation.

 

I have IDP client enrollment working just fine, but trying to authenticate by testing or clicking the IDP tile results in the same error you described. So having the test via the IDP work is not necessary for having successful client enrollment.

 

Hopefully that helps save you and support some time chasing a non-issue.