I am currently trying to sync my on-premise Active Directory (hosted on Windows Server 2012 R2) with Azure's AD using the AD sync tool. However, I cannot get past the "Windows Azure Active Directory Credentials" step.
I have two accounts (for the sake of this post, let's call them A and B), both of which are global administrators on Azure. When I enter the credentials for account A, the sync tool insists that "The user name or password is incorrect" even though I can log onto the Azure portal with those exact credentials on my browser. It may be worth noting that account A does not require additional verification to sign on.
Account B has additional security verification and thus I created an app password for the sync tool (this feature is not present on account A since it does not require verification). Whenever I use the generated app password, I am greeted with the configuration error: "Unable to establish a connection to the authentication service. Contact Technical Support." Anything else in the password field will return "The user name or password is incorrect", leaving me to assume that the app password is valid, but my request is just not going through.
Each log-in attempt with account B and the app password has generated the following errors in my Server Manager logs:
System.Management.Automation.CmdletInvocationException: Unable to establish a connection to the authentication service. Contact Technical Support. ---> Microsoft.Online.DirSync.Common.DirectorySyncConfigurationException: Unable to establish a connection to the authentication service. Contact Technical Support.
at System.Management.Automation.MshCommandRuntime.ThrowTerminatingError(ErrorRecord errorRecord)
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at Microsoft.Online.DirSync.PowerShellAdapter.PowerShellCommand.ExecuteCommand(Command command, Boolean refreshPath)
Unable to establish a connection to the authentication service. Contact Technical Support.
Unable to establish a connection to the authentication service. Contact Technical Support. AuthIdentityToService() failed for adminwebservice.microsoftonline.com site with MBI_SSL policy. HResult:-2147186590. Contact Technical Support. (0x80048862)
So far, I have tried:
restarting my server
re-installing the sync tool
clearing my DNS cache
restarting the Azure sync service
disabling all firewalls
If anyone could help me interpret the errors or even provide me with a possible solution, I would greatly appreciate it!
The endpoint used by Azure AD Sync (and DirSync) does not allow the use of app passwords. Only a username/password combination can be accepted and it has to be a global administrator. If you follow our guidance to create a strong password for "account B", you have essentially created the same thing as an app password.
/Andreas Kjellman
Senior Program Manager, Microsoft, Identity and Access Management, sync services
Related
I followed instructions here: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
And also double checked same instructions here https://www.youtube.com/watch?v=Ur0WNjnXJrU
Everything went fine. When I download the Azure VPN Client, and import the xml profile that Azure gave me, I log in, and then i get an error
Failure in acquiring AAD Token: Keyset does not exist
Why is it asking about a keyset? Nowhere did I set up certs. This is Azure AD Authentication type (not Radius and not Azure Certificate type which asks for root certs). So there is no place to select a cert. And the instructions do not indicate a certificate is needed with this Azure AD Authentication type.
Inside the VPN profile azurevpnconfig.xml, I can see a
<serversecret>[...]</serversecret>
and
<cert>
<hash>[...]</hash>
<issuer
i:nil="true" />
</cert>
where did those come from? I never set up any keys or certs. Is it just part of Azure?
The cause was the cached user/pass on the Microsoft Login. Instead of clicking in my remembered login in the list they provide, I clicked "Log in as different user", and I was able to log in. This may be due to MFA which is on.
Completely non-helpful error messages though!
I have problem integrating jFrog Artifactory with an Azure LDAPS.
Azure side is successfully configure, I get response by telnet on port 636.
Logs in the artifactory show this error:
Error connecting to the LDAP server:
org.springframework.security.authentication.AuthenticationServiceException:
User name.surname#bi****.de failed to authenticate
I understand that this error points to my user. But credentials for this user are 100% correct since I have enabled Azure Active Directory Services with user, enabled LDAPS and so on.
Can anyone specified in more detail what I was doing wrong on this picture below?
LDAP Integration screen
The search filter is incorrect, but the correct value will depend on what the users will log on with. If it's their AD username, you would use "sAMAccountName={0}" but the test ID you are using appears to be an e-mail address. To authenticate with your primary e-mail address, use "mail={0}" as the search filter.
Most likely "manager DN" / "manager password" needs a value as well. When you attempt to authenticate, the server connects to the LDAP service and binds with the "manager" account. It then searches for mail= and retrieves the fully qualified DN (FQDN) of the located object. The user supplied password is then validated by attempting to bind with the retrieved FQDN and user supplied password. If anonymous users have read access to the directory, you wouldn't need a manager dn/password. Anonymous read access is atypical for AD/Azure AD.
I use a "service" (i.e. non-user) account for my manager account -- using an actual user's account means someone has to come back and change the config every time the user updates their password. I set a long/complex password on service accounts and increase the password expiry time-frame so admins aren't re-configuring their applications monthly.
we got to work MFA on Windows Server 2016, with NPS, IIS, MFA, Azure etc. and the verification via phone call works great. Now we have problem with Mobile phone authentication.
When I log in to the appropriate web site with my domain\login and password (which is synchronized to Azure), I authenticate via phone call and in the next step I click on "Activate Mobile App" and then "Generate authentication code". I get a QR code, which I scan with MFA mobile application. After few seconds I get an error message "Unable to add the account" - Unexpected error. Please contact your local IT administrator to resolve the problem."
In the MultiFactorAuthSvc log is this message:
WMI error: -2147217394
Couldn't read credential identified by 'PfSmtp'. Element not found.
The time in log is 1 hour late. I don't know if this could be the problem.
We used this tutorial to install MFA:
https://learn.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice
Thank you for any advice.
Ok, after many hours of trying, here is the solution:
As next troubleshooting made sure the Mobile App Web Service site host name on the MFA server resolves to internal MFA server IP.
And here is the link to the article:
https://s4erka.wordpress.com/2018/01/24/mobile-app-authentication-with-azure-multi-factor-authentication-server-error-calling-the-local-authentication-service-troubleshooting/
We have created a dns for external and internal employees to visit an application website. They can both reach the website hosted in iis. they can both download the application that has been deployed using clickonce.
Issue is we want to password protect for external employees.. Internally its ok because we use windows authentication and have a group of users for specific applications.
we created an ad account and password. when i setup windows auth and restrict to this one ad account. i enter in username and password when going to the external dns. thats fine.. i click on the application to install.. and when its trying to install i get + The remote server returned an error: (401) Unauthorized.i'm getting a security error even after i put in the credentials , it somehow still fails when going to install.. what can i do to better password protect applications that will be accessed from the outside using clickonce.. or fix this issue thanks
I have a server which is part of a domain. When I publish a web application from Visual Studio with a domain user everything is ok. But when I try to publish with a local machine user (not part of a domain) I get ERROR_USER_NOT_ADMIN. Both users are in Administrators group. I tried specifying user as username, .\username and machinename\username but it's not working. Is there anything else I should do to be able to publish with a local machine user?
I received this error when I published with an incorrect password.
Not the best answer in the world but I post this to point out that an incorrect password does indeed return this exact error though you would never know it when you read the error message.
This error can also be received when deploying ASP.NET Core application with Visual Studio 2015. In order to fix the problem in this case, add the following lines in the .pubxml file:
<ADUsesOwinOrOpenIdConnect>False</ADUsesOwinOrOpenIdConnect>
<AuthType>NTLM</AuthType>
You can't do that, server you aim to publish in to needs an authorized domain account to allow access to your Visual Studio publishing service. Local accounts are specific to your local machine regardless whether they are administrator logins. They are just local admin login not domain admin logins.
Get your administrator to set up a domain user (don't use domain admin accounts this is a security risk) for publishing purposes or use your current domain user account