Azure AD Connect: Troubleshooting pass-through authentication - Microsoft Entra (2023)


This article helps you troubleshoot common issues with Azure AD pass-through authentication.

Important

If pass-through authentication is having problems signing in users, do not disable the feature or uninstall pass-through authentication agents without a cloud-only global administrator account or a hybrid identity administrator account to fall back on. Learn how to add a cloud-only global administrator account. This step is critical and ensures that you will not be locked out of your tenant.

General problems

Check the status of the feature and authentication agents

Make sure the pass-through authentication feature is still Enabled on your tenant and that the status of the authentication agents shows Active, not Inactive. You can check this on the Azure AD Connect blade in the Microsoft Entra admin center.


User-side login error messages

If a user cannot sign in using pass-through authentication, one of the following user-related errors may appear on the Azure AD sign-in screen:


Error | Description | Resolution
AADSTS80001 | Unable to connect to Active Directory | Ensure that the agent servers are members of the same AD forest as the users whose passwords need to be validated and that they can connect to Active Directory.
AADSTS80002 | The connection to Active Directory timed out | Verify that Active Directory is available and responding to agent requests.
AADSTS80004 | The username passed to the agent is not valid | Verify that the user is trying to sign in with the correct username.
AADSTS80005 | An unexpected WebException occurred during validation | Transient error. Retry the request. If it still fails, contact Microsoft Support.
AADSTS80007 | An error occurred while communicating with Active Directory | Check the agent logs for more information and verify that Active Directory is working as expected.

Users receive an "Invalid username/password" error message.

This can happen when the user's on-premises UserPrincipalName (UPN) is different from the user's UPN in the cloud.

To confirm that this is the problem, first verify that the pass-through authentication agent is working correctly:

  1. Create a test account.

  2. Import the PowerShell module on the agent server:

    Import-Module "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1"
  3. Run the troubleshooting cmdlet:

    Invoke-PassthroughAuthOnPremLogonTroubleshooter
  4. When prompted for credentials, enter the same username and password that are used to sign in to https://login.microsoftonline.com.

If you get the same username/password error, the authentication agent is working correctly and the problem may be that the on-premises UPN is not routable. For more information, see Configure an alternate login ID.

Important

If the Azure AD Connect server is not domain-joined, which is a requirement listed in Prerequisites for Azure AD Connect, users get an invalid username/password error.


Sign-in failure reasons in the Azure portal (Premium license required)

If your tenant has an Azure AD Premium license associated with it, you can also look at the sign-in activity report in the Microsoft Entra admin center.

Navigate to Azure Active Directory -> Sign-ins in the Azure portal and click a specific user's sign-in activity. Look for the SIGN-IN ERROR CODE field. Map the value of that field to a failure reason and resolution using the following table:

Sign-in error code | Sign-in failure reason | Resolution
50144 | The user's Active Directory password has expired. | Reset the user's password in your on-premises Active Directory.
80001 | No authentication agent available. | Install and register an authentication agent.
80002 | The authentication agent's password validation request timed out. | Make sure your Active Directory is reachable from the authentication agent.
80003 | An invalid response was received from the authentication agent. | If the problem is reproducible consistently for multiple users, check your Active Directory configuration.
80004 | An incorrect User Principal Name (UPN) was used in the sign-in request. | Ask the user to sign in with a valid username.
80005 | Authentication agent: an error occurred. | Transient error. Try again later.
80007 | The authentication agent could not connect to Active Directory. | Make sure your Active Directory is reachable from the authentication agent.
80010 | The authentication agent could not decrypt the password. | If the problem is consistently reproducible, install and register a new authentication agent and uninstall the current one.
80011 | The authentication agent could not retrieve the decryption key. | If the problem is consistently reproducible, install and register a new authentication agent and uninstall the current one.
80014 | The validation request was answered after the maximum elapsed time was exceeded. | The authentication agent timed out. Open a support ticket with the error code, correlation ID and timestamp for more details about this error.

Important

Pass-through authentication agents authenticate Azure AD users by validating their usernames and passwords against Active Directory by calling the Win32 LogonUser API. Therefore, if you have used the "Log On To" setting in Active Directory to restrict which workstations a user may sign in to, you must also add the servers that host pass-through authentication agents to that user's "Log On To" list. Otherwise, your users will be blocked from signing in to Azure AD.

Problems installing the authentication agent

An unexpected error occurred

Collect agent logs from the server and contact Microsoft Support with your problem.

Authentication agent registration problems

Authentication agent registration failed due to blocked ports

Verify that the server where the authentication agent is installed can communicate with the service URLs and ports listed here.

Authentication agent registration failed due to token or account authorization errors

Ensure that you are using a cloud-only global administrator account or a hybrid identity administrator account for all installation and registration operations of Azure AD Connect or the standalone authentication agent. There is a known issue with global administrator accounts enabled for MFA. To work around this issue, temporarily disable MFA (only to complete operations).

An unexpected error occurred

Collect agent logs from the server and contact Microsoft Support with your problem.


Problems uninstalling the authentication agent

Warning message when uninstalling Azure AD Connect

If you have pass-through authentication enabled on your tenant and you try to uninstall Azure AD Connect, the following warning message appears: "Users will not be able to sign in to Azure AD unless you have other pass-through authentication agents installed on other servers."

Make sure your tenant is set up for high availability before uninstalling Azure AD Connect, to avoid disrupting user sign-in.

Problems activating the feature

Failed to enable the feature because no authentication agents were available

You need at least one active authentication agent to enable pass-through authentication on your tenant. You can install the authentication agent by installing Azure AD Connect or by installing the standalone authentication agent.

Failed to enable the feature due to blocked connections

Verify that the server where Azure AD Connect is installed can communicate with the service URLs and ports listed here.

Feature activation failed due to token or account authorization error

Be sure to use a cloud-only global administrator account when you enable the feature. There is a known issue with global administrator accounts with multi-factor authentication (MFA) enabled. To work around this issue, temporarily disable MFA (just to complete the process).

Collect pass-through authentication agent logs

Depending on the nature of the problem, you need to look for authentication agent logs in different places.

Azure AD Connect logs

For installation-related errors, review the Azure AD Connect logs at %ProgramData%\AADConnect\trace-*.log.

Authentication agent event logs

For authentication agent related errors, open the Event Viewer application on the server and check under Applications and Services Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin.

For detailed analysis, enable the "Session" log (right-click inside Event Viewer to find this option). Do not run the authentication agent with this log enabled during normal operation; use it only for troubleshooting. The contents of the log are visible only after the log is disabled again.

Detailed trace logs

To debug user sign-in errors, look for trace logs at %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\. These logs contain the reasons why a particular user's sign-in using the pass-through authentication feature failed. These errors also map to the sign-in failure reasons listed in the table above. The following is an example of a log entry:


AzureADConnectAuthenticationAgentService.exe Error: 0: Pass-through authentication request failed. Request ID: "df63f4a4-68b9-44ae-8d81-6ad2d844d84e". Reason: '1328'. ThreadId=5 Datetime=xxxx-xx-xxTxx:xx:xx.xxxxxxZ

You can get descriptive details about the error ("1328" in the previous example) by opening a command prompt and running the following command (note: replace "1328" with the actual error number you see in your logs):

net helpmsg 1328
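As an added example (not code from the Microsoft article), the following PowerShell summarises the failed requests in those trace logs and resolves each Reason code through .NET's Win32Exception, which yields the same text that net helpmsg prints. The regex, the function names and the short hint table are assumptions of this example.

```powershell
# Added example, not from the Microsoft article: summarise failed pass-through
# authentication requests in the agent trace logs and decode the Reason code.

# Trace folder named in the article above.
$TraceDir = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Trace'

# Our regex for the quoted trace line; tolerates "RequestId:" / "Request ID:" and either quote style.
$Pattern = "Authentication request failed\. Request\s?Id: ['""](?<RequestId>[^'""]+)['""]\. Reason: '(?<Reason>\d+)'"

# Short hints for the Win32 logon errors LogonUser returns most often (our wording).
$ReasonHint = @{
    1326 = 'Bad user name or password'
    1327 = 'Account restriction (for example, a blank password is not allowed)'
    1328 = 'Outside permitted logon hours'
    1329 = 'Workstation restriction: add the agent server to the user''s "Log On To" list (see the Important note above)'
    1330 = 'Password expired'
    1331 = 'Account disabled'
    1793 = 'Account expired'
    1907 = 'User must change password at next logon'
    1909 = 'Account locked out'
}

function Get-PtaFailureReason {
    param([Parameter(Mandatory)][int]$Code)
    # Same system text that "net helpmsg <code>" prints, without shelling out.
    $systemText = (New-Object -TypeName System.ComponentModel.Win32Exception -ArgumentList $Code).Message
    [pscustomobject]@{
        Code       = $Code
        SystemText = $systemText
        Hint       = if ($ReasonHint.ContainsKey($Code)) { $ReasonHint[$Code] } else { 'See the sign-in failure reasons table above' }
    }
}

function Get-PtaFailedRequest {
    param([string]$Path = $TraceDir)
    if (-not (Test-Path -Path $Path)) { throw "Trace folder not found: $Path" }
    Get-ChildItem -Path $Path -Filter '*.log' -File |
        Select-String -Pattern $Pattern |
        ForEach-Object {
            $m = $_.Matches[0]
            [pscustomobject]@{
                File      = $_.Filename
                Line      = $_.LineNumber
                RequestId = $m.Groups['RequestId'].Value
                Reason    = [int]$m.Groups['Reason'].Value
            }
        }
}

# Failures per reason code, most frequent first, with the decoded text attached.
Get-PtaFailedRequest |
    Group-Object -Property Reason |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        $r = Get-PtaFailureReason -Code ([int]$_.Name)
        [pscustomobject]@{ Reason = $r.Code; Count = $_.Count; SystemText = $r.SystemText; Hint = $r.Hint }
    } |
    Format-Table -AutoSize
```

Run it on the agent server; the RequestId of each row is what you would quote in a support ticket alongside the sign-in error code.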


Domain controller logs

If audit logging is enabled, you can find additional information in the security logs of your domain controllers. A simple way to query sign-in requests sent by pass-through authentication agents is as follows:
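An added example, not the article's own query: it filters the Security log for logon events (4624/4625) whose ProcessName is the agent service executable and decodes the NTSTATUS SubStatus of the failures. It assumes the default install folder shown in the Import-Module step above, the function name Get-PtaLogonEvent, and an audit policy that records logon events.

```powershell
# Added example, not the article's own query: list Security-log logon events raised
# by the pass-through authentication agent process and decode failed ones.

# Default install path built from the module path in the Import-Module step above.
$AgentExe = 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe'

# 4624 = successful logon, 4625 = failed logon. ProcessName is the caller of LogonUser.
$FilterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and *[EventData[Data[@Name='ProcessName']='$AgentExe']]
    </Select>
  </Query>
</QueryList>
"@

# NTSTATUS SubStatus values of 4625 and what they mean for a PTA user (our wording).
$SubStatusHint = @{
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006f' = 'Outside permitted logon hours'
    '0xc0000070' = 'Workstation restriction: agent server missing from the "Log On To" list'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000224' = 'User must change password at next logon'
    '0xc0000234' = 'Account locked out'
}

function Get-PtaLogonEvent {
    param([int]$MaxEvents = 200)
    $events = Get-WinEvent -FilterXml $FilterXml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) { Write-Warning "No 4624/4625 events for $AgentExe found in the Security log"; return }
    foreach ($ev in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $sub = ('{0}' -f $d['SubStatus']).ToLower()
        [pscustomobject]@{
            Time      = $ev.TimeCreated
            EventId   = $ev.Id
            Result    = if ($ev.Id -eq 4624) { 'Success' } else { 'Failure' }
            User      = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
            LogonType = $d['LogonType']
            SubStatus = $d['SubStatus']
            Hint      = if ($ev.Id -eq 4625 -and $SubStatusHint.ContainsKey($sub)) { $SubStatusHint[$sub] } else { '' }
        }
    }
}

# Newest first; failures carry the decoded SubStatus so the cause is visible at a glance.
Get-PtaLogonEvent | Sort-Object -Property Time -Descending | Format-Table -AutoSize
```

Logon events record the ProcessName of the machine-local caller of LogonUser, so the agent server's own Security log is the first place this filter matches; the domain controllers hold the corresponding credential-validation events.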

    

Performance monitor counter

Another way to monitor authentication agents is to watch specific performance monitor counters on each server that has an authentication agent installed. Use the following global counters (# PTA authentications, # PTA failed authentications and # PTA successful authentications) and error counters (# PTA authentication errors):


Important

Pass-through authentication provides high availability by using multiple authentication agents, not load balancing. Depending on your configuration, not all of your authentication agents receive an equal number of requests. It is possible that a particular authentication agent receives no traffic at all.


Article information

Author: Catherine Tremblay

Last Updated: 05/20/2023
