Unable to login to Office 365 Tenant

I’ve encountered an interesting issue; documenting how to troubleshoot and fix it may be useful to others.

Issue: Users are unable to log in to http://portal.office.com. They get the following error:

[Screenshot: Login-Error]

Analysis:

The error message itself is not very useful, so I had to collect some information to find out what was going on:

  1. AAD Connect for that tenant is still running. There is a recent successful delta sync in the logs.
  2. Everyone, including the Global administrator, cannot log in.
  3. Checked with other tenants, and there is no news from Microsoft on the message center (this rules out a Microsoft-side issue).
  4. Password changes seem to be replicating. There are logs for the users who recently changed their password.
  5. The AAD Connect version is 1.1.5.

The information collected was not very useful, except for one thing:

Full/Delta Synchronization is working without any issue.

Troubleshooting:

Ran Fiddler from the machine where I tried logging in to Office 365 and found something interesting.

[Screenshot: Fiddler log]

If you look closely, the authentication is being redirected.

This generally happens when there is an AD FS server. It can also happen with the “Pass-Through Authentication” feature of AAD Connect.

To know more about it, see:

User sign-in with Azure Active Directory Pass-through Authentication

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

Long story short:

  1. The user tries to log in to http://portal.office.com or to access any Office application.
  2. Once the credentials are provided by the user, Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.
  3. An on-premises Authentication Agent retrieves the username and encrypted password from the queue.
  4. The agent decrypts the password by using its private key.
  5. The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually userPrincipalName, or another attribute configured in Azure AD Connect (known as Alternate ID).
  6. In this case the agent fails to return the result of that evaluation (success, failure, password expired, or user locked out) to Azure AD, so the sign-in never completes.

Solution:

Pass-through authentication is failing for some reason. This also explains why “Full/Delta Sync” keeps working: the sync service account is a cloud-only account, so it does not depend on the on-premises Authentication Agent.

Disabled pass-through authentication on AAD Connect using the AAD Connect wizard and reverted to password-hash synchronization.
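Before switching sign-in methods, it is worth checking the Authentication Agent itself on the on-premises server. The following triage script is an added example, not part of the original post or of Microsoft's tooling; the service name, the event log name and the endpoint list are assumptions and should be confirmed against your agent installation.

```powershell
# Added triage script for a Pass-Through Authentication agent host (example, not from the original post).
$ServiceName = 'AzureADConnectAuthenticationAgent'                   # assumption: PTA agent Windows service name
$LogName     = 'Microsoft-AzureADConnect-AuthenticationAgent/Admin'  # assumption: agent admin event log name
$Endpoints   = @('login.microsoftonline.com', 'login.windows.net')   # Azure AD endpoints the agent must reach on 443

$findings = @()

# 1. Is the agent service present and running? A stopped agent leaves sign-in requests unanswered in the queue.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $findings += "Service '$ServiceName' not found: this host is not a PTA agent (or the name assumption is wrong)."
} elseif ($svc.Status -ne 'Running') {
    $findings += "Service '$ServiceName' is $($svc.Status); users cannot sign in until it is running."
}

# 2. Errors (level 2) and warnings (level 3) logged by the agent in the last 24 hours.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 2,3; StartTime = $since } -ErrorAction SilentlyContinue
foreach ($e in ($events | Select-Object -First 10)) {
    $firstLine = ($e.Message -split "`n")[0]
    $findings += "[$($e.TimeCreated)] $($e.LevelDisplayName) $($e.Id): $firstLine"
}

# 3. Outbound HTTPS reachability. The agent also needs 443 to *.servicebus.windows.net and *.msappproxy.net,
#    which are wildcard names, so verify those separately against your proxy/firewall egress rules.
foreach ($h in $Endpoints) {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    if (-not $t.TcpTestSucceeded) { $findings += "Cannot reach ${h}:443 from this host; check proxy/firewall egress." }
}

if ($findings.Count -eq 0) {
    "No local problem found: agent running, no recent errors, Azure AD reachable. Check agent health in the Azure AD Connect blade of the portal next."
} else {
    $findings
}
```

Run it in an elevated PowerShell session on each server that hosts an Authentication Agent; if all agents report healthy, the problem is upstream of them and the portal's agent health view is the next place to look.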
