I’ve encountered an interesting issue that may well be useful to others, along with how to troubleshoot and fix it.
Issue: Users are unable to log in to http://portal.office.com. They get the following error:
The error message itself is not very useful, so I had to collect some information to find out what was going on:
- AAD Connect for that tenant is still running. There is a recent delta sync success in the logs
- Nobody, including the Global Administrator, can log in
- Checked with other tenants, and there is no news from MS on the message center (this rules out a Microsoft-side issue)
- Password changes seem to be replicating. There are logs for the users who recently changed their passwords
- The AAD connect version is 1.1.5
The information collected was not very useful at all, except for one thing:
Full/Delta Synchronization is working without any issue
Ran Fiddler on the machine where I tried logging in to Office 365 and found something interesting.
If you closely look at it, the authentication is being redirected.
This generally happens if there is an AD FS server. It can also happen when the “Pass-Through Authentication” feature is enabled on AAD Connect.
To know more about it, see:
User sign-in with Azure Active Directory Pass-through Authentication
Long story short:
- The user tries to log in to http://portal.office.com or to access any Office application
- Once the credentials are provided by the user, Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.
- An on-premises Authentication Agent retrieves the username and encrypted password from the queue.
- The agent decrypts the password by using its private key.
- The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually userPrincipalName, or another attribute configured in Azure AD Connect (known as
- In this case, the Agent fails to return the result of the authentication (success, failure, password expired, or user locked out) to Azure AD
Pass-through authentication is failing for some reason. This also explains why Full/Delta Sync keeps working: the synchronization service account is a cloud-only account, so it does not depend on the on-premises Authentication Agent.
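Before falling back to password hash sync, a quick health check of the Authentication Agent on the AAD Connect server shows whether the agent is down or cannot reach Azure AD. This is an added example, not part of the original post; the service name and event log name are assumptions, and login.microsoftonline.com is used as the reachability target.

```powershell
# Added example: PTA Authentication Agent health check on the AAD Connect server.
# Assumed names (not from the post): service 'AzureADConnectAuthenticationAgent'
# and event log 'Microsoft-AzureADConnect-AuthenticationAgent/Admin'.
$serviceName = 'AzureADConnectAuthenticationAgent'
$logName     = 'Microsoft-AzureADConnect-AuthenticationAgent/Admin'

# 1. Is the agent service installed and running?
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "PTA agent service '$serviceName' not found on this server."
} else {
    Write-Output ("PTA agent service state: {0} (start type: {1})" -f $svc.Status, $svc.StartType)
}

# 2. Critical/Error/Warning events from the agent in the last 24 hours
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Level = 1,2,3; StartTime = $since } `
          -ErrorAction SilentlyContinue
if ($events) {
    Write-Output "Agent errors/warnings since $since:"
    $events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap -AutoSize
} else {
    Write-Output "No agent errors/warnings since $since (or log '$logName' is not present)."
}

# 3. Outbound HTTPS reachability: the agent keeps an outbound connection to Azure AD,
#    so a blocked proxy/firewall leaves sign-ins unanswered even when sync still works.
$r = Test-NetConnection -ComputerName 'login.microsoftonline.com' -Port 443 -WarningAction SilentlyContinue
Write-Output ("TCP 443 to login.microsoftonline.com: {0}" -f $(if ($r.TcpTestSucceeded) { 'OK' } else { 'FAILED' }))
```

A stopped service, agent errors in the log, or a failed outbound test each point at the on-premises side rather than the tenant.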
Disabled pass-through authentication on AAD Connect using the AAD Connect wizard and reverted it to password hash synchronization.