I've installed the latest version of MS AAD Connect Provisioning Agent (1.1.997.0), however the authentication step fails with the error "Please provide the Azure AD credentials of a global administrator or a hybrid administrator." I've tried both types (a gAdmin account as well as a hybrid identity admin) with no success. Is there a known issue?
I just followed the instructions as documented by MS.
downloaded and installed the latest version of the agent from AAD Connect cloud sync provisioning blade.
Once the agent installs the AAD authentication wizard launches but no matter which creds I use (global or hybrid admin), the error persists.
Instructions: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp
I tried to reproduce the same in my environment and got below error with Non-Admin Account credentials
Steps to Create AAD Connect Configuration:
1)Download the AAD Connect tool here and install.
2)Select Customize -> Choose any sign in method (For testing I selected password hash synchronization) -> Next
3)Make sure to enter Global admin credentials to sync to Azure AD.
4)Enter your On-Prem DC Admin credentials to verify the DC access, you will get below screen once you validate both Azure AD Global and DC Admin Credentials.
5)Complete next steps and finish the installation.
6)Verify Sync after completing the AAD installation.
7)Open Synchronization Service Manager and check sync Status.
8)Also check the status in Azure Portal
To disable IE Enhanced Security, you can follow below steps:
Go to Server Manager -> Local Servers -> IE Enhanced Security Configuration -> Select Off
Related
I'm currently trying to implement openvpn server authenticated with keycloak.
This part is actually working well with user added in keycloak but now I want to authenticate my openvpn user with azure AD.
I made the configuration to be able to authenticate user with keycloak and azure AD has identity provider so this part work well but not I want to conbine both
I would like that my user will be authtenticated with azure AD throw keycloak when they execute OpenVPN client.
I have 1 realm. The account clients work properly with Azure AD and I have a Clients for OpenVPN but How to link both
• As per the described query, you want to authenticate with Azure AD through Keycloak while connecting with OpenVPN client. Thus, accordingly, you will have to configure the VPN client for P2S OpenVPN protocol connection in Azure AD first. For that purpose, kindly follow the below documentation link which describes the steps to be followed for registering and configuring ‘Azure VPN’ as an application in Azure AD and further configuring the VPN configuration settings on it as well: -
https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-point-to-site-azure-ad
• Once, the above-mentioned steps are done as stated, then you will have to register an application as a client service principal in your Azure AD, create a client secret for it and register the same in keycloak administration console as mentioned in the below link. This will ensure that your keycloak integration with Azure AD is complete and working fine as well as the authentication for your Azure AD users through keycloak is possible over OpenVPN client such as Azure VPN client.
https://blog.hcltechsw.com/versionvault/how-to-configure-microsoft-azure-active-directory-as-keycloak-identity-provider-to-enable-single-sign-on-for-hcl-compass/
The above document states for ‘HCL Compass’ as the target application to be connected via keycloak via Azure AD identity but you can configure the same as per your own SaaS application to be integrated.
So we have Azure AD synced with our on-premise domain. We have an Azure SQL Server configured with the active directory admin. We also have a non Azure SQL server running on a virtual machine in Azure that is domain joined to this same domain. The following are the results of using the various authentication mechanisms offered by SQL Management Studio (SSMS). Can someone explain why the failures occur with the various options that should be supported?
Facts about environment:
Passthrough authentication is the sign-in method configured on AD Connect
Password hash sync is also enabled so password hashes are stored in Azure AD
Azure SQL is configured with Active Directory admin
Latest version of SSMS was downloaded when performing these test
On premise account was used to test all scenarios
Domain joined client connecting to Azure SQL from SSMS
Active Directory Password (PASS)
Active Directory Universal (PASS)
Windows Integrated (FAIL - not supported by Azure SQL)
Active Directory Integrated (FAIL – see error below)
Failure when client is standard domain joined client
Failure when client is Azure domain joined client
Domain joined client connecting to non-Azure SQL hosted on same domain
Active Directory Integrated (PASS)
Windows Integrated (PASS)
Active Directory Password (FAIL – Login failed for user ‘’)
Active Directory Universal (FAIL – Login failed for user ’’)
This issue may be related with the AD Syncing options. Verify in your environment that AD is not syncing passwords into the tenant. This prevents AD Integration Authentication and AD Password Authentication. The only authentication that works on these cases is AD Universal Authentication, as your test shows.
It looks to me that his is an ADAL problem (WSTrust) related to network configuration. Please create a support case and work with the support team to solve this problem
I am trying to access the Azure AD graph API. I have successfully added users to my test environment (ADFS) and changed their domain to {mytestdomain}.onmicrosoft.com. The password synchronization using Azure AD Connect works.
Now I have setup the production environment (including ADFS) accordingly and I am now synchronizing the users, but obviously can't change the domains to {mydomain}.onmicrosoft.com. The users now have {mydomain}.net and I am synchronizing the users to a verified domain in Azure AD.
When trying to access
https://login.microsoftonline.com/{mydomain}.net/oauth2/token
using the following (yes, I know that grant_type is not recommended, but that's not the point)
grant_type: password
username: {user}#{mydomain}.net
password: XXXX
resource: https://graph.windows.net
client_id: {Guid}
I get:
AADSTS70002: Error validating credentials.
AADSTS50126: Invalid username or password
If I use an administrator like admin#{mydomain}.onmicrosoft.com it works fine.
In the Azure portal I have tried changing the primary domain from {mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a difference.
It says in the management portal:
"To configure {mydomain} for federated sign-on to your Azure Active Directory, run Azure AD Connect on your local network."
Does that apply when using the graph API as well? Do I have to setup federation on my local network or is there another way around?
In the azure portal I have tried changing the primary domain from
{mydomain}.onmicrosoft.com to {mydomain}.net, but it does not make a
difference.
I'm not clear the details of your Syncing steps. Besides verified you custom domain in Azure AD, you also need some other configurations, like Azure AD sign-in configuration. You can see more details in this document.
Does that apply when using the graph api as well? Do I have to setup
federation on my local network or is there another way around?
Yes, Since you're using ADFS, you need to use Federated SSO (with Active Directory Federation Services (AD FS)) to allows your users to sign in to both cloud and on-premises resources by using the same passwords.
You can also see more details about Azure AD Connect user sign-in options in this official document.
Hope it helps!
When I deploy my app to a server, I'm getting the Login failed message. My DB and app are located on two separate physical machines. However this has not posed a problem when developing and testing locally and connecting out to the DB server; only after publishing.
Steps I've taken To attempt to resolve
In my Web.Config I've set Integrated security to false. When integrated security was true, it was giving the same error but with the machine name in place of the user name.
I placed valid credentials in the User ID: and Password: fields of the Web.Config. The credentials placed in Web.Config are also used to log into Sql Server Management Studio directly.
Within SSMS I've also verified those credentials will work under Windows Authentication and SQL Server Authentication.
Those credentials I've set in the app work when I log into the SSMS using Windows Authentication. Advice on how to resolve this would be greatly appreciated. Thanks!
By default, IIS runs your application under a local machine account. This account does not have any permissions to access your SQL Server. In order to achieve integrated security, you need grant it access. There are a few ways to do it, the thread Add IIS 7 AppPool Identities as SQL Server Logons will get you started.
Another way, which is preferred over adding the IIS account, is to create a service account in Active Directory and setting the App Pool Identity in IIS to the service account. Depending on your environment, you should work with your network admin and or DBA to set this up.
Your last option would be to simply use SQL Authentication.
I am accessing my server through remote desktop connection and have configured a webservice in IIS. I am able to see the methods but when I click on the button to "Invoke" I get the following error:
System.Data.SqlClient.SqlException: Login failed for user 'SOLDev\Server02$'.
at ShareWare.Web.Service.WebAPI.Reservation.GetInfo()
Why is it taking the machine name as the user?
My windows authentication user is User1Dev.
Also my directory security in IIS is setup as follows:
Option "Enable anonymous access" -- it's disabled
Option "Integrated Windows Authentication" -- checked off
I am using .NET framework 2.0
Your web service connects to the SQL using Windows authentication as the principal running the service. In this case it appears to be BUILTIN\System or BUILTIN\Network Service, both of which authenticate in the domain as the machine account, ie. 'SOLDEV\Server02$' which corresponds to a machine named Server02 in the domain SOLDEV.
If you wish to authenticate on the SQL Server with your own login, then the IIS must flow the authentication information, in a process called Constrained Delegation. See Configuring Constrained Delegation for Kerberos (IIS 6.0). or How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.
If you want the web service to authenticate to SQL Server as itself, then you must grant login permission to the web service principal on SQL: CREATE LOGIN [SOLDEV\Server02$] FROM WINDOWS.
It's because the web service is running as the Network Service id, not as the logged in user. You probably also need to have <identity impersonate="true" /> in your web config if you are planning to use the user's credentials to connect to SQL Server.