Azure Active Directory Connect Provisioning Agent - credentials error

PatrickEl 21 Reputation points
2022-04-12T10:48:53.447+00:00

hello guys,

we are using Workday user provisioning to AD, and the Enterprise Application has been getting an alert for two days now:

[screenshot: alert shown on the Enterprise Application]

Event log (occurs every 5 min.):
[screenshot: DCOM event log entry]

When I start the installed cloud provisioning agent, it forces me to use or create a gMSA account, which back in the day wasn't a thing; we used another account to run it.

I will update my case if I have new information, but my questions would be:

  1. Has any of you received a DCOM error before in combination with user provisioning?
  2. Is the release history for the provisioning agent incomplete? It seems a gMSA account is now forced to be created/used in order to get the app running.
    I have not created a gMSA account yet; I will wait until I get some response :-).

Thanks a lot.

Regards
Patrick


Accepted answer
  1. Chetan Desai 971 Reputation points Microsoft Employee
    2022-04-20T19:15:06.837+00:00

    @PatrickEl
    Regarding your question:

    is the gMSA account forced for the provisioning agent? it doesn't seem a way around it.

    We recommend using a gMSA account as a best practice. If for some reason there are constraints around using a gMSA account, you can use a normal account by configuring the registry option documented here: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/how-to-manage-registry-options#skip-gmsa-configuration

    Thanks,
    Chetan


2 additional answers

Sort by: Most helpful
  1. JamesTran-MSFT 36,461 Reputation points Microsoft Employee
    2022-04-20T18:47:07.543+00:00

    @PatrickEl
    Thank you for following up on this!

    Based off your DCOM event ID, it looks like this might be a Windows Client issue where these 10016 events are recorded when Microsoft components try to access DCOM components without the required permissions. In this case, this behavior is expected and by design.

    DCOM event ID 10016 is logged in Windows:

    Symptom:
    On a computer that's running Windows 10, Windows Server 2019, or Windows Server 2016, the following event is logged in the system event logs.

    Source:        Microsoft-Windows-DistributedCOM
    Event ID:      10016
    Description:   The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID
    {D63B10C5-BB46-4990-A94F-E40B9D520160}
    and APPID
    {9CA88EE3-ACB7-47C8-AFC4-AB702511C276}
    to the user NT AUTHORITY\SYSTEM SID (S-1-5-18) from address LocalHost (using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.


    Cause:
    These 10016 events are recorded when Microsoft components try to access DCOM components without the required permissions. In this case, this behavior is expected and by design.

    A coding pattern has been implemented where the code first tries to access the DCOM components with one set of parameters. If the first attempt is unsuccessful, it tries again with another set of parameters. The reason why it doesn't skip the first attempt is because there are scenarios where it can succeed. In those scenarios, it's preferable.

    Workaround:
    These events can be safely ignored because they don't adversely affect functionality and are by design. It's the recommended action for these events.

    If desired, advanced users and IT professionals can suppress these events from view in the Event Viewer. To do it, create a filter and manually edit the filter's XML query similar to the following one:

    <QueryList>
      <Query Id="0" Path="System">
        <Select Path="System">*</Select>
        <Suppress Path="System">
          *[System[(EventID=10016)]]
          and
          *[EventData[
            (
              Data[@Name='param4'] and Data='{D63B10C5-BB46-4990-A94F-E40B9D520160}' and
              Data[@Name='param5'] and Data='{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}' and
              Data[@Name='param8'] and Data='S-1-5-18'
            )
            or
            ( Data[@Name='param4'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}' and
              Data[@Name='param5'] and Data='{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}'
            )
            or
            (
              Data[@Name='param4'] and Data='{C2F03A33-21F5-47FA-B4BB-156362A2F239}' and
              Data[@Name='param5'] and Data='{316CDED5-E4AE-4B15-9113-7055D84DCC97}' and
              Data[@Name='param8'] and Data='S-1-5-19'
            )
            or
            (
              Data[@Name='param4'] and Data='{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}' and
              Data[@Name='param5'] and Data='{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}' and
              Data[@Name='param8'] and Data='S-1-5-19'
            )
          ]]
        </Suppress>
      </Query>
    </QueryList>


    I've also reached out to our Provisioning PG team to see if they can look into this issue and will update as soon as possible.

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    ----------

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

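The filter above hides only 10016 events whose CLSID/APPID/SID combination is on the published list; a 10016 event with the same CLSID and APPID but a different caller SID is not matched and still deserves a look. The script below applies that same logic to events exported from the System log, so the by-design noise is counted separately from anything that falls outside the list. This is an added example, not code from the answer or from Microsoft; it assumes events exported in the standard Windows event XML layout (for instance via wevtutil qe System /f:xml) and uses constructed sample events rather than a real capture.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# (CLSID, APPID, SID) combinations from the suppression filter; None means no param8 condition.
KNOWN_BENIGN = [
    ("{D63B10C5-BB46-4990-A94F-E40B9D520160}", "{9CA88EE3-ACB7-47C8-AFC4-AB702511C276}", "S-1-5-18"),
    ("{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}", "{260EB9DE-5CBE-4BFF-A99A-3710AF55BF1E}", None),
    ("{C2F03A33-21F5-47FA-B4BB-156362A2F239}", "{316CDED5-E4AE-4B15-9113-7055D84DCC97}", "S-1-5-19"),
    ("{6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}", "{4839DDB7-58C2-48F5-8283-E1D1807D0D7D}", "S-1-5-19"),
]

def parse_event(xml_text):
    """Return (EventID, {Data@Name: text}) from one exported Windows event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def classify(xml_text):
    """'benign-by-design' if the filter would suppress it, 'review' for any other 10016, else 'other'."""
    event_id, data = parse_event(xml_text)
    if event_id != 10016:
        return "other"
    clsid = data.get("param4", "").upper()   # GUIDs compared case-insensitively
    appid = data.get("param5", "").upper()
    sid = data.get("param8")
    for k_clsid, k_appid, k_sid in KNOWN_BENIGN:
        if clsid == k_clsid and appid == k_appid and (k_sid is None or sid == k_sid):
            return "benign-by-design"
    return "review"

def make_event(clsid, appid, sid, event_id=10016):
    """Constructed sample in the Windows event XML layout (not a real capture)."""
    return f"""<Event xmlns="{NS['e']}">
  <System><Provider Name="Microsoft-Windows-DistributedCOM"/><EventID>{event_id}</EventID></System>
  <EventData>
    <Data Name="param2">Local</Data><Data Name="param3">Activation</Data>
    <Data Name="param4">{clsid}</Data><Data Name="param5">{appid}</Data>
    <Data Name="param8">{sid}</Data><Data Name="param9">LocalHost (Using LRPC)</Data>
  </EventData>
</Event>"""

def triage(events):
    """Count each category across a batch of exported events."""
    counts = {"benign-by-design": 0, "review": 0, "other": 0}
    for e in events:
        counts[classify(e)] += 1
    return counts
```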

  2. Vineet Kumar Gupta 161 Reputation points
    2022-04-12T14:51:01.463+00:00

    Please reset your credentials, try with a new password, and make sure you are a Global Administrator.

    Then try