problem enabling SSPR in AD Connect Server

Javier I. Uribe 111 Reputation points
2020-12-01T14:52:45.153+00:00

Hello; when I try to enable password reset in the AD Connect server, the last "Configure" step (the "Configuration complete" screen) shows this message:

  • "Unable to configure password writeback. Please consult the event log for additional information"

I checked the Event Viewer and these error events are listed:

Event ID: 32001 Source: PasswordResetService

"TrackingId a6841cf7-7bb0-4ebc-93f0-4f38707ec056, Couldn't connect to any service bus endpoint(s). Details:

----------

Event ID: 31044 Source: PasswordResetService

"TrackingId a6841cf7-7bb0-4ebc-93f0-4f38707ec056, Password writeback service is not a healthy state. No serviceHost for service bus endpoints are in running state. Please refer aka.ms/ssprtroubleshoot, Details: Version: 5.0.682.0"

----------

And these warning events are in the Event Viewer too:

Event ID: 31031 Source: PasswordResetService

"TrackingId a6841cf7-7bb0-4ebc-93f0-4f38707ec056, ServiceHost for Namespace ssprdedicatedsbprodscu, Endpoint: 99f7b55e-9cbe-467b-8143-919782918afb_42e1680c-c215-467c-af04-911914242a46 is not running. Details version: 5.0.682.0"

----------

Event ID: 32014 Source: PasswordResetService

"TrackingId: a6841cf7-7bb0-4ebc-93f0-4f38707ec056, Listener for Namespace: ssprdedicatedsbprodscu, Endpoint: 99f7b55e-9cbe-467b-8143-919782918afb_42e1680c-c215-467c-af04-911914242a46 offline Event. Last error encountered System.ServiceModel.CommunicationException: The client and server cannot communicate, because they do not possess a common algorithm ---> System.IO.IOException: The client and server cannot communicate, because they do not possess a common algorithm ---> System.ComponentModel.Win32Exception: The client and server cannot communicate, because they do not possess a common algorithm
at System.Net.SSPIWrapper.AcquireCredentialsHandle(SSPIInterface SecModule, String package, CredentialUse intent, SecureCredential scc)
at System.Net.Security.SecureChannel.AcquireCredentialsHandle(CredentialUse credUsage, SecureCredential& secureCredential)
at System.Net.Security.SecureChannel.AcquireClientCredentials(Byte[]& thumbPrint)
at System.Net.Security.SecureChannel.GenerateToken(Byte[] input, Int32 offset, Int32 count, Byte[]& output)
at System.Net.Security.SecureChannel.NextMessage(Byte[] incoming, Int32 offset, Int32 count)
at System.Net.Security.SslState.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.BeginAuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
at System.Net.Security.SslStream.BeginAuthenticateAsClient(String targetHost, AsyncCallback asyncCallback, Object asyncState)
at Microsoft.ServiceBus.ServiceBusClientWebSocket.ConnectAsyncResult.<>c__DisplayClass23_0.


Accepted answer
  1. Javier I. Uribe 111 Reputation points
    2020-12-15T16:23:38.407+00:00

    Hello; thank you, everyone, for trying to help me. I found the fix. The "sad" solution is: enable TLS 1.0 on the AD Connect server.

    Enabling TLS 1.0 allowed the password writeback feature to run on the AD Connect server. The error and warning events disappeared from the Event Viewer.

    I tested the service and it works perfectly.

    The unhappy story, and my question, is: why do I need to enable a deprecated cryptographic protocol for a password service?

    3 people found this answer helpful.

3 additional answers

  1. Don Dao 26 Reputation points
    2021-06-04T18:53:41.79+00:00

    We recently had a corporate-wide disablement of TLS 1.0 and enablement of TLS 1.2. The fix for me was to add the following registry value and reboot the server, per this article:

    https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites#enable-tls-12-for-azure-ad-connect

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    No more Event ID 31044, 31031, 31045, 32014 "cannot communicate" errors in the Event Viewer now.

    5 people found this answer helpful.
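    The following PowerShell script is an added example; it is not code from the question, from either answer, or from Microsoft. It ties the two fixes in this thread together: the stack trace in the question fails in AcquireCredentialsHandle with "no common algorithm", which is what Schannel returns when the client offers only protocols the OS has disabled. A .NET Framework 4.x process that has neither SchUseStrongCrypto nor SystemDefaultTlsVersions set falls back to offering SSL 3.0/TLS 1.0, so disabling TLS 1.0 leaves it with nothing to negotiate. Re-enabling TLS 1.0 (the accepted answer) and setting SchUseStrongCrypto (this answer, and the linked prerequisites article) therefore cure the same mismatch; the script follows the second route because it keeps TLS 1.0 off. It assumes the writeback events land in the Application log under the provider name shown in the question ("PasswordResetService"), and it only writes the registry when run with -Apply. Run it elevated on the Azure AD Connect server and reboot afterwards.

```powershell
<#
  Added example, not part of the original thread. Audits why the password
  writeback client cannot negotiate TLS and applies the .NET strong-crypto
  values from the linked prerequisites article. Run elevated; reboot after -Apply.
#>
param([switch]$Apply)

$ErrorActionPreference = 'Stop'

# --- 1. Pull the PasswordResetService events quoted in the question ---------
# Assumption: the events are in the Application log under this provider name.
$ids = 31031, 31044, 32001, 32014
try {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'PasswordResetService'
        Id           = $ids
    } -MaxEvents 20 |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } |
        Format-Table -AutoSize
} catch {
    # Get-WinEvent throws when nothing matches; that is not itself a fault.
    Write-Host "No matching PasswordResetService events: $($_.Exception.Message)"
}

# --- 2. Audit Schannel client protocols and the .NET TLS policy values -------
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the value (or key) is absent and the OS/.NET default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Show-Value($v, $absent) { if ($null -eq $v) { $absent } else { $v } }

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($proto in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $client = Join-Path (Join-Path $schannel $proto) 'Client'
    '{0,-8} client: Enabled={1} DisabledByDefault={2}' -f $proto,
        (Show-Value (Get-RegDword $client 'Enabled') 'default'),
        (Show-Value (Get-RegDword $client 'DisabledByDefault') 'default')
}

# Both the 64-bit and the 32-bit (Wow6432Node) .NET keys matter; AD Connect
# hosts a mix of processes, and the article sets both.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
foreach ($key in $netKeys) {
    '{0}: SchUseStrongCrypto={1} SystemDefaultTlsVersions={2}' -f $key,
        (Show-Value (Get-RegDword $key 'SchUseStrongCrypto') 'not set'),
        (Show-Value (Get-RegDword $key 'SystemDefaultTlsVersions') 'not set')
}

# --- 3. Remediate: make .NET 4.x follow the OS protocol policy (TLS 1.2) -----
if ($Apply) {
    foreach ($key in $netKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' -Value 1 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType DWord -Force | Out-Null
        Write-Host "Set SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1 under $key"
    }
    Write-Host 'Reboot the server, then re-run the password writeback configuration in the wizard.'
} else {
    Write-Host 'Dry run: re-run with -Apply to write the .NET strong-crypto values.'
}
```

    After the reboot, the audit section should show TLS 1.0 still disabled on the client side, both .NET keys with SchUseStrongCrypto=1 and SystemDefaultTlsVersions=1, and no fresh 31044/32014 events once the writeback service is re-enabled. If the 32014 event keeps appearing with the same "no common algorithm" text, check that the values were written under both keys, not only the 64-bit one.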

  2. Javier I. Uribe 111 Reputation points
    2020-12-01T14:56:46.387+00:00

    An update for the problem. I did this procedure:

    • Restarted the Azure AD Connect Sync Service.
    • Disabled and re-enable the Password Writeback feature

    But the problem persists.

    Thank you for your collaboration.


  3. Oner Ziya Bas 81 Reputation points
    2020-12-08T13:47:22.02+00:00

    Make sure that the time isn't skewed

    Make sure that the time on the server on which Azure AD Connect is installed matches the time on the authoritative time server.
