0 Votes
rami1989 asked:

Inactive Azure authentication agent

Hello,

After an Active Directory domain migration, I am facing strange behavior with Azure authentication agents: they are always inactive (but user connections are OK). If I restart the Azure authentication service where the PTA agent is installed, both agents are seen as "active" on the Azure portal and then go back to inactive (approx. 30 min later).
I noticed this error because after 10 days, inactive direct authentication agents are automatically deleted from the Azure portal. So, no one can log on to O365. With the service restart, both PTA agents were recreated and users can log on again.

Domain migration from 2008 R2 to 2016.
One PTA agent was deleted from an old 2012 DC and reinstalled on a new 2016 DC without problems during the installation.
On the direct authentication portal, both PTA agents show the correct public IP and FQDN.

Has someone faced this issue?
Thank you!

Tags: azure-ad-connect, azure-ad-authentication

0 Votes
vipulsparsh-MSFT answered:

@rami1989 A few other customers seem to be facing this. Can you try something like this to repair your Azure AD Connect setup and see if this fixes it for you.
The inactive agent indeed gets removed by Azure portal automatically after some time.

Let me know how it goes for you.


0 Votes
rami1989 answered:

Thank you for your answer, but the repair didn't solve the issue: same effect as restarting the service (active for 30 min, then back to inactive).

I dug deeper and saw that on the day I added a new 2016 DC to the domain, the AZUREADSSOACC account (used for direct authentication) had been modified. Maybe it is related to this.
So I tried the steps to roll over the Kerberos decryption key of the AZUREADSSOACC computer account (link: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sso-faq#how-can-i-roll-over-the-kerberos-decryption-key-of-the-azureadssoacc-computer-account).

But I get an error on step one:
Get-AzureADSSOStatus : https://[...].registration.msappproxy.net/register/GetDesktopSsoStatus can't accept this message. Maybe due to an incorrect address or incorrect SOAP action. (translated here)

In Event Viewer:
Event ID 12020: The Connector was unable to connect to the service due to networking issues. The Connector tried to access the following URL: 'https://[...].bootstrap.msappproxy.net:8080/', Request ID: '{...}'. See Connector troubleshooting for more information: http://go.microsoft.com/fwlink/?LinkID=512316&clcid=0x409

In the logs (%ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace), I can see the IP from which the authentication agent wants to communicate (100% Microsoft).

Hard to figure out when you have never worked with Azure! Maybe I will try to open a case with MS.
Thank you
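The Event ID 12020 message quoted above says the agent "was unable to connect to the service due to networking issues" and names the URL it tried, so the first thing to rule out on the agent host is plain outbound connectivity: DNS resolution, the TCP port, and any proxy the agent's service account would have to go through. The script below is an added example, not code from this thread or from Microsoft. It assumes the agent writes 12020 events to the Application log (adjust the log name if yours differ), pulls the URL out of each recent event, and tests name resolution and a direct TCP connection to that host and port; the two placeholder hostnames are assumptions modelled on the redacted URLs in the posts and must be replaced with the ones from your own events. Microsoft's PTA prerequisites require outbound 443 (and 80) to *.msappproxy.net; the 8080 port comes from the event text itself.

```powershell
# Added example (not from the thread): verify that this PTA agent host can
# reach the endpoints named in Event ID 12020.
# Assumptions: 12020 events land in the Application log; the hostnames below
# are placeholders shaped like the redacted ones in the posts.

param(
    [string[]]$Endpoints = @(
        'https://TENANT-ID.bootstrap.msappproxy.net:8080/',   # placeholder, from the shape of the 12020 message
        'https://TENANT-ID.registration.msappproxy.net/'      # placeholder, host from the Get-AzureADSSOStatus error
    )
)

# 1. Collect recent 12020 (connectivity failure) events and extract the URL
#    the agent says it tried. The message format is "...URL: '<url>', Request ID...".
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 12020 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match "URL: '([^']+)'") {
        $Endpoints += $Matches[1]
    }
}

# 2. For every distinct URL, resolve the host and open a TCP connection to the
#    port the URL implies (443 when none is given). This is a direct socket test:
#    if the agent must use a proxy, compare with step 3 rather than trusting it alone.
$results = foreach ($url in ($Endpoints | Sort-Object -Unique)) {
    $uri  = [Uri]$url
    $port = if ($uri.IsDefaultPort) { 443 } else { $uri.Port }
    $dns  = Resolve-DnsName -Name $uri.Host -ErrorAction SilentlyContinue
    $tcp  = Test-NetConnection -ComputerName $uri.Host -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host         = $uri.Host
        Port         = $port
        Resolves     = [bool]$dns
        TcpConnected = $tcp.TcpTestSucceeded
        RemoteAddr   = $tcp.RemoteAddress
    }
}
$results | Format-Table -AutoSize

# 3. The agent runs as a Windows service and uses the WinHTTP proxy settings,
#    not the interactive user's browser proxy; show what it would actually use.
netsh winhttp show proxy
```

A host that resolves but fails the TCP test on 8080 while 443 succeeds points at an egress rule for the non-standard port; a host that fails to resolve points at DNS on the new 2016 DCs, which matches the timing described in the post. Run it in an elevated PowerShell on the machine where the agent service is installed, since the firewall path from another machine tells you nothing about this one.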

0 Votes
rami1989 answered:

I didn't notice that you wanted me to repair Azure AD Connect.
Anyway I cannot, as it seems that there is already a newer Azure AD Connect installed.
In fact, there is only Azure AD Connect v1.4.18.0 (checked with PowerShell; same version as in Control Panel).


@rami1989 This would need a deeper investigation; I would suggest opening a support case with us.

0 Votes