mi1an asked SteinIP edited

PasswordResetService ended with an error but the password was changed

I encountered a strange behaviour in the PasswordResetService. We have a hybrid AAD configuration with AAD Premium P1 licenses. We have enabled password writeback in our AAD Connect. I checked the permissions required for our AAD Connect sync account (Reset password, Write lockoutTime, Write pwdLastSet). I checked the SSPR configuration too and everything is okay.
In practice, when a user wants to change his password through his M365 profile, or when a user wants to reset his password through SSPR, it just doesn't work. After approx. 20 seconds our users receive the error: We could not change your password. I checked the AAD audit logs and found this error:
Status Reason: OnPremisesConnectivityFailure
So I went to the server where our AAD Connect is installed and checked the Application logs. I found logs from the ResetPasswordService and there is no error. In the Application logs I can see these statuses from the ResetPasswordService:
ChangePasswordRequestStart (with a username)
ChangePasswordSuccess, Details: Context: cloudAnchor (with a username)

I don't know what to do or how to solve this. I think the error shown to our user after clicking the Submit button is just a timeout (TimeoutException), or the information about the password change in our AD DS is not delivered back to AAD, i.e. to the user.
Any ideas?

azure-ad-sspr

We experienced the same issue, where password change from MyAccount.microsoft.com failed, but SSPR worked without a flaw. It turned out that AADSync needed FQDNs for our DCs!! We have several AD sites and found it reasonable to steer AADSync to certain DCs, but using NetBIOS names did not work.

We found our solution here:
https://janbakker.tech/kb-selfservicepasswordreset-write-back-problem-error-hr80230818/



1 Answer

JamesHamil-MSFT answered mi1an commented

Hi @mi1an , please perform the following steps and let me know if it resolves your issue:


  1. Restart the Azure AD Connect Sync service on the machine where the AD Connect is installed.

  2. Check the connector's permissions: make sure the account you are using is an admin with the highest possible permissions on premises, and is a member of the enterprise admin group in your AAD and has the reset password permissions that are required for the password writeback to work.

  3. Ensure network connectivity. Check that the following addresses are allowed for outbound HTTPS access:
    *.passwordreset.microsoftonline.com
    *.servicebus.windows.net

  4. Disable and re-enable the password writeback option from the Azure AD Connect Configuration wizard

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James

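The four steps in the answer above can be checked from one console session on the Azure AD Connect server. The script below is an added example, not part of the original thread or of any Microsoft documentation; it assumes it runs elevated on the AAD Connect server with the ADSync PowerShell module installed, uses the two endpoint zones named in the answer plus the concrete Service Bus host the asker tested, and assumes the Application log event source is named `PasswordResetService` (the thread itself uses both spellings). It only reports state; the restart and the writeback toggle from the answer are deliberately left as manual actions.

```powershell
# Added diagnostic script (not from the original thread). Assumes: elevated PowerShell on the
# Azure AD Connect server, ADSync module present, event source name 'PasswordResetService'.

# Step 1: state of the sync service (the answer restarts it; here we only report it).
$svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning 'ADSync service not found - is this the Azure AD Connect server?'
} else {
    Write-Host ("ADSync service: {0} (start type {1})" -f $svc.Status, $svc.StartType)
}

Import-Module ADSync -ErrorAction SilentlyContinue

# Step 2: which AD DS connector account is in use. It should be a dedicated, least-privilege
# account with the delegated Reset password / Write lockoutTime / Write pwdLastSet rights,
# not a Domain or Enterprise Admin (see the reply below the answer).
try {
    Get-ADSyncADConnectorAccount | Format-Table -AutoSize
} catch {
    Write-Warning "Could not read the AD connector account: $($_.Exception.Message)"
}

# Step 3: outbound TCP 443 reachability for the writeback endpoints.
# The first entry is the zone from the answer; the second is the concrete host the asker tested.
# Replace with the host names that appear in your own PasswordResetService events.
$endpoints = @(
    'passwordreset.microsoftonline.com',
    'ssprdedicatedsbprodscu.servicebus.windows.net'
)
foreach ($h in $endpoints) {
    $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    $state = if ($r.TcpTestSucceeded) { 'OK' } else { 'FAILED' }
    Write-Host ("TCP 443 to {0}: {1}" -f $h, $state)
}

# Step 4: current password writeback state on the Azure AD connector
# (assumption: the connector name ends in ' - AAD', which is the default naming).
try {
    $aad = Get-ADSyncConnector | Where-Object { $_.Name -like '* - AAD' } | Select-Object -First 1
    if ($aad) {
        Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
    } else {
        Write-Warning 'No Azure AD connector found in ADSync.'
    }
} catch {
    Write-Warning "Could not read writeback configuration: $($_.Exception.Message)"
}

# Finally, the Application log entries the asker was reading, newest last, first line only.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Application'; ProviderName = 'PasswordResetService'; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Host 'No PasswordResetService events in the Application log in the last 24 hours.'
} else {
    $events |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}
```

A `ChangePasswordSuccess` event on the server paired with `OnPremisesConnectivityFailure` in the cloud audit log, as in the question, points at the return path (the Service Bus relay) rather than at the on-premises write, so the TCP 443 check and the writeback state are the two outputs to read first.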

Hi @JamesHamil-MSFT

  1. I tried it but it did not help.

  2. AAD Connect sync account should not have Enterprise or Domain administrator role:
    - As of build 1.4.###.# it is no longer supported to use an enterprise admin or a domain admin account as the AD DS Connector account. If you attempt to enter an account that is an enterprise admin or domain admin when specifying use existing account, you will receive an error. Source: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-accounts-permissions

  3. I ran this command from PowerShell:
    Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
    with TcpTestSucceeded: True
    (source: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback)

  4. I tried this too but it did not help.

I will try to update the AAD Connect. I hope it will solve this.

Thanks anyway.




I tried updating the AAD Connect but it did not help.

I tried to refresh the AD schema in ADSync and reconfigured the AAD Connect sync account permissions in our AD. Then I disabled and re-enabled the password writeback and now it is working. Thank you for the suggestions and help.
