Channel: Azure Active Directory forum

ManagementException Provider load failure


I had Azure AD Connect working, in preparation for an on-premises Exchange 2010 to Office 365 hybrid migration.  Then Azure AD stopped working.  When I tried a repair, I get the following:

An error has occurred

An error has occurred on the Root page, preventing Azure AD Connect from continuing.  To protect your existing data, the wizard must be closed.

ManagementException

Provider load failure

The log file shows at the end:

[11:28:26.379] [  1] [ERROR] Caught an exception while creating the initial page set on the root page.
Exception Data (Raw): System.Management.ManagementException: Provider load failure 
   at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode)
   at System.Management.ManagementObjectCollection.ManagementObjectEnumerator.MoveNext()
   at System.Linq.Enumerable.<CastIterator>d__b1`1.MoveNext()
   at Microsoft.Azure.ActiveDirectory.Synchronization.SyncServiceProvider.SyncServiceProvider.IsRunInProgress(String& connectorName)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.DetectInstalledComponents.ValidateConfigChangesArePermitted()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.DetectInstalledComponents.Execute(String& message)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPagesCore()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.RootPageViewModel.GetInitialPages()
[11:32:58.956] [  1] [INFO ] Opened log file at path C:\Users\jsparks\AppData\Local\AADConnect\trace-20151030-112824.log

The Microsoft Azure AD Sync service is present, but will not start.  It gives an error:

Windows could not start the Microsoft Azure AD Sync service on Local Computer.

Error 1053: The service did not respond to the start or control request in a timely fashion.

I tried changing the log on user account, but when I do I get the same error.

I have rebooted the server, and retried the repair but get the same error.

Any suggestions?


Azure AD Connect + password synchronization = "Your account is temporarily locked ..."


Hey,

I just set up an Azure Active Directory using the Azure AD Connect tool to synchronize my on-premise users/passwords.

Everything seems to work so far, but when I try to log on to the Azure Portal (My apps) with one of the synchronized users, I'm getting the following message:

"Your account is temporarily locked to prevent unauthorized use. Try again later. Contact Customer Support if the problem persists."

What I already checked and did:

- The account is not locked on AD

- The account seems to be well synchronized on AAD

- I reset the password for one user on AD (and tried it on my domain), and forced a password synchronization to AAD

- Restarted the server hosting Azure AD Connect

- Changed the setting in AAD "Allow user to sign in and access services" to Block and saved, then put it back to Allow

- Removed and re-added the user in AAD (by removing it from the group used to sync users to AAD on the on-premise AD, forcing a synchronization and adding it again to the group)

So far, nothing helped. I'm still getting exactly the same message and cannot unlock this account.

Do you have any ideas how to fix this issue? 

Need of Reply URL/ Redirect URL , Sign On URL , APP ID URL while creating Application in Active Directory


Hi,

I need some clarity on the Reply URL or Redirect URI. As per the MSDN documentation, my understanding is that after Azure AD authenticates the user, AD sends back a response along with a token on success. But when we create an Application of type Web Application and/or Web API, the documentation and everyone else say we can give a dummy URL for the sign-in URL or App ID URL, whether it really exists or not. If that is the case, and after authenticating Azure AD sends the response to the above-mentioned dummy URL which does not exist, how does the client (either native or Web API) get the token?

Azure AD Connect fails to launch; FIPS Group Policy


Hello All,

We are currently implementing new Group Policies to comply with the information security department's mandate.  I have found one in particular that seems to cause problems with the Azure AD Connect tool:

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options ->System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing (Enabled)

When that setting is enabled, there seem to be some difficulties synchronizing (strange errors in synchronization manager) and the Azure AD Connect app fails to launch with this error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

The InfoSec guy is being stubborn on this one...any ideas on workarounds or an update to address this?

Affect users to an application by powershell instead of Azure AD Management GUI


HI,

We have an application that is using our Azure AD to authenticate, and we can use the Azure AD Applications Management part of the GUI to assign users so they can use it.  The problem is we don't have Premium, so we cannot assign by group; we can only add users individually, with a maximum of about 25 per shot (the number of users per page shown in the GUI), and there is a significant delay when going from page to page. Since we have more than 2000 users to add, my question is: is there a way to assign users to an application in Azure AD by first provisioning, say, a .CSV file as input to a PowerShell command to do so?

Azure AD connect tool


Hi All,

I have been trying to set up SharePoint Hybrid between SPO and a cloud VM.  I have a single VM on which everything is installed: SharePoint, SQL Server, ADDS, ADFS.  Can we install the Azure AD Connect tool on this VM, given that it is a domain controller?

Is there any known issue ? Please reply.

Anupam soni

Azure AD Premium Reports are not working


Hello,

 I've signed up for a trial of Azure AD Premium, which is linked to my Office 365 subscription. 

There are a number of users who have changed their password, in addition, I've changed their password as an administrator. If I run a "password reset activity" report, I get a "No data is available for this report" - this seems to happen for most of my users, but I don't know why.

I've assigned a licence to myself for Azure AD Premium; my Office subscription is an Office 365 E3. How does the licensing work for AD Premium?

Let's say I have 1000 users and 25 Azure AD Premium licences; to run reports against my users, does that mean I need to license 1000 users?

If I only assign 25 licences, but 100 users login from multiple geographies, does the report "sign in from multiple geographies" only show those 25 licensed users?

Thanks

Added 'Moodle' app doesn't display in 'My Apps'


Hello

I've added the Moodle app to our Active Directory, but despite the encouraging message on the Quick Start page ("Your app has been added!") things aren't working as I would expect them to!

I want all existing and future users to see and access this app in their My apps, but despite the message above the list of users ("User assignments are not currently required to access Moodle. Use configure to change"), only those users whom I manually assign can do so.

Clearly something's not right, but what?

BTW, this is my first outing with Office 365 and Azure, so need leading by the hand please!

Thanks

Russell

Facial Authentication - WebAccess


Hi,

I'm looking for some sample code on how to use my Intel RealSense camera with facial recognition to authenticate users to my web application.

Any help would be appreciated!

Thanks a lot!

Nic

e-commerce membership subscription

My company has an interest in the development of a cloud-based membership subscription service hosted on an Azure Active Directory platform that uses a full Lightweight Directory Access Protocol (LDAP) to look up the identity of each member.

Membership to the service is generated after payment of an online subscription fee, authenticated by an authorize.net gateway.

In this regard, can you recommend an e-commerce Azure platform to host the LDAP subscription service?

Hal

Azure AD Application Proxy and Sharepoint 2007 Error - "Authorization failed. Make sure the user has permissions to the internal application."


I am working to implement Azure AD Application Proxy to replace an aging TMG server in my environment. I've successfully set up application proxy roles for my RDWeb site, a SharePoint 2013 server, and a handful of other IIS servers we maintain, but can't get our old SharePoint 2007 server to play nice. I had the same type of issues with our SharePoint 2013 server, but converting it to use Kerberos authentication resolved the issue.   I've converted my SharePoint 2007 server to Kerberos but am getting an error after double-checking every setting I can think of:

This corporate app can't be accessed. You are not authorized to access this application

Azure AD Application Proxy
Status code: Forbidden
Url: <myexternal URL>
TransactionID:
18f62d3a-4c37-4c41-947d-3e5f7f8fcc41
Timestamp: 10/27/2015 1:30:24 PM

Authorization failed. Make sure the user has permissions to the internal application.

I have created an SPN and added it to the Delegation tab on my Connector server in its computer account in AD. I have Azure AD Application Proxy set to Integrated Windows auth with the relevant SPN set on the SharePoint 2007 server.  I'm thinking the error must be in the permission setup in SharePoint 2007, but I've confirmed the service account setup for Kerberos authentication is running the web application pool, is a farm administrator and can access any page we are testing with.   No errors in the security or applications logs to go off of, checked the SharePoint server, the Azure AD connector server and the workstation failing to login.

Any advice for where to go on this?

No information on choosing either Create New or use Existing Directory


Hello All,

My greatest frustration is that there does not seem to be any clear information on the internet on creating an Azure AD to sync with an existing on-site AD. There are a billion things on Azure AD Connect, which I have instructions for, but nothing on the Azure AD setup. So when I go to use "Existing Directory", does it find my on-premise AD and connect to it? And also, it looks like it adds my domain name to the Microsoft domain, which I guess is temporary.  If so, what are the steps for getting it to only be on my domain, such as DNS? In other words, please send me the instructions to follow that will leave me just before the Azure AD Connect portion.

Cheers,

RT

Powershell to set msRTCSIP-PrimaryUserAddress AD attribute in format 'sip: primary SMTP address'


Hi,

I am trying to build a PowerShell script which will read users provided in a CSV file and set the msRTCSIP-PrimaryUserAddress attribute in such a way that it is "sip: primarysmtpaddress". My first goal was to provide the 'mail' attribute, since it always has the primary email of the user, and concatenate it in the below way:

sip:+mail. However, somehow it's not working. Can anyone please help?

Regards

BM
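One way to do what the post describes, as an added example that is not the poster's script: read a CSV, look up each user's mail attribute, and write "sip:" followed directly by the address (the standard SIP URI form, with no space) into msRTCSIP-PrimaryUserAddress. It assumes the CSV has a SamAccountName column (an assumed column name), the ActiveDirectory RSAT module is installed, and the account running it may write the attribute.

```powershell
# Added example, not the poster's script.
# Assumptions: CSV column "SamAccountName" (assumed name), ActiveDirectory module present.
param(
    [Parameter(Mandatory = $true)][string]$CsvPath,
    [switch]$WhatIf
)

Import-Module ActiveDirectory

$rows = Import-Csv -Path $CsvPath
foreach ($row in $rows) {
    $sam = $row.SamAccountName
    if ([string]::IsNullOrWhiteSpace($sam)) { continue }

    # -Filter returns nothing (instead of throwing) when the user does not exist;
    # -Properties is needed because mail and the SIP attribute are not in the default set.
    $adUser = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
                         -Properties mail, 'msRTCSIP-PrimaryUserAddress'
    if (-not $adUser) {
        Write-Warning "User '$sam' not found; skipping."
        continue
    }

    # A missing mail attribute would produce the bare value "sip:", so refuse to write it.
    if ([string]::IsNullOrWhiteSpace($adUser.mail)) {
        Write-Warning "User '$sam' has no mail attribute; skipping."
        continue
    }

    # Build the SIP URI: the scheme is followed immediately by the address, no space.
    $sipAddress = 'sip:' + $adUser.mail.Trim()

    if ($adUser.'msRTCSIP-PrimaryUserAddress' -eq $sipAddress) {
        Write-Verbose "User '$sam' already has $sipAddress"
        continue
    }

    # -Replace sets the attribute whether or not it currently holds a value.
    Set-ADUser -Identity $adUser `
               -Replace @{ 'msRTCSIP-PrimaryUserAddress' = $sipAddress } `
               -WhatIf:$WhatIf
    Write-Output "$sam -> $sipAddress"
}
```

Run it once with -WhatIf to review the planned writes before changing any directory attribute.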

how to differentiate between on premise user and cloud user azure


Hello Experts,

How do I differentiate between an on-premise user and a cloud user in Azure? I mean, which property in the user entity can tell me if a user is synced from on-premise AD or created in Azure AD?

I am confused whether to use dirSyncEnabled or immutableId.

Or is there some other way? Please provide some guidance.

Thanks,

Ritesh

Graph Client : Throwing "insufficient privileges to complete the operation" on creating ad user


All of a sudden, when we try to add a user using the Graph client (version 2.1.0 of Microsoft.Azure.ActiveDirectory.GraphClient), we get Authorization_RequestDenied: "insufficient privileges to complete the operation".

We do have permission set right for the ad application, and there has been no change in it:

Please help why all of a sudden this issue started without any changes.

Thanks in advance!

Azure AD API to access Sharepoint via .net CSOM in MultiTenant Webforms App


I am trying to create a multi-tenant app in Webforms that authenticates to Azure AD to obtain a bearer token to access sharepoint.

There are some folks out there that say this can be done such as Jeremy Thake.

Unfortunately, the samples use .net MVC which uses OWIN vice the connected service model in Webforms.

Attempting to make this work, I continue to get 401 errors from sharepoint.

Anyone have a solution written that overcomes this issue?

SAML- Azure as idp and ssl vpn as SP (Pulse secure ssl vpn)


Hi,

I am qualifying Pulse Secure SSL VPN as SP and Azure AD as IdP using the SAML 2.0 protocol.

I added a new application to my default directory, configured the sign-in URL and App ID URL, took the IdP metadata and imported it into Pulse Secure SSL VPN. When I try to log in as a user, I am redirected to the identity provider and the user enters the credentials; after this I get the error message "no valid assertion received".

Is it a must to have a custom domain, since I am using the default onmicrosoft domain?

Do we need to configure some ACS or ACLs to generate assertions?

Regards,

nishit

Error Running Initialize-ADSyncDomainJoinedComputerSync


I upgraded to Azure AD Connect 1.0.9125.0 this morning. At the end of the upgrade I see the message "please run ADSyncPrep:Initialize-ADSyncDomainJoinedComputerSync". I imported the ADSyncPrep module, ensured that the MSOnline module is installed, ensured that the Active Directory module was installed, installed the RSAT AD Tools and opened an Azure Active Directory Module for Windows PowerShell command prompt as administrator. I am still getting the message "The term Initialize-ADSyncDomainJoinedComputerSync is not recognized".

I did everything in this blog post and in the comments and I still can't run Initialize-ADSyncDomainJoinedComputerSync

https://bnehyperv.wordpress.com/2015/06/29/azure-active-directory-connect-ga-upgrade-road-test/comment-page-1/

John Marcum | Microsoft MVP - Enterprise Client Management
My blog: System Center Admin | Twitter:@SCCM_Marcum | Linkedin: John Marcum

"Pin to app launcher" is missing in Office 365


I've registered new application in Azure AD and assigned it to the specific users.

After that they are able to find and see it inside the "My Apps" section, but the context menu ("three dots") shows nothing, so there is no option to "Pin to app launcher".

Can this be mitigated somehow to add the application to the home page?

Issues with SSO since User Name change from UPN to MAIL


Having major issues with SSO on Office 365.

A little history.

I originally set up DirSync with AAD using our UPN, which because of a bunch of old Unix apps we use is set to a max of 8 characters. Because of this, our email addresses are different from our UPNs (although the domain is identical). After setting up AAD to use the UPN as the sign-on name, SSO back to our ADFS server worked perfectly.

I decided that it would be a better user experience for our staff for this to match their email address, as this would allow users in external companies to search for users in Lync much more easily.

The DirSync was changed, and I can see that all users in AAD have had their User Name changed to their email address. I've also followed the instructions to change the ADFS Relying Party Trust rule to point to 'mail' as opposed to 'UserPrincipalName'. I've also run the following command successfully:

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest domain>

When I run the Microsoft Connectivity Test, it passes successfully with the email address.

However... when I attempt to log on to http://portal.office.com, when the auto redirect attempts to take place after I enter my email address, I am simply returned to the Office Portal website.

If I attempt to sign in to Lync with the correct credentials, I get "Can't sign in, the user name, password or domain appears to be incorrect". If I attempt to sign in to Lync with an incorrect password (using the email address) I get the below error:

Token validation failed.

Additional Data

Token Type:
http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

Error message:
DOMAIN\UPN-The user name or password is incorrect

Exception details:
System.IdentityModel.Tokens.SecurityTokenValidationException: DOMAIN\UPN ---> System.ComponentModel.Win32Exception: The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   --- End of inner exception stack trace ---
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)
   at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

I have been stuck on this issue for three days now, can ANYONE assist? Apologies if this is long winded (or doesn't have enough info).
