Quantcast
Channel: Azure Active Directory forum
Viewing all 16000 articles
Browse latest View live

Issues with SSO since User Name change from UPN to MAIL

June 14, 2015, 3:16 pm
$
0
0

Having major issues with SSO on Office 365.


A little history.

I originally set up DirSync with AAD using our UPN, which because of a bunch of old Unix apps we use is set to a max of 8 characters. Because of this, our email addresses are different to our UPN's (although the domain is identical). After setting up AAD to use the UPN as the sign on name, SSO back to our ADFS server worked perfectly.

I decided that it would be a better user experience for our staff for this to match their email address, as this would allow users in external companies to search for users in Lync much easier.

The DirSync was changed, and I can see the all users in AAD have had their User Name changed to their email address. I've also followed the instructions to change the ADFS Relying Party Trust rule to point to 'mail' as opposed to 'UserPrincipalName'. I've also run the following command successfully:

Set-AdfsClaimsProviderTrust -TargetIdentifier "AD AUTHORITY" -AlternateLoginID mail -LookupForests <forest domain>

When I run the Microsoft Connectivity Test, it passes successfully with the email address.


However... when I attempt to log on to http://portal.office.com, when the auto redirect attempts to take place after I enter my email address, I am simply returned to back to the Office Portal website.

If I attempt to sign in to Lync with the correct credentials, I get a "Can't sign in, the user name, password or domain appears to be incorrect'. If I attempt to sign in to Lync with an incorrect password (using the email address) I get the below error:

Token validation failed. 

Additional Data


Token Type:

http://schemas.microsoft.com/ws/2006/05/identitymodel/tokens/UserName

%Error message:

DOMAIN\UPN-The user name or password is incorrect

 

Exception details:

System.IdentityModel.Tokens.SecurityTokenValidationException: DOMAIN\UPN ---> System.ComponentModel.Win32Exception: The user name or password is incorrect

  at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

  at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

  at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

  at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

  --- End of inner exception stack trace ---

  at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

  at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateToken(SecurityToken token)

 

System.ComponentModel.Win32Exception (0x80004005): The user name or password is incorrect

  at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserHandle(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, SafeCloseHandle& tokenHandle, SafeLsaReturnBufferHandle& profileHandle)

  at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUserInfo(SafeHGlobalHandle pLogonInfo, Int32 logonInfoSize, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String authenticationType, String issuerName)

  at Microsoft.IdentityServer.Service.Tokens.LsaLogonUserHelper.GetLsaLogonUser(UserNameSecurityToken token, DateTime& nextPasswordChange, DateTime& lastPasswordChange, String issuerName)

  at Microsoft.IdentityServer.Service.Tokens.MSISWindowsUserNameSecurityTokenHandler.ValidateTokenInternal(SecurityToken token)

I have been stuck on this issue for three days now, can ANYONE assist? Apologies if this is long winded (or doesn't have enough info).



Search

No information on choosing either Create New or use Existing Directory

November 3, 2015, 1:46 pm
$
0
0

Hello All,

My greatest frustration is that there does not seem to be any clear information on the internet on creating an Azure AD to synch with onsite existing AD. There is a billion things on Azure AD Connect which I have instructions for, but nothing on the Azure AD setup. So when I go use "Existing Directory", does it find my on premise AD and connect to it? And also, it looks like it add my domain name to the Microsoft domain which I guess is temporary.  If so, what are the steps for getting it to only be on my domain such as DNS? In other words, please send me the instructions to follow that will leave me just before the Azure AD Connect portion.

Cheers,

RT




Receiving "invalid_grant" message when trying to refresh oauth token

November 8, 2015, 10:08 pm
$
0
0

From Ronnie Kessler

@RonnieKessler via Twitter

"Hi, I'm having major difficulty a) refreshing my oauth token with AzureAD (using ruby) and b) making requests to your API. Can someone please URGENTLY help me??

at the moment I am getting a token back but it's the same token i already had

but once it expires I can't get one

i get an 'invalid grant' message

the client_id is fine"

Over Direct Messaging

Thanks,

@AzureSupport

Join Azure AD button does nothing

October 22, 2015, 4:48 pm
$
0
0

When I click on the Join Azure AD button from the System Settings screen my screen flashes briefly but nothing happens.  I never get presented with the next screen...

My laptop was originally Windows 8.1Pro then upgraded to Windows 10Pro

Azure AD API to access Sharepoint via .net CSOM in MultiTenant Webforms App

November 3, 2015, 10:39 pm
$
0
0

I am trying to create a multi-tenant app in Webforms that authenticates to Azure AD to obtain a bearer token to access sharepoint.

There are some folks out there that say this can be done such as Jeremy Thake.

Unfortunately, the samples use .net MVC which uses OWIN vice the connected service model in Webforms.

Attempting to make this work, I continue to get 401 errors from sharepoint.

Anyone have a solution written that overcomes this issue?

Role and Permission set based user provisioning for salesforce

November 9, 2015, 10:04 am
$
0
0

Hi,

We are looking at Azure AD premium subscription purchase but we would like to check if the Role and Permission set based user provision is possible with Salesforce APP?

Please let me know.

Thanks.

Dirsync upgrade to AADConnect side by side

November 9, 2015, 10:11 am
$
0
0

Hello everybody,

I'm currently trying to upgrade the old dirsync to AADConnect by installing the new version on a new server and when I check the connector space for the Azure Directory Connector then filter the pending export to check that it will not do anything, I see that all users are waiting to be added.

Did I miss something ? I configured the same filter and the same OU, I don't want my users to be added again.

Thank you.

Jack

Can I replace my domain controller with Azure Active Directory?

July 6, 2015, 7:34 am
$
0
0

I currently have a small network with a few servers and about 25 client PCs. We are using Office365 and have AD synchronisation setup from our on-premise server. We also have single-sign-on setup using ADFS.

We have recently replaced all but 2 of our servers with Azure virtual machines.

The only thing we now use our internal servers for is the Active Directory and ADFS.

So - my question is this... Can I setup an Azure Active Directory, sync my on-premise directory to it, get Office365 to talk to the Azure Active Directory and then decommission my on-premise servers?

Will my local client PCs authenticate against the Azure Active Directory?

If the answer is, "Yes" - any suggestions for how to achieve this would be great. If the answer is, "No" - some information on why not would be great!

Thanks!

Search

Azure AD MFA Connectivity issues - Error determining the master multi-factor authentication server. User interface will now close

November 9, 2015, 9:35 am
$
0
0

Hi there,

I am setting up Azure MFA for a client to work with ADFS.  This client has a very limited connection to the internet and they are very specific into what ports need to be open and what certificates are required for all outgoing and incoming traffic.

So, Long story short, I have this issue when I try to run the configuration wizard where my on-prem MFA server is not able to communicate with the Azure Cloud Services.   I receive this error: "Error determining the master multi-factor authentication server. User interface will now close"

The client has SSL inspection for all outgoing and incoming internet traffic due to statutory requirements and the connection seems to be dropped while communicating with the master MFA server.   I think this is related to certificate as per forum thread below.  I was wondering how do I go about getting this GLobalSign Cert?  Does anyone have the same issue which I a experiencing?

https://social.technet.microsoft.com/Forums/office/en-US/13292985-7546-46c1-ad46-c253f1bed831/azure-multifactor-authentication-activate-fail?forum=windowsazureaditpro

Azure AD Connect throws "unexpected error"

November 9, 2015, 9:14 am
$
0
0

We're trying to sync to Azure AD using Azure AD Connect, and have installed the connector on Windows Server 2012 R2. We followed all the steps in the instructions (verified our domain, etc.), but:

The connector dies at the first step under Express Settings at "Connect to Azure AD"

When try to sign on with our "username@domain.onmicrosoft.com" credentials, or with a separate "global-admin-user@ourdomain.com" we get a nebulous error: "Unable to validate credentials. An unexpected error has occurred."

Is there any way to debug this further? It's completely preventing us from adopting Azure.

Unexpected error in Azure AD Connect

On-Prem DL not availble for permission on Exchange Online

November 9, 2015, 6:28 am
$
0
0

I have several DL in my on-prem AD which we are syncing via the new AAD Connect tools. I can see the group in Exchange Online and Azure AD, but I cannot get them to be available when we are trying to set permissions on Public Folders.

Deprovisioning options in AD Connect

October 7, 2015, 6:02 am
$
0
0

Hi all,

I have installed the new AD connect and configured synchronization from local AD to the cloud. every time a user is deleted or moved out of the sync OUs in AD, the joined cloud user is being deleted too. In the DirSync, we had the option to configure deprovisioning to either delete or disconnect user without deleting it. I don't want the cloud users to be deleted when the on-premise AD user is deleted. how can we configure the deprovisioning options in the AD connect tool.

Thanks.

MM

DirSync with default domain limitations and issues !

November 9, 2015, 10:49 pm
$
0
0

Hi all ,

I am new in SharePoint and AAD , and I was trying out connecting my active directory with (run in a VM) to the office 365 SharePoint. But when I try to connect , I did not have any domain to verify and connect so I use the Default domain by activating it with Synchronization page in MS intune (https://account.manage.microsoft.com/DirSync/DirectorySynchronization.aspx) and log with my office365 login and just active it.now every this work ok !! . but I did not do this for a Development , I am just trying tolearn SharePoint right way . so what is the down side of not having a separate domain ? is this will have any license issues ? is this secure ?

Many Thanks .

An error has occured

November 9, 2015, 6:23 am
$
0
0

An error has occurred on the Root page, preventing Azure AD Connect from continuing. To protect you existing data, the wizard must be closed.

COMException

That is all it says.

I just clicked on the icon to start the app and it generated the error above.

Any clues as to why?

Prepare to provision users through directory synchronization to Office 365

November 10, 2015, 1:16 am
$
0
0

Hi,

I am looking to sync an existing Office365 client with Active Directory. What I would like to know is what (fields) are most important for the synchronization between the already existing Office365 accounts and the newly created Active Directory Objects.

This is part of a migration where the client already has Office365 and we are wanting to run Azure AD Connect to sync to AD. Generally we do the AD and then sync up the new accounts to the cloud and thus populating Office365. This time around I need them to match-up when the sync takes place.

At the moment I have limited access to the clients Office365 admin center and can only see the fields (Display name/User name/Status). S

My question here is, is this enough to then create the Active Directory objects in preparation for the sync, or would I need to know more. Right now I have created the new AD objects with:

User logon name (AD) = User name (Office365)

Display name (AD) = Display name (Office365)

E-mail field in (AD) = User name field (Office365)

How about ADSI Edit (ProxyAddresses) - does this need to match the user's e-mail address?

Another question - What happens to all the aliases if I don't add those in AD - will they be lost...

Any help much appreciated.

Thanks - Travis

Search

Move existing domain to azure account

November 10, 2015, 12:59 am
$
0
0

I have my domain at loopia.se and want to move to the domain to azure. Not just let loopia.se point to my azureurl or IP. I want azure to control the domain.

Can anyone give a step for step answer to do this.

How long the AAD takes to provision the Domain Controllers and DNS servers?

November 9, 2015, 10:29 am
$
0
0

From: Wals Dubbel @walsdubbel viat Twitter

How long the AAD takes to provision the Domain Controllers and DNS servers?

Thanks,

@AzureSupport

How to change the delivery email address of Azure scheduled maintenance notifications?

November 10, 2015, 2:21 am
$
0
0

Currently these scheduled maintenance notifications are sent to one of our email addresses. But now we need to change the delivery address of these notifications. How can we request this from Microsoft? Please see a sample maintenance notifications below.

================================================

Upcoming maintenance will affect deployments of Azure Virtual Machines in availability sets and Cloud Services.

 

 
 

 

As part of our ongoing commitment to performance, reliability, and security, we sometimes perform maintenance operations in our Azure regions and datacenters. We want to notify you of upcoming maintenance operations that will impact Virtual Machines in an availability set and Cloud Services.

Note: Currently, we're only able to provide 2 days' advance notice for updates that impact Virtual Machines in availability sets and Cloud Services. We're working to provide more advance notice in the future.

The following are the planned start times for infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) maintenance operations, provided in both Coordinated Universal Time (UTC) and United States Pacific Daylight Time (PDT). Impacted deployments are listed at the bottom of this email.

 

 

 

 

 

 

Region

 

PDT

 

UTC

 

 

West Europe

 

08:00
Monday, June 8, 2015

 

15:00
Monday, June 8, 2015

 

 

Central US

 

08:00
Tuesday, June 9, 2015

 

15:00
Tuesday, June 9, 2015

 

 

South Central US

 

08:00
Wednesday, June 10, 2015

 

15:00
Wednesday, June 10, 2015

 

 

 

 

 

 

Microsoft Azure Virtual Machines (IaaS)
Maintenance operations are split between virtual machines (VMs) that are and are not in an availability set. This maintenance will impact VMs in an availability set. VM deployments referenced below will reboot during this maintenance operation, but temporary storage disk contents will be retained. We expect the update to finish within 48 hours of the start time.

DNS Settings in Azure AD Domain Services

November 10, 2015, 2:25 am
$
0
0

Hey Guys,

I evaluate the new ad domain services in microsoft azure preview. I think it's a good product. until now it works fine for windows workstations.

Today I try to integrate a linux based workstation. Have anybody an idea how I can register this workstation in the windows dns server? I can't connect to the dns server with microsoft dns administration console.

Which Microsoft accounts can be used that are supported by Azure RMS ?

November 10, 2015, 2:52 am
$
0
0

Hello,

Presently we are setting up Azure RMS, however we are not sure which Microsoft Accounts are really supported by Azure RMS.

Can some one help me to get the clear list/type of supported and non-supported Microsoft Accounts by Azure RMS ?

Thanks in advace!

Regards,

Sagar Acharya 

Regards, Sagar Acharya acharya.sagar@hotmail.com

Viewing all 16000 articles
Browse latest View live
Search
<script src="https://jsc.adskeeper.com/r/s/rssing.com.1596347.js" async> </script>