
trying to verify domain on the classic portal using a TXT dns record and get a very simplistic error message


From @jasonfolkens via Twitter

I'm trying to verify <...........> on the classic portal using a TXT dns record and get a very simplistic error message: "Could not verify the domain". Is there a better error message available? I can query the TXT record using NSLOOKUP successfully.

@AzureSupport shared these documents: aka.ms/d940647, aka.ms/d9406472 and aka.ms/d9406473.

Customer came back with: In the last half of that first link you sent me, it refers to an Admin page in the classic azure portal. How do I navigate to the admin page? It supposedly has a "troubleshoot domain" tool.

@AzureSupport asked to navigate to the Azure Active Directory and then click on the Domains Tab on the top.

Customer came back with: The domains tab doesn't show up until I select the directory from the leftnav. Once I select directory, I see a list of domains that I've tried to associate with this directory. One of those is "....". I can click that, but I don't see any link for "troubleshoot domain".

Thanks,

@AzureSupport


Azure AD Connect Upgrade - Error!


Hi,

I'm doing an upgrade for our dirsync server and bumped into an error.

I checked the logs and this is what I found:

[ERROR] CallExportDirSyncConfig: caught exception while exporting Dirsync configuration

Exception Data (Raw): System.Runtime.Interopservice.COMException {0x80070001}: Incorrect Function. {Exception from HRESULT: 0x80070001

I hope someone can shed some light on this.  I can't seem to find additional information about this error.

Accessing Graph APIs


Hi,

I am accessing the graph api -

"https://graph.windows.net/microsoft.com/users/?$filter=startswith(mailNickname,'" + loggedinuser + "')&$top=" + "10" + "&api-version=1.5");

- and I am getting forbidden error 403 - but when I am trying to access the api with the "me" attribute, the data is returned. And one more thing is I am giving the credentials as

ClientCredential credentials = new ClientCredential( app 1 details ); for one of my apps it's coming ok, but for another application the error thrown is 403 ( for app2 details ), and I am the owner for both these apps. Is there anything to be checked?

 

ADDS - DNS doesn't resolve external names


Hello,

We are running the free Azure trial to test proof of concept running ADDS. We intend to move all our servers into the cloud once the concept has been successfully proven.

We have an Office 365 implementation and the AD tenant is being populated using ADConnect (latest version).

We are then using Active Directory Domain Services instead of having virtual DCs; this provides two IP addresses as the DNS source for the virtual network we have, in this case 10.0.0.4 and 5.

We have two virtual machines sitting in two Cloud services, one in each. VMs were created and attached to the virtual network so cloud services should also have been bound to the virtual network (according to the documentation).

One of the servers is trying to communicate back to an onsite server using the host name but will not resolve the address. If we put the IP address in, everything works as expected.

Why don't our virtual machines resolve the host names? The host names are registered externally so can be resolved over the internet without issue.

If we try to do an NSLOOKUP on the host name this just fails. We can ping the DNS servers but not the default gateway, and we can ping between the two virtual machines?

Other people that have reported the problem are running virtual domain controllers and their own DNS servers, and the fix is to remove any forwarders and rely on root hints. We don't have any DNS servers as we are relying on those provided by Active Directory Domain Services, so why is name resolution not working?

Many thanks

Darren.

NWEH



Q: How do I configure the OpenID Connect authorization_endpoint for a particular tenant/namespace?


I'm attempting to use OIDC in a Federated namespace and was wondering how I would go about using an external OpenID Connect Provider for authentication (testing Office 2013/2016 Modern Authentication).

Thanks in advance!

Sincerely,
//Adam

Issue with Syncing users from my onpremise to Office 365

I set up Azure AD to sync users from my on-premise to Office 365, filtering by an OU in AD. It's not working. When I log into the azure portal and I look under users, I see the set up users that were created in Office 365 instead of the users that I put into the OU. I'm not sure where I went wrong in my set up. Any tips?

Upgrade DirSync to AD Connect in parallel stage mode


After the installation of AD Connect in parallel stage mode I followed the guidance steps below from the "Verify the configuration of a server" section of the following article: https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-aadconnectsync-operations/#staging-mode

Import and Synchronize

1. Select Connectors, and select the first Connector with the type Active Directory Domain Services. Click on Run, select Full import, and OK. Do this for all Connectors of this type.

2. Select the Connector with type Azure Active Directory (Microsoft). Click on Run, select Full import, and OK.

3. Make sure Connectors is still selected and for each Connector with type Active Directory Domain Services, click Run, select Delta Synchronization, and OK.

4. Select the Connector with type Azure Active Directory (Microsoft). Click Run, select Delta Synchronization, and then OK.

Now I have some (for me) unexpected results and need some guidance before I put this new server in production (out of stage mode):

Step 1. Result of step 1: I've got 340 unchanged, 61605 adds and 13 updates? This is a new AD Connect server that does its full import for the first time, so I should expect only adds. What are unchanged and adds in this step?

Step 2. Result of step 2: I've got 1 unchanged and 50729 adds. Why are there only 50729 adds and not 61605 as in the full import from AD in step 1? And why 1 unchanged? Again, this is a new AD Connect server running its first full import.

Step 3. Result of step 3: I've got 59949 projections, 1656 disconnectors and 59975 connectors with flow updates. What do 'disconnectors' mean in this step? How can I see what these 'disconnectors' are? What do 'projections' mean in this step? And why not 61605 projections? Should there be no joins?

Step 4. Result of step 4: 13 joins, 347 disconnectors and 50367 connectors with flow updates and 4 connectors without flow updates. Again, why no projections? What do the 347 disconnectors mean, and why is it not the same as in the step above? What does connectors with flow updates mean? Why 13 joins and what do joins mean? And what about the 4 connectors without flow updates?

Hope someone can help me and guide me on this journey.


AADConnect (GA) Sync-Generic-Failure The object located by DN is a phantom


Hi folks,

I have a single user that is failing to sync to AAD (where there is currently an in-cloud account) using the GA release of AADConnect (Express settings). The error is Sync-Generic-Failure, and the stack trace reports that "The object located by DN is a phantom".

All other in-cloud users have synced and are now "Synced with Active Directory".

I have run a metaverse search for the user and it does not come up in the results.  The account definitely does exist in the on-prem AD, and I have even made some minor changes to it - the user is logged in and working fine with on-prem services.

Does anyone know how I can resolve this issue?

Thanks,

Aidan.


Connect SQL Azure DB using Azure Active Directory Authentication


Hi All.

I am trying to connect to a SQL Azure DB using Azure Active Directory Authentication, referring to the article below:

https://azure.microsoft.com/en-in/documentation/articles/sql-database-aad-authentication/

I have logged in as the base account but still cannot see Azure Active Directory Preview in the portal. Is there any special permission or setting I have to do to get this feature (Azure Active Directory Authentication)?

Thanks

Neeraj

Location of signature node in SAML response



I'm developing SAML federated login support for my app.

And I have been having problems with Azure AD SAML login (Azure is the IDP). When comparing the SAML response I'm receiving from Azure to the ones from other IDPs, I'm seeing the Signature node is inside the Assertion node, while for other IDPs it's one level higher, directly under the root node.

Is there a way to configure this on the Azure site?

Thanks


Blog: http://www.dotmad.net
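
The two signature placements described in the post above, as an added example that is not part of the original post: Python (standard library only) that reports whether `ds:Signature` sits directly under the `Response`, under the `Assertion`, or both, and whether each signature's `Reference` URI points at the element that contains it. It does not verify the cryptographic signature; the sample messages and the names `signature_layout`, `acceptable` and `sample` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def signature_layout(xml_text):
    """Map 'response'/'assertion' to None (unsigned), True (signature references
    its own parent element) or False (signature references something else)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("root element is not samlp:Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion, got %d" % len(assertions))
    layout = {}
    for name, element in (("response", root), ("assertion", assertions[0])):
        sig = element.find("ds:Signature", NS)  # direct child only
        if sig is None:
            layout[name] = None
            continue
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        uri = ref.get("URI", "") if ref is not None else ""
        element_id = element.get("ID")
        # An enveloped signature must reference "#" + the ID of its parent.
        layout[name] = bool(element_id) and uri == "#" + element_id
    return layout

def acceptable(layout):
    """Accept either placement, but only if every signature present is bound
    to its parent and at least one of the two levels is signed."""
    values = list(layout.values())
    return False not in values and True in values

def sample(sig_in_response, sig_in_assertion, assertion_ref="#_a1"):
    """Constructed minimal SAML response (not a captured message)."""
    sig = '<ds:Signature><ds:SignedInfo><ds:Reference URI="%s"/></ds:SignedInfo></ds:Signature>'
    head = '<samlp:Response xmlns:samlp="%(samlp)s" xmlns:saml="%(saml)s" xmlns:ds="%(ds)s" ID="_r1">' % NS
    return (head + (sig % "#_r1" if sig_in_response else "")
            + '<saml:Assertion ID="_a1">'
            + (sig % assertion_ref if sig_in_assertion else "")
            + '</saml:Assertion></samlp:Response>')
```

A service provider that accepts both layouts still has to run full XML signature validation on the element that `signature_layout` marks as signed, and read claims only from that element.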

Azure Active Directory Domain Services: Portal Created Accounts sync different than GraphAPI Created Ones


Hi @All

We created a nice looking registration page to allow specific users to create an account in our Azure AD which has DS enabled. The registration page is a trusted "App" in the AAD and creates users by using the Azure Graph Libraries as described here http://justazure.com/azure-active-directory-part-5-graph-api/.

When it comes to account creation, everything works fine, except one neat detail. Accounts created via the Azure Management Portal own the attribute "userName" which gets populated to the AAD DS, whereas accounts created via the Graph API don't have such an attribute.

See the POST request to the Azure Management Portal when creating a new user; not sure if this is only UI, but probably this is additional information which is used for defining the username in DS.

Compared with users created by the Graph API, the attributes synced to the AAD DS are significantly different.

Max Muster was created by using the Portal (like the one above) whereas Michael Schnyder was created by the Graph API.

What I found is different:

- CN
- distinguishedName
- name
- sAMAccountName

Question: How can the Graph API be called so that the AAD DS behaves the same as for users created in the Management Portal?

BTW: This editor is too small and buggy, just a shame for such a modern and forward looking company. Please update / migrate asap... How do you appreciate customer feedback when this channel is almost unusable?

AAD not showing in portal - load is timing out

From @kjacobsen Kieran Jacobsen via Twitter
 
Anyone else seeing issues loading #Azure directories in manage.windowsazure.com? All I get is an exclamation icon. Getting the exclamation mark when trying to use AADs. It appears the load is timing out.

https://twitter.com/kjacobsen/status/696551813365927936
 
Thanks,
@AzureSupport

Computer login issue with password writeback


I recently configured the Azure AD premium password writeback feature, and when users change their passwords via the cloud it is recognized by our on premises domain controller as well as our office 365 applications. However, when a user is working remotely and changes their password via the cloud they can't log in to their computer using the new password. Is there something that needs to be configured so the cached login password on the local computer is also updated when end users aren't connected to the on-prem domain?

Thanks,
EJ

 

Azure AD Roles in token don't appear immediately on account creation


We are using Azure AD with the free pricing tier for multiple tenants while we develop.

On each tenant, we are using Application roles to map roles to user groups. This is provided as a convenience to our web developers so they can receive an auth token that includes a "roles" collection and thus avoid having to call Graph API to determine the groups to which a user belongs.

This has been working well but we discovered some time back that if a user attempts to authenticate within 20 seconds of account creation, the token they receive does NOT contain the "roles" collection in the claims. After about 20 seconds, if they re-authenticate they will get a token that contains the roles collection. The problem manifests itself because the client app tries to log in immediately after calling our API which, among other things, creates the user account and adds it to groups. At this point they get a token without a "roles" claim. About 20 secs later (but may be up to 50 secs) if they try again the token has the roles claim.

Is this expected behaviour?  Is it something that may go away when we go to "basic" tier pricing? 

Thanks


Azure AD App problems


I'm trying to convert what was a fairly simple Office 365 SharePoint Add in project to an Azure AD and am having lots of authentication issues. I've built the new app using the standard MVC template with organisational accounts and it loads and runs fine, until I do any sort of post, at which I get:-

Additional information: A claim of type 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier' or 'http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider' was not present on the provided ClaimsIdentity.

Following several articles online I've tried setting AntiForgeryConfig.UniqueClaimTypeIdentifier to different types and even added the above to our ADFS server. I'm finding that if I tamper with that part of the app then most browsers start failing on 400 - request too long errors. Oddly, the Edge browser works.

Any ideas as I think I've missed something obvious?

 

Add Additional OU to Sync


Hello, we are using OU filtering and everything is synchronizing perfectly.  We would like to include an additional OU but, before we do I was hopeful someone could provide the best practice.  I have already selected the new OU but, after several days the objects are still not appearing in AAD.

Do I need to perform a "Full Synchronization"?  What about a "Full Import"?  What is the difference between the two?  We have two connectors (AAD and Domain)... does this need to be run on both connectors?  Does it matter which one you run first?

Are there any "gotchas"?  Do we need to be concerned with duplicate records?

Thank you very much for your assistance!

How to get UserName of current session after connect-msolservice?


Once a user is authenticated with 'connect-msolservice', the session is started and there seems no way to kill it.  There appears no cmdlet for 'disconnect-msolservice'.  This creates a situation where I need to know the user that is currently activated in the session. Is there a cmdlet that will return the username of the last user that was authenticated?

get-pssession does not return sessions started with connect-msolservice.

Thanks,

Jason

I have a question on Azure Active Directory B2C


I successfully implemented Azure AD B2C and get the user's first name and last name, but I could not figure out a way to get Job Title or Street Address, Office Number. I followed the following code:

// Controllers\HomeController.cs
[PolicyAuthorize(Policy = "b2c_1_sign_in")]
public ActionResult Claims()
{
    // Look up the claim that the identity uses as its display name
    Claim displayName = ClaimsPrincipal.Current.FindFirst(ClaimsPrincipal.Current.Identities.First().NameClaimType);
    ViewBag.DisplayName = displayName != null ? displayName.Value : string.Empty;
    return View();
}

Do I need to use Active Graph or something else to get the information coming back from token?

I followed this tutorial:

https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-web-dotnet/

Thank you very much

Liferay with Azure AD as an SSO


Hi,

I am struggling in using Azure AD as an SSO for Liferay enterprise version-6.2. I have used SAML Plugin but haven't been able to configure Liferay with Azure AD as an SSO.

Kindly if anyone has done Azure AD as an SSO with Liferay please mention the detailed steps.

Thanks & Regards,

Alok Thaker

AAD Connect password sync for ADMT migrated users


Hello,

Users were migrated with ADMT with PES to a new domain. That domain is then synced to Office365. Objects do get synced, but migrated users cannot log in to the Office portal.

Initial sync was performed with the "Change password at next logon" attribute set. Then the attribute was removed from AD, users synced to Azure again and the login is unsuccessful. But if I retype the user's password then the login to the Office portal is successful.

Any idea?
