Channel: Azure Active Directory forum

SAML SSO to custom IDP - bad request (AADSTS90011)


Hi,

I am trying to configure Azure AD for federated authentication with our IdP. Using the Set-MsolDomainAuthentication cmdlet I've been able to apply the desired configuration, with PreferredAuthenticationProtocol = SAMLP.

I am POSTing to https://login.microsoftonline.com/<tenant ID>/saml2

The SAML2 response I am sending looks OK to me, however I am consistently seeing the same error:

AADSTS90011: Expected parameter estsrequest not found

I can't find any information about this estsrequest parameter or where it is expected. AADSTS90011 looks related to OAuth, which shouldn't be relevant.

Thanks
Mark


Microsoft Graph API have query time


I use the Microsoft Graph API "https://graph.microsoft.com/beta/me/people" to query the people list.

I can get the communication history of the people in my sent mails.

But if I send a mail to 'aaa@aaa.com', I can't get him via the Graph API some minutes later.

I can get him after one day.

So I think the people information returned by this Microsoft Graph API is not real time.

Is that right?

Staging installation Error- Value Cannot be null. Parameter name:value


Hello Azure AD forums. I'm in the process of trying to do a staged migration from DirSync. I've exported my DirSync configuration file, copied it to my Azure AD Connect server and ran the executable as admin with the /migrate option. After putting in credentials for MSOL and an Enterprise Admin account it runs through the setup, creating the SQL Express databases, and then begins to process the rest of the jobs. After the task 'Single Forest Dir Sync PWD Sync Root Task' finishes execution I get the lovely error "Value cannot be null. Parameter name: value". Below is the setup log file. I would love some ideas on where to go from here. The Sync Service appears to start according to the event viewer, but I can't open up the Sync application.

I am currently using the latest version of the Azure AD Connect MSI (1.1.105.0). I'm looking for an older download to maybe give it a try and see if it's just a bug in this release, but I haven't been able to find one yet.

Below is the tail end of my log file for the portion where it fails. Has anyone seen this, or have any ideas how we can fix it?

Thanks!


[12:52:43.606] [ 20] [VERB ] Cleanup: Starting cleanup for task 'Deploy AAD Sync'
[12:52:43.606] [ 20] [VERB ] Task 'Deploy AAD Sync': No cleanup defined
[12:52:43.606] [ 20] [VERB ] Marking task 'Deploy AAD Health Agent' as Skipped
[12:52:43.606] [ 20] [VERB ] Marking task 'Configure Auto Upgrade Version' as Skipped
[12:52:43.607] [ 20] [VERB ] Rolling back task Check Installed Components
[12:52:43.607] [ 20] [VERB ] Task 'Check Installed Components': No rollback defined
[12:52:43.607] [ 20] [INFO ] Task 'Single Forest Dir Sync Pwd Sync Root Task' has finished execution
[12:52:43.646] [ 10] [ERROR] Value cannot be null.
Parameter name: value
Exception Data (Raw): System.ArgumentNullException: Value cannot be null.
Parameter name: value
   at System.String.IndexOf(String value, Int32 startIndex, Int32 count, StringComparison comparisonType)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.<>c__DisplayClass1a.<GetLowestPrecedenceRuleMatchingImmutableTag>b__15(SynchronizationRule r)
   at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.GetLowestPrecedenceRuleMatchingImmutableTag(String immutableTag)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.SetRulePrecedence(SynchronizationRule rule)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRulePrecedenceEngine.SetRulePrecedences(IEnumerable`1 desiredRules)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Config.SyncRuleUpgradeEngine.PersistSyncRulesForConnector(Guid connectorIdentifier, IEnumerable`1 desiredSyncRules, String pathToLogFiles, Dictionary`2 precedenceImmutableTagMappings)
   at Microsoft.Online.Deployment.Types.Providers.TemplateEngineProvider.PersistSynchronizationRules(Guid connectorID, List`1 synchronizationRules)
   at Microsoft.Online.Deployment.Types.Configuration.Utility.ConnectorUtility`1.UpdateConnector(IAdSyncConfigExecutionContext`1 executionContext, ConfigurationItem configChange, ConnectorAdapterBase connectorAdapter, IAadSyncContext syncContext, Boolean isNewConnector, Boolean forceUpdateSchema, IAadSyncConfigurationResults& results, List`1 attributeExclusions, ConnectorSpecificPolicy connectorPolicy, Boolean retryOnFailure)
   at Microsoft.Online.Deployment.Types.Configuration.AdConnectorConfigurationItem.Execute[TContext](IAdSyncConfigExecutionContext`1 executionContext, IAadSyncConfigurationResults& results)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.ConfigureSyncEngine(TContext context)
   at Microsoft.Online.Deployment.PSModule.Tasks.AADSync.ConfigureAADSyncTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
[12:52:43.652] [ 10] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed
[12:52:43.715] [ 14] [INFO ] Starting Telemetry Send
Constructed attributes and AD Connect

Any chance to get constructed (and other read-only types of) attributes recognized by the AD connector?

AAD C# client request returns "Your browser is currently set to block Javascript error!"


I have been using AAD just fine in a web app and in a web api app, but I had the need to combine these two recently.  Everything is fine from the browser, but I tried to reuse my native client application and am stumped.

// ADAL: interactive sign-in against the authority, returning an access token for the resource
AuthenticationContext ac = new AuthenticationContext(authority);
AuthenticationResult ar = ac.AcquireToken(resource, clientID, redirectUri, PromptBehavior.Always);
^ Login screen pops up.  Everything looks great and I see the access token, but...

// Note: ar.AccessToken is never attached to httpClient before this request is sent
HttpResponseMessage response = httpClient.GetAsync("https://localhost:44313/api/hello").Result;
if (response.IsSuccessStatusCode)
{
    result = response.Content.ReadAsStringAsync().Result;
}

^^ this returns an html error page that says "We can't sign you in.Your browser is currently set to block JavaScript. You need to allow JavaScript to use this service."

I saw the sticky post on something VERY similar with AAD and Azure PowerShell, so I tried adding the 3 suggested websites to the Trust list in IE, but that didn't help.  It's VERY easy to reproduce.  Just create an MVC project, add a web controller and configure a native client app in the portal.
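As an added example (not code from the original post), the same ADAL 2.x flow with the acquired token sent to the web API as a bearer Authorization header, which the snippet above does not do; that the missing header is the cause of the HTML sign-in page is an assumption, and the authority, resource, client ID and redirect URI values are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

static class BearerCallExample
{
    static void Main()
    {
        // Placeholder values: substitute the tenant, app registration and API of your own environment.
        string authority = "https://login.microsoftonline.com/<tenant ID>";
        string resource = "<App ID URI of the web API>";
        string clientID = "<client ID of the native client app>";
        Uri redirectUri = new Uri("<redirect URI of the native client app>");

        // Interactive sign-in; ar.AccessToken is the token the API must receive.
        AuthenticationContext ac = new AuthenticationContext(authority);
        AuthenticationResult ar = ac.AcquireToken(resource, clientID, redirectUri, PromptBehavior.Always);

        using (HttpClient httpClient = new HttpClient())
        {
            // Attach the token as "Authorization: Bearer <token>" (AccessTokenType is "Bearer").
            // Assumption: without this header the API sees an anonymous caller and answers with
            // a browser-style sign-in page instead of the JSON the controller returns.
            httpClient.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue(ar.AccessTokenType, ar.AccessToken);

            HttpResponseMessage response = httpClient.GetAsync("https://localhost:44313/api/hello").Result;
            if (response.IsSuccessStatusCode)
            {
                string result = response.Content.ReadAsStringAsync().Result;
                Console.WriteLine(result);
            }
            else
            {
                // A 401 carrying a WWW-Authenticate: Bearer challenge means the API rejected the
                // token (wrong audience, expired); an HTML body with no challenge means the API
                // applied cookie/browser authentication rather than bearer authentication.
                Console.WriteLine((int)response.StatusCode + " " + response.ReasonPhrase);
                Console.WriteLine(string.Join("; ", response.Headers.WwwAuthenticate));
            }
        }
    }
}
```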


Azure AD Join with Windows 10 devices


I have a few questions regarding Azure AD Join.

We don't have on-premise AD. We have Windows 10 devices in workgroup, Office 365, Intune and Azure AD Premium.

We want to join our Windows 10 devices to Azure AD so users can sign in with Office 365 credentials.

When I join a Windows 10 device to Azure AD it succeeds, but after I log in with my Office 365 credentials I'm forced to add a PIN code to my account before I can log in. We don't want this. How can this be disabled?

Also, we don't want users joining their devices to Azure AD with their own credentials. What kind of account should we use to join all the devices to Azure AD?


Azure AD: Could not validate this directory for deletion.


Hello,

I'm currently trying to delete one of my Directories from the Azure Management Portal and when I click delete I see "Could not validate this directory for deletion".

Does anyone have any ideas on what may be going on? Or is there another way besides the GUI to attempt to delete this (i.e. PowerShell)?

Thanks

Error when Deploying additional Federation Server


I am trying to create another ADFS server. I have upgraded my primary to the newest version of Azure AD Connect. I received an IndexOutofRangeException but was able to work past it using the information here: https://social.msdn.microsoft.com/Forums/vstudio/en-US/6b94b062-9888-4c15-b9ed-5a9c71c718d7/error-after-update-111050-azure-ad-connect?forum=WindowsAzureAD

I now receive the following error when trying to deploy / install the additional Federation server:

[16:47:45.059] [ 29] [VERB ] Executing task Configure Join ADFS Task
[16:47:45.076] [ 11] [VERB ] Waiting for task to complete: Deploy ADFS
[16:47:45.077] [ 11] [VERB ] Waited 0:00:00.0010034 for task to complete: Deploy ADFS
[16:47:45.805] [ 11] [INFO ] The Active Directory username was converted from REDACTED to REDACTED after calling ConvertUpnToSam().
[16:47:46.650] [ 11] [INFO ] Task 'Configure Join ADFS Task' has finished execution
[16:47:46.651] [ 29] [ERROR] System.InvalidOperationException: Nullable object must have a value.
   at System.ThrowHelper.ThrowInvalidOperationException(ExceptionResource resource)
   at Microsoft.Online.Deployment.PSModule.Tasks.ADFS.ConfigureJoinADFSTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
Exception Data (Raw): Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskException: The task 'Configure Join ADFS Task' has failed. ---> System.InvalidOperationException: Nullable object must have a value.
   at System.ThrowHelper.ThrowInvalidOperationException(ExceptionResource resource)
   at Microsoft.Online.Deployment.PSModule.Tasks.ADFS.ConfigureJoinADFSTask`1.Execute()
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
   --- End of inner exception stack trace ---
   at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTaskGroup.CheckTaskCompletion(Int32 currentTaskIndex)
[16:47:46.652] [ 29] [VERB ] Cleanup: Starting cleanup for task 'Configure Join ADFS Task'
[16:47:46.653] [ 29] [VERB ] Task 'Configure Join ADFS Task': No cleanup defined

Any ideas on how to get past this?

Thank you,

Randy


Error Running Initialize-ADSyncDomainJoinedComputerSync


I upgraded to Azure AD Connect 1.0.9125.0 this morning. At the end of the upgrade I see the message "please run ADSyncPrep:Initialize-ADSyncDomainJoinedComputerSync". I imported the ADSyncPrep module, ensured that the MSOnline module is installed, ensured that the Active Directory module was installed, installed the RSAT AD Tools and opened an Azure Active Directory Module for PowerShell command prompt as administrator. I am still getting the message "The term Initialize-ADSyncDomainJoinedComputerSync is not recognized".

I did everything in this blog post and in the comments and I still can't run Initialize-ADSyncDomainJoinedComputerSync:

https://bnehyperv.wordpress.com/2015/06/29/azure-active-directory-connect-ga-upgrade-road-test/comment-page-1/


John Marcum | Microsoft MVP - Enterprise Client Management
My blog: System Center Admin | Twitter:@SCCM_Marcum | Linkedin: John Marcum

AzureADConnect upgrade fails with: Index was outside the bounds of the array


Trying to upgrade my AADC to the newest version. The file runs and files are extracted and everything seems good. Then the GUI launches and stops with the following error:

IndexOutofRangeException

Index was outside the bounds of the array.

The log shows the following errors:
Azure AD Authentication


Hello Guys, hope you can help.

I have successfully synchronized local AD with Azure AD, using Azure AD Connect.

Question is: when I create a machine from the gallery, i.e. Server 2008 R2, and enable FTP services on that VM, how can I get authentication working against Azure AD, instead of me creating local users on that machine, so they can access FTP?

Thanks in advance

Date on NextSyncCycleStartTimeInUTC is wrong?


My NextSyncCycleStartTimeInUTC is way off: 01-01-0001 00:00:00 after install. So when I set SyncCycleEnabled to True it fails due to time and date issues. The server time is correct though. How do I correct the NextSyncCycleStartTimeInUTC? (I am in GMT+1)

AADSTS50020: User account 'arvindkpal@hotmail.com' from identity provider 'live.com' does not exist in tenant


Hi,

I want to log in using the Live account ID without adding the user to the Active Directory. I am getting this error: AADSTS50020: User account 'arvindkpal@hotmail.com' from identity provider 'live.com' does not exist in tenant.

Do I need to add this user to my Active Directory, or is there any way to configure it?


Unable to create the Connector from file


I'm trying to do some testing (both the server and the tenant are strictly for testing purposes), and I'm trying to make sure the AADConnect export and import of connectors works properly so I can make backups.  I can export the connector to the XML file without an issue, but when I then delete it and try to reimport the XML I get an error.

Not sure what I'm doing wrong - help would be appreciated.

[Active Directory] Get the count of matching results for a search


Hi All,

This is regarding getting the count of matching results for an LDAP search we execute.

For example, before retrieving the results for a user search to get all the users with given name "*silva*", I need to first check how many results will be retrieved for the search.

I could find that a few other LDAP implementations support this using the "numSubordinates" and "numAllSubordinates" attributes. Does Microsoft Active Directory support the same, or what would be the way to retrieve this information?

Thanks in advance.
Thanks,
Pushpalanka

Azure AD account / Microsoft Account how to select Azure account when adding a user to Windows 10 device


I've joined a laptop to Azure AD using an admin account.

Now I want to add a user from same Azure AD to the same laptop, but not as a local admin.

Problem is that the user account user@mydomain.com is both an Azure AD account (synced from my on prem AD) AND a Microsoft Account.

The add user dialog in Windows 10 gives me no way of defining which sort of account I want to use. I am pretty sure that if I just type in user@mydomain.ch it is using the MSA, because the password is the MSA password, not the Azure one.


Crosspost from TechNet Azure forum


CarolChi

Customized Company Branding for Azure Active Directory


We are using Azure Active Directory Basic edition to manage user authentication to our enterprise application. For company branding, we have customized the Sign In Page Illustration and Banner Logo, and these elements are getting updated on the sign-in page.

The issue that we are facing currently is how to remove the Microsoft logo and other corresponding elements like "Don't have an account assigned by your work or school? Sign in with Microsoft account" from our login page.

Also, towards the page end, Microsoft has inserted links like © 2016 Microsoft, the Microsoft logo, Terms of Use and Privacy & Cookies.

We are preparing a customized login page for our enterprise application. Is there some way to remove these elements through customization of the Azure AD sign-in page?


Thanks & Regards, Deep

Authentication loop on classic portal when using B2C Active Directory


I'm using the classic portal and looking at the settings of my B2C directory.

I log in to the portal with a Personal (not work) account.

When I use the URL below, I get immediately logged out. This URL is created by selecting my B2C directory and selecting Applications.

https://manage.windowsazure.com/@XXXXXXXXXX.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/5ca6317c-534a-4d79-893a-14082580193d/apps

Azure AD account / Microsoft Account how to select Azure when adding a user to Windows 10 device


I've joined a laptop to Azure AD using an admin account.

Now I want to add a user from same Azure AD to the same laptop, but not as a local admin.

Problem is that the user account user@mydomain.com is both an Azure AD account (synced from my on prem AD) AND a Microsoft Account.

The add user dialog in Windows 10 gives me no way of defining which sort of account I want to use. I am pretty sure that if I just type in user@mydomain.ch it is using the MSA, because the password is the MSA password, not the Azure one.

Not sure if this is the correct forum. I will crosspost to the Azure forums.


CarolChi

Office 365/Active Directory Sync


Hello,

Connect the local MS Active Directory to an Office 365 tenant and synchronize AD passwords without losing the ability to use Exchange Online.

If I use the Active Directory sync tool, will it override the user with the new password and sync them without losing the data in Exchange Online?

Regards,

Ayesh.
