Channel: Azure Active Directory forum

Azure AD Application Proxy 404 error


Hi,

I have 2 web servers inside my network and am trying to publish them to the Internet.

But I'm getting a 404 error in any case, even if I try to publish with a custom domain and with the .msappproxy.net domain.

In the Azure Portal the connector looks connected and "green".

In the logs on the server with the connector I can't see any errors.

What would you recommend to check?

And some more questions:

And is it possible to publish web servers on Linux in such a way?

Is it possible to use one connector for 2 websites?

Thanks.





getting error while calling for token in oauth2 adfs 3.0 2012 R2

Encountered error during federation passive request. 

Additional Data 

Protocol Name: 
 

Relying Party: 
 

Exception details: 
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/oauth2/token to process the incoming request.
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Unable to connect Azure AD during upgrade to version 1.2.67.0


Hi -

well MS support alerted and "solution" was trad.
luckily we had already ongoing project to move sync to another machine - so guys "moved" configuration to another hardware and another Windows version....
...hunch is that Win2008 (std at least) might get you somewhere you really don't want to go.

highly recommended to put that staging server waiting next to prod one.

/jc - Have a nice weekend

EOF

hi - we're getting error after "upgrade part" of the upgrading AADConnect to version 1.2.67.0 - so the latest and greatest .msi package is used ..
Have you heard any errors when connecting to Azure ??
or any ideas where this might come...?

Br,

/jc - jc@clavert.fi


Error message received in phase "Connect to Azure AD"
-->
Unable to retrieve the Azure Active Directory configuration. Field not Found:
"Microsoft.Azure.ActiveDirectory.Client.Framework.MicrosoftOnlineInstance.AzureOneBox"

Unable to retrieve the Azure Active Directory Configuration. Field not found:


I was attempting to upgrade our Azure Active Directory Connect tool to the latest version released at the end of October. The upgrade starts fine until I get to the point that I need to "Connect to Azure AD" and enter my login credentials. I enter my credentials and an Internet Explorer box opens and I log in. I then go back to the Azure AD Connect window and it tells me:

Unable to retrieve the Azure Active Directory configuration. Field not found:

'Microsoft.Azure.ActiveDirectory.Client.Framework.MicrosoftOnlineInstance.AzureOneBox'.

Tried using different accounts

Rebooted the server

Re-ran the upgrade/installer

Running Server 2008 R2

Azure sync errors


Hello!

Sorry if I chose the wrong section. I did not find a more appropriate one.

Problem №1

I have two users - makarov_ai.otk and makarov_ai.vst. On portal.azure.com I receive the synchronization error QuarantinedAttributeValueMustBeUnique

Proxy-addresses
smtp:makarov_ai.vst@pharm.onmicrosoft.com

smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com

smtp:makarov_ai.otk@pharm.com;smtp:makarov_ai.otk@XN--80AF0AGCBOAFGH.XN--P1AI;SMTP:makarov_ai.otk@pharm.ru;X500:/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=user91f3b7ee;smtp:makarov_ai.vst@pharm.onmicrosoft.com


get-aduser -Identity makarov_ai.vst -Properties * | fl -Property SamAccountName,UserPrincipalName,mail,proxyAddresses

SamAccountName    : makarov_ai.vst
UserPrincipalName : makarov_ai.vst@hq.pharm.com
mail              : makarov_ai.vst2@pharm.ru
proxyAddresses    : {smtp:makarov_ai.vst@pharm.mail.onmicrosoft.com, smtp:makarov_ai.vst2@pharm.com, SMTP:makarov_ai.vst2@pharm.ru}

get-aduser -Identity makarov_ai.otk -Properties * | fl -Property SamAccountName,UserPrincipalName,mail,proxyAddresses

SamAccountName    : makarov_ai.otk
UserPrincipalName : makarov_ai.otk@pharm.ru
mail              : makarov_ai.otk@pharm.ru
proxyAddresses    : {smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com, SMTP:makarov_ai.otk@pharm.ru, smtp:makarov_ai.otk@pharm.com}
Makarov_ai.vst couldn't be found on 'AMSPR07A002DC03.EURPR07A002.prod.outlook.com'.

Get-Recipient makarov_ai.otk@pharm.ru | fl -Property WindowsLiveID,PrimarySmtpAddress,EmailAddresses


WindowsLiveID      : makarov_ai.otk@pharm.ru
PrimarySmtpAddress : makarov_ai.otk@pharm.ru
EmailAddresses     : {smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com, smtp:makarov_ai.otk@pharm.com, SMTP:makarov_ai.otk@pharm.ru...}
Get-MsolUser

Get-msoluser -UserPrincipalName makarov_ai.otk@pharm.ru | fl -Property UserPrincipalName,ProxyAddresses

UserPrincipalName : makarov_ai.otk@pharm.ru
ProxyAddresses    : {smtp:makarov_ai.otk@pharm.mail.onmicrosoft.com, smtp:makarov_ai.otk@pharm.com, SMTP:makarov_ai.otk@pharm.ru...}

I've tried to make a full synchronization, but got an "exported-change-not-reimported" error

Azure cannot export the makarov_ai.vst@pharm.onmicrosoft.com value.

Problem №2

I have two users, Olga and Disp. The error is that in Azure Olga has the UPN and mail data of Disp, and Disp has Olga's UPN and mail. But in local AD they both have correct values.

Graph API not returning userPrincipalName correctly for reports


Hi, I'm working on an application to build reports for our company using the Graph API but having issues where the reports call does not return the userPrincipalName correctly (appears to be encrypted), e.g. when calling https://graph.microsoft.com/beta/reports/getTeamsActivityUserDetail(period='D7')?$format=application/json

But when calling https://graph.microsoft.com/beta/users I get the userPrincipalName as the user's email as expected. My application has been granted both User.Read.All and Reports.Read.All for our tenant.

Is there some other permission that needs to be granted to the app to see the userPrincipalName in reports? Or maybe there is a security setting blocking it? I'd appreciate pointers on this, thanks

Logon Hours in Azure AD?


I'm looking to implement a cloud-only AD using Azure AD and Windows 10 devices.  Is it possible to implement logon hours per user account similar to the function in on-premise AD?  I searched the forums and found only references to doing it using coding from an AP.  

I was hoping for a way to set it in the GUI like on-prem, but PowerShell would also work.

Thanks


sT

Azure AD B2C

How does Azure AD B2C allow users outside of the organization to log in to applications using their social media account identity?

Who will be announced as the next Azure Active Directory Guru? Read more about December 2018 competition!!



What is TechNet Guru Competition?

Each month the TechNet Wiki council organizes a contest of the best articles posted that month. This is your chance to be announced as MICROSOFT TECHNOLOGY GURU OF THE MONTH!

One winner in each category will be selected each month for glory and adoration by the MSDN/TechNet Ninjas and community as a whole. Winners will be announced in dedicated blog post that will be published in Microsoft Wiki Ninjas blog, a tweet from the Wiki Ninjas Twitter account, links will be published at Microsoft TNWiki group on Facebook, and other acknowledgement from the community will follow.

Some of our biggest community voices and many MVPs have passed through these halls on their way to fame and fortune.

If you have already made a contribution in the forums or gallery or you published a nice blog, then you can simply convert it into a shared wiki article, reference the original post, and register the article for the TechNet Guru Competition. The articles must be written in December 2018 and must be in English. However, the original blog or forum content can be from before December 2018.

Come and see who is making waves in all your favorite technologies. Maybe it will be you!


Who can join the Competition?

Anyone who has basic knowledge and the desire to share the knowledge is welcome. Articles can appeal to beginners or discuss advanced topics. All you have to do is to add your article to TechNet Wiki from your own specialty category.


How can you win?

  1. Please copy/Write over your Microsoft technical solutions and revelations to TechNetWiki.
  2. Add a link to your new article on THIS WIKI COMPETITION PAGE (so we know you've contributed)
  3. (Optional but recommended) Add a link to your article at the TechNetWiki group on Facebook. The group is very active and people love to help, you can get feedback and even direct improvements in the article before the contest starts.

Do you have any questions or want more information?

Feel free to ask any questions below, or join us at the official Microsoft TechNet Wiki groups on Facebook. Read more about TechNet Guru Awards.

If you win, people will sing your praises online and your name will be raised as Guru of the Month.


PS: Above top banner came from Vimal Kalathil.

Thanks,
Kamlesh Kumar

If my reply is helpful please mark as Answer or vote as Helpful.

My blog | Twitter | LinkedIn

Add Enterprise Mobility + Security E5 and Enterprise Mobility + Security E5


Hi 

How to add Enterprise Mobility + Security E5 and Enterprise Mobility + Security E5 ''as permanent NOT as trial''?

Regards

Why We need to sync user to Office 365


I am using ADFS for authentication and trying to set up the relying party Office 365 for SSO.

I am confused, if someone can help here: I used ADFS to federate other applications and they did not ask to create any user in their database or to sync.
Is it mandatory to set up the AAD Connect tool for Office 365 and ADFS federation?

Why We need to sync user to Office 365 in case of ADFS & office 365 federation


I am using ADFS for authentication and trying to set up the relying party Office 365 for SSO.

I am confused, if someone can help here: I used ADFS to federate other applications and they did not ask to create any user in their database or to sync.
Is it mandatory to set up the AAD Connect tool for Office 365 and ADFS federation?

Unable to login via "access work or school"

My user account is able to login and manage the Azure portal, but when I attempt to link my desktop to my work account, it says the password is invalid. I've attempted a password reset to clear server-side cache but I'm still getting the error. Has anyone experienced this or have proper google terms for me to look at for troubleshooting?

Information on AAD Connect - Scheduler and sourceAnchor attribute


Hello Experts

I have two Azure AD Connect questions:

AAD Connect schedule:

  1. As per this link, the default sync schedule is 30 mins, but I am not clear on the frequency of Delta and Initial (full) sync. Every 30 mins, will it run Delta sync or full sync?
  2. During AAD Connect installation, it creates two accounts in on-premise AD - AD DS Connector account i.e. “ms-DS-ConsistencyGuid” as sourceAnchor and ADSync service account
  • If AD Sync service account is used to run the synchronization service, then what is the primary use for AD DS Connector account?
  • What information does AD DS Connector account "write" to AD? For sync, it only needs read permissions, so why does it require "Write permissions"?

Thanks in advance


Alex

Unable to delete Azure AD user


Hi Team,

I have created a few users in on-premises Windows Active Directory and synced all the users using AD Connect. After my testing, I deleted the on-premises domain controller. When I try to delete a synced user from Azure AD, it does not allow me to do that.

Please let me know the way to do it.

Thanks in advance.


Kerberos Authentication flow


I recently had a discussion with an MS support engineer regarding Kerberos. I was following the article https://blogs.technet.microsoft.com/askds/2008/03/06/kerberos-for-the-busy-admin

He said that when authentication occurs the user already has a TGT from the DC and does not need to request a TGT every time; it is a one-time process. Is that true?

Also, when the user submits a service ticket to the web server/application, does the application decrypt the service ticket using a secret shared by the KDC?

Can someone help here with the clear flow, as he was pointing out that the article is old and has vague info?


Unable to sync user to Azure AD


I created one user on-premises yesterday; the user is still not synced to Azure AD using AAD Connect. There is no error in AAD Connect.

I checked OU filtering but that is fine, there is also no rule in the sync rule editor, and I also ran the IdFix tool with no error.

What else should I check? Can you please help?

what will be impact in Azure O365 sync if I change AD Administrator password


Hi Experts,

I need advice on changing the password of the AD Enterprise administrator. Do I need to resync everything again in Azure?

I have O365 that get synced with my On-premise AD.

Thanks

Azure AD - Search Specific user from Azure AD


Hi,

We have used Graph API method for Azure AD login for our web application.

Graph URL = https://graph.windows.net

GraphApiVersion = 2013-11-08

We have done successful login using Graph API method while user accessing the application initially.

But inside the application we have a User master screen. From that master screen we will give search text to search the user from Azure AD. The Search Text may be userprincipalname, Surname or Email ID.

we have used below code for searching.

 var url = "https://graph.windows.net/-tenant-/users?api-version=2013-11-08&$filter=startswith(userPrincipalName,\"J\")";
 string requestUrl = String.Format(CultureInfo.InvariantCulture, graphUserUrl, HttpUtility.UrlEncode(tenantId));
 HttpClient client = new HttpClient();
 HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, requestUrl);
 request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
 HttpResponseMessage response = await client.SendAsync(request);

We have received below error from response.

{StatusCode: 400, ReasonPhrase: 'Bad Request', Version: 1.1, Content: System.Net.Http.StreamContent, Headers:
{
  Pragma: no-cache
  ocp-aad-diagnostics-server-name: OsjPaDrm2Ct3/28zt7eCc6/MPPZxy7JpBuUghhKVSVg=
  request-id: 676df357-4a84-4bb0-8897-d312bd375a48
  client-request-id: 725a20c4-e32e-4dc0-95bb-ea4b58aedb17
  x-ms-dirapi-data-contract-version: 1.2
  ocp-aad-session-key: ndfQbmMHIDcgz259MKYybUGs9RqD9DGSSr72nvIiw-HYinUwu9c9ME7eTejehqJ5HOupwIfzzgHrqhQ3vPABRDakQ-Lar5bUvMug06hjKQv_L0VP_t7z5CO_bGrL2nyx.nyV6dxgTsj2xLx6p3hiwaVQzztB_JHKupVRmDDx1opQ
  DataServiceVersion: 3.0;
  Strict-Transport-Security: max-age=31536000; includeSubDomains
  Access-Control-Allow-Origin: *
  Duration: 1107891
  Cache-Control: no-cache
  Date: Fri, 30 Nov 2018 07:14:02 GMT
  Server: Microsoft-IIS/10.0
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Content-Length: 269
  Content-Type: application/json; odata=minimalmetadata; streaming=true; charset=utf-8
  Expires: -1
}}

Please help us to resolve this error and please provide any C# Code samples to search/filter the given user details from Azure AD using the above mentioned Graph API version.

Thank you in advance.


Nandhakumar R
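
An added example, not part of the original post and not Microsoft's sample code: one way to build the `$filter` URL for the search described above so that user-supplied search text cannot break out of the filter expression. OData string literals are delimited by single quotes, with an embedded single quote doubled, and the whole expression is URL-encoded. The endpoint, the `-tenant-` placeholder and the api-version come from the post; `BuildUserSearchUrl`, `ODataLiteral` and the use of `surname` and `mail` as the searched properties are assumptions.

```csharp
using System;
using System.Globalization;

static class GraphUserSearch
{
    // Values quoted in the post; "-tenant-" is the post's own placeholder.
    const string GraphUrl = "https://graph.windows.net";
    const string ApiVersion = "2013-11-08";

    // OData string literals use single quotes; a single quote inside the
    // value is escaped by doubling it, so the input stays inside the literal.
    static string ODataLiteral(string value)
    {
        return "'" + value.Replace("'", "''") + "'";
    }

    // Hypothetical helper: builds the request URL for a prefix search on
    // UPN, surname or mail (property names assumed to support startswith).
    public static string BuildUserSearchUrl(string tenant, string searchText)
    {
        if (string.IsNullOrWhiteSpace(searchText))
            throw new ArgumentException("Search text is required.", nameof(searchText));

        string literal = ODataLiteral(searchText.Trim());
        string filter = string.Format(CultureInfo.InvariantCulture,
            "startswith(userPrincipalName,{0}) or startswith(surname,{0}) or startswith(mail,{0})",
            literal);

        // Encode the tenant segment and the filter separately so that
        // characters such as '&', '#' or '+' in the search text cannot
        // add or truncate query parameters.
        return string.Format(CultureInfo.InvariantCulture,
            "{0}/{1}/users?api-version={2}&$filter={3}",
            GraphUrl, Uri.EscapeDataString(tenant), ApiVersion,
            Uri.EscapeDataString(filter));
    }

    static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(BuildUserSearchUrl("-tenant-", "J"));
        Console.WriteLine(BuildUserSearchUrl("-tenant-", "O'Brien&$top=999"));
    }
}
```

The returned string is what would be passed to `HttpRequestMessage` in place of `requestUrl` in the post's snippet.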

Ldaps authentication questions


Hi,

I need to migrate a large java web application to azure cloud. The application uses ldap authentication within the same domain.

--------------------------

I was able to migrate the web application itself by using tomcat apache azure custom web-app and setup ldaps authentication over the internet.

--------------------------

Current issue is that we also have a SQL and IIS server. 

Is it possible to authenticate users with ldaps over the internet both from IIS Webdav (fileshare) and the SQL Server? They can't be domain joined. Azure AD Domain Services is not an option.

