Channel: Azure Active Directory forum

Error 906 "ADSync Bootstrap Service Failed to Start"


My apologies if this has been answered previously. I am attempting to install Azure Active Directory Connect on my stand-alone DC for the sole purpose of simplifying password management with Office365. I have followed the prerequisites guide, and have installed and completed the 365 IdFix tool. I am installing this on a nonroutable domain, however I have performed the requisite steps so that my users resolve to a routable suffix.

When I go through the AAD Connect Wizard, the required component installation fails every time with the message "Unable to install the Synchronization Service". Looking at the trace log, I see "Error 906 ADSync Bootstrap Service Failed to Start". I have tried to uninstall AD Sync, which required manually removing the AD Sync Service in the Registry. Installation failed with the same message.

Here is the relevant log entry from my latest attempt.  Any help would be greatly appreciated!

[13:20:43.752] [  4] [INFO ] Starting Sync Engine installation
[13:20:51.174] [  4] [INFO ] ServiceControllerProvider: service ADSync exists
[13:20:51.177] [  4] [INFO ] ServiceControllerProvider: processing StopService request for: ADSync
[13:20:51.178] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:20:51.178] [  4] [INFO ] ServiceControllerProvider: StopService status: Stopped
[13:20:51.179] [  4] [INFO ] ServiceControllerProvider:DeleteService - serviceName:ADSync
[13:20:56.197] [  4] [INFO ] ServiceControllerProvider:CreateService - serviceName:ADSync, username:MPMI\AAD_bd95d0763fac, assemblyPath:C:\Program Files\Microsoft Azure Active Directory Connect\ADSyncBootstrap.exe
[13:20:56.218] [  4] [INFO ] ServiceControllerProvider: Processing StartService request for: ADSync
[13:20:56.218] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:20:56.218] [  4] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[13:21:16.421] [  4] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (1).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[13:21:16.424] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:21:16.424] [  4] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[13:21:36.548] [  4] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (2).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[13:21:36.549] [  4] [VERB ] ServiceControllerProvider:  Initial service status: Stopped
[13:21:36.549] [  4] [VERB ] ServiceControllerProvider:  Starting service and waiting for completion.
[13:21:56.671] [  4] [WARN ] ServiceControllerProvider: StartService failed to start service (ADSync), attempt (3).
Exception Data (Raw): System.ServiceProcess.TimeoutException: Time out has expired and the operation has not been completed.
   at System.ServiceProcess.ServiceController.WaitForStatus(ServiceControllerStatus desiredStatus, TimeSpan timeout)
   at Microsoft.Online.Deployment.Framework.Providers.ServiceControllerProvider.StartService(String serviceName, TimeSpan timeout, Boolean verifyStart, String[] args)
[13:21:56.672] [  4] [ERROR] ServiceControllerProvider: StartService unable to start service (ADSync).
[13:22:03.562] [ 15] [INFO ] Starting Telemetry Send
[13:22:03.566] [  4] [ERROR] InstallSyncEnginePageViewModel: Error occurred while installing sync engine.
Exception Data (Raw): System.Exception: Unable to install the Synchronization Service.  Please see the event log for additional details. ---> System.InvalidOperationException: ADSync Bootstrap Service failed to Start
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.CreateAndStartBootstrapService(SyncServiceAccount syncServiceAccount)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.InstallCore(String logFilePath, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.ExecuteWithSetupResultsStatus(SetupAction action, String description, String logFileName, String logFileSuffix)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   --- End of inner exception stack trace ---
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Install()
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstallCore(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.Runtime.Stages.InstallSyncEngineStage.ExecuteInstall(ISyncEngineInstallContext syncEngineInstallContext, ProgressChangedEventHandler progressChangesEventHandler)
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.InstallSyncEnginePageViewModel.StartNewInstallation(Boolean skipSyncEngineInstall)


AD Explorer Snapshot to CSV?


Is there a way to convert a snapshot taken with AD Explorer into a csv or at least a text based output of all users and their properties? Thx

I no longer have access to the environment to gather this information another way, such as with PowerShell, so I specifically want to know if I can extract the information from the snapshot that I have.

AD Backup


Does Microsoft provide any guidance or best practices for backing up and restoring your AD database in an Active Directory hybrid environment with Azure AD Connect? We are trying to put together a disaster recovery plan for AD recovery.

Any inputs\suggestions please.

Thanks.

Azure FHIR Postman oauth2 no longer works


A few weeks ago, I registered an Azure AD application with the redirect_url as https://www.getpostman.com/oauth2/callback. At that time, it worked.

But now when I use my postman, I encounter the error

OAuth2WindowManager~startLoginWith - Opening auth login window","https://login.microsoftonline.com/7f786e85-2b61-4bbe-a796-71e917221e38/oauth2/callback/oauth2/authorize?resource=https://azurehealthcareapis.com&response_type=code&state=1234&client_id=1848c8d5-1f8c-45ce-a210-29dd21200f0e&scope=patient%2F%24read&redirect_uri=https%3A%2F%2Fwww.getpostman.com%2Foauth2%2Fcallback"

"OAuth2WindowManager~startLoginWith - URL did not match the registered callbackURL, so skipping"

Any suggestions?


working on APIM

AADSTS50126: Invalid username or password


I've registered a native app (for Power BI push operation) and added the necessary API permissions.
Global admin granted the consent. But the access token method fails.

equivalent PS script used to get access token

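# Token endpoint (Azure AD v1, "common" tenant)
$authUrl = "https://login.windows.net/common/oauth2/token"
# Form body for the password grant (username and password sent directly)
$body = @{
"resource" = "https://analysis.windows.net/powerbi/api";
"client_id" = "myclientid";
"grant_type" = "password";
"username" = "myuser";
"password" = "mypass";
"scope" = "openid"
}
# POST the form to the token endpoint
$authResponse = Invoke-RestMethod -Uri $authUrl -Method POST -Body $body

# Print the access token from the response
$authResponse.access_token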

But getting the same error:

Invoke-RestMethod : {"error":"invalid_grant","error_description":"AADSTS50126: Invalid username or password.

The master account used is synchronised to Azure AD from windows active directory server.

(The whole approach works fine in a different tenant where the master account is created on Azure AD itself.)

Blocked around this issue for a while. Any quick help is appreciated. Thanks in advance.

SAML toolkit for Java


I have an in-house java application published externally and am looking for a java SAML toolkit so I can integrate SAML auth into the java auth code and create a SAML enterprise app in Azure. I see OneLogin has one but can't determine if it can be used for Azure or other IDPs.

Thanks!

How to customize 'user is not assigned to a role' message in SAML SSO configuration

Hello! We are utilizing Azure AD Enterprise Applications to configure SAML SSO as a non-gallery application to manage authentication and authorization to our web application. We are using an AD group to authorize users to have access to the application. When a user that is not in the group attempts to log in, they correctly receive the message "The signed in user 'email@foo.bar' is not assigned to a role for the application 'GUID'..." along with a second message with IDs, timestamps, etc. This is not a user friendly message and we would like to customize it or if possible send the user to the application with a "Sign-in Failure" response indicating the user is not authorized so the application can display an appropriate message.  Is this possible and if so can I be pointed to the document or steps to configure this in Azure? Thank you!

Azure AD B2C can we get email verification in next screen similar to Mobile MFA


Hi

Is it possible to display email verification box capture of code in next screen, similar to mobile OTP capture, instead of having it display below the email id. We are trying through Custom Policy


Assign licenses to users by group membership


I need to understand how licenses are applied to users who are in multiple groups. 

I am trying to limit access to Corp Resources to Corporate issued cellphones managed by Intune. I have user groups for those users and the EMS license is assigned to that group.

As I think through this, it seems that this will allow a user to add the Intune Company Portal to their personal phone too, as the user is licensed, not the device.

Any thoughts/suggestions on this?

Azure AD: OpenId Connect v2 - UserInfo not returning username, etc.


Hi,

Everything works great except for the UserInfo results lacking fields like phone, userPrincipalName, etc. that are available in endpoint https://graph.microsoft.com/v1.0/me/. In most cases these fields are needed to set up users. You'd think the results would be the same or have the option to add them to the UserInfo. On most third-party apps setting up OpenId Connect, we don't have an option to make the needless extra call to get the additional information which should be provided in the UserInfo.

Is there a way to add the missing fields to the UserInfo output?

Open Id Scopes: openid email profile

userinfo_endpoint:"https://graph.microsoft.com/oidc/userinfo"

Response:

{
    "sub": "Y7pQ-Ra6FCwePudogNOjvjD3uTKHj9PEMoLtuyKYRxs",
    "name": "Spoony, Jim",
    "family_name": "Spoony",
    "given_name": "Jim",
    "picture": "https://graph.microsoft.com/v1.0/me/photo/$value",
    "email": "Jim.Spoony@test.com"
}

Response: https://graph.microsoft.com/v1.0/me/

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
    "businessPhones": [
        "+0 (333) 333-3476"
    ],
    "displayName": "Spoony, Jim",
    "givenName": "Jim",
    "jobTitle": "Senior Developer",
    "mail": "Jim.Spoony@test.com",
    "mobilePhone": "+3 (333) 333-3333",
    "officeLocation": "US 333 Paramount DR",
    "preferredLanguage": null,
    "surname": "Spoony",
    "userPrincipalName": "Jim.Spoony@test.com",
    "id": "5c12eb03-5af9-47a2-9c4a-3a57ab8de41d"
}

Thank you in advance for your help!





Azure AD to multiple on premises AD


I have a question.

We have an Azure AD for domain "123". We have 2 web applications connected to the AD (with enterprise applications).

All users have separate "123" accounts to log in to the applications. Our users have their own on-premises AD accounts. They prefer to log in to the web applications using their own on-premises account. The domains are different (for example "456" and "789").

What would be the best way to make users connect with our 2 web applications but with their own user credentials?

We only want to verify the users, so a domain user/admin from domain "123" shouldn't be able to do things for domain "456" and vice versa.

Should we use the following:

https://docs.microsoft.com/nl-nl/azure/active-directory/hybrid/how-to-connect-install-custom



Azure DevOps - Adding users to Project


Hi,

We have an account for Azure DevOps. We have created one organization and a few projects inside it.

At organization level we can get 5 users with Basic features access level. I just wanted to know whether these 5 licenses with Basic features are available at organization level regardless of the number of projects inside that organization. Please confirm this.

Also I want to know, when we invite any external user to our Azure DevOps project, whether that external user needs to be part of the Azure AD tenant on which DevOps services are hosted.

At Project level we have the 'Invite' option to invite users to our project. From Project Settings -> Security -> Add Member, we can also invite users to our project. I found that the Security Group can be searched and added when we navigate through the latter approach but not with the first one. Is there any type of restriction? Are both ways of adding a user the same?

Regards

Sanjay


Sanjay Nipane

Asp.net core 2.1 + windows authentication + AzureAD


Hi,

I have my asp.net core 2.1 web app deployed on an AWS instance / docker cluster.

This is a private network and I need this web app to be authenticated using Integrated Windows Authentication on AzureAD.

Could someone please let me know if this is a valid scenario or suggest how to proceed?

Thank You.

Regards

Chaithanya

Azure VM, Azure AD and Remote Laptops Connection


Hi,

I'm trying to move towards the Cloud platform in Azure and want to know some tips in terms of use based on the use case of our business.

  1. I want to host Domain Controller+File Share on Cloud in Azure
  2. I already have my users synced in Azure Active Directory from Office 365.
  3. I want to join Laptops and Remote machines to Domain so that staff can get connected to cloud DC and Files on the go.
  4. I want the remote devices to get all the Shared Drives done through GPO and other policies applied.

Please guide me on this.

Thanks

Parveen Singh


Unable to join VM to Domain. Unable to create new user in domain as domain is not verified in my directory


Good day Experts

Unable to join VM to Domain.

I am able to connect to VM and click Local Server ->WORKGROUP and then change.

When I specify the domain anwartest.onmicrosoft.com it asks me for login credentials.

I have the following users:

az-anwar

az-admin

I have tried all accounts known to me that I created in the Azure Portal but none of them work. The message says, User or Password is incorrect, however, I can login to the VM with those credentials.

I have used the UPN format and the SAM format.

I have verified and I can ping the domain from the VM.

Unable to create new user in domain as domain is not verified in my directory

Please help.

Regards

Anwar


SSPR Registration enforce Auth methods

We would like the ability to enforce users to register for a number of methods before continuing for SSPR. We would like to enforce, say, Mobile, Authenticator and Alternative email before the user exits the workflow. We set our minimum number to 1 for SSPR so the registration process only enforces 1 method, however we would like our users to enter more than 1 (e.g. in case of a lost phone or phone upgrade).

Internet URL's to Allow in firewall for Azure AD module installation


Hello Team,

Can someone let us know what URLs need to be allowed in the firewall for installing the Azure AD module on one of the machines? We don't have internet on that machine and the customer is not ready to expose the server to https://go.micosoft.com ( Microsoft.com ).



Paramesh KA

Changing server running Azure AD Connect - Compare report is listing all mydomain.com attributes changing to mydomain.onmicrosoft.com


I am retiring an old server and setting up the Azure AD Connect on a new 2019 Server. I have been running Azure AD Connect for a couple of years, after upgrading from DirSync. 

I set up the initial config on the new server and have it on staging mode. As suggested, I ran the AADConnectConfigDocumenter to compare the changes. All instances that list our verified domain mydomain.com - AAD are listed as being replaced by mydomain.onmicrosoft.com - AAD.

I can not see anywhere to have it retain the original value.

Thanks for any help,

Tony

Azure AD Identity protection- Non-existing users flagged for risk!


Hello Experts,

I have a client who is seeing around 800 "Risky users" under Azure AD Identity protection. When we click on the event, neither the user nor any risk event exists (as shown in the snapshot below). In AAD+Deleted users and AD the user doesn't exist (the events started from 2016 so they might be ex-employees).

So, we are unable to dismiss these risks (or unflag these non-existing users from Identity protection). If we click on "Dismiss all events" it says successful but the user stays flagged and appears under risky users.

Please help! I couldn't find any doc covering it!


Thank you,

Warm Regards,

CreedHameed



CreedHameed

Can't remove MS Azure Active Directory address(es)

Hi!

I am trying to delete my Skype/Microsoft account, and Skype says that I should delete all my Azure Active Directory addresses first:



(it is written in Hungarian)

Now when I try to do so, I can't delete the address/addresses, because the button for doing this is greyed out:



(it is written in Hungarian)

Why can't I remove the Azure Active Directory address/addresses? By the way, is it important to delete? As I recall, I've never used Microsoft Azure at all... maybe I am wrong. Could you look into my account to see if there is anything important in there?

I just want to delete my Skype/Microsoft account, but first I wanted to "clean up" everything that belongs to the account. (Since Skype is telling me all this during the delete process, as you can see on the first picture.)

Thanks for your help!