AAD Connect Seamless Single Sign On failed with "failed to create single sign-on secret for true"


Hi @all,

I have a question / problem I am working on for several days now.

I did some tests myself and a lot of research, but I found nothing comparable.

I wanted to change my Azure AD Connect from federated authentication to Seamless Single Sign-On with pass-through authentication.
After I changed the options in the Azure AD Connect wizard, I got an error "failed to create single sign-on secret for true".
Pass-through was activated and works fine. Seamless SSO was enabled too, but the local domain computer account "AZUREADSSOACC" was created in the default computer OU and deleted after the wizard reported the error.

As I said, I did a lot of research and I tried to enable Seamless SSO through PowerShell.

When I ran "Enable-AzureADSSOForest -OnPremCredentials $creds" with the credentials of a domain admin I got the following output:

[17:11:29.814] [  6] [INFORMATIONAL] GetDefaultWellKnownContainer: Attempting to look up the default well-known container...
[17:11:29.830] [  6] [INFORMATIONAL] GetDefaultWellKnownContainer: Found the default well-known container: CN=Computers,DC=DOMAIN,DC=local
[17:11:30.095] [  6] [INFORMATIONAL] No conflicts found for the reserved SPNs and computer account display name.
[17:11:30.095] [  6] [INFORMATIONAL] Creating computer account in CN=Computers,DC=DOMAIN,DC=local (DOMAIN.local)...
[17:11:30.127] [  6] [INFORMATIONAL] Setting password for computer account with DN 'CN=AZUREADSSOACC,CN=Computers,DC=DOMAIN,DC=local'...
Exception Data (Raw): System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
   --- End of inner exception stack trace ---
   at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
   at Microsoft.KerberosAuth.KerberosAuthInterface.OnPremiseOperations.LdapClientProvider.SetPassword(String dn, String password, OnPremAuthenticationContext onPremAuthenticationContext)
   at Microsoft.KerberosAuth.KerberosAuthInterface.OnPremKerberosAuthProvider.CreateComputerAccount(OnPremAuthenticationContext onPremAuthenticationContext, String containerOu)
[17:11:30.142] [  6] [INFORMATIONAL] DeleteComputerAccount: Locating SSO computer account with name 'AZUREADSSOACC'...
[17:11:30.158] [  6] [INFORMATIONAL] DeleteComputerAccount: AZUREADSSOACC found in DOMAIN.local. Deleting...
Enable-AzureADSSOForest : Exception has been thrown by the target of an invocation.
At line:1 char:1
+ Enable-AzureADSSOForest -OnPremCredentials $creds
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Enable-AzureADSSOForest], TargetInvocationException
    + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.KerberosAuth.Powershell.PowershellCommands.EnableAzureADSSOForestCommand


I tried to run this command with another domain admin's credentials.
I tried to create the computer object in another OU (with the parameter -ParentDN).
I reinstalled Azure AD Connect just in case the AzureAdSSO.psd1 is corrupt.

We have only one forest with one domain. I mention that because I found solutions for similar problems regarding root and child domain.

Unfortunately I have no idea how to solve the issue.

Can anyone help me out?

Thank you

Kind regards

Philipp
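A diagnostic a defender can run at this point, added here as an example and not part of the original post: it lists the ACEs on the container named in the log (CN=Computers,DC=DOMAIN,DC=local, taken from the post; substitute your own) that allow or deny the Reset Password extended right, or broad write rights, on computer objects. The E_ACCESSDENIED above is raised by SetPassword on the freshly created AZUREADSSOACC object, so the permissions on that container are one place to audit; the cmdlets, the AD: drive and the schema GUIDs assume a standard RSAT ActiveDirectory module setup.

```powershell
# Added diagnostic example (not from the original post). Requires the
# ActiveDirectory module (RSAT), which also provides the AD: drive.
Import-Module ActiveDirectory

# Container DN taken from the log in the post; replace with your own.
$containerDn = 'CN=Computers,DC=DOMAIN,DC=local'

# Well-known Active Directory schema GUIDs (assumed constants):
$resetPasswordRight = [guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password
$computerClass      = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class

$rights = [System.DirectoryServices.ActiveDirectoryRights]
$broad  = [int]$rights::GenericAll -bor [int]$rights::WriteDacl -bor [int]$rights::WriteOwner

$acl = Get-Acl -Path ("AD:\" + $containerDn)

$relevant = $acl.Access | Where-Object {
    $r = [int]$_.ActiveDirectoryRights
    # Either an explicit Reset Password extended right (or all extended rights) ...
    ((($r -band [int]$rights::ExtendedRight) -ne 0) -and
     ($_.ObjectType -eq $resetPasswordRight -or $_.ObjectType -eq [guid]::Empty)) -or
    # ... or GenericAll / WriteDacl / WriteOwner, which can grant it indirectly.
    (($r -band $broad) -ne 0)
} | Where-Object {
    # Keep only ACEs that apply to computer objects or to every object type.
    $_.InheritedObjectType -eq $computerClass -or $_.InheritedObjectType -eq [guid]::Empty
}

# Deny entries for the account running the wizard are the first thing to look at:
# an explicit Deny wins over any Allow, including one granted via Domain Admins.
$relevant |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
        @{ n = 'AppliesTo'; e = { if ($_.InheritedObjectType -eq [guid]::Empty) { 'all objects' } else { 'computer' } } },
        IsInherited |
    Sort-Object AccessControlType, IdentityReference |
    Format-Table -AutoSize

# Also confirm whether the wizard's clean-up left a stale object behind.
Get-ADComputer -Filter { Name -eq 'AZUREADSSOACC' } -ErrorAction SilentlyContinue |
    Select-Object Name, DistinguishedName, Enabled
```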
