AADConnect password sync error

So, long time since the last post. Its been a long an very hot summer, and things are starting to turn back to Business as usual Confused smile.

I started up my lap environment, after a good long vacation, and wow and behold…. AADConnect errors Sleepy smile I needed the lab for some testing…. Oh well, time for an article then.

After booting up, and some time to sync, this messages appeared in the O365 portal

2019-08-07_12h30_05

2019-08-07_12h30_41

Disappointed smile….. Didn’t make much sense to me… “Last synced 31 minutes ago”, but “warning no recent synchronization” ???

Didn’t spend to much time investigating, figured it had something to do with the whole environment being shutdown for a month, so went straight to try and fix it…My thoughts where, that trying to disable, do a sync and then re-enable password sync, would be a good place to start.

Here we go Open-mouthed smile

Started the AADConnect wizard

2019-08-07_12h40_23

Choose “Configure”, and then “Change user sign-in”

2019-08-07_12h40_53

So, log on with your Tenant global admin cred’s

2019-08-07_12h41_28

Set the option to “Do not configure”

2019-08-07_12h33_15

2019-08-07_12h33_31

2019-08-07_12h34_05

And then “Configure”. Just to make sure it actually was synchronizing, I ran the PowerShell sync cmdlet

Start-ADSyncSyncCycle -PolicyType delta

After it was successful (Had to run it a couple of times, since the reconfiguration of AADConnect, initiates a Complete sync, which takes some time) I reconfigured AADConnect to again allow password hash sync.

2019-08-07_13h19_29

Enter your O365 tenant credentials if prompted!

2019-08-07_13h21_05

2019-08-07_13h24_43

After id was done, I waited a good 5 minutes for the initial sync, and then ran the PowerShell cmdlet again

And the waiting game started. It can take some time for O365 to realize that you actually did something, so after about 15 minutes everything looked fine again.

2019-08-07_13h31_53

2019-08-07_13h32_14

Pretty easy fix Smile

Seamless Sign On – How to and why

Seamless Sign On, what is it and why would you want to use it

Well, good questions. Seamless Sign On is a fairly new feature in Azure ADConnect, that allows users to have that “Single Sign On” experience, you get from using ADFS, but without the huge infrastructure. I can’t really see a lot of large companies using this feature, but for smaller / midsize businesses it makes a lot more sense. Why? Make it as easy for your users as possible, they would only need to remember 1 password, and you, as and admin, are in control of your users ID’s and passwords, from within your local AD (which in return will give you more time to enjoy your coffee)

So, lets get to it and start looking at the configuration. It doesn’t matter if you already have Azure ADConnect installed, or its a new installation. Its the same settings for both scenarios.

First of, start the AADConnect wizard. If you install AADConnect for the first time, the below is what you need to configure.

image

If you already have AADConnect running, this is what you need to configure.

image

On a side note, I would always recommend using OU filtering, so that you only synchronize what you need, and not all objects from AD. It will only look messy and confusing.

image

After configuration is done, you need a little more work on the client side. You need to set up GPO’s to allow Azure to receive the Kerberos tickets for Authentication before it works. So you need your browser to trust some sites.

Internet Explorer

For IE users (the few left smiley lol), you need to add some URL’s to the local intranet zone. Preferably done by GPO. These are the 2 addresses you need to add:

https://autologon.microsoftazuread-sso.com
https://aadg.windows.net.nsatc.net

Chrome

For Chrome users, there is a little more work, but it pays of. First of, download the Google ADMX files and add them to your AD, so that you are able to configure Chrome with GPO’s. Afterwards go to the Google Extension store. Search for “Windows 10 accounts”

clip_image002

Right click on the the logo and copy the link address.

clip_image004

Paste it to notepad

image

Copy the “app id”, from the last dash, to the questionmark, and paste it on a new line. Now you need to format the address for the Chrome GPO.

Separate the 32 character ID, with the default Google store address ;https://clients2.google.com/service/update2/crx, so that it looks like this

ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx

Find the correct Computer GPO setting for Chrome extensions

clip_image006

Open up “Configure the list of force-installed apps and extensions

Enable –> show, and paste the above ID address we created a few seconds ago

clip_image008

Save the GPO and link it to the OU where your computers are located, and you’re in business.

Once the GPO is “active” on clients (if it doesn’t happen run gpupdate /force, might require a restart) you will see the little Windows logo on the right topside of Chromeimage

Try and click on it smiley surprise, or just go to https://portal.office.com.

I have not tested it with other browsers. Edge browser isn’t supported, go figuresmiley disappointed

Pros and cons

I my opinion this as an awesome feature. Some of the smaller customers that I have helped, would definitely have benefited from this, instead of an ADFS infrastructure, but that’s just me smiley sunglasses. I will list my view on pros and cons here.

Pros

  • Users, need only to remember their AD password, and get easy access to your Office 365 tenant
  • Easy configuration, no need for expensive certificates, or a larger infrastructure as with ADFS
  • If browsers are configured correctly, the Seamless Sign On is as close to the Single Sign On, as you can get
  • The AADConnect / service is really stable. I have yet to see it crashing, or break down
  • Low footprint in your infrastructure. With installation on Domain Controllers being supported, or maybe your file server / application server, you don’t need dedicated HW / VM to run add extra costs

 

Cons

  • If the service is down, users can’t login. It’s possible to make the solution High available, but for that you will need one more local server to install an agent on
  • hmm… not sure I can find any more cons, but if i do, I’ll be sure to update smiley lol

 

Have fun, and enjoy.