Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Self-Service Password Reset’ Category

(2017-03-21) “Unrecoverable Issue” Error Or “Temporary Connectivity Issue” Error During Azure AD Password Change Or Password Reset

Posted by Jorge on 2017-03-21


A few days ago I was testing with Azure AD Password Change and Azure AD Self-Service Password Reset. I experienced the following errors, which at that time seemed weird and which I was not able to understand, as a few days earlier everything had been working.

The errors below are related to password change. However, you will see similar errors when using password reset.


Figure 1: Error When Using Azure AD Self-Service Password Change/Reset

we could not change your password

We’re sorry, but we cannot change your password at this time. This is due to a temporary connectivity issue, so if you try again later, changing your password may succeed.

If the issue persists, please contact your admin to change your password for you


Figure 2: Error When Using Azure AD Self-Service Password Change/Reset

we could not change your password

We’re sorry, but we cannot change your password at this time. Unfortunately, this is due to an unrecoverable issue with your account configuration, so trying again won’t work.

Please contact your admin to change your password for you

When you look in the Application event log on the active Azure AD Connect server, you will see an event similar to the following one.


Figure 3: Error In The Application Event Log Of The AAD Connect Server When Using Azure AD Self-Service Password Change/Reset

An unexpected error has occurred during a password set operation.
"ERR_: MMS(2332): ..\ObjectSearcher.cpp(461): AD Object is not present.
BAIL: MMS(2332): ..\ObjectSearcher.cpp(491): 0x80230405 (The operation failed because the object cannot be found): No password writeback targets found. Make sure that the source object exists and is connected to the target objects via MV and the target object is in scope of password sync rule. AAD anchor = User_ad4555c8-5a6c-4769-b3f7-27f58383f23dAzure AD Sync 1.1.443.0"

I also saw the following error.


Figure 4: Error In The Application Event Log Of The AAD Connect Server When Using Azure AD Self-Service Password Change/Reset

TrackingId: 0f14f5a9-b62c-448f-a0bf-9783f73660ea, Reason: Synchronization Engine returned an error hr=80230405, message=The operation failed because the object cannot be found, Context: cloudAnchor: User_cb4555c8-5a6c-4769-b3f7-27f58383f23d, SourceAnchorValue: xxxxxxxxxxxxx UserPrincipalName: jorge@xxxxxx.nl, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230405, message=The operation failed because the object cannot be found
   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
   at AADPasswordReset.SynchronizationEngineManagedHandle.ChangePassword(String cloudAnchor, String sourceAnchor, String oldPassword, String newPassword)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ChangePassword(String changePasswordXMLRequestString)

The errors carry two key hints, both attached to “The operation failed because the object cannot be found”:

  1. Make sure that the source object exists and is connected to the target objects via MV ….
  2. …..and the target object is in scope of password sync rule

[AD.1]

This basically says the following:

  • The AD user object has a connector space (CS) object in the AD connector space; that CS object is joined to a metaverse (MV) object, which in turn is joined to a CS object in the AAD connector space that represents the AAD user object

In other words, the AD object and the AAD object must be linked to each other through their CS objects and a shared MV object in Azure AD Connect, and every CS object in that chain must be a “connector” (joined to the MV object), not a disconnector. If that is not the case, you will need to fix the join first.

[AD.2]

This basically says the following:

  • Is there at least one inbound sync rule from AD and at least one outbound sync rule to AAD that both have the setting “Enable Password Sync” enabled, and do those rules both apply to the related objects end-to-end in Azure AD Connect?

In other words, if there is not at least one inbound sync rule and at least one outbound sync rule with the setting “Enable Password Sync” enabled, you will get this error. You will also get this error if the inbound and outbound sync rules that do have the setting do not scope the same related objects.
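The sync-rule half of that check can be scripted. The following is an added example, not code from the original post: it uses the ADSync module on the Azure AD Connect server to list the enabled inbound-from-AD and outbound-to-AAD rules that have “Enable Password Sync” set, and reports whether at least one of each exists. It assumes the AD connector reports ConnectorTypeName 'AD' and the AAD connector name ends in ' - AAD'; the CS/MV join condition ([AD.1]) still has to be verified in Synchronization Service Manager.

```powershell
# Added example (not from the original post): does the sync-rule set still allow
# password writeback at all? Assumes: ADSync module on the AAD Connect server,
# AD connector has ConnectorTypeName 'AD', AAD connector name ends in ' - AAD'.
Import-Module ADSync

function Test-PasswordWritebackRules {
    $connectors = Get-ADSyncConnector
    $adIds  = @($connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' }).Identifier
    $aadIds = @($connectors | Where-Object { $_.Name -like '* - AAD' }).Identifier

    # Only enabled rules count: a disabled original plus a clone that lost the
    # flag is exactly the state that produces "No password writeback targets found".
    $rules = Get-ADSyncRule | Where-Object { -not $_.Disabled }

    $inbound  = @($rules | Where-Object {
        $_.Direction -eq 'Inbound'  -and $adIds  -contains $_.Connector -and $_.EnablePasswordSync })
    $outbound = @($rules | Where-Object {
        $_.Direction -eq 'Outbound' -and $aadIds -contains $_.Connector -and $_.EnablePasswordSync })

    [pscustomobject]@{
        InboundPasswordSyncRules  = $inbound.Name
        OutboundPasswordSyncRules = $outbound.Name
        WritebackPossible         = ($inbound.Count -gt 0 -and $outbound.Count -gt 0)
    }
}

# Usage: on a default installation this lists "In from AD - User AccountEnabled"
# and "Out to AAD - User Join" and reports WritebackPossible = True.
Test-PasswordWritebackRules | Format-List
```

If WritebackPossible is False, compare the listed rules with the scope of the user that fails; a rule that carries the flag but does not scope that object does not help, which is the second condition in [AD.2].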

So what was it in my case? Let’s first go back to the theory.

By default, two sync rules in Azure AD Connect (“In from AD – User AccountEnabled” and “Out to AAD – User Join”) have the setting “Enable Password Sync” enabled. If you want to use Password Change and Password Reset in Azure AD, you only have to enable Password Writeback in Azure AD Connect. That’s it! You do not have to do anything else!

Now assume you need to change one of the default rules. In that scenario you edit the default sync rule and choose the option to clone it and disable the original. The cloned sync rule is then edited as you see fit or need. When you clone a sync rule that has “Enable Password Sync” enabled, that setting is carried over from the original sync rule to the clone.

A week or so ago, I had to reinstall Azure AD Connect. So I used my script to export sync rules to PowerShell files, uninstalled Azure AD Connect, reinstalled Azure AD Connect and imported my custom sync rules. And here is where it went wrong! The script that I had written had a bug where it DID NOT export the setting “Enable Password Sync” on any sync rule. Therefore, during import the setting “Enable Password Sync” was also not put back on my custom inbound sync rule (and the original sync rule was disabled, as expected!). A simple fix to the script solved the export issue.

For Azure AD Connect, on my custom inbound sync rule I enabled the setting “Enable Password Sync” and ran an initial (full) sync with the command: Start-ADSyncSyncCycle -PolicyType Initial
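The remediation steps above, as an added example that is not the author’s own script: it re-applies “Enable Password Sync” to a named custom inbound rule, checks that an exported rule script still carries the -EnablePasswordSync switch (the export bug described above), and then triggers the initial sync. The rule name and script path are placeholders; it assumes the EnablePasswordSync property on the rule object returned by Get-ADSyncRule is writable and that Add-ADSyncRule accepts the modified object, which is the pattern the exported rule scripts themselves use.

```powershell
# Added example (not from the original post). Assumes the ADSync module on the
# AAD Connect server; rule name and script path below are placeholders.
Import-Module ADSync

function Enable-PasswordSyncOnRule {
    param([Parameter(Mandatory)][string]$RuleName)

    $rule = @(Get-ADSyncRule | Where-Object { $_.Name -eq $RuleName })
    if ($rule.Count -eq 0) { throw "Sync rule '$RuleName' not found." }
    if ($rule.Count -gt 1) { throw "More than one sync rule is named '$RuleName'." }
    $rule = $rule[0]

    if ($rule.EnablePasswordSync) {
        "'$RuleName' already has Enable Password Sync enabled; nothing to do."
        return $rule
    }

    # Assumption: the property is writable and Add-ADSyncRule updates the
    # existing rule in place when handed the modified object.
    $rule.EnablePasswordSync = $true
    Add-ADSyncRule -SynchronizationRule $rule | Out-Null
    Get-ADSyncRule -Identifier $rule.Identifier
}

function Test-ExportedRuleKeepsPasswordSync {
    # Returns $true when the exported script passes -EnablePasswordSync to
    # New-ADSyncRule; a rule exported without it loses the flag on import.
    param([Parameter(Mandatory)][string]$ScriptPath)
    $text = Get-Content -Path $ScriptPath -Raw
    [bool]($text -match '-EnablePasswordSync')
}

# Placeholder names; replace with the custom rule and its exported script.
$fixed = Enable-PasswordSyncOnRule -RuleName 'In from AD - User AccountEnabled (custom)'
"EnablePasswordSync on '$($fixed.Name)': $($fixed.EnablePasswordSync)"

if (-not (Test-ExportedRuleKeepsPasswordSync -ScriptPath 'C:\SyncRules\CustomInbound.ps1')) {
    Write-Warning 'Exported rule script does not carry -EnablePasswordSync; fix the exporter before the next reinstall.'
}

# Initial (full) sync so the rule change is applied end-to-end, as in the post.
Start-ADSyncSyncCycle -PolicyType Initial
```

Run the same check against the custom outbound rule as well if one was cloned; both directions need the flag for writeback to find a target.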

Problem solved!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Self-Service Password Reset, Windows Azure Active Directory

(2014-04-05) Azure Active Directory Services – It’s Getting Cooler By The Day!

Posted by Jorge on 2014-04-05


Azure Active Directory has reached general availability. It is packed with very cool features for all the stuff you want, or need, to do in the cloud.

Azure Active Directory Premium is a service targeted at large enterprises and is available through volume licensing and/or an enterprise agreement. So if you are interested in a demo, a trial or purchasing, contact your Microsoft account rep (OR ME!). It is also available as part of our new Enterprise Mobility Suite (EMS), which includes Intune and Azure RMS as well. We are offering some incredible deals on EMS for the next 90 days, so if you are considering purchasing subscriptions to any of these services, now is a great time to act!

As always, we’d love to hear any feedback or suggestions you have. And for those of you with enterprise class identity needs, I hope you’ll find Azure AD Premium useful!

It is a combined offering for:

  • Directory Services
  • Federation Services
  • Rights Management Services
  • Multi-Factor AuthN
  • Identity Management
  • Monitoring and Reporting
  • and much more!

…in the cloud.

WOW!

Read more about it through the following links:

Have fun!

Cheers,
Jorge

Posted in App Access Management, Branding, Monitoring/Reporting, Multi-Factor AuthN, Rights Management, Self-Service Group Management, Self-Service Password Reset, Windows Azure Active Directory
