I can't register Azure AD connector health sync agent?

J Williams 1 Reputation point
2020-08-06T11:38:16.037+00:00

I had to un-install our previous version of Azure AD Connect as upgrading to the latest version hung. I've got Azure AD Connect working, but I can't register the Azure AD connector health sync agent.

I've tried using the PowerShell command `Register-AzureADConnectHealthSyncAgent`, but that fails with the following errors in the log:

Message = CertificatePinning.Validate;Error validating Subject Public Key Info hash against certificate pinning list: 3B56DD641BD3E3A45E26477051CA3A0944C4992D271E8A0123C4AE99DEF3A288
Message = Agent.Main;Client activation failed:The remote server returned an error: (403) Forbidden. 
System.Net.WebException: The remote server returned an error: (403) Forbidden.

The account that I use when attempting to register is the same one that I used when installing Azure AD Connect. The account is a Global Administrator.

I've searched other posts and found one about ensuring that the values RSA/SHA512 and ECDSA/SHA512 exist in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003\Functions. I've checked, and these values exist.

We don't have a support contract with Microsoft. Please, can anybody help with this?

Many thanks for reading and, hopefully, replying.

  1. Shashi Shailaj 7,581 Reputation points Microsoft Employee
    2020-08-06T20:48:12.047+00:00

    Hello @Jwilliams-0218, I researched this; however, there may be insights into your environment that I may not have, and hence I will base my answer on the error details you have provided. The error you provided points directly to certificate pinning issues. I will first explain what certificate pinning is. Certificate pinning is the process where the chain validation for a certificate is to be done by specific certificate authorities for a particular domain name, which are listed in the certificate pinning list maintained on the verifier's side. This is done in order to harden security against any kind of tampering with the certificates during client-server secure communications. This is not the best technical definition of certificate pinning, but for the sake of explaining this issue, I think this will do for the moment. In case you would like to know more about it, you can read about it here.

    I would suggest you run a few checks in order to troubleshoot some things yourself and come to a conclusion on this one. I suppose you are using the latest agent and not an old, previously downloaded one. In case you have installed the Azure AD Connect Health agent for sync from an old setup, I would recommend you update it to the most recent version from the download page here.

    Try registering the agent again using `Register-AzureADConnectHealthSyncAgent`. If you get the same error, we will start by testing the connectivity, because the "forbidden error with failing CertificatePinning validation for the subject name of the certificate presented from the Health agent client" mostly occurs because of some kind of issue with the network connectivity. It can be due to other reasons as well, but mostly it is TLS/SSL network security related. So we will start by checking the connectivity using the PowerShell commands below. Please open an elevated PowerShell prompt and run the following cmdlets.

    • We will first check whether there is a proxy setting defined for the AAD Connect Health agent:
      `Get-AzureAdConnectHealthProxySettings`
    • The response should be something like below:

          PS C:\Windows\system32> Get-AzureADConnectHealthProxySettings

          Key                                                         Value
          ---                                                         -----
          HttpsProxyAddress

    • Alternatively, if you see a proxy configured, please remove it by using `Set-AzureAdConnectHealthProxySettings -NoProxy`. This will only clear the proxy setting for the AD Connect Health agent and won't affect any other component on the machine.
    • You have mentioned that you have already checked some TLS-related hash settings, but I would like you to verify again whether the update listed in KB2973337 is installed on your server. If the server OS is Windows 2016 or above, this KB is not applicable in your case.
    • Now run the connectivity test again using `Test-AzureADConnectHealthConnectivity -Role Sync`.
    • If you still get the same error about CertificatePinning, then we will need to take a network trace to ascertain whether there are any issues with the SSL handshake between the client and the backend service in the cloud.
    • The Health agent client certificate is used to check the authenticity of the agent, in order to verify that the client agent is not tampered with, so during the registration request the certificate is also attached for connections to the PolicyKeyService in the Azure backend, as you can see in the Test-AzureADConnectHealthConnectivity logs. Hence we will verify some settings related to secure communications and then collect a network trace to verify that the certificate is not modified in any way.
    • If you have a proxy, or the environment has some kind of HTTPS inspection or SSL/TLS scanning tool at the network level, like an advanced firewall or application security appliance, they generally act as a middleman and assign any SSL communication within the network a temporary certificate themselves. If this is not set up properly, clients trying to use secure connections to any external service over TLS can face several connectivity issues. In this case the certificate attached in the registration request can get modified, and the subject of the issuing authority will get changed, because the certificate is not the original one with which the PowerShell request was initiated but the one the firewall replaced it with. So the PolicyKeyService in the cloud will reject it, as it is designed to verify the client certificate issued by a specific certificate authority, which is Microsoft's internal CA, for security purposes.
    • Make sure that the PolicyKeyService endpoints and other related endpoints are in the firewall allow lists in your environment's network, and if they are already in the allowed list.
    • Try restarting the Monitor and Insights services from the services console and running the registration again.
    • If that does not work, you can use Wireshark to capture the network logs for checking HTTPS traffic. You may need to download and install it.
      - Start Wireshark.
      - Run the agent registration command `Register-AzureADConnectHealthSyncAgent`.
      - Stop the network capture after the error.
      - Review the Wireshark trace.
    • Try filtering the traffic using the filter `ssl.record.version == 0x0300`, where 0x0300 is the hex code for SSL3 traffic. The hex value represents the type of protocol, for example 0x0301 [for TLS 1.0], 0x0302 [for TLS 1.1] and 0x0303 [for TLS 1.2]. In the traffic you should find a Client Hello/Server Hello section.
    • You need to find the X509Cert leaf in the Certs > Certificates branch and then find the value of Issuer:. If it is not from Microsoft, then you have an issue where somewhere in the network the request is modified, and you need to find which network device is changing the issuer.
    • If this does not help, then we may need to do some more detailed debugging in order to come to a conclusion.

    I am positive that this will help you resolve the issue and solve it yourself. However, if this still does not help you, please do let us know and we will take some more logs and help you with the next steps. Please save the logs and timestamps for future troubleshooting purposes in case the above plan does not help. In case the above helps you fix the issue, please do accept this post as the answer so that it can help other members of the community with similar issues.

    Thank you.

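An added diagnostic script, not part of the answer above and not Microsoft's tooling, that runs the answer's checks in one pass on the sync server: the SHA512 entries in the SSL `Functions` registry value, KB2973337 on pre-2016 servers, the agent's proxy setting, and the issuer of the certificate an endpoint actually presents to this host, which is what the Wireshark step inspects. It assumes the Azure AD Connect Health cmdlets are installed; `$Endpoint` is a placeholder to be filled from the Test-AzureADConnectHealthConnectivity log, and the `Microsoft` issuer match is the answer's rule of thumb (real issuer names vary by endpoint).

```powershell
# Added example: one-pass version of the checks in the answer above (not Microsoft's code).
# Assumes the Azure AD Connect Health cmdlets are installed on the sync server.
# $Endpoint is a placeholder; take the real hostname from the Test-AzureADConnectHealthConnectivity log.
param([string]$Endpoint = 'PLACEHOLDER-endpoint.example.com')

# 1. The SSL Functions multi-string must list both SHA512 signature algorithms (the KB2973337 fix).
$fnKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$functions = (Get-ItemProperty -Path $fnKey -Name Functions).Functions
foreach ($alg in 'RSA/SHA512', 'ECDSA/SHA512') {
    if ($functions -contains $alg) { "OK       $alg is in SSL Functions" }
    else                           { "MISSING  $alg is not in SSL Functions (see KB2973337)" }
}

# 2. KB2973337 only applies before Windows Server 2016 (build 14393).
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
if ($build -lt 14393) {
    if (Get-HotFix -Id KB2973337 -ErrorAction SilentlyContinue) { 'OK       KB2973337 installed' }
    else                                                         { 'MISSING  KB2973337 not installed' }
} else { "OK       build $build, KB2973337 not applicable" }

# 3. A proxy configured only for the Health agent is a common cause of the pinning failure.
$proxy = Get-AzureADConnectHealthProxySettings
if ($proxy.HttpsProxyAddress) {
    "WARN     agent proxy is $($proxy.HttpsProxyAddress); clear with Set-AzureADConnectHealthProxySettings -NoProxy"
} else { 'OK       no agent-specific proxy configured' }

# 4. Same question the Wireshark step asks: who issued the certificate this server actually sees?
#    An issuer that is not Microsoft's CA means something in the path is re-signing the TLS session.
#    The validation callback accepts any certificate on purpose: this is a read-only inspection,
#    nothing is sent over the connection, and the session is closed right after the handshake.
$tcp = New-Object System.Net.Sockets.TcpClient($Endpoint, 443)
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($Endpoint)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "ISSUER   $($leaf.Issuer)"
    "SUBJECT  $($leaf.Subject)"
    # 'Microsoft' is the answer's heuristic; exact issuer names differ between Azure endpoints.
    if ($leaf.Issuer -notmatch 'Microsoft') {
        'WARN     issuer is not a Microsoft CA; an HTTPS inspection device is probably rewriting the certificate'
    }
} finally { $ssl.Dispose(); $tcp.Dispose() }

# 5. Finally re-run the agent's own connectivity test and keep its output with the results above.
Test-AzureADConnectHealthConnectivity -Role Sync
```

Run it from an elevated PowerShell prompt on the Azure AD Connect server and keep the output together with the registration log, as the answer suggests, before escalating.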