Failed Manual ADConnect Health Syn Agent Registration

Dane Briggs 211 Reputation points
2020-08-26T22:19:20.913+00:00

The person that installed ADConnect noted that he received an error message "Registration failed for your Azure AD Connect Health Agent for sync". So I've tried to register manually:

Register-AzureADConnectHealthSyncAgent

and receive the following errors:

2020-08-26 20:58:40.743 The underlying connection was closed: An unexpected error occurred on a send.
Configuration Failed
Register-AzureADConnectHealthSyncAgent : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -St ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Register-AzureADConnectHealthSyncAgent], WebException
    + FullyQualifiedErrorId : System.Net.WebException,Microsoft.Identity.AadConnect.Health.AadSync.PowerShell.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent

The log is attached:

20691-adhealthaadsyncagentconfiguration2020-08-26-16-36.txt

I've also noticed in the event log at the same time the following error:
Source: Schannel
Event ID: 36871
"A fatal error occurred while creating a TLS client credential. The internal error state is 10013."

To me everything is pointing to a TLS issue on the server. However, I've set TLS according to the MS recommendations:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement

I've also verified that RSA//SHA512 and ECDSA//SHA512 are part of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003 key.

Please help me resolve my connection issues.

1 answer

Dhivya G - MSFT Identity 11 Reputation points Microsoft Employee
2020-08-28T19:10:03.477+00:00

Thanks for the wait and the detailed logs in the question. I have reached out to the PG (product group) team on this and here is what they have suggested to verify:

The failure occurred when trying to upload sample data during registration / config of the agent.
Likely causes are:

1. Outbound SSL inspection is being performed on HTTPS web traffic from the health agent server. This breaks certificate-based authentication between the agent and the health service. Verify that outbound SSL inspection is not occurring on the communications to the AADC Health end points, that all necessary AADC Health service end points are whitelisted/accessible, and that the required TLS protocols are enabled on the AADC server.
2. URL / port whitelisting of AAD Connect Health endpoints isn't complete.
3. Server hardening and necessary TLS protocols are blocked.

Also, could you refer to the requirements and recommendations in this article.
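The following diagnostic is an added example, not part of the thread or of Microsoft's tooling. Run it on the Connect server as an administrator: it reads the Schannel and .NET registry settings the linked TLS article covers, the Functions list the question checked, the Schannel 36871 events, and then performs a real handshake so you can see the issuer of the certificate the server actually receives (an internal CA there points at cause 1, outbound SSL inspection). The $Endpoint default is an assumption; substitute the Connect Health endpoints from your documentation.

```powershell
# Added diagnostic, not from the thread. Assumes local admin on the AADC server.
# $Endpoint is an assumed Azure AD host; test each Connect Health endpoint you rely on.
param([string]$Endpoint = 'login.microsoftonline.com')

function Get-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Schannel: TLS 1.2 client must be Enabled=1 and DisabledByDefault=0.
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
[pscustomobject]@{
    Check             = 'TLS 1.2 client'
    Enabled           = Get-RegValue $tls12 'Enabled'
    DisabledByDefault = Get-RegValue $tls12 'DisabledByDefault'
}

# 2. .NET Framework: the agent is managed code, so SchUseStrongCrypto=1 is needed for both bitnesses.
foreach ($p in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
    [pscustomobject]@{ Check = ".NET SchUseStrongCrypto ($p)"; Value = Get-RegValue $p 'SchUseStrongCrypto' }
}

# 3. The Functions list from the question (REG_MULTI_SZ). The entries are spelled
#    'RSA/SHA512' and 'ECDSA/SHA512' (single slash) in the registry.
$fn = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003' 'Functions'
[pscustomobject]@{ Check = 'Functions has RSA/SHA512';   Value = ($fn -contains 'RSA/SHA512') }
[pscustomobject]@{ Check = 'Functions has ECDSA/SHA512'; Value = ($fn -contains 'ECDSA/SHA512') }

# 4. Recent Schannel 36871 events (the error state, e.g. 10013, is in the message text).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36871;
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object -First 3 TimeCreated, Message

# 5. Handshake test: accept any certificate so we can inspect who issued it.
#    An internal/proxy CA as Issuer means the TLS session is being intercepted.
$tcp = New-Object System.Net.Sockets.TcpClient($Endpoint, 443)
$cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($Endpoint)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{ Check = 'TLS handshake'; Protocol = $ssl.SslProtocol
                       Subject = $cert.Subject; Issuer = $cert.Issuer }
} finally { $ssl.Dispose(); $tcp.Dispose() }
```

If step 5 fails with the same "connection was closed" error while a browser on the same host reaches the endpoint, the problem is in the server's Schannel/.NET configuration rather than on the network path.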