I have an Azure AD Connect (v2.1.16.0) installation that has recently begun failing during the majority (but not all) of its directory sync attempts. When a directory synchronization fails, the synchronization service manager indicates that it is the import and export tasks using the AAD connector that fail. Here are example errors that show up in the event log:
ERROR #1 - ADSync - Event ID: 6005
"The management agent "[tenantID].onmicrosoft.com - AAD" failed on run profile "Delta Import" because of an unspecified management agent error."
ERROR #2 - Directory Synchronization - Event ID: 906
"Authenticate-MSAL: unexpected exception [Unspecified-Authentication-Failure] - extendedMessage: An error occurred while sending the request. | The request was aborted: Could not create SSL/TLS secure channel.
webException: The request was aborted: Could not create SSL/TLS secure channel.
STS endpoint: HTTPS://LOGIN.MICROSOFTONLINE.COM/[tenantID].ONMICROSOFT.COM"
ERROR #3 - Directory Synchronization - Event ID: 906
"GetSecurityToken: unable to retrieve a security token for the provisioning web service (AWS). An error occurred while sending the request. | The request was aborted: Could not create SSL/TLS secure channel.. extendedMessage: An error occurred while sending the request. | The request was aborted: Could not create SSL/TLS secure channel.
webException: The request was aborted: Could not create SSL/TLS secure channel.
STS endpoint: HTTPS://LOGIN.MICROSOFTONLINE.COM/[tenantID].ONMICROSOFT.COM"
ERROR #4 - Directory Synchronization - Event ID: 106
"Failed to connect to Windows Azure Active Directory during import: Exception: System.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The request was aborted: Could not create SSL/TLS secure channel.
at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)"
When I open the Azure AD Connect installation wizard (AzureADConnect.exe), I get a very similar error message when attempting to sign in with a cloud-only global administrator account. However, if I use the /InteractiveAuth command line then I am able to sign in and use the wizard normally (but the post wizard synchronization will still fail).
I have spent three days searching the internet and trying different solutions. I have:
- Uninstalled and reinstalled Azure AD Connect
- Installed Azure AD Connect on a different server (with same result)
- Made sure that the cloud sync account is not using MFA and is excluded from all conditional access policies
- Made sure that the cloud-only global administrator account does not use MFA (and does use @[tenantID].onmicrosoft.com instead of one of my custom domains)
- Ensured that all accounts have unchanged and unexpired passwords
- Updated all of the root CA certificates on my server
- Enforced TLS 1.2 for all applications (including .NET Framework) on my server
- Ensured that all the latest .NET updates have been applied
- I should also point out that my network does NOT use a web proxy
At this point I am stuck and have no idea where my next troubleshooting steps should be. I am suspecting that the heart of the error has something to do with the .NET Framework, but I am completely unfamiliar with .NET and can only understand enough to recognize that Error #4 above is being thrown by .NET. (Sorry if adding the #dotnet-ad tag ends up being irrelevant)
Any help or direction that you can provide would be greatly appreciated.
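The errors quoted above all come down to "Could not create SSL/TLS secure channel", which is what .NET Framework reports when the SChannel handshake to login.microsoftonline.com fails before any authentication happens. The following script is an added troubleshooting example written for this thread; it is not the poster's own code and not part of Azure AD Connect. It reads the registry values Microsoft documents for .NET Framework 4.x strong-crypto/TLS 1.2 behaviour and the SChannel TLS 1.2 client protocol, shows which protocols the current .NET process defaults to, and then attempts an explicit TLS 1.2 handshake to the STS endpoint named in the event text so that a certificate-chain or protocol problem is reported as a concrete exception rather than the generic message. It assumes Windows PowerShell 5.1 on the AAD Connect server, an elevated session, and that the endpoint to test is login.microsoftonline.com on port 443 (taken from the STS endpoint in the errors).

```powershell
# Added example for this thread, not code from the original post or from Azure AD Connect.
# Assumptions: run elevated in Windows PowerShell 5.1 on the AAD Connect server;
# the only endpoint exercised is login.microsoftonline.com:443 (the STS endpoint in the errors).

$stsHost = 'login.microsoftonline.com'

# Registry values documented by Microsoft for .NET Framework 4.x and SChannel TLS 1.2.
# Expected values: SchUseStrongCrypto=1, SystemDefaultTlsVersions=1 (both 64-bit and WOW6432Node),
# TLS 1.2 Client Enabled=1 and DisabledByDefault=0.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto';       Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SystemDefaultTlsVersions'; Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto';       Expect = 1 },
    @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SystemDefaultTlsVersions'; Expect = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'Enabled';           Expect = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'; Name = 'DisabledByDefault'; Expect = 0 }
)

function Get-TlsRegistryState {
    # Emit one row per expected value; a missing key or value is reported, not treated as OK.
    foreach ($c in $checks) {
        $actual = $null
        if (Test-Path $c.Path) {
            $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($item) { $actual = $item.($c.Name) }
        }
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Expect
            Actual   = if ($null -eq $actual) { '(missing)' } else { $actual }
            Ok       = ($actual -eq $c.Expect)
        }
    }
}

function Test-Tls12Handshake {
    param([string]$HostName)
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
        # No custom certificate validation callback: chain or revocation problems
        # surface as an exception here, the same way they do for AAD Connect.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        [pscustomobject]@{
            Host             = $HostName
            Protocol         = $ssl.SslProtocol
            Cipher           = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            ServerCertIssuer = $ssl.RemoteCertificate.Issuer
            Succeeded        = $true
            Error            = $null
        }
    } catch {
        # GetBaseException() unwraps the HttpRequestException/WebException layering seen in Error #4.
        [pscustomobject]@{
            Host             = $HostName
            Protocol         = $null
            Cipher           = $null
            ServerCertIssuer = $null
            Succeeded        = $false
            Error            = $_.Exception.GetBaseException().Message
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Dispose() }
    }
}

'--- .NET Framework / SChannel TLS 1.2 registry state ---'
Get-TlsRegistryState | Format-Table -AutoSize

'--- Protocols this .NET process uses by default (SystemDefault means the OS decides) ---'
[Net.ServicePointManager]::SecurityProtocol

'--- Explicit TLS 1.2 handshake to the STS endpoint ---'
Test-Tls12Handshake -HostName $stsHost | Format-List
```

If every registry row shows Ok = True and the handshake succeeds, the .NET/SChannel protocol configuration is not the cause and attention should move to what differs between the handshake here and the one AAD Connect makes (the service account's certificate stores, CRL/OCSP reachability, or a TLS-inspecting device on the path). If the handshake fails, the unwrapped exception message names the actual reason (for example an untrusted chain or a closed connection), which is far more actionable than the generic "secure channel" text in the event log.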