I am getting an error upgrading Azure AD Connect to the Entra AD Connect

Anonymous
2024-08-05T17:01:13+00:00

Unable to validate credentials due to an unexpected error. Restart Azure AD Connect with the /interactiveauth option to further diagnose this issue. (ExtendedMessage: An error occurred while sending the request. | The underlying connection was closed: An existing connection was forcibly closed by the remote host. WebException: The underlying connection was closed: An unexpected error occurred on a send. STS endpoint HTTPS://login.microsoftonline.com/ourdomain.


Locked Question. This question was migrated from the Microsoft Support Community. To protect privacy, user profiles for migrated questions are anonymized.


4 answers

  1. Anonymous
    2024-08-06T06:57:24+00:00

    Hi Derek Kelsheimer,

    Thank you for posting in the Microsoft Community Forums.

    Here are some possible solution steps and checkpoints to help you diagnose and resolve the issue:

    1. Check network connectivity. Ensure that your server has access to Azure's STS (Security Token Service) endpoint, https://login.microsoftonline.com. This includes checking your network firewall, proxy settings, and any security software that may be blocking outbound HTTPS connections.
    2. Verify credentials. Ensure that you are using the correct Azure administrator credentials and have sufficient permissions to perform the upgrade operation. Try to re-authenticate using another Azure administrator account with the appropriate permissions.
    3. Use the /interactiveauth option. As suggested by the error message, you can try restarting the Azure AD Connect (or Entra AD Connect) wizard using the /interactiveauth option. This option allows you to authenticate through the graphical user interface (GUI) and may help diagnose the problem.
    4. Check the log files. Check the %ProgramData%\AADConnect\trace-*.log files, which typically contain detailed information about errors that occurred during the upgrade process. Look for error messages related to credential validation, network connectivity, or STS endpoints.
    5. Update and configure the server. Make sure your server has all the latest security updates and patches installed. Check that the server's date and time settings are correct, as incorrect date and time settings can affect the authentication of SSL/TLS connections.
    6. Check the configuration of Azure AD Connect/Entra AD Connect. Ensure that the configuration of Azure AD Connect or Entra AD Connect is correct and does not have any known compatibility issues before upgrading. If you have previously customized the configuration, make sure that these customizations were properly handled during the upgrade.

    Best regards

    Neuvi Jiang

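The checks in the answer above, turned into a script you can run from PowerShell on the Azure AD Connect server. This is an added example, not code from the thread or from Microsoft. It assumes only what the thread states: the STS host is login.microsoftonline.com and the wizard's trace logs live under %ProgramData%\AADConnect; the openid-configuration URL used for the clock check is a standard Entra endpoint, and the script assumes any proxy in the path does not require authentication for that request.

```powershell
# Added diagnostic script (not from the thread). Run on the Azure AD Connect
# server. Assumptions: STS host and trace-log path are taken from the thread;
# the proxy (if any) does not require authentication for the test request.
$sts = 'login.microsoftonline.com'

# Step 1: is port 443 on the STS endpoint reachable at all (firewall/proxy)?
$tcp = Test-NetConnection -ComputerName $sts -Port 443 -WarningAction SilentlyContinue
"TCP 443 to {0}: {1}" -f $sts, $tcp.TcpTestSucceeded

# What the .NET Framework in this process offers by default. 'Ssl3, Tls' means
# strong crypto is not enabled and a .NET 4.x application such as the Connect
# wizard will open the connection with TLS 1.0 unless it sets the protocol itself.
".NET default SecurityProtocol: {0}" -f [System.Net.ServicePointManager]::SecurityProtocol

# Handshake per protocol version. 'Forcibly closed by the remote host' on the
# older versions while Tls12 succeeds means the server rejects them and the
# client must be made to offer TLS 1.2. If Tls12 fails too, look at the
# proxy/firewall (TLS inspection) before looking at credentials.
foreach ($proto in 'Tls', 'Tls11', 'Tls12') {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($sts, 443)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($sts, $null, [System.Security.Authentication.SslProtocols]$proto, $true)
        "{0,-6} OK   negotiated {1}, cipher {2}" -f $proto, $ssl.SslProtocol, $ssl.CipherAlgorithm
        $ssl.Dispose()
    } catch {
        "{0,-6} FAIL {1}" -f $proto, $_.Exception.GetBaseException().Message
    } finally { $client.Dispose() }
}

# Step 5: clock skew. Token validation tolerates only a few minutes of skew,
# and a badly wrong clock also breaks certificate validity checks. Compare the
# local clock with the Date header the STS returns. TLS 1.2 is forced for this
# one process only so the check itself works on a box with the bad defaults.
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
$resp = Invoke-WebRequest -Uri "https://$sts/common/.well-known/openid-configuration" -UseBasicParsing
$serverTime = [DateTime]::Parse([string]$resp.Headers['Date']).ToUniversalTime()
$skew = ([DateTime]::UtcNow - $serverTime).TotalSeconds
"Clock skew vs {0}: {1:N0} s" -f $sts, $skew

# Step 4: the most recent errors in the wizard trace logs.
Select-String -Path "$env:ProgramData\AADConnect\trace-*.log" `
    -Pattern '\[ERROR\]|forcibly closed|AzureInstanceDiscovery' |
    Select-Object -Last 20 | ForEach-Object { $_.Line }
```

The per-protocol handshake is the part that separates a credential problem from a transport problem: the error in the question is a TCP reset during the send, which credentials cannot cause. Setting SecurityProtocol in the script changes nothing for the Connect wizard, which runs in its own process; the persistent fix is the registry change described in the later answers.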
  2. Anonymous
    2024-08-14T14:58:01+00:00

    I've been having the same issue for over a week. I also launch the installer using the /interactiveauth switch.
    Checking the trace log files, I see this:

    [09:44:43.721] [ 9] [ERROR] AzureConfigurationFromPrincipalName: Unable to determine the Azure instance for UPN (myemail@mydomain.com). Defaulting to the WorldWide instance which may result in authentication failures. Resolution Method [DomainSuffixMapping]: Unknown MOERA domain suffix. Defaulting to WorldWide which may result in subsequent authentication failures. Resolution Method [AzureInstanceDiscovery]: Unexpected failure. An error occurred while sending the request.. Continuing resolution.

    [09:44:43.733] [ 9] [INFO ] ResolveAzureInstance [Default]: authority=HTTPS://LOGIN.MICROSOFTONLINE.COM/MYDOMAIN.COM, Resolution Method [DomainSuffixMapping]: Unknown MOERA domain suffix. Defaulting to WorldWide which may result in subsequent authentication failures. Resolution Method [AzureInstanceDiscovery]: Unexpected failure. An error occurred while sending the request.. Continuing resolution.

    [09:44:43.770] [ 9] [INFO ] Authenticate-MSAL [Acquiring token]: STS endpoint (HTTPS://LOGIN.MICROSOFTONLINE.COM/MYDOMAIN.COM), scope (https://graph.windows.net/user_impersonation), userName (myemail@mydomain.com).

    [09:44:43.771] [ 9] [INFO ] MSAL.ClearTokenCache [Clearing Token Cache]

    [09:44:43.845] [ 9] [INFO ] MSAL: False MSAL 4.36.0.0 MSAL.Desktop 4.8 or later Windows Server 2016 Datacenter [08/14 14:44:43.84 - 11********-7**c-4**3-8**4-e***********25] [Region discovery] Azure region was not configured or could not be discovered. Not using a regional authority.

    [09:44:43.854] [ 9] [INFO ] MSAL: False MSAL 4.36.0.0 MSAL.Desktop 4.8 or later Windows Server 2016 Datacenter [08/14 14:44:43.85] Found 0 cache accounts and 0 broker accounts

    [09:44:43.855] [ 9] [INFO ] MSAL: False MSAL 4.36.0.0 MSAL.Desktop 4.8 or later Windows Server 2016 Datacenter [08/14 14:44:43.85] Returning 0 accounts

    [09:44:43.855] [ 9] [INFO ] Authenticate-MSAL [InteractionMode.Desktop]: user interaction required to complete authentication.

    [09:44:43.860] [ 9] [INFO ] Authenticate-MSAL: acquiring token using interactive authentication.

  3. Anonymous
    2024-08-14T18:58:20+00:00

    Enabling TLS 1.2 resolved the issue.

    10 people found this answer helpful.
  4. Anonymous
    2024-08-16T19:06:13+00:00

    I too got it resolved by enabling TLS 1.2.

    I just want to add where the instructions I followed are (as it took some time to find them):

    https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-tls-enforcement

    22 people found this answer helpful.
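The fix the last two answers describe, as an added script (mine, not the thread's and not the script on the linked Microsoft page). It audits and, with -Apply, sets the TLS 1.2 registry values that the linked enforcement page lists: the .NET Framework 4.x SystemDefaultTlsVersions and SchUseStrongCrypto values (64-bit and WOW6432Node hives) and the SCHANNEL TLS 1.2 Client and Server keys. Run it from an elevated PowerShell prompt on the Azure AD Connect server and reboot afterwards, since SCHANNEL and the .NET Framework read these values at start-up. The values and paths are the ones on the linked page; the script structure and the Ok/Actual reporting are my additions.

```powershell
# Added example (not the thread's or Microsoft's own script): audit and, with
# -Apply, set the TLS 1.2 registry values from the linked enforcement page.
# Run elevated on the Azure AD Connect server; reboot after applying.
param([switch]$Apply)

# .NET Framework 4.x: use the OS (SCHANNEL) defaults and strong crypto, so a
# .NET 4.x process such as the Connect wizard offers TLS 1.2 instead of TLS 1.0.
$dotNet = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$dotNetValues = @{ SystemDefaultTlsVersions = 1; SchUseStrongCrypto = 1 }

# SCHANNEL: explicitly enable TLS 1.2 for both the client and server roles.
$schannel = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
)
$schannelValues = @{ Enabled = 1; DisabledByDefault = 0 }

# Report each expected value next to what is currently in the registry.
function Test-RegValues {
    param([string[]]$Paths, [hashtable]$Expected)
    foreach ($p in $Paths) {
        foreach ($name in $Expected.Keys) {
            $actual = (Get-ItemProperty -Path $p -Name $name -ErrorAction SilentlyContinue).$name
            [pscustomobject]@{
                Path     = $p
                Name     = $name
                Expected = $Expected[$name]
                Actual   = if ($null -eq $actual) { '<missing>' } else { $actual }
                Ok       = ($actual -eq $Expected[$name])
            }
        }
    }
}

# Create any missing key and write the values as DWORDs.
function Set-RegValues {
    param([string[]]$Paths, [hashtable]$Expected)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        foreach ($name in $Expected.Keys) {
            New-ItemProperty -Path $p -Name $name -Value $Expected[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

$report = @(Test-RegValues $dotNet $dotNetValues) + @(Test-RegValues $schannel $schannelValues)
$report | Format-Table -AutoSize

if ($Apply) {
    Set-RegValues $dotNet $dotNetValues
    Set-RegValues $schannel $schannelValues
    Write-Host 'TLS 1.2 values written. Reboot the server, then rerun the Azure AD Connect upgrade.'
} elseif ($report.Ok -contains $false) {
    Write-Host 'One or more values are not set. Rerun with -Apply from an elevated prompt to set them.'
}
```

Run it once without -Apply to see which values are missing (on a Windows Server 2016 box that has never been touched, the .NET values are typically the ones absent), then with -Apply. The fix goes in the client direction only: enable TLS 1.2 on the server that runs Azure AD Connect rather than trying to make the STS accept TLS 1.0 or 1.1, which it no longer does.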