while configuring password write back for SSPR, I get error and it says check event viewer. Not able to enable SSPR.

Anonymous

While enabling SSPR, I need to enable password writeback in AAD connect however, when doing so, I face below mentioned error which is not letting me enable the same. Can someone please suggest on this.

TLS1.2 is already running on server. And we are using adfs server for SSO.

The server encountered an unexpected error while performing an operation for the client.

"BAIL: MMS(8344): ..\server.cpp(9546): 0x80004005 (Unspecified error)
Azure AD Sync 2.1.16.0"

The password management extension encountered an error.
The stack trace is:

"Couldn't connect to any service bus endpoint(s)

at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetServiceManager.LogAndThrowPasswordResetException(String message, String context, Int32 eventId, Exception ex)
at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetServiceManager.StartPasswordResetService(String configXML, IPasswordReset passwordResetProvider, Boolean initiatedByAdmin)
at AADPasswordReset.AADPasswordResetExtension.StartPasswordResetService(AADPasswordResetExtension* , _GUID managementAgentGuid, Char* serviceConfiguration, IAADPasswordReset* passwordResetServerHandle, Int32 initiatedByAdmin)

InnerException=>
Exception of type 'Microsoft.CredentialManagement.OnPremisesPasswordReset.OnPremisesPasswordResetException' was thrown.

at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetServiceManager.StartPasswordResetService(String configXML, IPasswordReset passwordResetProvider, Boolean initiatedByAdmin)

InnerException=>
none

TrackingId: ec5b096a-7266-4ffd-af27-f4a288d39c8a, Couldn't connect to any service bus endpoint(s), Details:

TrackingId: ec5b096a-7266-4ffd-af27-f4a288d39c8a, Password writeback service is not in a healthy state. No serviceHost for service bus endpoints are in running state. Please refer aka.ms/ssprtroubleshoot, Details: Version: 5.0.922.0

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Anonymous

2022-09-19T04:25:46.783+00:00

Anyone figured this error? As I have gone through all the details and possible explanation on the issue however, the end result remains the same.
Givary-MSFT 27,966 Reputation points Microsoft Employee

2022-09-19T05:58:07.633+00:00

anonymous user Reviewed the above error message in the query,

just wanted to check do you see any application event ID 31034 logged on AADC server that is active?

Have you tried Disable and Re-Enable Password Writeback, will generally correct any service bus connectivity issues. you can do this in the GUI in Azure AD Connect Configuration Wizard or you can also check results of doing this via PowerShell commands:

$aadConnector = Get-ADSyncConnector | ? {$_.Name -match "onmicrosoft.com - AAD"}
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

<< Remove SSPR writeback config >>
Remove-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name
Start-Sleep -Seconds 5

<< Re-enable SSPR writeback config >>
Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name -Enable $true
Start-Sleep -Seconds 5

<< Verify SSPR writeback config >>
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

Let me know if these steps help or we can connect offline to troubleshoot the same.
Anonymous

2022-09-19T06:22:37.07+00:00
Hi @Givary-MSFT

I ran ps command and below is the output.

$aadConnector = Get-ADSyncConnector | ? {$_.Name -match "onmicrosoft.com - AAD"}
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

Connector : solvezy.onmicrosoft.com - AAD
Enabled : False
ModifiedTimestamp : 9/17/2022 8:07:47 AM
OnboardingRequiredStatus : NotRequired
ServiceStatus : Unknown

Get-ADSyncAADPasswordResetConfiguration : Cannot validate argument on parameter 'Connector'. The argument is null or
empty. Provide an argument that is not null or empty, and then try the command again.
At line:1 char:52

Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

~~~~~~~~~~~~~~~~~~

CategoryInfo : InvalidData: (:) [Get-ADSyncAADPasswordResetConfiguration], ParameterBindingValidationEx
ception

FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyn
cAADPasswordResetConfigurationCmdlet
Anonymous

2022-09-19T06:30:18.993+00:00

@Givary-MSFT I ran these ps command and below is the output.
Anonymous

2022-09-19T06:30:34.027+00:00
Below is the output from PS command.
$aadConnector = Get-ADSyncConnector | ? {$_.Name -match "onmicrosoft.com - AAD"}
Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name

Connector : solvezy.onmicrosoft.com - AAD
Enabled : False
ModifiedTimestamp : 9/17/2022 8:07:47 AM
OnboardingRequiredStatus : NotRequired
ServiceStatus : Unknown

Set-ADSyncAADPasswordResetConfiguration : Server detected an exception (Error HRESULT E_FAIL has been returned from a
call to a COM component.). Please consult the event log for additional information. AAD Password reset configuration
may be in an invalid state. Try removing the configuration.
At line:1 char:1

Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnector.Name ...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

CategoryInfo : WriteError: (Microsoft.Ident...igurationCmdlet:SetADSyncAADPas...igurationCmdlet) [Set-A
DSyncAADPasswordResetConfiguration], InvalidOperationException

FullyQualifiedErrorId : Server detected an exception (Error HRESULT E_FAIL has been returned from a call to a CO
M component.). Please consult the event log for additional information. AAD Password reset configuration may be in
an invalid state. Try removing the configuration.,Microsoft.IdentityManagement.PowerShell.Cmdlet.SetADSyncAADPass
wordResetConfigurationCmdlet
Isabella 0 Reputation points

2023-03-17T13:03:39.53+00:00
The error message suggests that there is an issue with the Password Writeback Service in Azure AD Connect. The service may not be in a healthy state, and there may be an issue with connecting to the service bus endpoints.

You can try the following steps to troubleshoot the issue:

Check if the Password Writeback Service is enabled in Azure AD Connect and that the necessary permissions are granted.

Check if the server has the required network connectivity to connect to the service bus endpoints. Ensure that the firewall is not blocking the connection.

Verify if the service bus endpoint URLs are configured correctly in the Azure AD Connect configuration.

Try restarting the Azure AD Connect server and check if the issue is resolved.

If the issue persists, you may need to review the logs in more detail to identify the root cause of the problem. It may be helpful to consult with Microsoft support for further assistance.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

5 answers

JimmySalian-2011 41,916 Reputation points

2022-09-14T14:12:46.93+00:00

Hi Ujjwal,

Please check the time is sync and you are using correct GA account check this link for troubleshooting same issue: unable-configure-pwd-writeback-error

==
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
Please sign in to rate this answer.
Anonymous

2022-09-17T08:20:50.557+00:00

@JimmySalian-2011 I did checked all the details you have mentioned along with the article however, error remains same.

Time isnt skewed in ADFS server as well as local time. The account which I have used is azure ad account and not hybrid account.

However the problem remains the same. I am reposting the error which I received today while enabling the same.

Event IDs are : 6800, 32001, 31044

**The server encountered an unexpected error while performing an operation for the client.

"BAIL: MMS(9036): ..\server.cpp(9546): 0x80004005 (Unspecified error)
Azure AD Sync 2.1.16.0"**

The password management extension encountered an error.
The stack trace is:

"Couldn't connect to any service bus endpoint(s)

at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetServiceManager.LogAndThrowPasswordResetException(String message, String context, Int32 eventId, Exception ex)
at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetServiceManager.StartPasswordResetService(String configXML, IPasswordReset passwordResetProvider, Boolean initiatedByAdmin)
at AADPasswordReset.AADPasswordResetExtension.StartPasswordResetService(AADPasswordResetExtension* , _GUID managementAgentGuid, Char* serviceConfiguration, IAADPasswordReset* passwordResetServerHandle, Int32 initiatedByAdmin)

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Sign in to comment
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Deleted

This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Comments have been turned off. Learn more
Dynamic 0 Reputation points

2023-03-21T15:43:37.9333333+00:00
Open the Event Viewer on the server where the Azure AD Connect is installed.

Look for any errors or warnings related to SSPR or password writeback.

Check the event logs for any errors related to Azure AD Connect.

Make sure that the Azure AD Connect server is running the latest version of the software.

Verify that the password writeback feature is enabled in the Azure AD Connect configuration.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
Tom Murphy 0 Reputation points

2024-03-28T13:39:39.12+00:00

To fix this you must enable TLS 1.0 and 1.1 thats the only way I could get password writeback to enable. I had recently disabled this across our server estate. This is an undocumented feature that it required. Google how to enable TLS 1.0 and 1.1 - this is not a secure cypher in this day and age, but it was the only way the server would connect to the Azure Service bus for SSPR, before it was enabled, the Azure side would terminate the connection.

Microsoft need to fix this.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment