Pass-Through Authentication: Your account or password is incorrect

Atorli 56 Reputation points
2020-09-24T13:13:35.97+00:00

Due to requirements from IT Security we have to change from Password Hash Synchronization to Pass Through Authentication.

To achieve that, I opened Azure AD Connect, went to "Customize Synchronization Options" and unchecked "Password hash synchronization". After that, I can see the PTA agent show up in the Azure portal like this:
[screenshot: azureconfig.png]
The orange caution triangle is only a warning that I should have 3 redundant agents.

If I click on that agent, I get the status "Active".

But, if I try to log on as a synchronized user, I always get the error "Your account or password is incorrect. If you can't remember your password, reset it now". This happens whether I try to log on to an Azure website or an Office application. The same error also happens if I try to use "Invoke-PassthroughAuthOnPremLogonTroubleshooter". I only get a "The username or password is incorrect" without any further explanation. If I access the Activity->Sign-In page on the Azure Portal, I also only see Error 50126 "Error validating credentials due to invalid username or password."

The same logon works perfectly well once I activate Password Hash Synchronization.

Now I'm a bit stuck because I can't find any further ways of troubleshooting. When I go on https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/AzureADConnect then "Pass-through authentication", then "Troubleshooting" I get the following screen
[screenshot: troubleshooting.png]
which is only regarding synchronization issues. PTA is not a topic in any of those options.

Does anyone know a guide on how to further debug problems with pass through authentication?


1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2020-09-24T22:23:02.03+00:00

    I have seen issues with the incorrect UPN configuration on premises causing problems like this. For example, the user name may not be the same as email address and the UPN for the user may have a different suffix than the custom domain.

    Can you check the name for the user you are trying to authenticate with? Since you are using pass-through authentication, users' credentials are verified in your on-premises environment when they try to sign in.

    Open a PowerShell as an administrator
    Run the PowerShell cmdlet “Connect-MsolService”
    Run the PowerShell cmdlet “Set-MsolDirSyncFeature -Feature SynchronizeUpnForManagedUsers -Enable $true”

    Run full synchronization using the PowerShell cmdlet “Start-ADSyncSyncCycle -PolicyType Initial”

    Check whether the UPN has changed.

    If it has not changed, use:
    Set-MsolUserPrincipalName -UserPrincipalName xxxxxxxxxxx -NewUserPrincipalName yyyyyyyyyyy

    In the troubleshooting guide, see the section for users getting an invalid username/password error.

    1 person found this answer helpful.
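A read-only check of the UPN conditions the answer above describes (suffix not a verified custom domain, UPN not equal to the mail address, cloud UPN differing from the on-prem UPN), as an added example that is not part of the thread. It assumes the MSOnline and ActiveDirectory modules are installed, an existing Connect-MsolService session, the default objectGUID source anchor, and a placeholder account name.

```powershell
# Added troubleshooting example, not from the thread. Assumes the MSOnline and
# ActiveDirectory modules are present and Connect-MsolService has already run.
param(
    [string]$SamAccountName = 'jdoe'   # placeholder account to inspect
)

Import-Module ActiveDirectory
Import-Module MSOnline

# 1. Verified domains in the tenant. With pass-through authentication the
#    on-prem UPN suffix must be one of these; otherwise the synchronized cloud
#    UPN is rewritten to the tenant's *.onmicrosoft.com default and the name
#    the user types never matches what the PTA agent validates on-premises.
$verifiedDomains = Get-MsolDomain |
    Where-Object { $_.Status -eq 'Verified' } |
    Select-Object -ExpandProperty Name

# 2. The on-prem identity exactly as the PTA agent will validate it.
$adUser = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName, mail
$onPremSuffix = ($adUser.UserPrincipalName -split '@')[-1]

# 3. The synchronized cloud object, matched by ImmutableId. With the default
#    source anchor this is the base64 form of the on-prem objectGUID bytes.
$immutableId = [Convert]::ToBase64String($adUser.ObjectGUID.ToByteArray())
$cloudUser   = Get-MsolUser -All | Where-Object { $_.ImmutableId -eq $immutableId }

# 4. Report: any $false below is a candidate cause of error 50126 under PTA.
[pscustomobject]@{
    OnPremUPN        = $adUser.UserPrincipalName
    OnPremMail       = $adUser.mail
    CloudUPN         = $cloudUser.UserPrincipalName
    SuffixIsVerified = $verifiedDomains -contains $onPremSuffix
    UpnMatchesCloud  = $adUser.UserPrincipalName -eq $cloudUser.UserPrincipalName
    UpnMatchesMail   = $adUser.UserPrincipalName -eq $adUser.mail
}
```

Running it before and after the Set-MsolDirSyncFeature / Start-ADSyncSyncCycle steps shows whether the cloud UPN actually changed; the Get-MsolUser -All enumeration is slow in large tenants but avoids looking the user up by a UPN that may itself be the problem.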
