25,269 questions
Hi
it seems a proxy or firewall issue that generated this error.
You can follow the link below to check if required URL still reachable:
Please don't forget to mark helpful reply as answer
You can't unlock your account because your organization is currently experiencing connectivity problems with self service password reset
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 32%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWT%3C/text%3E%3C/svg%3E)
Winston Tran
171
Reputation points
Hi There,
Our users are intermittently seeing the attached screenshot when resetting their password.
We have on-prem AD synchronising to Azure AD and can confirm password writeback is enabled.
A few months ago we did attempt to disabled TLS 1.2 on the on-prem AD server through here https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor and here https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor
After running these steps it was working very consistently until recently.
I found this site (https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback) but cannot figure out where I am supposed to see these errors or where the logs are supposed to appear. Event viewer? Somewhere in Azure?
Can I get some assistance on this please?
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Accepted answer
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Thameur-BOURBITA 36,266 Reputation points Moderator2023-01-08T22:48:08.71+00:00 -
Winston Tran 171 Reputation points
2023-01-08T23:19:37.387+00:00 The URL https://passwordreset.microsoftonline.com/ is reachable. The appears after the user puts in their username and the CAPTCHA.
I've tried the following in the past- Confirming network connectivity and that there's no issues there (Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443)
- Restarted Azure AD connect sync service multiple times
- Disable/re-enable password writeback feature on Azure AD connect
- Updated Azure AD connect
- AD connect already has required permissions for resetting passwords in on-prem AD
Further below (https://learn.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#common-password-writeback-errors) it mentions errors. Where do I find the logs of these errors to get a better idea of the problem?
-
Winston Tran 171 Reputation points
2023-01-09T00:14:10.837+00:00 I just want to add that in Azure AD and under audit logs for a user there's a status reason for failure saying "We could not reach your on-premises password reset service. Check your sync machine's event log."
Sign in to comment -
2 additional answers
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator2023-01-09T05:51:49.507+00:00 @Winston Tran Thank you for reaching out to us, add to the above steps
- Any changes have been made with respect to on-premise password policy or any changes made on the network layer.
- All password reset service events can be visible in the application event logs and any changes related to TLS can be seen in system logs, so reviewing Application/system logs at the time of issue can give more insights.
- Is the issue is intermittent? All users experience this issue?
- If you have Active/Staging AD Connect setup, try to change the staging ad connect server to primary and vice versa, verify if the issue persists.
- Version of Azure AD Connect?
- At the time of issue execute this command Start-NetworkConnectivityDiagnosisTools from the Azure AD Connect server (https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-adconnectivitytools)
- You can capture a network trace from the Azure AD Connect server at the time of issue to investigate further.
If the above suggestions, doesn't help to isolate the issue, we can connect offline for deeper investigation.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
-
Winston Tran 171 Reputation points
2023-01-10T00:30:17.61+00:00 - Only change that was done was disabling TLS 1.0 on the server running AD with Azure AD connect setup. TLS 1.2 has been enabled for net framework based on the article here (https://learn.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor) as well.
- I've looked at this by by going into event viewer > Application logs > filter source to be password reset service but I only keep seeing logs like the below.
3. The issue is intermittent. Sometimes if a user is trying to reset their password they'll encounter the error but at the same time it is happening I if try to reset their password through the SSPR link I am able to do so. I can't seem to replicate the issue for myself. 4. Only have one server setup with AD connect so there's no active/staging setup. 5. AD Connect is running on 2.1.16.0 6. Using the link Confirm-DnsConnectivity doesn't seem to be recognised. What command am I supposed to run here?
Really appreciate your help!
-
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2023-01-10T15:58:40.59+00:00 Hi @Winston Tran Troubleshooting intermittent issues is quite challenging, thank you for detailed information provided above, would suggest couple of steps which we can try before connecting offline for further discussion,
- Follow this article https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement to enable TLS 1.2 on the Azure AD Connect server, no other TLS versions should be enabled. Also, most important Reboot of the server mandatory. after making changes to TLS configuration.
- Would recommend to updrade the Azure AD Connect to the latest version ie 2.1.20.0
if the issue still persists, we can connect offline and troubleshoot further by reviewing the application/system logs & simultaneous network trace at the time of issue to investigate.
Let me know if you have any further questions, feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
-
Winston Tran 171 Reputation points
2023-01-11T22:10:50.61+00:00 Hello, TLS 1.2 has been enabled with TLS 1.0 and 1.1 disabled already.
What's the easiest way to uograde Azure connect?
Additionally it's happened again today but as soon as I RDP into the domain controller and open up synchronization server manager the SSPR portal is fine. Could be coincidence though.
-
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2023-01-12T06:35:26.7+00:00 Hi @tartor321 Refer to this article [https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-upgrade-previous-version to perform In-place upgrade, as you have only single AD Connect server in your environment.
Automatic upgrade is not possible from 2.1.16.0 at this time, not all releases of Azure AD Connect are made available for auto upgrade. The release status indicates if a release is available for auto upgrade or for download only.
Latest version of Azure AD Connect (2.1.20.0) can be downloaded from here - [https://www.microsoft.com/en-us/download/details.aspx?id=47594
-
Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
2023-01-23T08:10:17.3533333+00:00 Hi @tartor321 Just checking in to see if above information was helpful. If you have any further updates on this issue, please feel free to post back.
Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.
-
Winston Tran 171 Reputation points
2023-01-30T23:36:27.9666667+00:00 Hello,
I did an inplace upgrade of Azure AD sync near end of last week and I haven't been reported of any issues so far.
Didn't even need to uninstall it, I just installed right on top of it.
If issues persist I'll report back but for now I'll accept answer!
Thanks for your help
Sign in to comment -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Limitless Technology 44,781 Reputation points2023-01-10T08:37:12.233+00:00 Hello,
Yes, the errors would appear in Azure. To retrieve them you need to follow the next steps:
1.Sign in to the Azure AD Connect server and start the Synchronization Service Manager by selecting Start > Synchronization Service.
2.Under the Connectors tab, select the on-premises Active Directory Domain Services connector, and then select Properties.
3.In the pop-up window, select Connect to Active Directory Forest and make note of the User name property. This property is the AD DS account used by Azure AD Connect to perform directory synchronization.
4.For Azure AD Connect to perform password writeback, the AD DS account must have reset password permission. You check the permissions on this user account in the following steps.
5.Sign in to an on-premises domain controller and start the Active Directory Users and Computers application.
6.Select View and make sure the Advanced Features option is enabled.
7.Look for the AD DS user account you want to verify. Right-click the account name and select Properties.
8.In the pop-up window, go to the Security tab and select Advanced.
9.In the Advanced Security Settings for Administrator pop-up window, go to the Effective Access tab.
10.Choose Select a user, select the AD DS account used by Azure AD Connect, and then select View effective access.
--If the reply is helpful, please Upvote and Accept as answer--