AAD Connect Provisioning Agent authentication issue

S M A 0 Reputation points
2024-03-14T14:51:53.1+00:00

Hi All,

I am facing following issue when I try to configure on-premises application provisioning option and getting following error when configuring authentication part to connect Microsoft Entra ID. I am using windows 2016 server to install the AADConnectProvisioningAgent. I have tried to install agent with or without domain controller but getting same error in both. I thought the provisioning agent might require domain controller or domain-joined server.

It would be highly appreciated your guidance and solution on this issue. Your quick response would be great.

[14:39:59.801] [ 1] [INFO ]

[14:39:59.801] [ 1] [INFO ] ================================================================================

[14:39:59.801] [ 1] [INFO ] Application starting

[14:39:59.801] [ 1] [INFO ] ================================================================================

[14:39:59.801] [ 1] [INFO ] Start Time (Local): Thu, 14 Mar 2024 14:39:59 GMT

[14:39:59.801] [ 1] [INFO ] Start Time (UTC): Thu, 14 Mar 2024 14:39:59 GMT

[14:39:59.801] [ 1] [INFO ] Application Version: 1.1.1373.0

[14:39:59.801] [ 1] [INFO ] Application Build Date: 1907-10-20 19:15:35Z

[14:39:59.801] [ 1] [INFO ] Application Build Identifier: AD-ProvisioningAgent master (c3b5090504d0408c6f6d1cb7a836d376b86f50eb) Microsoft Azure®

[14:39:59.895] [ 1] [INFO ] Registry flag 'UseAdalAuthentication' set to 'False'. Using MSALAuthenticationProvider for AzureAuthentication.

[14:40:00.255] [ 1] [INFO ] IsServiceAccountGMSA:: Checking if service account is gmsa

[14:40:00.255] [ 1] [INFO ] Get current service credentials.

[14:40:00.333] [ 1] [INFO ] IsServiceAccountGMSA:: Service account: NT SERVICE\AADConnectProvisioningAgent is not gmsa. SamAccountName does not end with '$'.

[14:40:04.801] [ 1] [INFO ] ConfigureAzureActiveDirectoryPageViewModel:Launching Login form.

[14:40:04.817] [ 8] [INFO ] Authenticate-MSAL: acquiring token using interactive authentication.

[14:40:04.832] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] MSAL MSAL.Desktop with assembly version '4.49.1.0'. CorrelationId(3cc3584f-85f1-41c7-b145-9ec58b3ce7f1)

[14:40:04.848] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] === InteractiveParameters Data ===

LoginHint provided: False

User provided: False

UseEmbeddedWebView: NotSpecified

ExtraScopesToConsent:

Prompt: select_account

HasCustomWebUi: False

[14:40:04.848] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1]

=== Request Data ===

Authority Provided? - True

Scopes - https://proxy.cloudwebappproxy.net/registerapp/user_impersonation

Extra Query Params Keys (space separated) -

ApiId - AcquireTokenInteractive

IsConfidentialClient - False

SendX5C - False

LoginHint ? False

IsBrokerConfigured - False

HomeAccountId - False

CorrelationId - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1

UserAssertion set: False

LongRunningOboCacheKey set: False

Region configured:

[14:40:04.864] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] === Token Acquisition (InteractiveRequest) started:

 Scopes: https://proxy.cloudwebappproxy.net/registerapp/user_impersonation

Authority Host: login.windows.net

[14:40:04.864] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] [Instance Discovery] Instance discovery is enabled and will be performed

[14:40:04.864] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] [Region discovery] Not using a regional authority.

[14:40:04.879] [ 8] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:04Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Fetching instance discovery from the network from host login.windows.net.

[14:40:05.192] [ 11] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:05Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Authority validation enabled? True.

[14:40:05.192] [ 11] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:05Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Authority validation - is known env? True.

[14:40:05.207] [ 11] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:05Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Using legacy embedded browser.

[14:40:22.237] [ 12] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] [Legacy WebView] Redirect URI was reached. Stopping WebView navigation...

[14:40:22.315] [ 9] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] An authorization code was retrieved from the /authorize endpoint.

[14:40:22.315] [ 9] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Exchanging the auth code for tokens.

[14:40:22.331] [ 9] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] === InteractiveParameters Data ===

LoginHint provided: False

User provided: False

UseEmbeddedWebView: NotSpecified

ExtraScopesToConsent:

Prompt: select_account

HasCustomWebUi: False

[14:40:22.639] [ 13] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Response status code does not indicate success: 400 (BadRequest).

[14:40:22.639] [ 13] [WARN ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Request retry failed.

[14:40:22.639] [ 13] [INFO ] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] HttpStatusCode: 400: BadRequest

[14:40:22.639] [ 13] [ERROR] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] === Token Acquisition (1005) failed.

Host: login.windows.net.

[14:40:22.654] [ 13] [ERROR] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Exception type: Microsoft.Identity.Client.MsalUiRequiredException

, ErrorCode: invalid_grant

HTTP StatusCode 400

CorrelationId 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1

[14:40:22.654] [ 13] [ERROR] MSAL: False MSAL 4.49.1.0 MSAL.Desktop 4.7.2 Windows Server 2016 Datacenter [2024-03-14 14:40:22Z - 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1] Exception type: Microsoft.Identity.Client.MsalUiRequiredException

, ErrorCode: invalid_grant

HTTP StatusCode 400

CorrelationId 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1

at Microsoft.Identity.Client.OAuth2.OAuth2Client.ThrowServerException(HttpResponse response, RequestContext requestContext)

at Microsoft.Identity.Client.OAuth2.OAuth2Client.CreateResponseT

at Microsoft.Identity.Client.OAuth2.OAuth2Client.<ExecuteRequestAsync>d__11`1.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.Identity.Client.OAuth2.OAuth2Client.<GetTokenAsync>d__10.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__11.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at Microsoft.Identity.Client.OAuth2.TokenClient.<SendHttpAndClearTelemetryAsync>d__11.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.Identity.Client.OAuth2.TokenClient.<SendTokenRequestAsync>d__5.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<GetTokenResponseAsync>d__11.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.Identity.Client.Internal.Requests.InteractiveRequest.<ExecuteAsync>d__9.MoveNext()

--- End of stack trace from previous location where exception was thrown ---

at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)

at Microsoft.Identity.Client.Internal.Requests.RequestBase.<RunAsync>d__12.MoveNext()

[14:40:22.654] [ 8] [ERROR] Authenticate-MSAL: unexpected authentication failure [invalid_grant] - AADSTS500202: User account '{EUII Hidden}' from external identity provider 'live.com' is not supported for API version '2.0'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint. Trace ID: eee7576c-3706-4ef9-8f2f-68b7865e4400 Correlation ID: 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1 Timestamp: 2024-03-14 14:40:22Z.

[14:40:22.654] [ 8] [INFO ] ConfigureAzureActiveDirectoryPageViewModel:Authentication exception - AADSTS500202: User account '{EUII Hidden}' from external identity provider 'live.com' is not supported for API version '2.0'. Microsoft account pass-thru users and guests are not supported by the tenant-independent endpoint. Trace ID: eee7576c-3706-4ef9-8f2f-68b7865e4400 Correlation ID: 3cc3584f-85f1-41c7-b145-9ec58b3ce7f1 Timestamp: 2024-03-14 14:40:22Z

[14:40:22.670] [ 1] [ERROR] A terminating unhandled exception occurred.

Exception Data (Raw): System.FormatException: Input string was not in a correct format.

at System.Text.StringBuilder.FormatError()

at System.Text.StringBuilder.AppendFormatHelper(IFormatProvider provider, String format, ParamsArray args)

at System.String.FormatHelper(IFormatProvider provider, String format, ParamsArray args)

at System.String.Format(IFormatProvider provider, String format, Object[] args)

at Microsoft.Online.Deployment.Framework.UI.Controls.TextBlock.DynamicTextBlock.DynamicTextBlockDataContextChanged(Object sender, DependencyPropertyChangedEventArgs e)

at System.Windows.FrameworkElement.RaiseDependencyPropertyChanged(EventPrivateKey key, DependencyPropertyChangedEventArgs args)

at System.Windows.FrameworkElement.OnDataContextChanged(DependencyObject d, DependencyPropertyChangedEventArgs e)

at System.Windows.DependencyObject.OnPropertyChanged(DependencyPropertyChangedEventArgs e)

at System.Windows.FrameworkElement.OnPropertyChanged(DependencyPropertyChangedEventArgs e)

at System.Windows.DependencyObject.NotifyPropertyChange(DependencyPropertyChangedEventArgs args)

at System.Windows.DependencyObject.UpdateEffectiveValue(EntryIndex entryIndex, DependencyProperty dp, PropertyMetadata metadata, EffectiveValueEntry oldEntry, EffectiveValueEntry& newEntry, Boolean coerceWithDeferredReference, Boolean coerceWithCurrentValue, OperationType operationType)

at System.Windows.DependencyObject.InvalidateProperty(DependencyProperty dp, Boolean preserveCurrentValue)

at System.Windows.Data.BindingExpressionBase.Invalidate(Boolean isASubPropertyChange)

at System.Windows.Data.BindingExpression.TransferValue(Object newValue, Boolean isASubPropertyChange)

at MS.Internal.Data.ClrBindingWorker.NewValueAvailable(Boolean dependencySourcesChanged, Boolean initialValue, Boolean isASubPropertyChange)

at MS.Internal.Data.PropertyPathWorker.UpdateSourceValueState(Int32 k, ICollectionView collectionView, Object newValue, Boolean isASubPropertyChange)

at MS.Internal.Data.PropertyPathWorker.RefreshValue()

at MS.Internal.Data.ClrBindingWorker.ScheduleTransferOperation(Object arg)

at MS.Internal.Data.DataBindEngine.ProcessCrossThreadRequests()

at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)

at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)

[14:40:37.046] [ 1] [INFO ] Opened log file at path C:\ProgramData\Microsoft\Azure AD Connect Provisioning Agent\Trace\trace-wizard-20240314-143959.log

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,418 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Givary-MSFT 27,486 Reputation points Microsoft Employee
    2024-03-15T08:14:31.87+00:00

    @S M A Thank you for reaching out to us, reviewed the above mentioned trace log file while installing the provisioning agent, noticed the account - AADConnectProvisioningAgent which is being used is not a GMSA account.

    Request you to review the pre-reqs for provisioning agent documented here - https://learn.microsoft.com/en-us/entra/identity/hybrid/cloud-sync/how-to-prerequisites?tabs=public-cloud#:~:text=Cloud-,provisioning%20agent%20requirements,-You%20need%20the

    If the pre-reqs are in place, still the issue persists, let me know will connect offline to troubleshoot further on this.

    0 comments No comments