I am switching from ADFS authentication to Password Hash Synchronization. I have enabled PHS on AAD Connect sync and it was successful. I have changed the authentication method to PHS. However, when I try to log in to the M365 portal, I get the error "Invalid credential". I have done the following steps.
I ran the AAD Connect troubleshooting tool and got the following error:
Password Hash Synchronization agent is continuously getting failures for domain "abc.com"
**Please check 611 error events in the application event logs for details**
**The latest 611 error event for the domain "abc.com" is generated at: 04/19/2024 09:47:14 UTC**
**Password Hash Synchronization agent had a problem about connecting to a domain controller in the domain "abc.com" at: 04/19/2024 09:15:45 UTC**
**Please make sure AD Connector account username and password are correct**
**In case the problem continues, then please setup reliable preferred domain controllers. Please see "Connectivity problems" section at https://go.microsoft.com/fwlink/?linkid=847231**
**Please check 611 error events in the application event logs for details**
**AD Connector account had a Password Hash Synchronization permission problem for the domain "abc.com" at: 04/19/2024 09:47:14 UTC**
**Please see: https://go.microsoft.com/fwlink/?linkid=847234**
**Please check 611 error events in the application event logs for details**
I am getting the below event in Event Viewer:

```
Password hash synchronization failed for domain: abc.com, domain controller hostname: DC01.abc.com, domain controller IP address: 10.0.9.0.100. Details:
Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)
   at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)
   at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetry[T]
   at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()
   at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()
   at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()
   at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)
.
<forest-info>
  <partition-name>abc.com</partition-name>
  <connector-id>9db36704-3817-46cb-bbe2-9baf5408d0a3</connector-id>
</forest-info>
```
Verify all the perms are set correctly:
https://learn.microsoft.com/en-us/answers/questions/1111816/problem-with-aadc-sync-event-id-611
It did not help. As I said, I have followed that doc and set up the permissions for the service account. Can you please explain the whole process of what I need to do?
Disable PHS, then re-enable it.
Ensure you are using the latest version of Entra Connect.
As I mentioned, I already did that.
I tried to run the below command to set up the permissions:

```
Set-ADSyncBasicReadPermissions -ADConnectorAccountName ServiceAccount01 -ADConnectorAccountDomain abc.com
```

but I get the below error:

```
GrantAclsNoInheritance : No Sid Found for S-1-5-21-1413326767-14885643542-742849659-191918 S-1-5-21-1413326778-1488560042-742849659-337514 No mapping between account names and security IDs was done. The command failed to complete
successfully.
At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1830 char:17
```
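The `RPC Error 8453` on `_IDL_DRSGetNCChanges` in the 611 event above is the directory replication call PHS uses to pull password hashes, and a domain controller refuses it unless the calling account holds the `Replicating Directory Changes` and `Replicating Directory Changes All` extended rights on the domain naming context. The PowerShell below is an added example for this thread, not code from the original posts and not part of Microsoft's AdSyncConfig module. It reads the domain head ACL keyed by raw SID, reports whether the connector account holds those two rights directly, and lists every ACE whose SID can no longer be mapped to an account name, which is the kind of SID lookup failure that surfaces as "No mapping between account names and security IDs was done". The account name `ServiceAccount01` and domain `abc.com` are taken from the thread as placeholders; the function name and the RSAT `ActiveDirectory` module dependency are assumptions of this example.

```powershell
# Added example (not from the thread or from Microsoft's AdSyncConfig module).
# Assumptions: RSAT ActiveDirectory module installed, caller can read the domain
# head ACL, and the account/domain names passed in are placeholders.
Import-Module ActiveDirectory

# Schema GUIDs of the two DRS extended rights PHS needs on the domain NC.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
}

function Test-PhsReplicationRights {
    param(
        [Parameter(Mandatory)] [string] $ConnectorAccountName,   # sAMAccountName
        [Parameter(Mandatory)] [string] $DomainDnsName
    )

    $domainDn = (Get-ADDomain -Identity $DomainDnsName).DistinguishedName
    $acctSid  = (Get-ADUser -Identity $ConnectorAccountName -Server $DomainDnsName).SID

    # Ask for access rules keyed by SecurityIdentifier rather than NTAccount, so an
    # ACE left behind by a deleted or untrusted principal does not abort the read.
    $entry = [ADSI]"LDAP://$DomainDnsName/$domainDn"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier])

    $held       = @{}
    $unresolved = New-Object System.Collections.Generic.List[string]
    $genericAll = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $extRight   = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

    foreach ($r in $rules) {
        # Record ACEs whose SID cannot be translated back to DOMAIN\name.
        try { [void]$r.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
        catch [System.Security.Principal.IdentityNotMappedException] {
            if (-not $unresolved.Contains($r.IdentityReference.Value)) {
                $unresolved.Add($r.IdentityReference.Value)
            }
        }

        # Only Allow ACEs granted directly to the connector account's own SID count here.
        if ($r.IdentityReference.Value -ne $acctSid.Value) { continue }
        if ($r.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }

        $rights   = $r.ActiveDirectoryRights
        $objType  = $r.ObjectType.ToString()

        if (($rights -band $genericAll) -eq $genericAll) {
            # Full control implies every extended right.
            foreach ($name in $ReplRights.Values) { $held[$name] = $true }
        }
        elseif (($rights -band $extRight) -eq $extRight) {
            if ($r.ObjectType -eq [guid]::Empty) {
                # ExtendedRight with an empty ObjectType means all extended rights.
                foreach ($name in $ReplRights.Values) { $held[$name] = $true }
            }
            elseif ($ReplRights.ContainsKey($objType)) {
                $held[$ReplRights[$objType]] = $true
            }
        }
    }

    [pscustomobject]@{
        Account                           = $ConnectorAccountName
        DomainDn                          = $domainDn
        HasReplicatingDirectoryChanges    = [bool]$held['Replicating Directory Changes']
        HasReplicatingDirectoryChangesAll = [bool]$held['Replicating Directory Changes All']
        UnresolvedAceSids                 = $unresolved.ToArray()
    }
}

# Usage with the placeholder names from the thread:
Test-PhsReplicationRights -ConnectorAccountName 'ServiceAccount01' -DomainDnsName 'abc.com' |
    Format-List
```

The check is read-only and deliberately matches ACEs on the account's own SID, so a right granted through a group the account belongs to will show as not held; compare against the account's token groups if your delegation model grants the rights via a group. Any SID listed under `UnresolvedAceSids` is an ACE on the domain head that no longer maps to a principal, which is worth cleaning up before re-running the permission cmdlet.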
So, I was adding the PHS rule as a second clause. Within a single group, two clauses are joined with an AND operator. So instead, I added a second group and created the PHS rule there, because between two different groups there is an OR operator. That fixed the problem.