Password hash synchronization is not working

Mohd Arif 921 Reputation points
2024-04-19T10:04:26.35+00:00

I am switching from ADFS authentication to Password Hash Synchronization. I have enable the PHS successfully on AAD Connect sync and it was successful. I have changed the authentication method to PHS. However, when I tried to login to M365 portal, I get error "Invalid credential". I have done following steps

  1. Tested 389, 636 and 135 port from AAD connect server to DC, it works
  2. ping is fine from both side
  3. reconfigured PHS and restarted sync service
  4. rebooted connect server
  5. reconfigure AD Connector account permission using the troubleshoot tool available in AAD connect

I ran the AAD connect troubleshooting tool, I got the following error

Password Hash Synchronization agent is continuously getting failures for domain "abc.com"

    **Please check 611 error events in the application event logs for details**

    **The latest 611 error event for the domain "abc.com" is generated at: 04/19/2024 09:47:14 UTC**

    **Password Hash Synchronization agent had a problem about connecting to a domain controller in the domain "abc.com" at: 04/19/2024 09:15:45 UTC**

    **Please make sure AD Connector account username and password are correct**

    **In case the problem continues, then please setup reliable preferred domain controllers. Please see "Connectivity problems" section at https://go.microsoft.com/fwlink/?linkid=847231**

    **Please check 611 error events in the application event logs for details**

    **AD Connector account had a Password Hash Synchronization permission problem for the domain "abc.com" at: 04/19/2024 09:47:14 UTC**

    **Please see: https://go.microsoft.com/fwlink/?linkid=847234**

    **Please check 611 error events in the application event logs for details**

I am getting below event viewer in event viewers

Password hash synchronization failed for domain: abc.com, domain controller hostname: DC01.abc.com, domain controller IP address: 10.4.24.71. Details:

Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsException: RPC Error 8453 : Replication access was denied. There was an error calling _IDL_DRSGetNCChanges.

at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsRpcConnection.OnGetChanges(ReplicationState syncState)

at Microsoft.Online.PasswordSynchronization.DirectoryReplicationServices.DrsConnection.GetChanges(ReplicationState replicationState)

at Microsoft.Online.PasswordSynchronization.RetryUtility.ExecuteWithRetryT

at Microsoft.Online.PasswordSynchronization.DeltaSynchronizationTask.SynchronizeCredentialsToCloud()

at Microsoft.Online.PasswordSynchronization.PasswordSynchronizationTask.SynchronizeSecrets()

at Microsoft.Online.PasswordSynchronization.SynchronizationExecutionContext.SynchronizeDomain()

at Microsoft.Online.PasswordSynchronization.SynchronizationManager.SynchronizeDomain(SynchronizationExecutionContext syncExecutionContext)

.

<forest-info>

<partition-name>abc.com</partition-name>

<connector-id>9db36704-3817-46cb-bbe2-9baf5408d0a3</connector-id>

</forest-info>

Active Directory
Active Directory
A set of directory-based technologies included in Windows Server.
5,889 questions
Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,192 questions
PowerShell
PowerShell
A family of Microsoft task automation and configuration management frameworks consisting of a command-line shell and associated scripting language.
2,073 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,541 questions
0 comments

4 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Andy David - MVP 142.2K Reputation points MVP
    2024-04-19T10:08:21.92+00:00
  2. Mohd Arif 921 Reputation points
    2024-04-19T10:21:02.4966667+00:00

    It did not help. As I said, I have followed that doc and setup permission for service account. Please can you explain the whole process here what I need to do?

    0 comments
  3. Andy David - MVP 142.2K Reputation points MVP
    2024-04-19T10:48:25.77+00:00

    Disable PHS, then re-enable again.

    Ensure you are using the latest version of Entra Connect:

    https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/user-prov-sync/pwd-hash-sync-stops-work

    0 comments
  4. Mohd Arif 921 Reputation points
    2024-04-19T11:56:09.19+00:00

    As I mentioned, i already did that.

    I tried to run below command to setup the permission

    Set-ADSyncBasicReadPermissions -ADConnectorAccountName ServiceAccount01 -ADConnectorAccountDomain abc.com

    but get below error------------

    GrantAclsNoInheritance : No Sid Found for S-1-5-21-1413326767-14885643542-742849659-191918 S-1-5-21-1413326778-1488560042-742849659-337514 No mapping between account names and security IDs was done. The command failed to complete

    successfully.

    At C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1:1830 char:17

    • ... GrantAclsNoInheritance $domainDN $ACL -TargetForestCreden ...
    •             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      • CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
      • FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GrantAclsNoInheritance