I resolved this for my environment. Azure Active Directory Connect was reaching out to IP addresses in Ireland (even though we're West Coast US). Our firewall has a geo-IP block that was prohibiting that traffic. After I allowed Ireland in our Geo-IP filter everything started working. Lesson - do a packet capture on your firewall looking for dropped traffic to/from your Azure AD Connect server. You may find it's getting blocked due to security services/traffic rules.
Azure AD Connect - Enable single sign-on -> Error "Cannot retrieve single sign-on status"
I have a Windows 2023 Server with an existing Azure AD Connect installation. Everything is syncing correctly. We're currently using "Password Hash Synchronization" and want to enable "Enable single sign-on." I've confirmed all the prerequisites, including TLS 1.2 enabled, MFA on admin account disabled, domain admin credentials correct, ports open, etc. Every time, I get an error stating, "Cannot retrieve single sign-on status."
I've checked the trace file in C:\ProgramData\AADConnect, and it doesn't give any context for why it's failing. It just says...
[16:41:54.330] [ 1] [INFO ] Authenticate-MSAL: successfully acquired an access token.
[16:42:15.392] [ 1] [ERROR] ConfigDesktopSsoPage: Exception caught in GetDesktopSsoStatus One or more errors occurred.. Skipping configuration
[16:42:15.392] [ 1] [ERROR] Cannot retrieve single sign-on status.
[16:47:09.628] [ 1] [VERB ] ReleaseSyncConfigurationMutex(): Releasing sync config changes mutex.
[16:47:09.628] [ 1] [INFO ] ================================================================================
[16:47:09.628] [ 1] [INFO ] Application exiting
[16:47:09.628] [ 1] [INFO ] ================================================================================
I've seen several other people mention disabling MFA on the Azure admin account as a fix for this, but I've tried that and still have the same problem. I just updated Azure AD Connect to the latest version (2.3.20.0). Does anyone have a fix for this issue?
Raja Pothuraju 24,135 Reputation points Microsoft External Staff Moderator
2024-07-26T04:18:48.59+00:00
Hello @Jake Smith,
I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.
Issue: Azure AD Connect - Enable single sign-on -> Error "Cannot retrieve single sign-on status"
Solution: Resolved by @Jake Smith.
Below are the steps followed by @Jake Smith.
I resolved this for my environment. Azure Active Directory Connect was reaching out to IP addresses in Ireland (even though we're West Coast US). Our firewall has a geo-IP block that was prohibiting that traffic. After I allowed Ireland in our Geo-IP filter everything started working. Lesson - do a packet capture on your firewall looking for dropped traffic to/from your Azure AD Connect server. You may find it's getting blocked due to security services/traffic rules.
If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Thanks,
Raja Pothuraju.
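Added example (not code from the question, the answer, or Microsoft): a PowerShell check that turns the lesson above into a repeatable test on the Azure AD Connect server. It resolves each endpoint the server needs to reach (so the resulting destination IPs can be matched against firewall drop logs and geo-IP decisions), tests TCP 443 to each, and pulls the [ERROR] lines from the newest trace file under C:\ProgramData\AADConnect. The endpoint list and the trace-*.log file-name pattern are assumptions; use the current Microsoft Entra Connect connectivity requirements for your tenant and cloud.

```powershell
# Added troubleshooting check; not part of the Q&A thread above.
# Run on the Azure AD Connect server in an elevated PowerShell session.
# Endpoint list is an assumption: adjust to the documented Microsoft Entra
# Connect URL/IP requirements for your tenant and cloud.
$Endpoints = @(
    'login.microsoftonline.com',          # assumption: token acquisition (Authenticate-MSAL step in the trace)
    'autologon.microsoftazuread-sso.com'  # assumption: Seamless SSO endpoint
)
$TraceDir = 'C:\ProgramData\AADConnect'   # trace location quoted in the question

function Test-AadConnectEndpoint {
    param([Parameter(Mandatory)][string]$HostName)
    # Resolve first so the firewall team can match the exact destination IPs
    # against drop logs and geo-IP decisions (the cause in this thread).
    $ips = @()
    try {
        $ips = (Resolve-DnsName -Name $HostName -Type A -ErrorAction Stop |
                Where-Object { $_.IPAddress }).IPAddress
    } catch {
        return [pscustomobject]@{ Host = $HostName; Resolved = $null; Tcp443 = $false; Error = $_.Exception.Message }
    }
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host     = $HostName
        Resolved = ($ips -join ', ')
        Tcp443   = $tcp.TcpTestSucceeded
        Error    = $null
    }
}

function Get-AadConnectTraceErrors {
    param([string]$Path = $TraceDir, [int]$Last = 20)
    # Newest trace file first (file-name pattern is an assumption); surface only
    # [ERROR] lines such as "Cannot retrieve single sign-on status".
    $trace = Get-ChildItem -Path $Path -Filter 'trace-*.log' -ErrorAction SilentlyContinue |
             Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $trace) { return @() }
    Select-String -Path $trace.FullName -Pattern '\[ERROR\s*\]' |
        Select-Object -Last $Last -ExpandProperty Line
}

$results = $Endpoints | ForEach-Object { Test-AadConnectEndpoint -HostName $_ }
$results | Format-Table -AutoSize

$blocked = $results | Where-Object { -not $_.Tcp443 }
if ($blocked) {
    Write-Host "Outbound 443 failed for: $($blocked.Host -join ', ')"
    Write-Host "Check the firewall drop log / geo-IP policy for these destination IPs: $($blocked.Resolved -join ', ')"
}

Get-AadConnectTraceErrors | ForEach-Object { Write-Host $_ }
```

The resolved IPs are the useful output: a geo-IP policy acts on the destination address, not the host name, and the same name can resolve to different regions over time, so compare what the server resolved at the moment of the failure with what the firewall dropped rather than allowing a whole country permanently.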