Service Connection Point error

Boopathi Subramaniam 3,221 Reputation points
2021-08-04T19:33:42.023+00:00

Hello,

Receiving the below messages for the Service Connection Point Role.

M365AUploadWorker worker ADAL authentication failed: Exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' was thrown.

Failed to execute worker "M365ADeviceHealthWorker" with error "Exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' was thrown.". See M365ADeviceHealthWorker.log for further details.

M365ADeviceHealthWorker worker ADAL authentication failed: Exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' was thrown.

The below message appears in M365AUploadWorker.log:
AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials
Trace ID: f6471b2f-5662-46af-85b3-44199c76db01
Correlation ID: eadb05e0-8a22-4702-95cc-3e919ef3c2ab
Timestamp: 2021-08-04 19:50:32Z
Exception details:
[Critical][M365AUploadWorker][0][Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException][0x80131500]
Timestamp: 2021-08-04 19:50:32Z at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.<GetResponseAsync>d__22`1.MoveNext()


End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.<GetResponseAsync>d__21`1.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendHttpMessageAsync>d__72.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<SendTokenRequestAsync>d__69.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<CheckAndAcquireTokenUsingBrokerAsync>d__59.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.<RunAsync>d__57.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenForClientCommonAsync>d__33.MoveNext()
at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.<AcquireTokenAsync>d__61.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.Utility.<GetAuthenticationResultAsync>d__49.MoveNext()
[Critical]M365AUploadWorker[System.Net.Http.HttpRequestException][0x80131500]
Response status code does not indicate success: 401 (Unauthorized).
[Critical][M365AUploadWorker][2][Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException][0x80131500]

{"error":"invalid_client","error_description":"AADSTS7000222: The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security: https://learn.microsoft.com/azure/active-directory/develop/active-directory-certificate-credentials\r\nTrace ID: f6471b2f-5662-46af-85b3-44199c76db01\r\nCorrelation ID: eadb05e0-8a22-4702-95cc-3e919ef3c2ab\r\nTimestamp: 2021-08-04 19:50:32Z","error_codes":[7000222],"timestamp":"2021-08-04 19:50:32Z","trace_id":"f6471b2f-5662-46af-85b3-44199c76db01","correlation_id":"eadb05e0-8a22-4702-95cc-3e919ef3c2ab","error_uri":"https://login.microsoftonline.com/error?code=7000222"}: Unknown error
ADAL exception
Exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' was thrown. at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.<GetResponseAsync>d__22`1.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.Utility.<GetAuthenticationResultAsync>d__49.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.ServiceConnectorWorkerBase.<ApplyAuthorizationToRequestAsync>d__86.MoveNext()
Exception of type 'System.Net.Http.HttpRequestException' was thrown.
Exception of type 'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalException' was thrown.
Unexpected exception for worker M365AUploadWorker
at Microsoft.ConfigurationManager.ServiceConnector.ServiceConnectorWorkerBase.<ApplyAuthorizationToRequestAsync>d__86.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.ServiceConnectorWorkerBase.<ApplyAuthorizationToRequestAsync>d__85.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.ExtensionMethods.<GetNegotiatedResponseAsync>d__9.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.AadServiceConnectorWorker.<GetLocationServiceEndpointUrlAsync>d__24.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.AadServiceConnectorWorker.<GetMicroserviceUriAsync>d__15.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.AccountOnboardingWorker.<DoOnboardScenarioAsync>d__19.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.AadServiceConnectorWorker.<DoWorkAsync>d__16.MoveNext()
at Microsoft.ConfigurationManager.ServiceConnector.ServiceConnectorWorkerBase.<ExecuteAsync>d__75.MoveNext()

Please provide the steps to troubleshoot the issue.

Microsoft Configuration Manager

Accepted answer
  1. HanyunZhu-MSFT 1,841 Reputation points
    2021-08-09T08:14:10.353+00:00

    Hi @Boopathi Subramaniam ,

    Thank you for your update!

    After logging in to the Azure portal, we can navigate to Azure Active Directory > App Registrations > click on your app under Display name > Certificates & secrets.
    From here we can see all existing client secrets. If the above error appeared, there will be at least one secret key showing as expired.

    Then we could upload the certificate or create a new app secret. Please check this link to refer to the steps:
    https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#authentication-two-options

    If you create a new app secret, copy the value and save it somewhere. Then navigate to Active Roles Synchronization Service > Connection Settings > select the Azure BackSync connection, and update the Key field with the copied value.

    Before saving the changes, do not forget to use Test Connection to check whether it passes.


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

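The expiry check described in the accepted answer can also be run across every app registration at once. This is an added example, not part of the original thread or of Microsoft's tooling: it assumes the Azure team has exported the app registrations as JSON in the shape of a Microsoft Graph `/applications` list response, and the sample data and the `warn_days` parameter are constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like a Microsoft Graph /applications list response.
# App names, appIds and keyIds are made up.
SAMPLE_EXPORT = json.dumps({"value": [
    {"appId": "00000000-0000-0000-0000-000000000001",
     "displayName": "Example-ConfigMgr-App",
     "passwordCredentials": [
         {"keyId": "aaaa0001", "displayName": "old", "endDateTime": "2021-08-01T00:00:00Z"},
         {"keyId": "aaaa0002", "displayName": "new", "endDateTime": "2023-08-01T00:00:00Z"}],
     "keyCredentials": []},
    {"appId": "00000000-0000-0000-0000-000000000002",
     "displayName": "Example-Other-App",
     "passwordCredentials": [],
     "keyCredentials": [
         {"keyId": "bbbb0001", "displayName": "CN=example", "endDateTime": "2021-08-20T00:00:00Z"}]},
]})


def _parse(ts):
    # Graph timestamps are ISO 8601 UTC; drop fractional seconds and the "Z".
    base = ts.split(".")[0].rstrip("Z")
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def audit_credentials(export_json, now, warn_days=30):
    """List client secrets and certificates that are expired or expire within warn_days."""
    findings = []
    for app in json.loads(export_json).get("value", []):
        for kind, field in (("secret", "passwordCredentials"),
                            ("certificate", "keyCredentials")):
            for cred in app.get(field) or []:
                if not cred.get("endDateTime"):
                    continue  # no expiry recorded; nothing to compare
                end = _parse(cred["endDateTime"])
                if end <= now:
                    status = "expired"
                elif end - now <= timedelta(days=warn_days):
                    status = "expiring"
                else:
                    continue
                findings.append({"appId": app["appId"], "app": app.get("displayName"),
                                 "kind": kind, "keyId": cred.get("keyId"),
                                 "status": status, "end": end.isoformat()})
    return sorted(findings, key=lambda f: f["end"])


if __name__ == "__main__":
    for f in audit_credentials(SAMPLE_EXPORT, datetime.now(timezone.utc)):
        print(f)
```

An app that still has one valid secret can fail with AADSTS7000222 if the client is configured with the expired one, so the `keyId` in each finding matters as much as the app name.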

3 additional answers

  1. HanyunZhu-MSFT 1,841 Reputation points
    2021-08-05T02:45:07.923+00:00

    Hi,

    Thanks for posting in Microsoft Q&A forum.

    As the log file mentioned:

    The provided client secret keys are expired. Visit the Azure Portal to create new keys for your app, or consider using certificate credentials for added security……

    So we may try as the log shows: creating new keys for the apps or using certificate credentials for added security.

    What's more, I found an issue that is similar to yours, as you both get the error 401 (Unauthorized), and it may be caused by the Azure AD app permissions.
    Please refer:
    https://techcommunity.microsoft.com/t5/desktop-analytics/device-collection-not-syncing-with-desktop-analytics-in-sccm-cb/m-p/898754


    If the response is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


  2. Boopathi Subramaniam 3,221 Reputation points
    2021-08-06T18:43:34.677+00:00

    Hello HanyunZhu.

    I checked with my Azure team. They are asking which app or certificate is causing the issue. How do I find out which application or certificate is causing this issue?

    The below forum refers to the same kind of issue, and I do not understand what exactly is to be performed in Azure.
    https://learn.microsoft.com/en-us/mem/configmgr/desktop-analytics/troubleshooting#create-app-in-azure-ad

    https://techcommunity.microsoft.com/t5/desktop-analytics/device-collection-not-syncing-with-desktop-analytics-in-sccm-cb/m-p/898754

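The token-endpoint error in the question's log already carries the identifiers of the failed request. The following is an added example, not part of the original thread: it pulls the embedded JSON error out of log text shaped like the M365AUploadWorker.log excerpt above and returns the AADSTS code, trace ID, correlation ID and timestamp. The sample input is constructed from the values in that excerpt, and the function name is hypothetical.

```python
import json
import re

# Constructed sample: lines shaped like the M365AUploadWorker.log excerpt in
# the question (IDs copied from that excerpt, description shortened).
SAMPLE_LOG = "\n".join([
    "Response status code does not indicate success: 401 (Unauthorized).",
    '{"error":"invalid_client","error_description":"AADSTS7000222: The provided '
    'client secret keys are expired.\\r\\nTrace ID: f6471b2f-5662-46af-85b3-44199c76db01",'
    '"error_codes":[7000222],"timestamp":"2021-08-04 19:50:32Z",'
    '"trace_id":"f6471b2f-5662-46af-85b3-44199c76db01",'
    '"correlation_id":"eadb05e0-8a22-4702-95cc-3e919ef3c2ab"}: Unknown error',
    "ADAL exception",
])

AADSTS_RE = re.compile(r"AADSTS(\d+): ([^\r\n]+)")
_decoder = json.JSONDecoder()


def extract_token_errors(log_text):
    """Return one record per distinct token-endpoint error found in the log text."""
    found = {}
    for line in log_text.splitlines():
        start = line.find('{"error"')
        if start < 0:
            continue
        try:
            # raw_decode stops at the end of the JSON object, so the trailing
            # ": Unknown error" text after it is ignored.
            payload, _ = _decoder.raw_decode(line[start:])
        except json.JSONDecodeError:
            continue  # truncated or wrapped line; skip rather than guess
        m = AADSTS_RE.search(payload.get("error_description", ""))
        record = {
            "error": payload.get("error"),
            "aadsts_code": m.group(1) if m else None,
            "message": m.group(2).strip() if m else None,
            "trace_id": payload.get("trace_id"),
            "correlation_id": payload.get("correlation_id"),
            "timestamp": payload.get("timestamp"),
            # 7000222 is the expired-client-secret code shown in the log above
            "expired_secret": 7000222 in payload.get("error_codes", []),
        }
        # The worker retries, so the same failure can be logged more than once.
        found[(record["correlation_id"], record["trace_id"])] = record
    return list(found.values())


if __name__ == "__main__":
    for rec in extract_token_errors(SAMPLE_LOG):
        print(rec)
```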

  3. Boopathi Subramaniam 3,221 Reputation points
    2021-08-16T14:33:33.34+00:00

    Hello HanyunZhu,

    Thanks for your help.
    Renewing the Desktop Analytics secret key under \Administration\Overview\Cloud Services\Azure Active Directory Tenants resolved the issue.