Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,629 questions
AAD Cloud Sync Agent fails to connect
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(150.4, 82%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFM%3C/text%3E%3C/svg%3E)
Filippo Martinelli
26
Reputation points
In January I installed AAD Cloud Sync Agent and it worked till the end of July. Checking Azure AD in the cloud the domain is in quarantine status and the installed agents list reports none. First question: was my agent, which worked for months, automatically removed from the list ?
Executing AAD Cloud Sync Agent Wizard again it reports the following error:
PowerShell: System.Net.WebException: Remote server error: (401) Unauthorized. in System.Net.HttpWebRequest.GetResponse() in Microsoft.ApplicationProxy.Connector.PSModule.OnpremisesPublishingOperations.ProcessRequestWithoutPayload(HttpWebRequest request) in Microsoft.ApplicationProxy.Connector.PSModule.GetPublishedResourceCommand.ProcessRecord() in System.Management.Automation.CommandProcessor.ProcessRecord()
The agent log is full of the following errors:
AADConnectProvisioningAgent.exe Error: 0 : Service bootstrap request failed with exception. Request Id: 'fa4d8a82-150a-4326-a556-ccf43b1a9f45', Error: 'System.ServiceModel.Security.MessageSecurityException: La richiesta HTTP non è autorizzata con lo schema di autenticazione client 'Anonymous'. Intestazione di autenticazione ricevuta dal server: ''. ---> System.Net.WebException: Errore del server remoto: (401) Non autorizzato. in System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult) in System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelAsyncRequest.CompleteGetResponse(IAsyncResult result)
It is not a TLS 1.2 problem because it is not mandatory yet. Admin AAD login has been verified. The public ip of AAD agent on premise may have changed, is it possible the requests fail because the ip is filtered ?
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee2021-09-01T23:36:08.047+00:00 Do you get any AADSTS error? Based on the agent log, it sounds like the agent cannot establish a correct connection to the cloud. You can check the Resource Monitor on the server for more hints. I have seen people resolve this by ensuring that the agent no longer connects via the proxy.
Go to:
C: \ Program Files \ Microsoft Azure AD Connect Authentication Agent \ AzureADConnectAuthenticationAgentService.exe.config
If you enter these lines and then restart the agent, this may resolve the issue:
<?xml version=”1.0″ encoding=”utf-8″?> <configuration> <system.net> <defaultProxy enabled=”false”></defaultProxy> </system.net> <runtime> <gcServer enabled=”true”/> </runtime> <appSettings> <add key=”TraceFilename” value=”AzureADConnectAuthenticationAgent.log”/> </appSettings> </configuration>
Sign in to comment