ADConnect\ADSync Kerberos rollover Get-AzureADSSOStatus suddenly not working

Question

ADConnect\ADSync Kerberos rollover Get-AzureADSSOStatus suddenly not working

DoBongSoon 546

Hello,

I renew our Kerberos every month and suddenly I get this error:

PS C:\Program Files\Microsoft Azure Active Directory Connect> Import-Module .\AzureADSSO.psd1
PS C:\Program Files\Microsoft Azure Active Directory Connect> New-AzureADSSOAuthenticationContext
PS C:\Program Files\Microsoft Azure Active Directory Connect> New-AzureADSSOAuthenticationContext
PS C:\Program Files\Microsoft Azure Active Directory Connect> Get-AzureADSSOStatus |ConvertFrom-Json
Get-AzureADSSOStatus : One or more errors occurred.
At line:1 char:1

Get-AzureADSSOStatus |ConvertFrom-Json
~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Get-AzureADSSOStatus], AggregateException
FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.GetAzureA
DSSOStatusCommand

I already tried using a space after | for ConvertFrom-JSon, same issue. I also tried another Global admin's credential, same error. If I type in only the Get-AzureADSSOStatus I get the same error. This works every month until today. Does anyone have the same issue after August Windows Update? Thank you.

Siva-kumar-selvaraj 15,701 Reputation points

2021-09-09T11:08:13.907+00:00

Hello @DoBongSoon ,

Thanks for reaching out.

Could you please confirm AAD connect version also run following cmdlet and share the outcome with us. Thanks.

Get-AzureADSSOStatus -verbose -debug

Accepted answer

2 additional answers

Your answer

Siva-kumar-selvaraj 15,701 Reputation points

2021-09-09T11:08:13.907+00:00

Hello @DoBongSoon ,

Thanks for reaching out.

Could you please confirm AAD connect version also run following cmdlet and share the outcome with us. Thanks.

Get-AzureADSSOStatus -verbose -debug

Answer 1

DoBongSoon 546

Hi,

I just want to share the fix in case someone will run into the same issue. We discovered that the issue was about the URL we need to whitelist in Cisco Umbrella (although we are not blocking the port). It has always worked for us and suddenly got blocked. Microsoft support ran a log to review traffic from the AD Connect server and we found the offending URL that was filtered by the firewall when requesting and updating the SSO configuration in Azure AD.

Albert Treacy 1 Reputation point

2021-10-07T03:56:34.1+00:00

Hello EE-9037

Can you please advise what was the URL that need to be added to the Cisco Umbrella allow list.

Regards
Siva-kumar-selvaraj 15,701 Reputation points

2021-10-07T05:12:09.333+00:00

Thanks for leveraging Microsoft Q&A forum also sharing your findings which would definitely help others in the community.
DoBongSoon 546 Reputation points

2021-10-07T18:10:03.15+00:00

*.msappproxy.net - This was the offending URL.
Albert Treacy 1 Reputation point

2021-10-07T21:27:51.837+00:00

Thanks very much EE-9037

Just added to Allow List now

Regards

Answer 2

DoBongSoon 546

I get the same error. I think there is suddenly an issue with the "Get-AzureADSSOStatus" command. I have no issue with the other "Get" commands.

Get-AzureADSSOStatus : One or more errors occurred.
At line:1 char:1

Get-AzureADSSOStatus -verbose -debug
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CategoryInfo : NotSpecified: (:) [Get-AzureADSSOStatus], AggregateException
FullyQualifiedErrorId : System.AggregateException,Microsoft.KerberosAuth.Powershell.PowershellCommands.GetAzureA
DSSOStatusCommand

My AADConnect version is 2.0.10.0. I upgraded it from 1.3, thinking that was the issue, but it did not fix the problem. I get the same error.

Thank you.

Siva-kumar-selvaraj 15,701 Reputation points

2021-09-13T13:07:20.253+00:00

Thanks for the update.

This issues need more investigation and live troubleshooting for quicker resolution I would recommend you to contact azure support. If you have a support plan, requesting you to file a support ticket, else please do let us know, we will try and help you get a one-time free technical support. Thanks
DoBongSoon 546 Reputation points

2021-09-13T16:20:54.553+00:00

Thank you. I did open a ticket with Microsoft but they have not responded to me yet (after several days). If they resolve this, I will share the solution here. In the meantime, anyone who has other ideas or the same experience recently please share. Thank you.
Raghuvarma Pasupuleti 0 Reputation points

2024-02-15T13:13:49.3966667+00:00

Any update on the resolution regarding the issue?

Answer 3

DoBongSoon 546

I am not aware of any issue at this time. It has been working for us. Also make sure that you are part of either the enterprise or domain admin when running the command. Otherwise, it won't work. This has been a thing for years. It wasn't like this when we started ADConnect.

Raghuvarma Pasupuleti 0 Reputation points

2024-02-15T18:23:10.46+00:00

We are in the middle of migration to cloud authentication from ADFS. As part of staged rollout, trying to execute the commands, but getting below error. The account that i tried to run with is part of Domain Admin group. Still facing the issue.

Share via

ADConnect\ADSync Kerberos rollover Get-AzureADSSOStatus suddenly not working

2 additional answers

Your answer