25,132 questions
It seem that the service keeps on working even without an updated certificate (at least for now).
Azure Pass-through autentication agent certificate not updating
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 88%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELZ%3C/text%3E%3C/svg%3E)
Liran Zamir1
21
Reputation points
I have Azure pass-through authentication agents working on a few servers that are not allowed direct internet connection.
I am using a proxy server that seem to allow user authentication but some updates are blocked as seen by events in event viewer.
I configured both AzureADConnectAgentUpdater.exe.config and AzureADConnectAuthenticationAgentService.exe.config with our proxy server settings
and the proxy does not require authentication from the PTA servers IP address, however it probably does block updates and the tenant certificate is about
to expire and is not updating automatically as it should.
I'm trying to work with the proxy server admin to find what is being blocked and why, but agent updates are automatic and I cannot find a way to trigger
an updater connection to get troubleshooting done faster. Restarting the services does not make it initiate a update connection.
Does anyone know of a way to force the services to update on request ?
Thanks.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 81%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMT%3C/text%3E%3C/svg%3E)
Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator2022-01-05T00:03:42.997+00:00 Are you able to share your event viewer logs?
If the existing certificate has expired, Azure AD deletes the Authentication Agent from your tenant’s list of registered Authentication Agents. Then a global administrator needs to manually install and register a new Authentication Agent. PTA Deep Dive)
Based on the information you have provided, you may need to uninstall and reinstall the latest version of the agent and then make sure that the agent is enabled in Azure. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-pta-upgrade-preview-authentication-agents
I would also recommend reviewing the Troubleshooting steps, which involve verifying the status of the agent and verifying that the latest version is installed.
-
Liran Zamir1 21 Reputation points
2022-01-05T06:50:02.167+00:00 Hello and thank you for your reply.
My authentication agents are still active as the certificate expiration date has not been reached yet. (it will happen in a few days).
We are running the AD Connect auth agent/package/updater version 1.5.2482.0Yesterday we implemented firewall changes and configured two of the PTAs for direct access and restarted both the PTA and updater services
and verified using netstat that the process connects directly to MS IP addresses and not via proxy. I also did not see and "SYN_SENT" messages.
In addition since the service restart I am no longer getting error events regarding failed connections in the AuthenticationAgent and AgentUpdater.
However the certificate is not updating and I have no way to ask the service to force an update.
Will I need to uninstall and reinstall the PTA in order to make it work ?
Sign in to comment