

Cannot Enable SSO with Azure Active Directory Connect - WIN32 Exception - The implementation is not capable of performing the request

Question

Wednesday, February 22, 2017 6:12 PM

Hello all,

I am looking to enable SSO in the AD Connect and am getting the above error.

Server: Windows 2008 R2. ADC is the latest (1.1.380).

Everything else is working properly in ADC.

Here is part of the log with the error (I did replace our Domain name in the below):

[13:03:56.656] [  1] [INFO ] There are 1 eligible forests.
[13:03:56.656] [  1] [INFO ] **MYDOMAIN**.com are available for desktopsso.
[13:04:05.682] [  1] [ERROR] A terminating unhandled exception occurred.
Exception Data (Raw): System.ComponentModel.Win32Exception (0x80004005): The implementation is not capable of performing the request
   at Microsoft.Online.Deployment.Framework.UI.Dialogs.CredentialsDialog.ShowDialog(IWin32Window owner)
   at Microsoft.Online.Deployment.Framework.UI.Dialogs.CredentialsDialog.Show()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.ConfigDesktopSsoPageViewModel.ValidateDomainAdminCredentialsOnExecute(Object obj)
   at MS.Internal.Commands.CommandHelpers.CriticalExecuteCommandSource(ICommandSource commandSource, Boolean userInitiated)
   at System.Windows.Documents.Hyperlink.OnClick()
   at System.Windows.Documents.Hyperlink.DoUserInitiatedNavigation(Object sender)
   at System.Windows.Documents.Hyperlink.OnMouseLeftButtonUp(Object sender, MouseButtonEventArgs e)
   at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
   at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
   at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
   at System.Windows.UIElement.ReRaiseEventAs(DependencyObject sender, RoutedEventArgs args, RoutedEvent newEvent)
   at System.Windows.UIElement.OnMouseUpThunk(Object sender, MouseButtonEventArgs e)
   at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
   at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
   at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
   at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args)
   at System.Windows.ContentElement.RaiseTrustedEvent(RoutedEventArgs args)
   at System.Windows.Input.InputManager.ProcessStagingArea()
   at System.Windows.Input.InputProviderSite.ReportInput(InputReport inputReport)
   at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr hwnd, InputMode mode, Int32 timestamp, RawMouseActions actions, Int32 x, Int32 y, Int32 wheel)
   at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr hwnd, WindowMessage msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
[13:04:05.702] [  5] [INFO ] Starting Telemetry Send
[13:04:05.707] [  1] [INFO ] Page transition from "Single sign on" [ConfigDesktopSsoPageViewModel] to "Error" [ErrorPageViewModel]

All replies (15)

Thursday, February 23, 2017 9:26 PM

Hi trapperdave,

Sorry to hear you're having issues enabling SSO.

The wizard is attempting to display a dialog box prompting you to enter the credentials for the domain you're trying to configure for SSO. Is this happening consistently for you if you relaunch AAD Connect? Do you see any errors in the Windows Event Viewer?


Thursday, February 23, 2017 10:40 PM

Hello Soren and thanks for the response!

I get a UAC prompt and I type in my Domain (Enterprise) admin credentials. Should I turn off the UAC prompting and try?


Thursday, February 23, 2017 10:51 PM

That's interesting. Are you saying you're getting a UAC prompt as you're clicking the Enter credentials link? AAD Connect should already be elevated when you start it, so you should only see a UAC prompt when you launch it.


Thursday, February 23, 2017 10:57 PM

Yes, that is exactly what I get. I see a blue link to add my credentials and it goes to the UAC prompt. I do also get the UAC prompt when I start the Azure AD Connect.


Friday, February 24, 2017 4:56 PM

So even with UAC completely off in GPO I am still getting the UAC prompt for this. Is it a Windows 2008 R2 issue?


Friday, February 24, 2017 6:29 PM | 2 votes

It shouldn't be, but I'll try repro on my end to confirm.

To unblock you, you can enable SSO manually through PowerShell. I've included the instructions below:

Location of SSO PowerShell scripts

a. Open PowerShell

b. Navigate to %programfiles%\Microsoft Azure Active Directory Connect

c. Import AzureADSSO.psd1 by calling: Import-Module .\AzureADSSO.psd1

To enable SSO for a new forest:

a. Call New-AzureADSSOAuthenticationContext. This should give you a popup to enter the cloud admin credentials for the tenant

b. Call Enable-AzureADSSOForest for each forest you would like to enable SSO for. This should give you a popup to enter the domain admin credentials.

To enable SSO for your tenant (this is the last step):

a. Call New-AzureADSSOAuthenticationContext. This should give you a popup to enter your tenant creds

b. Call Enable-AzureADSSO and pass 'true' to enable SSO

Let me know if that worked for you.
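
The manual steps from the reply above, combined into one elevated PowerShell session. This is an added example, not part of the original post or Microsoft's own script. Assumptions: the forest name is a placeholder, `Get-AzureADSSOStatus` (from the same module) and the `-Enable` parameter are not named on this page, and the `Enable`/`Domains` properties of the status output are assumed.

```powershell
# Added example: consolidates the manual SSO steps described in the reply above.
# Run in an elevated PowerShell session on the Azure AD Connect server.
$ErrorActionPreference = 'Stop'

# The module is not on PSModulePath, so it must be imported by relative
# path (.\); a bare file name fails with Modules_ModuleNotFound.
Set-Location (Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect')
Import-Module .\AzureADSSO.psd1

# Authenticate to the tenant (pops up a cloud admin sign-in).
New-AzureADSSOAuthenticationContext

# Read the current state first so a re-run does not attempt the forest
# step again. The property names Enable and Domains are assumptions.
$status = Get-AzureADSSOStatus | ConvertFrom-Json
$forest = 'corp.example.com'   # placeholder: your on-premises forest name

if ($status.Domains -contains $forest) {
    Write-Host "SSO is already listed for $forest; skipping the forest step."
} else {
    # Collect domain admin credentials as a PSCredential object rather
    # than typing a password on the command line.
    $creds = Get-Credential
    Enable-AzureADSSOForest -OnPremCredentials $creds
}

# Last step: turn the feature on for the tenant if it is not on yet.
if (-not $status.Enable) {
    Enable-AzureADSSO -Enable $true
}

# Confirm the resulting configuration.
Get-AzureADSSOStatus | ConvertFrom-Json | Format-List
```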


Friday, February 24, 2017 7:06 PM

Hi Soren,

I opened PowerShell (run as admin), navigated to the correct folder. I do see the AzureADSSO.psd1 script. I type exactly import-module AzureADSSO.psd1 and get an error:

Import-Module : The specified module 'AzureADSSO.psd1' was not loaded because no valid module file was found in any
module directory.
At line:1 char:1
+ Import-Module AzureADSSO.psd1
    + CategoryInfo          : ResourceUnavailable: (AzureADSSO.psd1:String) [Import-Module], FileNotFoundException
    + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand


Friday, February 24, 2017 7:23 PM

Sorry, I forgot to add '.\' in front of the module name. It should look like this:

Import-Module .\AzureADSSO.psd1

I've updated the post above to reflect this.


Friday, February 24, 2017 8:06 PM

I should have noticed that as well. I am up to the Enable-AzureADForest. It has created the local account about 30 minutes ago. Still waiting on this script to complete.

Thanks.


Friday, February 24, 2017 9:03 PM

I would say it's hung. It has been at this prompt for more than 90 minutes:

OnPremCredentials
[14:34:31.109] [  6] [INFORMATIONAL] Creating computer account in CN=Computers,DC=hbs,DC=zzzdomainzzz,DC=com
[14:34:31.453] [  6] [INFORMATIONAL] Creating computer account...

Should I stop the Azure service or stop the script?

Thanks, David


Saturday, February 25, 2017 3:45 AM

Sorry for all this trouble, David.

Could you send my team an email at aadopauthfeedback@microsoft.com and we'll work with you directly on figuring out what's going on. It would appear you're running into several different issues and we'll likely need more details.


Monday, February 27, 2017 5:56 PM

Thanks Soren. I sent the email. I had to eventually stop the above script. I tried running again, but it errors out since the computer was created. I went on to the last script and that seems it ran. I set up GPO, but the SSO is not working on my test machine. I am not sure where to find any log info.

Davi


Wednesday, March 1, 2017 6:46 AM

Do you have the Windows Firewall disabled?  I've found several things that don't work correctly during setup when the firewall is disabled (usually via GPO).


Wednesday, March 1, 2017 3:11 PM

Hi Aaron, Soren was able to help me get it working by using the PowerShell commands. I did turn the firewall off and allow the port 9090. Thanks, David


Monday, April 24, 2017 7:18 AM

It's working! Thank you!