This article helps you find information about resolving common issues with Azure AD pass-through authentication.
important
If you encounter problems with user sign-in when using Pass-through Authentication, do not disable the feature or uninstall the Pass-through Authentication Agents without having a cloud-only Global Administrator account or a Hybrid Identity Administrator account to fall back on. Learn about adding a cloud-only Global Administrator account. Taking this step is critical to ensuring that you don't get locked out of your tenant.
General issues
Check the status of the feature and the Authentication Agents
Make sure that the Pass-through Authentication feature is still Enabled on your tenant and that the status of the Authentication Agents shows Active, not Inactive. You can check the status on the Azure AD Connect blade in the admin center.
Sign-in error messages shown to the user
If users are unable to sign in using Pass-through Authentication, they may see one of the following user-facing errors on the Azure AD sign-in screen:
Error | Description | Resolution |
---|---|---|
AADSTS80001 | Unable to connect to Active Directory | Ensure that the Authentication Agent server is a member of the same AD forest as the users whose passwords need to be validated, and that it is able to connect to Active Directory. |
AADSTS80002 | A timeout occurred while connecting to Active Directory | Verify that Active Directory is available and responding to requests from the Authentication Agents. |
AADSTS80004 | The username passed to the Authentication Agent was not valid | Ensure that the user is attempting to sign in with the correct username. |
AADSTS80005 | Validation encountered unpredictable WebException | A transient error. Retry the request. If it continues to fail, contact Microsoft Support. |
AADSTS80007 | An error occurred while communicating with Active Directory | Check the Authentication Agent logs for more information and verify that Active Directory is operating as expected. |
The user gets an invalid username/password error
This can happen when the user's on-premises UserPrincipalName (UPN) differs from the user's cloud UPN.
To confirm that this is the problem, first test that the Pass-through Authentication Agent is working:
Create a test account.
Import the PowerShell module on the Authentication Agent machine:
Import-Module "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1"
Run the troubleshooter PowerShell command:
Invoke-PassthroughAuthOnPremLogonTroubleshooter
When prompted for credentials, enter the same username and password that are used to sign in at https://login.microsoftonline.com.
If you get the same username/password error, the Pass-through Authentication Agent is working correctly, and the problem may be that the on-premises UPN is not routable. For more information, see Set up an alternate login ID.
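The check described above, as an added example that is not part of the original article: it compares the test account's on-premises UPN suffix against the tenant's verified domains (the usual cause of a non-routable UPN) and then runs the same troubleshooter the steps describe. It assumes the ActiveDirectory and Microsoft Graph PowerShell modules are installed on the agent machine, and the test account name is a placeholder you supply.

```powershell
# Added example, not from the original article.
# Assumes: ActiveDirectory module, Microsoft.Graph (Get-MgDomain), run on the Authentication Agent server.
param(
    [Parameter(Mandatory)] [string] $SamAccountName   # the test account created in step 1 (placeholder)
)

# 1. On-premises UPN of the test account and its suffix (the part after '@').
$adUser       = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName
$onPremUpn    = $adUser.UserPrincipalName
$onPremSuffix = ($onPremUpn -split '@')[1]

# 2. Domains verified in the cloud tenant. A UPN whose suffix is not in this list
#    cannot be matched to a cloud UPN, which surfaces as "invalid username/password".
Connect-MgGraph -Scopes 'Domain.Read.All' | Out-Null
$verifiedDomains = (Get-MgDomain | Where-Object IsVerified).Id

if ($verifiedDomains -notcontains $onPremSuffix) {
    Write-Warning ("On-premises UPN '{0}' uses suffix '{1}', which is not a verified domain in the tenant. " +
                   "The UPN is not routable; configure an alternate login ID.") -f $onPremUpn, $onPremSuffix
} else {
    Write-Host "On-premises UPN suffix '$onPremSuffix' is a verified tenant domain."
}

# 3. Confirm the agent itself can validate the password (the article's steps 2 and 3).
#    You are prompted for the test account's credentials.
Import-Module 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1'
Invoke-PassthroughAuthOnPremLogonTroubleshooter
```

If step 3 validates the password but step 2 reports a non-verified suffix, the agent is healthy and the UPN mismatch is the cause.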
important
If the Azure AD Connect server is not domain-joined, which is a requirement listed in Azure AD Connect: Prerequisites, you will get an invalid username/password error.
Sign-in failure reasons in the Azure portal (requires a Premium license)
If your tenant has an Azure AD Premium license associated with it, you can also look at the sign-in activity report in the admin center.
Navigate to Azure Active Directory -> Sign-ins in the Azure portal and click a specific user's sign-in activity. Look for the Sign-in error code field. Use the following table to map the value of that field to a failure reason and resolution:
Sign-in error code | Sign-in failure reason | Resolution |
---|---|---|
50144 | The user's Active Directory password has expired. | Reset the user's password in your on-premises Active Directory. |
80001 | No Authentication Agent is available. | Install and register an Authentication Agent. |
80002 | The Authentication Agent's password validation request timed out. | Check whether Active Directory is reachable from the Authentication Agent. |
80003 | The Authentication Agent received an invalid response. | If the problem is consistently reproducible for many users, check your Active Directory configuration. |
80004 | An incorrect User Principal Name (UPN) was used in the sign-in request. | Ask the user to sign in with the correct username. |
80005 | Authentication Agent: an error occurred. | A transient error. Try again later. |
80007 | The Authentication Agent was unable to connect to Active Directory. | Check whether Active Directory is reachable from the Authentication Agent. |
80010 | The Authentication Agent was unable to decrypt the password. | If the problem persists, install and register a new Authentication Agent, then uninstall the current one. |
80011 | The Authentication Agent was unable to retrieve the decryption key. | If the problem persists, install and register a new Authentication Agent, then uninstall the current one. |
80014 | The validation request responded after the maximum elapsed time was exceeded. | The Authentication Agent timed out. Open a support ticket with the error code, correlation ID and timestamp to get more details on this error. |
important
Pass-through Authentication Agents authenticate Azure AD users by validating their usernames and passwords against Active Directory through the Win32 LogonUser API. Therefore, if you have configured the "Logon To" setting in Active Directory to limit workstation logon access, you must also add the servers hosting the Pass-through Authentication Agents to the list of "Logon To" servers. If you don't, your users will be unable to sign in to Azure AD.
Authentication Agent installation issues
An unexpected error occurred
Collect the Authentication Agent logs from the server and contact Microsoft Support to resolve the issue.
Authentication Agent registration issues
Authentication Agent registration failed due to blocked ports
Ensure that the server on which the Authentication Agent is installed can communicate with the service URLs and ports listed here.
Authentication Agent registration failed due to token or account authorization errors
Ensure that you use a cloud-only Global Administrator account or a Hybrid Identity Administrator account for all Azure AD Connect or standalone Authentication Agent installation and registration operations. There is a known issue with MFA-enabled Global Administrator accounts; as a workaround, temporarily disable MFA (only until the operation completes).
An unexpected error occurred
Collect the Authentication Agent logs from the server and contact Microsoft Support to resolve the issue.
Authentication Agent uninstallation issues
Warning message when uninstalling Azure AD Connect
If you have Pass-through Authentication enabled on your tenant and you try to uninstall Azure AD Connect, it shows the following warning message: "Users will not be able to sign in to Azure AD unless you have other Pass-through Authentication Agents installed on other servers."
Ensure that your setup is configured for high availability before you uninstall Azure AD Connect, so that user sign-ins are not disrupted.
Issues with enabling the feature
Enabling the feature failed because no Authentication Agents are available
You need at least one active Authentication Agent to enable Pass-through Authentication on your tenant. You can install an Authentication Agent either by installing Azure AD Connect or by installing a standalone Authentication Agent.
Enabling the feature failed due to blocked ports
Ensure that the server on which Azure AD Connect is installed can communicate with the service URLs and ports listed here.
Enabling the feature failed due to token or account authorization errors
Ensure that you use a cloud-only Global Administrator account when enabling the feature. There is a known issue with Multi-Factor Authentication (MFA)-enabled Global Administrator accounts; as a workaround, temporarily disable MFA (only until the operation completes).
Collect Pass-through Authentication Agent logs
Depending on the type of issue you may have, you need to look in different places for the Pass-through Authentication Agent logs.
Azure AD Connect logs
For errors related to installation, check the Azure AD Connect logs at %ProgramData%\AADConnect\trace-*.log.
Authentication Agent event logs
For errors related to the Authentication Agent, open the Event Viewer application on the server and check Applications and Services Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin.
For more detailed analysis, enable the "Session" log (right-click inside the Event Viewer app to find this option). Don't run the Authentication Agent with this log enabled during normal operation; use it only for troubleshooting. The log contents are only visible after the log is disabled again.
Detailed trace logs
To troubleshoot user sign-in failures, look for the trace logs at %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\. These logs include the reason why a specific user sign-in failed using Pass-through Authentication. These errors also map to the sign-in failure reasons shown in the sign-in failure reasons table above. The following is a sample log entry:
AzureADConnectAuthenticationAgentService.exe errors: 0: Pass-through authentication request failed. Request ID: "df63f4a4-68b9-44ae-8d81-6ad2d844d84e". Reason: "1328". ThreadId=5 Date Time=xxxx-xx-xxTxx:xx:xx.xxxxxxZ
You can get descriptive details of the error ("1328" in the example above) by opening a command prompt and running the following command (replace "1328" with the actual error number shown in the log):
net helpmsg 1328
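The trace log entry and the net helpmsg lookup described above, combined into one added example that is not part of the original article: it parses every failed request in the trace directory, groups them by reason code, and resolves each code to its Win32 error text. The trace directory is the one named in the article; the sample log line is constructed to match the format shown.

```powershell
# Added example, not from the original article. Assumes the trace directory from the article
# and the "Pass-through Authentication request failed ... Reason: 'NNNN'" entry format shown there.
$traceDir = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Trace'

# Matches the entry format quoted in the article; accepts both "double" and 'single' quoted values.
$pattern = @'
Pass-?through Authentication request failed\. Request ?ID: ["'](?<req>[^"']+)["']\. Reason: ["'](?<code>\d+)["']
'@

function Get-PtaFailureSummary {
    param([string[]] $Lines)
    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ RequestId = $Matches.req; Code = [int]$Matches.code }
        }
    }
    $hits | Group-Object Code | ForEach-Object {
        # net helpmsg prints the Win32 error text for the code (the article's manual step).
        $text = (& net helpmsg $_.Name 2>&1 | Where-Object { "$_".Trim() }) -join ' '
        [pscustomobject]@{
            Code       = [int]$_.Name
            Count      = $_.Count
            Message    = $text.Trim()
            RequestIds = @($_.Group.RequestId)   # keep the IDs for a support ticket
        }
    }
}

# Constructed sample entry with the same shape as the one quoted in the article:
$sample = @(
    'AzureADConnectAuthenticationAgentService.exe Error: 0 : Pass-through Authentication request failed. Request ID: "df63f4a4-68b9-44ae-8d81-6ad2d844d84e". Reason: "1328". ThreadId=5 DateTime=2024-01-01T00:00:00.0000000Z'
)
Get-PtaFailureSummary -Lines $sample | Format-List

# Real run over every trace file on this Authentication Agent server:
if (Test-Path $traceDir) {
    $lines = Get-ChildItem $traceDir -File | Get-Content
    Get-PtaFailureSummary -Lines $lines | Sort-Object Count -Descending | Format-Table Code, Count, Message -AutoSize
}
```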
Domain controller logs
If audit logging is enabled, additional information may be found in the security logs of your domain controllers. A simple way to query sign-in requests from the Pass-through Authentication Agents is as follows:
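One way to run such a query with Get-WinEvent, as an added example that is not part of the original article: it selects logon success (4624) and failure (4625) events whose calling process is the Authentication Agent service. The service executable name is taken from the article's trace log sample and the install directory from the module path quoted earlier; the target computer name is a placeholder you supply.

```powershell
# Added example, not from the original article. Assumes the agent install directory and
# service executable name shown elsewhere in the article, and logon auditing enabled on the target.
param(
    [string] $ComputerName = $env:COMPUTERNAME,   # a domain controller, per the article (placeholder)
    [int]    $Hours        = 24
)
$agentExe = 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe'
$sinceMs  = $Hours * 3600 * 1000

# XPath filter: 4624 = successful logon, 4625 = failed logon, restricted to the agent process
# and to the last $Hours hours.
$filterXml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625) and TimeCreated[timediff(@SystemTime) &lt;= $sinceMs]]]
      and *[EventData[Data[@Name='ProcessName']='$agentExe']]
    </Select>
  </Query>
</QueryList>
"@

$events = Get-WinEvent -ComputerName $ComputerName -FilterXml $filterXml -ErrorAction SilentlyContinue
if (-not $events) { Write-Host "No Authentication Agent logon events on $ComputerName in the last $Hours hours."; return }

$events | ForEach-Object {
    # Flatten the EventData name/value pairs so fields can be read by name.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        Status    = if ($_.Id -eq 4625) { $data['Status'] }    else { 'Success' }
        SubStatus = if ($_.Id -eq 4625) { $data['SubStatus'] } else { '' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

For 4625 events, the Status and SubStatus NTSTATUS values (for example an expired password versus a locked-out account) give the same kind of detail as the reason codes in the agent trace logs.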
Performance monitor counters
Another way to monitor Authentication Agents is to track specific Performance Monitor counters on each server where an Authentication Agent is installed. Use the following global counters (# PTA authentications, # PTA failed authentications and # PTA successful authentications) and error counter (# PTA authentication errors):
important
Pass-through Authentication provides high availability using multiple Authentication Agents, and NOT load balancing. Depending on your configuration, NOT all your Authentication Agents receive roughly equal numbers of requests. It is possible that a specific Authentication Agent receives no traffic at all.
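The counter-based monitoring described above, as an added example that is not part of the original article: it samples the four PTA counters named in the article on each Authentication Agent server and reports each server's share of traffic and failure rate, which makes the uneven distribution the note warns about visible. The counter set name is discovered from the counter names rather than assumed; the server names are constructed placeholders, and remote performance-counter access to those servers is assumed.

```powershell
# Added example, not from the original article. Counter names are the ones the article lists;
# the counter set containing them is located at run time. Server names are placeholders.
param([string[]] $AgentServers = @('pta-agent-01', 'pta-agent-02'))

function Get-PtaCounters {
    param([string] $Server)
    # Locate the counter set that exposes the "# PTA ..." counters on this server.
    $set = Get-Counter -ListSet '*' -ComputerName $Server |
           Where-Object { $_.Counter -match 'pta authentications' } | Select-Object -First 1
    if (-not $set) { throw "No PTA counter set found on $Server" }

    $sample = Get-Counter -Counter $set.Counter -ComputerName $Server
    $values = @{}
    foreach ($s in $sample.CounterSamples) {
        $name = (($s.Path -split '\\')[-1]).ToLowerInvariant()   # e.g. "# pta authentications"
        $values[$name] = [int]$s.CookedValue
    }
    [pscustomobject]@{
        Server     = $Server
        Total      = $values['# pta authentications']
        Successful = $values['# pta successful authentications']
        Failed     = $values['# pta failed authentications']
        Errors     = $values['# pta authentication errors']
    }
}

$rows  = foreach ($srv in $AgentServers) { Get-PtaCounters -Server $srv }
$grand = ($rows | Measure-Object Total -Sum).Sum

# ShareOfTraffic shows whether one agent is carrying most (or none) of the requests;
# FailureRate isolates an agent that is reachable but failing validations.
$rows | Select-Object Server, Total, Successful, Failed, Errors,
    @{ n = 'ShareOfTraffic'; e = { if ($grand)    { '{0:P1}' -f ($_.Total  / $grand)    } else { 'n/a' } } },
    @{ n = 'FailureRate';    e = { if ($_.Total)  { '{0:P1}' -f ($_.Failed / $_.Total)  } else { 'n/a' } } } |
    Format-Table -AutoSize
```

An agent with a zero share is not necessarily faulty, since the note explains that requests are not load balanced, but an agent with a high failure rate relative to its peers points at that server's connectivity to Active Directory.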