Unable to activate single sign on from the ADconnect

  • Question

  • Please, on my Active Directory I deployed single sign-on for all users but discovered it was not really working, so I decided to reconfigure it. While deploying, there is a section where I was asked to input the domain administrator credential, which I did, but I got an error that "an error occurred while locating the computer account", meanwhile the username and password are correct. Kindly assist to rectify it. Thanks
    Tuesday, September 24, 2019 2:24 PM

Answers

  • We were seeing the same issue with 1.4.25.0 of Azure AD Connect.  The trace log (c:\program data\aadconnect\tracetime.log) isn't of any help as it doesn't give any more detail but here it is anyway:-

    [13:45:23.981] [  1] [INFO ] DesktopSso is only available for Active Directory forests. Getting all AD forests
    [13:45:23.981] [  1] [INFO ] There are 3 eligible forests.
    [13:45:23.981] [  1] [INFO ] forest1,forest2,forest3 are available for desktopsso.
    [13:45:41.414] [  1] [INFO ] Check if username is in samAccount format
    [13:45:41.414] [  1] [INFO ] Username is in samAccount format
    [13:45:41.415] [  1] [INFO ] desktopsso computer account will be created in FOREST
    [13:45:41.415] [  1] [INFO ] Checking if credentials belong to the forest
    [13:45:41.820] [  1] [INFO ] ValidateForest: using domaincontrollername to validate domain domainname
    [13:45:41.822] [  1] [INFO ] Successfully examined domain domainname GUID:xxxxxxxx-xxx-xxx-xxxx-xxxxxxxxx  DN:DC=domain,DC=com
    ....validates the other forests
    [13:45:42.070] [  1] [INFO ] DOMAIN\useraccount belongs to the forest
    [13:45:42.342] [  1] [ERROR] An error occurred while locating computer account.

    In our case, the issue was due to SSO being previously configured and so the computer account the process creates already existed.

    To resolve, follow the steps in https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso#manual-reset-of-the-feature


    Tuesday, October 8, 2019 3:57 AM
  • Yep exactly this.

    Find computer account AZUREADSSOACC in AD, delete the account, try again, works.

    Why Microsoft don't just resolve this in the installer when reinstalling or just give a clear message that says "Hey you already have the account AZUREADSSOACC in AD, go delete that please and try again" is so far beyond me. 30 minutes of my time wasted today. Checking forums and such would be the same for many other techs out there.

    How much collective time has one programmer at Microsoft wasted with this globally?


    Wednesday, December 11, 2019 11:39 PM
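
A pre-check for the condition both answers describe (an AZUREADSSOACC computer account left over from an earlier Seamless SSO setup), as an added example that is not part of the thread or of Microsoft's reset procedure. It assumes the ActiveDirectory (RSAT) PowerShell module is installed and run rights to read computer objects; the function name Find-SsoComputerAccount is hypothetical.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

$AccountName = 'AZUREADSSOACC'   # computer account name given in the thread

function Find-SsoComputerAccount {   # hypothetical helper name
    param(
        # Domains to search; defaults to every domain in the current forest.
        [string[]]$Domain = @((Get-ADForest).Domains)
    )
    foreach ($d in $Domain) {
        try {
            Get-ADComputer -Filter "Name -eq '$AccountName'" -Server $d `
                -Properties whenCreated, PasswordLastSet -ErrorAction Stop |
                Select-Object @{ n = 'Domain'; e = { $d } },
                    DistinguishedName, Enabled, whenCreated, PasswordLastSet
        } catch {
            # An unreachable DC is reported, not treated as "account absent".
            Write-Warning "Could not query ${d}: $($_.Exception.Message)"
        }
    }
}

$found = @(Find-SsoComputerAccount)
if ($found.Count -eq 0) {
    Write-Output "No $AccountName object found in the searched domains."
} else {
    $found | Format-List
    Write-Output "$AccountName already exists in $($found.Count) domain(s)."
}
```

For additional forests, pass their domain FQDNs with -Domain. Check whenCreated against the date of the earlier SSO deployment before deleting the object as the answers describe; Remove-ADComputer accepts -WhatIf for a dry run.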

All replies

  • Please double-check that the account is a member of the Domain Admins and Administrators groups in the domain, and if the domain is the forest root domain, the account is also a member of the Enterprise Admins group.

    This can also happen if the password or credentials changed on the account, or if there is an issue communicating with the DC.

    Are you able to properly ping the DC?

    Can you please post the logs from the AD Connect wizard?

    I've heard of this happening also if your account has MFA enabled or has certain conditions that require MFA (like being outside of the network). 

    If all else fails, you can try creating a new Domain Admin account to see if it works with that one.


    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable. Thanks!

    Wednesday, September 25, 2019 12:21 AM
    Owner
  • Thanks Maeilee,

    Yes, I'm able to ping the DC.

    This is the event log. (I don't know if I'm right with that.)

    +

    System
    - EventData
    Scheduler:SchedulerThreadMain: Released globalschedulerlock

    Wednesday, September 25, 2019 8:45 AM
  • Were you able to resolve this? I have the exact same issue.

    Monday, October 7, 2019 7:57 PM
  • Thanks James,

    This is exactly the issue I had. I tried following the link you stated above, but in the aspect of using Import-Module .\AzureADSSO.psd1 PowerShell, below is the error I got

     

    Tuesday, October 8, 2019 11:00 AM
  • Hello Wade, 

    Thank you for sharing the solution and my sincere apologies for the inconvenience you had to go through due to this. We have taken this feedback and you can also provide feedback on the UserVoice, which is periodically monitored by the product group. Also we would request you to use professional words within your answers, which will help in managing a healthy and inclusive community.

    Thank you for your contribution to the community.



    Thursday, December 12, 2019 11:24 AM
    Owner