ADSync Errors following ADFS setup


  • Hi everyone

    We have been using Office 365 and Azure AD for a year or so and have been using Azure AD Connect to synchronize users and passwords from our on-premise AD.  This evening we have enabled ADFS so all Office 365 logins are now authenticated by our on-premise ADFS server.

    This is working and users are able to sign in to Office 365 with the ADFS server successfully authenticating them.  However we now are getting some 109 and 6801 events for ADSync and Directory Synchronization on the server where Azure AD Connect is installed.  The errors in these events are shown below:

    Failure while importing entries from Windows Azure Active Directory. Exception: Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: Federated service at https://adfs.DOMAIN/adfs/services/trust/13/usernamemixed returned error: ID3242: The security token could not be authenticated or authorized. ---> System.Net.WebException: The remote server returned an error: (500) Internal Server Error.

    I'm a bit confused as to what this error is referring to?  If I run the Azure AD Connect sync manually it seems to complete with no errors and I was under the impression that the ADSync tool could continue to run even though we're now using ADFS, so if we ever have to switch back our on-premise AD and AAD will match?

    I'd be grateful if anyone with any experience of any of the above could give me any advice?

    Thanks in advance for your help.

    Saturday, April 1, 2017 9:36 PM

All replies

  • Hi,

    It seems like there is a problem with the Azure AD account which is used by your Azure AD Connect server to synchronize from Azure AD. Do you happen to know which account it is? If so, can you check against Azure AD to see if its UPN is based on your tenant's domain please?

    Also, when you said you ran manual sync to complete with no errors, what is the exact step that you took? Did the operation include either import or export on the Azure AD connector?


    Chun Yong

    Monday, April 3, 2017 7:24 AM
  • Hi Chun, thanks for the response.

    I've checked and it looks like you're right, the ADFS server is returning a username or password is incorrect when our Directory Sync service account is trying to log on.  I've checked the account and when viewing it in Office 365 admin it shows as "Synced with Active Directory" and "Sourced from Local Active Directory" in AAD, but I can't find this account in local AD?  I assume this is why our ADFS server can't authenticate it.

    The UPN of the account is not our domain but is on our internal domain.  Like I said above I think the problem is the fact that the AD Sync service account doesn't seem to be on our local AD even though AAD and Office 365 think it's being synced from there?  However I'm not sure how I can resolve this issue.

    Monday, April 3, 2017 8:44 AM
  • Hi,

    It is normal for the service account to show up as "Synced with Active Directory". The account isn't synchronized from on-premises AD but it is decorated this way for legacy reasons.

    Can you check a couple of things please:


    1. Log in to the Azure AD Connect server.
    2. Fire up Synchronization Service Manager.
    3. Go to the Connectors tab.
    4. Select the one which corresponds to your Azure AD tenant.
    5. Right-click and select Properties.
    6. Click on Connectivity.
    What do you see under "UserName"? Does it correspond to the domain or does it have your internal domain?

    Secondly, fire up Azure AD PowerShell. Do a lookup on the Azure AD User object for your sync service account. Do you see any value stamped on its ImmutableId attribute?


    Chun Yong

    Monday, April 3, 2017 4:12 PM
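
The lookup suggested in the last reply, as an added example that is not part of the original thread. It assumes "Azure AD PowerShell" means the MSOnline module and that the sync service account is a member of the built-in "Directory Synchronization Accounts" role. For each such account it reports the UPN domain, whether that domain is Managed or Federated, and whether ImmutableId is stamped.

```powershell
# Added example (not from the thread). Requires the MSOnline module and an
# interactive sign-in with a tenant administrator account.
Import-Module MSOnline
Connect-MsolService

# Map every domain in the tenant to its authentication type (Managed / Federated).
$domainAuth = @{}
Get-MsolDomain | ForEach-Object { $domainAuth[$_.Name.ToLower()] = $_.Authentication }

# Assumption: the Azure AD Connect cloud account holds this built-in role.
$role = Get-MsolRole -RoleName 'Directory Synchronization Accounts'

Get-MsolRoleMember -RoleObjectId $role.ObjectId |
    Where-Object { $_.RoleMemberType -eq 'User' } |
    ForEach-Object {
        $user   = Get-MsolUser -ObjectId $_.ObjectId
        $suffix = ($user.UserPrincipalName -split '@')[-1].ToLower()
        $auth   = $domainAuth[$suffix]
        $hasId  = -not [string]::IsNullOrEmpty($user.ImmutableId)

        # A username/password sign-in for a UPN on a Federated domain is sent
        # to the federation service instead of being validated by Azure AD.
        $finding = if ($auth -eq 'Federated') {
            'UPN is on a Federated domain: sign-in for this account goes to AD FS'
        } elseif ($null -eq $auth) {
            'UPN domain not found in Get-MsolDomain output'
        } else {
            'UPN is on a Managed domain: sign-in is validated by Azure AD'
        }

        [pscustomobject]@{
            UserPrincipalName    = $user.UserPrincipalName
            UpnDomain            = $suffix
            DomainAuthentication = $auth
            ImmutableId          = $user.ImmutableId
            HasImmutableId       = $hasId
            LastDirSyncTime      = $user.LastDirSyncTime
            Finding              = $finding
        }
    } | Format-List
```

Compare the UserPrincipalName in the output with the "UserName" shown on the connector's Connectivity page in Synchronization Service Manager.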