AAD Connect Seamless Single Sign On failed with "failed to create single sign-on secret for true"

  • Question

  • Hi @all,

    I have a question / problem I have been working on for several days now.

    I did some tests myself and a lot of research, but I found nothing comparable.

    I wanted to change my Azure AD Connect from federated authentication to seamless single sign on with pass-through.
    After I changed the options in the Azure AD Connect wizard, I got an error "failed to create single sign-on secret for true".
    Pass-through was activated and works fine. Seamless SSO was enabled too, but the local domain computer account "AZUREADSSOACC" was created in the default computer OU and deleted after the wizard reported the error.

    As I said, I did a lot of research and I tried to enable seamless SSO through PowerShell.

    When I ran "Enable-AzureADSSOForest -OnPremCredentials $creds" with the credentials of a domain admin I got the following output:

    [17:11:29.814] [  6] [INFORMATIONAL] GetDefaultWellKnownContainer: Attempting to look up the default well-known container...
    [17:11:29.830] [  6] [INFORMATIONAL] GetDefaultWellKnownContainer: Found the default well-known container: CN=Computers,DC=DOMAIN,DC=local
    [17:11:30.095] [  6] [INFORMATIONAL] No conflicts found for the reserved SPNs and computer account display name.
    [17:11:30.095] [  6] [INFORMATIONAL] Creating computer account in CN=Computers,DC=DOMAIN,DC=local (DOMAIN.local)...
    [17:11:30.127] [  6] [INFORMATIONAL] Setting password for computer account with DN 'CN=AZUREADSSOACC,CN=Computers,DC=DOMAIN,DC=local'...
    Exception Data (Raw): System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.UnauthorizedAccessException: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
       --- End of inner exception stack trace ---
       at System.DirectoryServices.DirectoryEntry.Invoke(String methodName, Object[] args)
       at Microsoft.KerberosAuth.KerberosAuthInterface.OnPremiseOperations.LdapClientProvider.SetPassword(String dn, String password, OnPremAuthenticationContext onPremAuthenticationContext)
       at Microsoft.KerberosAuth.KerberosAuthInterface.OnPremKerberosAuthProvider.CreateComputerAccount(OnPremAuthenticationContext onPremAuthenticationContext, String containerOu)
    [17:11:30.142] [  6] [INFORMATIONAL] DeleteComputerAccount: Locating SSO computer account with name 'AZUREADSSOACC'...
    [17:11:30.158] [  6] [INFORMATIONAL] DeleteComputerAccount: AZUREADSSOACC found in DOMAIN.local. Deleting...
    Enable-AzureADSSOForest : Exception has been thrown by the target of an invocation.
    At line:1 char:1
    + Enable-AzureADSSOForest -OnPremCredentials $creds
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Enable-AzureADSSOForest], TargetInvocationException
        + FullyQualifiedErrorId : System.Reflection.TargetInvocationException,Microsoft.KerberosAuth.Powershell.PowershellCommands.EnableAzureADSSOForestCommand


    I tried to run this command with another domain admin's credentials.
    I tried to create the computer object in another OU (with the parameter -ParentDN).
    I reinstalled Azure AD Connect just in case the AzureADSSO.psd1 is corrupt.

    We have only one forest with one domain. I mention that because I found solutions for similar problems regarding root and child domain.

    Unfortunately I have no idea how to solve the issue.

    Can anyone help me out?

    Thank you

    Kind regards

    Philipp

    Friday, February 22, 2019 4:25 PM

Answers

  • I successfully configured seamless single sign on !!!

    I don't know why the configuration did not work on the sync server. I also installed a second instance of Azure AD Connect on one of our ADFS servers with no firewall between ADFS and the DCs. That also didn't work.

    Now I tried importing the AzureADSSO.psd1 in a PowerShell session on the DC via the administrative share from the sync server (Import-Module "\\syncserver\c$\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"). On the DC I was able to configure seamless single sign on.

    There must be some policy or restriction (not firewall) in our environment that prevented the configuration via a member server.

    • Marked as answer by Philipp4711 Friday, April 26, 2019 6:56 AM
    Friday, April 26, 2019 6:56 AM

All replies

  • This can also happen if there is a firewall or something else preventing communication between the sync/adconnect server and the domain controller. 

    http://www.open-a-socket.com/index.php/2017/08/03/how-to-resolve-the-rpc-server-is-unavailable-when-enabling-seamless-single-sign-on/

    As you mentioned this can also happen if you have a service account in the subdomain rather than the root forest, but that does not seem to be the case with you since you only have one domain.

    Wednesday, February 27, 2019 8:21 PM
    Owner
  • Let me know if this helps at all.
    Friday, March 1, 2019 6:44 PM
    Owner
  • Sorry, I was a little busy.

    This was helpful because it was an idea, but unfortunately it did not solve my problem.

    I also disabled the antivirus, but I got the same error.

    Friday, April 5, 2019 9:51 AM
  • The error states that the account does not have permissions to set the password for the AZUREADSSOACC computer object (consisting of reset password and change password for computer objects).

    Please check the delegation settings on the default Computers container. It might be that the accounts that are members of the Domain Admins and/or Enterprise Admins group do not have these permissions or have these permissions denied due to organizational processes. You may need to add this permission (temporarily). These permissions are also needed when you want to roll over the Kerberos decryption key for the computer object.

    Monday, April 8, 2019 9:09 AM
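    One way to perform the delegation check suggested above: the added PowerShell below (not from the thread or from the Azure AD Connect tooling) lists every ACE on the container where AZUREADSSOACC gets created that grants or denies the "Reset Password" and "Change Password" extended rights, so a Deny entry that explains the E_ACCESSDENIED in the log stands out. It assumes the RSAT ActiveDirectory module and the AD: drive it provides; the container DN is taken from the log in the question.

    ```powershell
    # Added example: audit Reset/Change Password delegation on the container used
    # by Enable-AzureADSSOForest. Assumes the ActiveDirectory (RSAT) module.
    Import-Module ActiveDirectory

    # Container from the log above; AZUREADSSOACC is created here unless -ParentDN is used.
    $container = 'CN=Computers,DC=DOMAIN,DC=local'

    # Well-known extended-right GUIDs (the same in every forest).
    $rights = @{
        '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
        'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    }
    # schemaIDGUID of the computer class, so ACEs scoped to "descendant computer
    # objects" are matched as well as ACEs that apply to all object types.
    $computerClass = 'bf967a86-0de6-11d0-a285-00aa003049e2'
    $allTypes      = '00000000-0000-0000-0000-000000000000'

    function Get-SsoPasswordDelegation {
        param([string]$Path)
        $acl = Get-Acl -Path "AD:\$Path"
        $acl.Access |
            Where-Object {
                # Either an explicit extended right, or GenericAll/WriteDacl-style
                # rights that implicitly cover it (ObjectType is the empty GUID then).
                ($_.ActiveDirectoryRights -match 'ExtendedRight|GenericAll') -and
                ($_.ObjectType.Guid -in @($rights.Keys) -or $_.ObjectType.Guid -eq $allTypes) -and
                ($_.InheritedObjectType.Guid -in @($computerClass, $allTypes))
            } |
            Select-Object IdentityReference, AccessControlType,
                @{ n = 'Right'; e = {
                    if ($rights.ContainsKey($_.ObjectType.Guid)) { $rights[$_.ObjectType.Guid] }
                    else { $_.ActiveDirectoryRights }
                } },
                InheritanceType, IsInherited |
            # Deny ACEs first: a single Deny overrides any Allow for the same principal.
            Sort-Object AccessControlType -Descending
    }

    Get-SsoPasswordDelegation -Path $container | Format-Table -AutoSize
    ```

    A healthy default shows Allow entries for Domain Admins, Enterprise Admins and SYSTEM and no Deny rows; any Deny that matches the account passed to -OnPremCredentials (directly or via group membership) is what produces the SetPassword failure in the trace.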
  • Thank you for your advice.

    I checked the permissions several times and now again.

    Neither the domain admins nor my personal admin account, which is a member of the domain admins, have any restrictions. The effective permissions show full access with no exceptions. Reset password and change password are also enabled.

    I also temporarily granted my personal admin account, and after that Everyone, full access permissions on the default Computers OU (this object and all descendant objects) - no luck - same error.

    I also tried the PowerShell way (https://docs.microsoft.com/de-de/azure/active-directory/hybrid/tshoot-connect-sso) again, with and without the parameter "-ParentDN" - no luck - same error.

    Tuesday, April 9, 2019 5:16 PM