Azure AD Connect: Troubleshoot Pass-through Authentication - Microsoft Entra (2023)


This article helps you find troubleshooting information about common issues regarding Azure AD Pass-through Authentication.

Important

If you are facing user sign-in issues with Pass-through Authentication, don't disable the feature or uninstall Pass-through Authentication Agents without having a cloud-only Global Administrator account or a Hybrid Identity Administrator account to fall back on. Learn about adding a cloud-only Global Administrator account. Doing this step is critical and ensures that you don't get locked out of your tenant.

General issues

Check status of the feature and Authentication Agents

Ensure that the Pass-through Authentication feature is still Enabled on your tenant and the status of Authentication Agents shows Active, and not Inactive. You can check status by going to the Azure AD Connect blade on the Entra admin center.


User-facing sign-in error messages

If the user is unable to sign in using Pass-through Authentication, they may see one of the following errors on the Azure AD sign-in screen:


Error: AADSTS80001
Description: Unable to connect to Active Directory
Resolution: Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and that they are able to connect to Active Directory.

Error: AADSTS80002
Description: A timeout occurred connecting to Active Directory
Resolution: Check to ensure that Active Directory is available and is responding to requests from the agents.

Error: AADSTS80004
Description: The username passed to the agent was not valid
Resolution: Ensure the user is attempting to sign in with the right username.

Error: AADSTS80005
Description: Validation encountered unpredictable WebException
Resolution: A transient error. Retry the request. If it continues to fail, contact Microsoft support.

Error: AADSTS80007
Description: An error occurred communicating with Active Directory
Resolution: Check the agent logs for more information and verify that Active Directory is operating as expected.

Users get invalid username/password error

This can happen when a user's on-premises UserPrincipalName (UPN) is different from the user's cloud UPN.

To confirm that this is the issue, first test that the Pass-through Authentication agent is working correctly:

  1. Create a test account.

  2. Import the PowerShell module on the agent machine:

    Import-Module "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1"

  3. Run the Invoke PowerShell command:

    Invoke-PassthroughAuthOnPremLogonTroubleshooter

  4. When you are prompted to enter credentials, enter the same username and password that are used to sign in to Azure AD (https://login.microsoftonline.com).

If you get the same username/password error, this means that the Pass-through Authentication agent is working correctly and the issue may be that the on-premises UPN is non-routable. To learn more, see Configuring Alternate Login ID.
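The following script is an added example and is not part of the Microsoft article or the PassthroughAuthPSModule. It reads a user's on-premises UPN with the ActiveDirectory RSAT module (assumed to be installed) and checks whether the UPN suffix is one of the tenant's verified domains, which the caller supplies; any suffix not in that list is replaced with the default .onmicrosoft.com suffix when the account is synchronized, which produces exactly the cloud-versus-on-premises UPN mismatch described above. The function name, parameter names and the sample domain list are all assumptions for this example.

```powershell
# Added example (not from the Microsoft article): compare a user's on-premises
# UPN suffix against the tenant's verified domains to spot the mismatched or
# non-routable UPN case. Assumes the ActiveDirectory RSAT module is available.
#Requires -Modules ActiveDirectory

function Test-PtaUpnRoutability {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Constructed placeholder list; replace with your tenant's verified domains
        # (Entra admin center > Custom domain names).
        [string[]] $VerifiedDomains = @('contoso.com', 'contoso.onmicrosoft.com')
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties UserPrincipalName

    if (-not $user.UserPrincipalName) {
        return [pscustomobject]@{
            User = $SamAccountName; Upn = $null; Suffix = $null; Routable = $false
            Note = 'No UPN set on the on-premises account'
        }
    }

    # Everything after the first '@' is the suffix that must be a verified domain.
    $suffix   = ($user.UserPrincipalName -split '@', 2)[1]
    $routable = $VerifiedDomains -contains $suffix   # case-insensitive in PowerShell

    $note = if ($routable) {
        'Suffix is a verified domain; the cloud UPN should match the on-premises UPN'
    } else {
        'Suffix is not a verified domain; the cloud UPN gets the default .onmicrosoft.com suffix. ' +
        'Verify the domain in the tenant or configure Alternate Login ID.'
    }

    [pscustomobject]@{
        User     = $SamAccountName
        Upn      = $user.UserPrincipalName
        Suffix   = $suffix
        Routable = $routable
        Note     = $note
    }
}

# Usage (the account name and domain are constructed samples):
# Test-PtaUpnRoutability -SamAccountName 'jdoe' -VerifiedDomains @('contoso.com')
```

If the troubleshooter in step 3 succeeds but this check reports a non-verified suffix, the sign-in failure is the UPN mismatch rather than an agent fault, which is the branch the paragraph above points to Alternate Login ID for.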

Important

Being domain joined is a requirement listed in Azure AD Connect: Prerequisites; if the Azure AD Connect server isn't domain joined, this invalid username/password issue occurs.


Sign-in failure reasons on the Azure portal (needs Premium license)

If your tenant has an Azure AD Premium license associated with it, you can also look at the sign-in activity report on the Entra admin center.

Navigate to Azure Active Directory -> Sign-ins on the Azure portal and click a specific user's sign-in activity. Look for the SIGN-IN ERROR CODE field. Map the value of that field to a failure reason and resolution using the following table:

Sign-in error code: 50144
Sign-in failure reason: User's Active Directory password has expired.
Resolution: Reset the user's password in your on-premises Active Directory.

Sign-in error code: 80001
Sign-in failure reason: No Authentication Agent available.
Resolution: Install and register an Authentication Agent.

Sign-in error code: 80002
Sign-in failure reason: Authentication Agent's password validation request timed out.
Resolution: Check if your Active Directory is reachable from the Authentication Agent.

Sign-in error code: 80003
Sign-in failure reason: Invalid response received by Authentication Agent.
Resolution: If the problem is consistently reproducible across multiple users, check your Active Directory configuration.

Sign-in error code: 80004
Sign-in failure reason: Incorrect User Principal Name (UPN) used in sign-in request.
Resolution: Ask the user to sign in with the correct username.

Sign-in error code: 80005
Sign-in failure reason: Authentication Agent: Error occurred.
Resolution: Transient error. Try again later.

Sign-in error code: 80007
Sign-in failure reason: Authentication Agent unable to connect to Active Directory.
Resolution: Check if your Active Directory is reachable from the Authentication Agent.

Sign-in error code: 80010
Sign-in failure reason: Authentication Agent unable to decrypt password.
Resolution: If the problem is consistently reproducible, install and register a new Authentication Agent, and uninstall the current one.

Sign-in error code: 80011
Sign-in failure reason: Authentication Agent unable to retrieve decryption key.
Resolution: If the problem is consistently reproducible, install and register a new Authentication Agent, and uninstall the current one.

Sign-in error code: 80014
Sign-in failure reason: Validation request responded after maximum elapsed time exceeded.
Resolution: Authentication Agent timed out. Open a support ticket with the error code, correlation ID, and timestamp to get more details on this error.

Important

Pass-through Authentication Agents authenticate Azure AD users by validating their usernames and passwords against Active Directory by calling the Win32 LogonUser API. As a result, if you have set the "Logon To" setting in Active Directory to limit workstation logon access, you will have to add servers hosting Pass-through Authentication Agents to the list of "Logon To" servers as well. Failing to do this will block your users from signing into Azure AD.
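Because the "Logon To" restriction lives in the user's LogonWorkstations attribute, the gap described above can be found before users hit it. The script below is an added example, not part of the Microsoft article: it lists every user whose LogonWorkstations restriction is set but does not include the Pass-through Authentication Agent hosts. It assumes the ActiveDirectory RSAT module; the function name and the agent host names passed in are assumptions for this example.

```powershell
# Added example (not from the Microsoft article): find users whose "Logon To"
# restriction (LogonWorkstations attribute, a comma-separated list of NetBIOS
# names) omits the servers that host Pass-through Authentication Agents.
#Requires -Modules ActiveDirectory

function Get-PtaLogonToGaps {
    [CmdletBinding()]
    param(
        # NetBIOS names of the PTA agent hosts (constructed placeholders in the usage line).
        [Parameter(Mandatory)] [string[]] $AgentServers,
        # Optional OU to limit the search.
        [string] $SearchBase
    )

    $params = @{
        Filter     = 'LogonWorkstations -like "*"'   # only users that have a restriction at all
        Properties = 'LogonWorkstations', 'UserPrincipalName'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @params) {
        $allowed = $user.LogonWorkstations -split ',' | ForEach-Object { $_.Trim() }
        # Users without a restriction can log on anywhere, so only restricted users are a risk.
        $missing = $AgentServers | Where-Object { $allowed -notcontains $_ }
        if ($missing) {
            [pscustomobject]@{
                User                = $user.SamAccountName
                Upn                 = $user.UserPrincipalName
                AllowedWorkstations = $allowed -join ','
                MissingAgentHosts   = $missing -join ','
            }
        }
    }
}

# Usage (server names are constructed samples):
# Get-PtaLogonToGaps -AgentServers 'PTA01', 'PTA02' | Format-Table -AutoSize
```

Each reported user will fail cloud sign-in through Pass-through Authentication until the missing agent hosts are appended to the attribute (for example with Set-ADUser -LogonWorkstations); an empty result means no user is affected by this particular restriction.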

Authentication Agent installation issues

An unexpected error occurred

Collect agent logs from the server and contact Microsoft Support with your issue.

Authentication Agent registration issues

Registration of the Authentication Agent failed due to blocked ports

Ensure that the server on which the Authentication Agent has been installed can communicate with our service URLs and ports listed here.

Registration of the Authentication Agent failed due to token or account authorization errors

Ensure that you use a cloud-only Global Administrator account or a Hybrid Identity Administrator account for all Azure AD Connect or standalone Authentication Agent installation and registration operations. There is a known issue with MFA-enabled Global Administrator accounts; turn off MFA temporarily (only to complete the operations) as a workaround.

An unexpected error occurred

Collect agent logs from the server and contact Microsoft Support with your issue.


Authentication Agent uninstallation issues

Warning message when uninstalling Azure AD Connect

If you have Pass-through Authentication enabled on your tenant and you try to uninstall Azure AD Connect, it shows you the following warning message: "Users will not be able to sign-in to Azure AD unless you have other Pass-through Authentication agents installed on other servers."

Ensure that your setup is highly available before you uninstall Azure AD Connect to avoid breaking user sign-in.

Issues with enabling the feature

Enabling the feature failed because there were no Authentication Agents available

You need to have at least one active Authentication Agent to enable Pass-through Authentication on your tenant. You can install an Authentication Agent by either installing Azure AD Connect or a standalone Authentication Agent.

Enabling the feature failed due to blocked ports

Ensure that the server on which Azure AD Connect is installed can communicate with our service URLs and ports listed here.

Enabling the feature failed due to token or account authorization errors

Ensure that you use a cloud-only Global Administrator account when enabling the feature. There is a known issue with multi-factor authentication (MFA)-enabled Global Administrator accounts; turn off MFA temporarily (only to complete the operation) as a workaround.

Collecting Pass-through Authentication Agent logs

Depending on the type of issue you may have, you need to look in different places for Pass-through Authentication Agent logs.

Azure AD Connect logs

For errors related to installation, check the Azure AD Connect logs at %ProgramData%\AADConnect\trace-*.log.

Authentication Agent event logs

For errors related to the Authentication Agent, open up the Event Viewer application on the server and check under Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin.

For detailed analytics, enable the "Session" log (right-click inside the Event Viewer application to find this option). Don't run the Authentication Agent with this log enabled during normal operations; use only for troubleshooting. The log contents are only visible after the log is disabled again.

Detailed trace logs

To troubleshoot user sign-in failures, look for trace logs at %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\. These logs include reasons why a specific user sign-in failed using the Pass-through Authentication feature. These errors are also mapped to the sign-in failure reasons shown in the preceding sign-in failure reasons table. Following is an example log entry:


    AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough Authentication request failed. RequestId: 'df63f4a4-68b9-44ae-8d81-6ad2d844d84e'. Reason: '1328'. ThreadId=5 DateTime=xxxx-xx-xxTxx:xx:xx.xxxxxxZ

You can get descriptive details of the error ('1328' in the preceding example) by opening up the command prompt and running the following command (Note: Replace '1328' with the actual error number that you see in your logs):

    Net helpmsg 1328
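When a trace directory holds many failures, resolving each Reason by hand with net helpmsg is slow. The script below is an added example, not code from the Microsoft article: it extracts the RequestId and Reason from trace lines in the format shown above and resolves the numeric reason through the same Win32 error-message table that net helpmsg reads, via System.ComponentModel.Win32Exception. The function names are assumptions, and the two sample lines are constructed (made-up GUIDs and timestamps) so the script runs without a real trace file.

```powershell
# Added example (not from the Microsoft article): parse Authentication Agent
# trace-log failure lines and resolve the Win32 reason code to its message.

function ConvertFrom-PtaTraceLine {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Line)
    process {
        $m = [regex]::Match($Line, "RequestId: '(?<id>[0-9a-fA-F-]+)'\. Reason: '(?<code>\d+)'")
        if (-not $m.Success) { return }    # not a failure line in the expected format
        $code = [int]$m.Groups['code'].Value
        [pscustomobject]@{
            RequestId = $m.Groups['id'].Value
            Reason    = $code
            # Same lookup "net helpmsg <code>" performs (FormatMessage on the Win32 error table).
            Message   = ([System.ComponentModel.Win32Exception]::new($code)).Message
        }
    }
}

function Get-PtaTraceFailures {
    param(
        # Default is the trace directory named above; override to analyse a copied log set.
        [string] $TracePath = "$env:ProgramData\Microsoft\Azure AD Connect Authentication Agent\Trace"
    )
    Get-ChildItem -Path $TracePath -Filter '*.log' -ErrorAction Stop |
        Select-String -Pattern 'Passthrough Authentication request failed' |
        ForEach-Object { $_.Line } |
        ConvertFrom-PtaTraceLine
}

# Constructed sample lines in the format shown above (GUIDs and timestamps are made up).
$sampleLines = @(
    "AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough Authentication request failed. RequestId: '11111111-2222-3333-4444-555555555555'. Reason: '1328'. ThreadId=5 DateTime=2023-01-01T00:00:00.0000000Z",
    "AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough Authentication request failed. RequestId: '66666666-7777-8888-9999-000000000000'. Reason: '1330'. ThreadId=7 DateTime=2023-01-01T00:01:00.0000000Z"
)

# Resolve the sample lines; on an agent server use Get-PtaTraceFailures instead.
$sampleLines | ConvertFrom-PtaTraceLine | Format-Table -AutoSize
```

Grouping the output by Reason (Group-Object Reason) gives a quick picture of whether a burst of failures is one cause, such as expired passwords, or a mix; the message text is localized to the server, as it is for net helpmsg.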


Domain Controller logs

If audit logging is enabled, additional information can be found in the security logs of your Domain Controllers. A simple way to query sign-in requests sent by Pass-through Authentication Agents is as follows:

    <QueryList>
      <Query Id="0" Path="Security">
        <Select Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe')]]</Select>
      </Query>
    </QueryList>
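The XPath query above can be pasted into Event Viewer's custom view, but it is just as usable from PowerShell. The following script is an added example and not part of the Microsoft article: it runs that exact query with Get-WinEvent, unpacks the named EventData fields from each event, and leaves the result in a shape that can be grouped per account. It assumes audit logging is enabled, that the agent is installed at the default path used in the query, and that the caller points it at whichever server records the events; the function name and parameters are assumptions.

```powershell
# Added example (not from the Microsoft article): run the Security-log query
# shown above through Get-WinEvent and flatten the EventData fields.

function Get-PtaSecurityEvents {
    [CmdletBinding()]
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $MaxEvents    = 500
    )

    # The query from the article, unchanged: events whose ProcessName is the agent service.
    $filterXml = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe')]]</Select>
  </Query>
</QueryList>
'@

    Get-WinEvent -ComputerName $ComputerName -FilterXml $filterXml -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $evt = $_
            # Pull every named <Data Name="..."> element out of the event XML.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            $outcome = switch ($evt.Id) {
                4624    { 'Success' }   # An account was successfully logged on
                4625    { 'Failure' }   # An account failed to log on
                default { 'Other' }
            }

            [pscustomobject]@{
                Time      = $evt.TimeCreated
                EventId   = $evt.Id
                Outcome   = $outcome
                Account   = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                Status    = $data['Status']      # NTSTATUS on 4625, e.g. bad password vs. locked out
                SubStatus = $data['SubStatus']
                LogonType = $data['LogonType']
            }
        }
}

# Usage: failures per account, most frequent first (run where the events are recorded).
# Get-PtaSecurityEvents | Where-Object Outcome -eq 'Failure' |
#     Group-Object Account | Sort-Object Count -Descending | Select-Object Count, Name
```

Sorting failures per account this way separates a single user with an expired or mistyped password from a pattern across many accounts, which is the case the 80003 row in the sign-in failure table tells you to treat as a directory configuration problem.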

Performance Monitor counters

Another way to monitor Authentication Agents is to track specific Performance Monitor counters on each server where the Authentication Agent is installed. Use the following Global counters (# PTA authentications, # PTA failed authentications and # PTA successful authentications) and Error counters (# PTA authentication errors):


Important

Pass-through Authentication provides high availability using multiple Authentication Agents, not load balancing. Depending on your configuration, not all Authentication Agents receive a roughly equal number of requests; a specific Authentication Agent may receive no traffic at all.

FAQs

How do I troubleshoot connectivity issues with Azure AD Connect?

Start the Azure AD Connect wizard. Go to Additional Tasks > Troubleshoot, and then select Next. On the Troubleshooting page, select Launch to start the troubleshooting menu in PowerShell. In the main menu, select Troubleshoot Object Synchronization.

How do I enable pass through authentication in Azure AD Connect?

Sign in to the Entra admin center with the Hybrid Identity Administrator credentials for your tenant. Select Azure Active Directory. Select Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled.

How do I test pass through authentication?

From the Azure portal, in the left pane, click Azure Active Directory > Azure AD Connect. Verify that the Pass-through authentication feature appears as Enabled. Click Pass-through authentication. The Pass-through authentication pane lists the servers where your Authentication Agents are installed.

What happens when you exhaust the maximum failed attempts for authenticating yourself via Azure AD?

Lockout state across Azure AD data centers is synchronized. However, the total number of failed sign-in attempts allowed before an account is locked out will have slight variance from the configured lockout threshold. Once an account is locked out, it will be locked out everywhere across all Azure AD data centers.

What are the common issues with AD Connect?

Azure AD Connect requires proper installation and configuration to function properly. Common issues include incorrect credentials, network connectivity issues, and firewall settings.

How do I check my Azure AD Connect sync errors?

Sign in to the Microsoft 365 admin center with a global administrator account. On the Home page, you'll see the User management card. On the card, choose Sync errors under Azure AD Connect to see the errors on the Directory sync errors page.

What is the difference between password synchronization and pass-through authentication?

Password hash synchronization: synchronizes the hash of a user's Azure AD and on-premises Active Directory passwords. Pass-through authentication: allows users to authenticate with the same password on both Azure AD and on-premises Active Directory.

How does Azure AD pass-through authentication work?

The user enters their password into the Azure AD sign-in page, and then selects the Sign in button. Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.

What is the difference between pass-through authentication and federation?

Pass-through Authentication and federation rely on on-premises infrastructure. For pass-through authentication, the on-premises footprint includes the server hardware and networking the Pass-through Authentication agents require. For federation, the on-premises footprint is even larger.

What are 4 ways to authenticate?

In authentication, the user or computer has to prove its identity to the server or client. Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.

What are the 3 ways 2 factor authentication is demonstrated?

Two-factor authentication for mobile devices

Some devices can recognize fingerprints, use the built-in camera for facial recognition or iris scanning, and use the microphone for voice recognition.

What happens when authentication fails?

If you receive this error message, that means that the username and/or password that you have entered is incorrect.

What might be the result of too many failed login attempts?

Repeated failure to enter a valid Windows/Mac user name and password can result in IP Lockout. This means you won't be able to continue to attempt to log in from the same computer until the lockout is resolved.

How many invalid logon attempts are permitted before the account becomes locked?

Windows security baselines recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. Using this type of policy must be accompanied by a process to unlock locked accounts.

How do I reset my Azure AD authentication?

Sign in to the Azure portal. Search for and select Azure Active Directory, then select Password reset from the menu on the left side. From the Properties page, under the option Self service password reset enabled, select None. To apply the SSPR change, select Save.

How do I fix Azure AD Connect sync errors?

To resolve this issue:
  1. Remove the Azure AD account (owner) from all admin roles.
  2. Hard delete the quarantined object in the cloud.
  3. The next sync cycle will take care of soft-matching the on-premises user to the cloud account because the cloud user is now no longer a Hybrid Identity Administrator.

How do I know if my Azure AD Connect is working?

You can check the status in the Microsoft 365 admin center. If there are no errors present, the DirSync or Azure AD Connect Status icon appears as a green circle (successful).

How do I check my Azure AD Connect logs?

To view all events that are related to directory synchronization, follow these steps:
  1. Open Event Viewer.
  2. Expand Windows Logs, and then expand Application.
  3. In the Actions pane, select Filter Current Log.
  4. In the Event sources box, select the Directory Synchronization check box.
  5. Select OK.

How do I force a sync in Azure AD Connect?

Use the following steps to force a remote synchronization of AD and Azure:
  1. Use the Enter-PSSession command to connect to your Azure AD Connect server.
  2. Perform a delta synchronization using the Start-ADSyncSyncCycle command.
  3. Exit the PSSession to kill the connection to your Azure AD Connect server.

What is the default sync for Azure AD Connect?

The new default synchronization frequency is 30 minutes. The scheduler is responsible for two tasks: Synchronization cycle.

How frequently does Azure AD Connect sync?

How Often? Once every 30 minutes, the Azure AD synchronization is triggered, unless it is still processing the last run. Runs generally take less than 10 minutes, but if we need to replace the tool, it can take 2-3 days to get into synchronicity.

What are two possible vulnerabilities when login password authentication is used?

11 Most Common Authentication Vulnerabilities
  • Flawed Brute-Force Protection. ...
  • Weak Login Credentials. ...
  • Username Enumeration. ...
  • HTTP Basic Authentication. ...
  • Poor Session Management. ...
  • Staying Logged In. ...
  • SQL Injection. ...
  • Unsecure Password Change and Recovery.

What are the three main threats associated with the use of passwords for authentication?

User-Generated Credentials. Down Brute-Force Attacks. Recycled Passwords. Large-Scale Breaches.

Which three authentication methods can Azure AD users use?

Available verification methods
  • Microsoft Authenticator.
  • Authenticator Lite (in Outlook)
  • Windows Hello for Business.
  • FIDO2 security key.
  • OATH hardware token (preview)
  • OATH software token.
  • SMS.
  • Voice call.

What are the key benefits of using Azure AD pass through authentication?

Key benefits of using Azure AD Pass-through Authentication
  • Great user experience. Users use the same passwords to sign into both on-premises and cloud-based applications. ...
  • Easy to deploy & administer. No need for complex on-premises deployments or network configuration. ...
  • Secure. ...
  • Highly available.

What is the difference between Azure ADFS and passthrough authentication?

Pass-through authentication is an alternative to AD FS and password hash synchronization in Azure AD. This technology allows users to access cloud apps after authenticating against the local Active Directory. The configuration of pass-through authentication is less complex than that of AD FS, for example.

Which protocol is most commonly used for federated authentication systems?

The SAML protocol simplifies password management and user authentication in a federated system. It uses Extensible Markup Language (XML) to standardize communications between multiple systems.

Is federated authentication same as SSO?

The key difference between SSO and FIM is while SSO is designed to authenticate a single credential across various systems within one organization, federated identity management systems offer single access to a number of applications across various enterprises.

What are the 3 methods of authentication?

Authentication factors can be classified into three groups: something you know: a password or personal identification number (PIN); something you have: a token, such as a bank card; something you are: biometrics, such as fingerprints and voice recognition.

What are the 3 A's of authentication?

Authentication, authorization, and accounting (AAA).

Which are the 3 ways of authenticating user identity?

5 Common Authentication Types
  • Password-based authentication. Passwords are the most common methods of authentication. ...
  • Multi-factor authentication. ...
  • Certificate-based authentication. ...
  • Biometric authentication. ...
  • Token-based authentication.

What is the strongest form of two-factor authentication?

FIDO U2F is the most secure form of 2FA that prevents against password cracking, man-in-the-middle, and phishing attacks. Learn more about FIDO U2F here. There are many forms of 2FA, some of which are stronger than others.

What is the best method of two-factor authentication?

Top 7 2FA Security Best Practices to Follow in 2023
  1. Enable 2FA for All Your Users Without Exceptions. ...
  2. Require Users to Use WebAuthn/U2F Security Keys or Authenticator Apps. ...
  3. Ask Users to Enable Biometric Lock on their Authenticator Apps. ...
  4. Use Adaptive MFA Policies. ...
  5. Combine 2FA With Zero Trust. ...
  6. Couple 2FA With SSO.

What are the two most commonly used authentication factors in multifactor authentication?

Authentication using two or more factors to achieve authentication. Factors include: (i) something you know (e.g. password/personal identification number (PIN)); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). See authenticator.

How do I test Azure connectivity?

Test connectivity between two connected virtual machines
  1. Sign in to the Azure portal.
  2. In the search box at the top of the portal, enter network watcher. Select Network Watcher in the search results.
  3. Under Network diagnostic tools, select Connection troubleshoot. ...
  4. Select Test connection.

How do I check my Azure AD Connect health?

View the health status
  1. In the Azure portal, search for and select Azure AD Domain Services.
  2. Select your managed domain, such as aaddscontoso.com.
  3. On the left-hand side of the Azure AD DS resource window, select Health.

Last Updated: 01/07/2023

Views: 6065

Rating: 4.2 / 5 (73 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Kelle Weber

Birthday: 2000-08-05

Address: 6796 Juan Square, Markfort, MN 58988

Phone: +8215934114615

Job: Hospitality Director

Hobby: tabletop games, Foreign language learning, Leather crafting, Horseback riding, Swimming, Knapping, Handball

Introduction: My name is Kelle Weber, I am a magnificent, enchanting, fair, joyous, light, determined, joyous person who loves writing and wants to share my knowledge and understanding with you.