Troubleshoot Microsoft Entra Connect connectivity issues
This article explains how connectivity between Microsoft Entra Connect and Microsoft Entra ID works and how to troubleshoot connectivity issues. These issues are most likely to be seen in an environment that uses a proxy server.
Connectivity issues in the installation wizard
Microsoft Entra Connect uses the Microsoft Authentication Library (MSAL) for authentication. The installation wizard and the sync engine require machine.config to be properly configured because these two are .NET applications.
Note
Azure AD Connect v1.6.xx.x uses the Active Directory Authentication Library (ADAL). The ADAL is being deprecated and support will end in June 2022. We recommend that you upgrade to the latest version of Microsoft Entra Connect v2.
In this article, we show how Fabrikam connects to Microsoft Entra ID through its proxy. The proxy server is named fabrikamproxy and uses port 8080.
First, make sure that machine.config is correctly configured and that the Microsoft Entra ID Sync service has been restarted once after the machine.config file update.
Note
Some non-Microsoft blogs indicate you should make changes to miiserver.exe.config instead of the machine.config file. However, the miiserver.exe.config file is overwritten on every upgrade. Even if the file works during the initial installation, the system stops working during the first upgrade. For that reason, we recommend that you update machine.config as described in this article.
The proxy server must also have the required URLs opened. The official list is documented in Office 365 URLs and IP address ranges.
Of these URLs, the URLs listed in the following table are the absolute bare minimum to be able to connect to Microsoft Entra ID at all. This list doesn't include any optional features, such as password writeback. The information is provided here to help with troubleshooting for the initial configuration.
| URL | Port | Description |
|---|---|---|
mscrl.microsoft.com |
HTTP/80 | Used to download certificate revocation list (CRL) lists. |
*.verisign.com |
HTTP/80 | Used to download CRL lists. |
*.entrust.net |
HTTP/80 | Used to download CRL lists for multifactor authentication (MFA). |
*.management.core.chinacloudapi.cn (Azure Storage)*.graph.chinacloudapi.cn (Azure AD Graph) |
HTTPS/443 | Used for the various Azure services. |
secure.aadcdn.partner.microsoftonline-p.cn |
HTTPS/443 | Used for MFA. |
*.partner.microsoftonline.cn |
HTTPS/443 | Used to configure your Microsoft Entra directory and import/export data. |
*.chinacloudapi.cn |
HTTPS/443 | Used to configure your Microsoft Entra directory and import/export data. |
*.crl3.digicert.com |
HTTP/80 | Used to verify certificates. |
*.crl4.digicert.com |
HTTP/80 | Used to verify certificates. |
*.digicert.cn |
HTTP/80 | Used to verify certificates. |
*.ocsp.digicert.com |
HTTP/80 | Used to verify certificates. |
*.www.d-trust.net |
HTTP/80 | Used to verify certificates. |
*.root-c3-ca2-2009.ocsp.d-trust.net |
HTTP/80 | Used to verify certificates. |
*.crl.microsoft.com |
HTTP/80 | Used to verify certificates. |
*.oneocsp.microsoft.com |
HTTP/80 | Used to verify certificates. |
*.ocsp.msocsp.com |
HTTP/80 | Used to verify certificates. |
Errors in the wizard
The installation wizard uses two different security contexts. On the Connect to Microsoft Entra ID page, it uses the user who is currently signed in. On the Configure page, it changes to the account running the service for the sync engine. If an issue occurs, the error most likely will appear on the Connect to Microsoft Entra ID page in the wizard because the proxy configuration is global.
The following issues are the most common errors you might encounter in the installation wizard.
The installation wizard hasn't been correctly configured
This error appears when the wizard itself can't reach the proxy.
If you see this error, verify that the machine.config file is correctly configured. If machine.config looks correct, complete the steps in Verify proxy connectivity to see if the issue is also present outside the wizard.
A Microsoft account is used
If you use a Microsoft account instead of a school or organization account, you see a generic error:
The MFA endpoint can't be reached
This error appears if the endpoint https://secure.aadcdn.partner.microsoftonline-p.cn can't be reached and your Hybrid Identity Administrator has MFA enabled.
If you see this error, verify that the endpoint secure.aadcdn.partner.microsoftonline-p.cn has been added to the proxy.
The password can't be verified
If the installation wizard is successful in connecting to Microsoft Entra ID but the password itself can't be verified, you see this error:
Is the password a temporary password that must be changed? Is it actually the correct password? Try to sign in to https://login.partner.microsoftonline.cn on a different computer than the Microsoft Entra Connect server and verify that the account is usable.
Verify proxy connectivity
To check whether the Microsoft Entra Connect server is connecting to the proxy and the internet, use some PowerShell cmdlets to see if the proxy is allowing web requests. In PowerShell, run Invoke-WebRequest -Uri https://adminwebservice.partner.microsoftonline.cn/ProvisioningService.svc. (Technically, the first call is to https://login.partner.microsoftonline.cn, and this URI also works, but the other URI is quicker to respond.)
PowerShell uses the configuration in machine.config to contact the proxy. The settings in winhttp/netsh shouldn't affect these cmdlets.
If the proxy is correctly configured, a success status appears:
If you see the message Unable to connect to the remote server, PowerShell is trying to make a direct call without using the proxy or DNS isn't correctly configured. Make sure that the machine.config file is correctly configured.
If the proxy isn't correctly configured, a 403 or 407 error message appears:
The following table describes 403 and 407 proxy errors:
| Error | Error Text | Comment |
|---|---|---|
| 403 | Forbidden | The proxy hasn't been opened for the requested URL. Revisit the proxy configuration and make sure that the URLs have been opened. |
| 407 | Proxy Authentication Required | The proxy server required a sign-in and none was provided. If your proxy server requires authentication, make sure that you configured this setting in machine.config. Also make sure that you're using domain accounts for the user running the wizard and for the service account. |
Proxy idle timeout setting
When Microsoft Entra Connect sends an export request to Microsoft Entra ID, Microsoft Entra ID can take up to 5 minutes to process the request before generating a response. The response is especially likely to be delayed if many group objects that have large group memberships are included in the same export request. Ensure that the proxy idle timeout is configured to be greater than 5 minutes. Otherwise, you might have intermittent connectivity issues with Microsoft Entra ID on the Microsoft Entra Connect server.
Communication pattern between Microsoft Entra Connect and Microsoft Entra ID
If you've followed all the steps described in this article and you still can't connect, at this point you might look at network logs. This section describes a normal and successful connectivity pattern.
But first, here are some common concerns about data in the network logs that you can ignore:
- There are calls to
https://dc.services.visualstudio.com. It's not required to have this URL open in the proxy for the installation to succeed, and these calls can be ignored. - You see that DNS resolution lists the actual hosts as being in the DNS namespace
nsatc.netand other namespaces that aren't underpartner.microsoftonline.cn. However, there aren't any web service requests on the actual server names. You don't have to add these URLs to the proxy. - The endpoints
adminwebserviceandprovisioningapiare discovery endpoints, and they're used to find the actual endpoint to use. These endpoints are different depending on your region.
Reference proxy logs
The following example is a dump from an actual proxy log and the installation wizard page from where it was taken (duplicate entries to the same endpoint have been removed). This section can be used as a reference for your own proxy and network logs. The actual endpoints might be different in your environment (in particular, the URLs in italic).
Connect to Microsoft Entra ID
| Time | URL |
|---|---|
| 1/11/2016 8:31 | connect:/login.partner.microsoftonline.cn:443 |
| 1/11/2016 8:31 | connect://adminwebservice.partner.microsoftonline.cn:443 |
| 1/11/2016 8:32 | connect://bba800-anchor.partner.microsoftonline.cn:443 |
| 1/11/2016 8:32 | connect://login.partner.microsoftonline.cn:443 |
| 1/11/2016 8:33 | connect://provisioningapi.partner.microsoftonline.cn:443 |
| 1/11/2016 8:33 | connect://bwsc02-relay.partner.microsoftonline.cn:443 |
Configure
| Time | URL |
|---|---|
| 1/11/2016 8:43 | connect://login.partner.microsoftonline.cn:443 |
| 1/11/2016 8:43 | connect://bba800-anchor.partner.microsoftonline.cn:443 |
| 1/11/2016 8:43 | connect://login.partner.microsoftonline.cn:443 |
| 1/11/2016 8:44 | connect://adminwebservice.partner.microsoftonline.cn:443 |
| 1/11/2016 8:44 | connect://bba900-anchor.partner.microsoftonline.cn:443 |
| 1/11/2016 8:44 | connect://login.partner.microsoftonline.cn:443 |
| 1/11/2016 8:44 | connect://adminwebservice.partner.microsoftonline.cn:443 |
| 1/11/2016 8:44 | connect://bba800-anchor.partner.microsoftonline.cn:443 |
| 1/11/2016 8:44 | connect://login.partner.microsoftonline.cn:443 |
| 1/11/2016 8:46 | connect://provisioningapi.partner.microsoftonline.cn:443 |
| 1/11/2016 8:46 | connect://bwsc02-relay.partner.microsoftonline.cn:443 |
Initial sync
| Time | URL |
|---|---|
| 1/11/2016 8:48 | connect://login.chinacloudapi.cn:443 |
| 1/11/2016 8:49 | connect://adminwebservice.partner.microsoftonline.cn:443 |
| 1/11/2016 8:49 | connect://bba900-anchor.partner.microsoftonline.cn:443 |
| 1/11/2016 8:49 | connect://bba800-anchor.partner.microsoftonline.cn:443 |
Authentication errors
This section covers errors that might be returned from the ADAL and PowerShell. The error explanation should help you identify your next steps.
Invalid grant
You entered an invalid username or password. For more information, see The password can't be verified.
Unknown user type
Your Microsoft Entra directory can't be found or resolved. Maybe you tried to sign in with a username in an unverified domain?
User realm discovery failed
Network or proxy configuration issues. The network can't be reached. See Connectivity issues in the installation wizard.
User password expired
Your credentials have expired. Change your password.
Authorization failure
Microsoft Entra Connect failed to authorize the user to perform an action in Microsoft Entra ID.
Authentication canceled
The MFA challenge was canceled.
Connect to MSOnline failed
Authentication was successful, but Azure AD PowerShell has an authentication problem.
Privileged Identity Management enabled
Authentication was successful, but Privileged Identity Management has been enabled and the user currently isn't a Hybrid Identity Administrator. For more information, see Privileged Identity Management.
Company information unavailable
Authentication was successful, but company information couldn't be retrieved from Microsoft Entra ID.
Domain information unavailable
Authentication was successful, but domain information couldn't be retrieved from Microsoft Entra ID.
Unspecified authentication failure
Shown as Unexpected error in the installation wizard. This error might occur if you try to use a Microsoft account instead of a school or organization account.
Troubleshooting steps for earlier releases
In releases starting with build number 1.1.105.0 (released February 2016), the sign-in assistant was retired. Configuring the sign-in assistant should no longer be required, but the information in the next sections is included for reference.
For the single sign-in assistant to work, Microsoft Windows HTTP Services (WinHTTP) must be configured. You can configure WinHTTP by using netsh.
The sign-in assistant isn't configured correctly
This error appears when the sign-in assistant can't reach the proxy or the proxy isn't allowing the request.
If you see this error, look at the proxy configuration in netsh and verify that it's correct.
If the proxy configuration looks correct, complete the steps in Verify proxy connectivity to see if the issue occurs outside the wizard.
Next steps
Learn more about integrating your on-premises identities with Microsoft Entra ID.