排查 Azure AD 连接问题Troubleshoot Azure AD connectivity

本文说明 Azure AD Connect 与 Azure AD 之间的连接的工作方式,以及如何排查连接问题。This article explains how connectivity between Azure AD Connect and Azure AD works and how to troubleshoot connectivity issues. 这些问题很有可能出现在包含代理服务器的环境中。These issues are most likely to be seen in an environment with a proxy server.

在安装向导中排查连接问题Troubleshoot connectivity issues in the installation wizard

Azure AD Connect 使用现代身份验证(使用 ADAL 库)来进行身份验证。Azure AD Connect is using Modern Authentication (using the ADAL library) for authentication. 安装向导和同步引擎要求正确配置 machine.config,因为这二者是 .NET 应用程序。The installation wizard and the sync engine proper require machine.config to be properly configured since these two are .NET applications.

在本文中,我们说明了 Fabrikam 如何通过其代理连接到 Azure AD。In this article, we show how Fabrikam connects to Azure AD through its proxy. 代理服务器名为 fabrikamproxy,并使用端口 8080。The proxy server is named fabrikamproxy and is using port 8080.

首先,我们需要确保正确配置 machine.configFirst we need to make sure machine.config is correctly configured.
machineconfigmachineconfig

Note

某些非 Microsoft 博客提到,应该对 miiserver.exe.config 进行更改。In some non-Microsoft blogs, it is documented that changes should be made to miiserver.exe.config instead. 但是,每次升级都会覆盖此文件,因此,尽管系统在初始安装期间可正常工作,但首次升级时会停止工作。However, this file is overwritten on every upgrade so even if it works during initial install, the system stops working on first upgrade. 出于此原因,建议改为更新 machine.config。For that reason, the recommendation is to update machine.config instead.

还必须在代理服务器上打开所需的 URL。The proxy server must also have the required URLs opened. Office 365 URL 和 IP 地址范围中提供了正式列表。The official list is documented in Office 365 URLs and IP address ranges.

下表列出了连接到 Azure AD 时最起码需要的那部分 URL。Of these URLs, the following table is the absolute bare minimum to be able to connect to Azure AD at all. 此列表未包括任何可选功能。This list does not include any optional features. 本文中描述这些功能是为了帮助排查初始配置问题。It is documented here to help in troubleshooting for the initial configuration.

URLURL 端口Port 说明Description
mscrl.microsoft.commscrl.microsoft.com HTTP/80HTTP/80 用于下载 CRL 列表。Used to download CRL lists.
*.verisign.com*.verisign.com HTTP/80HTTP/80 用于下载 CRL 列表。Used to download CRL lists.
*.entrust.net*.entrust.net HTTP/80HTTP/80 用于为 MFA 下载 CRL 列表。Used to download CRL lists for MFA.
*.chinacloudapi.cn*.chinacloudapi.cn HTTPS/443HTTPS/443 用于登录 Azure AD。Used to sign in to Azure AD.
secure.aadcdn.parter.microsoftonline-p.cnsecure.aadcdn.parter.microsoftonline-p.cn HTTPS/443HTTPS/443 用于 MFA。Used for MFA.
*.partner.microsoftonline.cn*.partner.microsoftonline.cn HTTPS/443HTTPS/443 用于配置 Azure AD 目录并导入/导出数据。Used to configure your Azure AD directory and import/export data.

向导中的错误Errors in the wizard

安装向导使用两种不同的安全性上下文。The installation wizard is using two different security contexts. 在“连接到 Azure AD”页上,使用的是当前登录的用户。On the page Connect to Azure AD, it is using the currently signed in user. 在“配置”页上,改为运行同步引擎服务的帐户On the page Configure, it is changing to the account running the service for the sync engine. 如果出现问题,该问题很有可能已显示在向导中的“连接到 Azure AD”页上,因为代理配置是全局性的。If there is an issue, it appears most likely already at the Connect to Azure AD page in the wizard since the proxy configuration is global.

以下问题是在安装向导中遇到的最常见错误。The following issues are the most common errors you encounter in the installation wizard.

未正确配置安装向导The installation wizard has not been correctly configured

当向导本身无法访问代理时,会出现此错误。This error appears when the wizard itself cannot reach the proxy.
nomachineconfig

  • 如果看到此错误,请检查是否已正确配置 machine.configIf you see this error, verify the machine.config has been correctly configured.
  • 如果配置看起来正确,请按照 验证代理连接 中的步骤,查看问题是否也出现在向导外部的位置。If that looks correct, follow the steps in Verify proxy connectivity to see if the issue is present outside the wizard as well.

使用 Microsoft 帐户A Microsoft account is used

如果使用的是 Microsoft 帐户而不是学校或组织帐户,将会看到一个常规错误。If you use a Microsoft account rather than a school or organization account, you see a generic error.
A Microsoft Account is usedA Microsoft Account is used

无法访问 MFA 终结点The MFA endpoint cannot be reached

如果无法访问终结点 https://secure.aadcdn.parter.microsoftonline-p.cn,并且全局系统管理员启用了 MFA,则会出现此错误。This error appears if the endpoint https://secure.aadcdn.parter.microsoftonline-p.cn cannot be reached and your global admin has MFA enabled.
nomachineconfignomachineconfig

  • 如果看到此错误,请验证是否已将 secure.aadcdn.parter.microsoftonline-p.cn 终结点添加到代理。If you see this error, verify that the endpoint secure.aadcdn.parter.microsoftonline-p.cn has been added to the proxy.

无法验证密码The password cannot be verified

如果安装向导已成功连接到 Azure AD,但无法验证密码本身,则会看到此错误:If the installation wizard is successful in connecting to Azure AD, but the password itself cannot be verified you see this error:
密码不正确。

  • 密码是否为临时密码并且必须更改?Is the password a temporary password and must be changed? 它是否确实为正确的密码?Is it actually the correct password? 请尝试登录到 https://login.partner.microsoftonline.cn (在 Azure AD Connect 服务器以外的另一台计算机上),并验证该帐户是否可用。Try to sign in to https://login.partner.microsoftonline.cn (on another computer than the Azure AD Connect server) and verify the account is usable.

验证代理连接Verify proxy connectivity

要验证 Azure AD Connect 服务器是否确实与代理和 Internet 建立了连接,可使用一些 PowerShell 来查看代理是否允许 Web 请求。To verify if the Azure AD Connect server has actual connectivity with the Proxy and Internet, use some PowerShell to see if the proxy is allowing web requests or not. 在 PowerShell 命令提示符下运行 Invoke-WebRequest -Uri https://adminwebservice.partner.microsoftonline.cn/ProvisioningService.svcIn a PowerShell prompt, run Invoke-WebRequest -Uri https://adminwebservice.partner.microsoftonline.cn/ProvisioningService.svc. (从技术上讲,第一个调用是对 https://login.partner.microsoftonline.cn 发出的并且此 URI 也能正常运行,但另一个 URI 的响应速度更快。)(Technically the first call is to https://login.partner.microsoftonline.cn and this URI works as well, but the other URI is faster to respond.)

PowerShell 使用 machine.config 中的配置来联系代理。PowerShell uses the configuration in machine.config to contact the proxy. winhttp/netsh 中的设置应该不会影响这些 cmdlet。The settings in winhttp/netsh should not impact these cmdlets.

如果代理配置正确,则会收到成功状态:proxy200If the proxy is correctly configured, you should get a success status: proxy200

如果收到“无法连接到远程服务器”,则表示 PowerShell 正在尝试进行直接调用而未使用代理,或者 DNS 配置不正确。If you receive Unable to connect to the remote server, then PowerShell is trying to make a direct call without using the proxy or DNS is not correctly configured. 请确保 machine.config 文件配置正确。Make sure the machine.config file is correctly configured. unabletoconnectunabletoconnect

如果未正确配置代理,将出现错误:proxy200 proxy407If the proxy is not correctly configured, you get an error: proxy200 proxy407

错误Error 错误文本Error Text 注释Comment
403403 禁止Forbidden 代理尚未对请求的 URL 打开。The proxy has not been opened for the requested URL. 请重新访问代理配置,并确保已打开 URLRevisit the proxy configuration and make sure the URLs have been opened.
407407 需要代理身份验证Proxy Authentication Required 代理服务器要求登录,但未提供任何登录信息。The proxy server required a sign-in and none was provided. 如果代理服务器需要身份验证,请确保在 machine.config 中配置该设置。另外,请确保对运行向导的用户和服务帐户使用域帐户。If your proxy server requires authentication, make sure to have this setting configured in the machine.config. Also make sure you are using domain accounts for the user running the wizard and for the service account.

代理空闲超时设置Proxy idle timeout setting

Azure AD Connect 向 Azure AD 发送导出请求时,在生成响应之前,Azure AD 最多可用 5 分钟的时间来处理该请求。When Azure AD Connect sends an export request to Azure AD, Azure AD can take up to 5 minutes to process the request before generating a response. 如果同一导出请求中包含大量具有大型组成员身份的组对象,则会出现这种情况。This can happen especially if there are a number of group objects with large group memberships included in the same export request. 确保将代理空闲超时配置为大于 5 分钟。Ensure the Proxy idle timeout is configured to be greater than 5 minutes. 否则,Azure AD Connect 服务器上可能会出现 Azure AD 的间歇性连接问题。Otherwise, intermittent connectivity issue with Azure AD may be observed on the Azure AD Connect server.

Azure AD Connect 与 Azure AD 之间的通信模式The communication pattern between Azure AD Connect and Azure AD

如果已遵循上述步骤但仍无法连接,现在可以开始查看网络日志。If you have followed all these preceding steps and still cannot connect, you might at this point start looking at network logs. 本部分说明正常且成功的连接模式。This section is documenting a normal and successful connectivity pattern. 此外,还将列出你在阅读网络日志时可能会忽略的常见辅助信息。It is also listing common red herrings that can be ignored when you are reading the network logs.

  • 有向 https://dc.services.visualstudio.com 发出的调用。There are calls to https://dc.services.visualstudio.com. 不需要在代理中打开该 URL 即可成功安装,可以忽略这些调用。It is not required to have this URL open in the proxy for the installation to succeed and these calls can be ignored.
  • 可以看到 DNS 解析列出要处于 DNS 命名空间 nsatc.net 的实际主机,以及不在 partner.microsoftonline.cn 下的其他命名空间。You see that dns resolution lists the actual hosts to be in the DNS name space nsatc.net and other namespaces not under partner.microsoftonline.cn. 但是,实际服务器名称中不会有任何 Web 服务请求,因此不需要将这些 URL 添加到代理。However, there are not any web service requests on the actual server names and you do not have to add these URLs to the proxy.
  • 终结点 adminwebservice 和 provisioningapi 是发现终结点,用于找出要使用的实际终结点。The endpoints adminwebservice and provisioningapi are discovery endpoints and used to find the actual endpoint to use. 这些终结点根据区域而有所不同。These endpoints are different depending on your region.

引用代理日志Reference proxy logs

下面是实际代理日志中的转储以及获取此转储的安装向导页(已删除同一终结点的重复条目)。Here is a dump from an actual proxy log and the installation wizard page from where it was taken (duplicate entries to the same endpoint have been removed). 本部分可用作自己的代理和网络日志的参考。This section can be used as a reference for your own proxy and network logs. 环境中的实际终结点可能有所不同(尤其是以斜体显示的 URL)。The actual endpoints might be different in your environment (in particular those URLs in italic).

连接到 Azure ADConnect to Azure AD

时间Time URLURL
1/11/2016 8:311/11/2016 8:31 connect://login.partner.microsoftonline.cn:443connect://login.partner.microsoftonline.cn:443
1/11/2016 8:311/11/2016 8:31 connect://adminwebservice.partner.microsoftonline.cn:443connect://adminwebservice.partner.microsoftonline.cn:443
1/11/2016 8:321/11/2016 8:32 connect://bba800-anchor.partner.microsoftonline.cn:443connect://bba800-anchor.partner.microsoftonline.cn:443
1/11/2016 8:321/11/2016 8:32 connect://login.partner.microsoftonline.cn:443connect://login.partner.microsoftonline.cn:443
1/11/2016 8:331/11/2016 8:33 connect://provisioningapi.partner.microsoftonline.cn:443connect://provisioningapi.partner.microsoftonline.cn:443
1/11/2016 8:331/11/2016 8:33 connect://bwsc02-relay.partner.microsoftonline.cn:443connect://bwsc02-relay.partner.microsoftonline.cn:443

配置Configure

时间Time 代码URL
1/11/2016 8:431/11/2016 8:43 connect://login.partner.microsoftonline.cn:443connect://login.partner.microsoftonline.cn:443
1/11/2016 8:431/11/2016 8:43 connect://bba800-anchor.partner.microsoftonline.cn:443connect://bba800-anchor.partner.microsoftonline.cn:443
1/11/2016 8:431/11/2016 8:43 connect://login.partner.microsoftonline.cn:443connect://login.partner.microsoftonline.cn:443
1/11/2016 8:441/11/2016 8:44 connect://adminwebservice.partner.microsoftonline.cn:443connect://adminwebservice.partner.microsoftonline.cn:443
1/11/2016 8:441/11/2016 8:44 connect://bba900-anchor.partner.microsoftonline.cn:443connect://bba900-anchor.partner.microsoftonline.cn:443
1/11/2016 8:441/11/2016 8:44 connect://login.partner.microsoftonline.cn:443connect://login.partner.microsoftonline.cn:443
1/11/2016 8:441/11/2016 8:44 connect://adminwebservice.partner.microsoftonline.cn:443connect://adminwebservice.partner.microsoftonline.cn:443
1/11/2016 8:441/11/2016 8:44 connect://bba800-anchor.partner.microsoftonline.cn:443connect://bba800-anchor.partner.microsoftonline.cn:443
1/11/2016 8:441/11/2016 8:44 connect://login.partner.microsoftonline.cn:443connect://login.partner.microsoftonline.cn:443
1/11/2016 8:461/11/2016 8:46 connect://provisioningapi.partner.microsoftonline.cn:443connect://provisioningapi.partner.microsoftonline.cn:443
1/11/2016 8:461/11/2016 8:46 connect://bwsc02-relay.partner.microsoftonline.cn:443connect://bwsc02-relay.partner.microsoftonline.cn:443

初始同步Initial Sync

时间Time URLURL
1/11/2016 8:481/11/2016 8:48 connect://login.chinacloudapi.cn:443connect://login.chinacloudapi.cn:443
1/11/2016 8:491/11/2016 8:49 connect://adminwebservice.partner.microsoftonline.cn:443connect://adminwebservice.partner.microsoftonline.cn:443
1/11/2016 8:491/11/2016 8:49 connect://bba900-anchor.partner.microsoftonline.cn:443connect://bba900-anchor.partner.microsoftonline.cn:443
1/11/2016 8:491/11/2016 8:49 connect://bba800-anchor.partner.microsoftonline.cn:443connect://bba800-anchor.partner.microsoftonline.cn:443

身份验证错误Authentication errors

本部分介绍了 ADAL(Azure AD Connect 使用的身份验证库)和 PowerShell 可能返回的错误。This section covers errors that can be returned from ADAL (the authentication library used by Azure AD Connect) and PowerShell. 其中说明的错误可帮助了解后续步骤。The error explained should help you in understand your next steps.

无效授权Invalid Grant

无效的用户名或密码。Invalid username or password. 有关详细信息,请参阅 无法验证密码For more information, see The password cannot be verified.

未知用户类型Unknown User Type

找不到或无法解析 Azure AD 目录。Your Azure AD directory cannot be found or resolved. 也许你在尝试使用未验证域中的用户名登录?Maybe you try to login with a username in an unverified domain?

用户领域发现失败User Realm Discovery Failed

网络或代理配置问题。Network or proxy configuration issues. 无法访问网络。The network cannot be reached. 请参阅 在安装向导中排查连接问题See Troubleshoot connectivity issues in the installation wizard.

用户密码已过期User Password Expired

凭据已过期。Your credentials have expired. 请更改密码。Change your password.

授权失败Authorization Failure

未能授权用户在 Azure AD 中执行操作。Failed to authorize user to perform action in Azure AD.

身份验证已取消Authentication Cancelled

多重身份验证 (MFA) 质询已取消。The multi-factor authentication (MFA) challenge was cancelled.

未能连接到 MS OnlineConnect To MS Online Failed

身份验证成功,但 Azure AD PowerShell 出现身份验证问题。Authentication was successful, but Azure AD PowerShell has an authentication problem.

需要 Azure AD 全局管理员角色Azure AD Global Admin Role Needed

用户已成功完成身份验证。User was authenticated successfully. 但用户未分配有全局管理员角色。However user is not assigned global admin role. 此处介绍如何将全局管理员角色分配给用户。This is how you can assign global admin role to the user.

公司信息不可用Company Information Unavailable

身份验证成功。Authentication was successful. 无法从 Azure AD 检索公司信息。Could not retrieve company information from Azure AD.

域信息不可用Domain Information Unavailable

身份验证成功。Authentication was successful. 无法从 Azure AD 检索域信息。Could not retrieve domain information from Azure AD.

身份验证失败,出现未知错误Unspecified Authentication Failure

在安装向导中显示为“意外错误”。Shown as Unexpected error in the installation wizard. 如果尝试使用 Microsoft 帐户而不是学校或组织帐户,可能会发生这种错误。Can happen if you try to use a Microsoft Account rather than a school or organization account.

针对旧版本的疑难解答步骤Troubleshooting steps for previous releases.

从内部版本号 1.1.105.0(于 2016 年 2 月发行)开始已停用登录助理。With releases starting with build number 1.1.105.0 (released February 2016), the sign-in assistant was retired. 不再需要用到本部分所述的配置,这些内容仅供参考。This section and the configuration should no longer be required, but is kept as reference.

要使单一登录助理正常工作,必须配置 winhttp。For the single-sign in assistant to work, winhttp must be configured. 可以使用 netsh 完成此配置。This configuration can be done with netsh.
netshnetsh

未正确配置登录助理The Sign-in assistant has not been correctly configured

当登录助理无法访问代理或代理不允许该请求时,将出现此错误。This error appears when the Sign-in assistant cannot reach the proxy or the proxy is not allowing the request. nonetshnonetsh

  • 如果看到此错误,请在 netsh 中查看代理配置并确认配置是否正确。If you see this error, look at the proxy configuration in netsh and verify it is correct. netshshownetshshow
  • 如果配置看起来正确,请按照 验证代理连接 中的步骤,查看问题是否也出现在向导外部的位置。If that looks correct, follow the steps in Verify proxy connectivity to see if the issue is present outside the wizard as well.

后续步骤Next steps

了解有关 将本地标识与 Azure Active Directory 集成的详细信息。Learn more about Integrating your on-premises identities with Azure Active Directory.