SOLVED

Azure Active Directory Connect - error with AuthorizationManager check failed


When configuring AAD Connect I get to the 'connect directories' stage, and it auto-discovers my local AD/forest name, but when I click Add Directory, I enter the domain administrator's credentials and get the message back saying:

"An error occured while auto creating an account in the forest <forestname>. AuthorizationManager check failed."
Here is the error trace:

[ERROR] Caught exception while creating synchronization account.
Exception Data (Raw): System.Management.Automation.CmdletInvocationException: AuthorizationManager check failed. ---> System.Management.Automation.PSSecurityException: AuthorizationManager check failed. ---> System.Management.Automation.Host.HostException: A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: File C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1 is published by CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US and is not trusted on your system. Only run scripts from trusted publishers.
   at System.Management.Automation.Internal.Host.InternalHostUserInterface.ThrowPromptNotInteractive(String promptMessage)
   at System.Management.Automation.Internal.Host.InternalHostUserInterface.PromptForChoice(String caption, String message, Collection`1 choices, Int32 defaultChoice)
   at Microsoft.PowerShell.PSAuthorizationManager.AuthenticodePrompt(String path, Signature signature, PSHost host)
   at Microsoft.PowerShell.PSAuthorizationManager.SetPolicyFromAuthenticodePrompt(String path, PSHost host, Exception& reason, Signature signature)
   at Microsoft.PowerShell.PSAuthorizationManager.CheckPolicy(ExternalScriptInfo script, PSHost host, Exception& reason)
   at Microsoft.PowerShell.PSAuthorizationManager.ShouldRun(CommandInfo commandInfo, CommandOrigin origin, PSHost host, Exception& reason)
   at System.Management.Automation.AuthorizationManager.ShouldRunInternal(CommandInfo commandInfo, CommandOrigin origin, PSHost host)

I'm not sure where else to look, as I'm using the currently logged-in domain admin account on the same VM which has AD/DNS installed etc., so permissions shouldn't be an issue.

1 Reply
best response confirmed by Kevyn Williams (Occasional Contributor)
Solution

I've solved this by manually installing the Microsoft certificate:

  1. Locate C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1
  2. Right-click the file and open Properties
  3. Go to the 'Digital Signatures' tab and open the details for the certificate
  4. Click View Certificate
  5. Click Install Certificate
  6. I ran this twice, for both Current User and Local Machine
  7. Manually choose the following store to place the certificate in: 'Trusted Publishers'
  8. Re-run AAD Connect

I hope this helps someone else.
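The same fix done from an elevated PowerShell prompt, as an added example that is not part of the thread or of AAD Connect itself. The trace in the question shows PowerShell's AuthorizationManager trying to prompt for publisher trust (which happens under the AllSigned policy, or RemoteSigned for a file marked as downloaded) and failing because the AAD Connect host is non-interactive. Rather than installing whatever certificate the Properties dialog offers, this script first verifies that the module's Authenticode signature is Valid, that the signer chain verifies, and that the subject matches the one quoted in the error, and only then adds that certificate to the LocalMachine Trusted Publishers store. The module path and expected subject are taken from the thread; everything else is assumed.

```powershell
# Added example (not from the thread): check the signature on the AAD Connect
# module before trusting its publisher, then add the signer to Trusted Publishers.
# Run from an elevated prompt on the AAD Connect server.
$modulePath = 'C:\Program Files\Microsoft Azure Active Directory Connect\AdSyncConfig\AdSyncConfig.psm1'

# 1. Show which execution policy applies. AllSigned (and RemoteSigned for files
#    carrying a Zone.Identifier stream) is what makes PowerShell prompt for
#    publishers that are not yet trusted.
Get-ExecutionPolicy -List

# 2. Verify the signature. Only a Valid signature with a verifiable chain is
#    worth turning into a machine-wide publisher trust decision.
$sig = Get-AuthenticodeSignature -FilePath $modulePath
if ($sig.Status -ne 'Valid') {
    throw "Signature on $modulePath is '$($sig.Status)': $($sig.StatusMessage)"
}
$cert = $sig.SignerCertificate
if (-not $cert.Verify()) {
    throw "Signer certificate chain for $modulePath does not verify"
}

# 3. Compare the signer against the subject named in the error message, so a
#    file signed by someone else is not silently trusted.
$expectedSubject = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
if ($cert.Subject -ne $expectedSubject) {
    throw "Unexpected signer: $($cert.Subject)"
}
Write-Host "Signer:     $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)  NotAfter: $($cert.NotAfter)"

# 4. Add the signer certificate to LocalMachine\TrustedPublisher, skipping it if
#    an entry with the same thumbprint is already there.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('TrustedPublisher', 'LocalMachine')
$store.Open('ReadWrite')
try {
    $existing = $store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        Write-Host "Added $($cert.Thumbprint) to LocalMachine\TrustedPublisher"
    } else {
        Write-Host "Already present in LocalMachine\TrustedPublisher"
    }
} finally {
    $store.Close()
}

# 5. Confirm the entry is visible through the certificate drive before re-running AAD Connect.
Get-ChildItem Cert:\LocalMachine\TrustedPublisher | Where-Object Thumbprint -eq $cert.Thumbprint
```

Trusting a publisher means every script signed with that certificate will run without a prompt on this machine, which is why the chain and subject checks come before the store write. Code-signing certificates are rotated, so a later AAD Connect build may be signed with a different certificate and raise the same prompt again; re-running the check above shows the new thumbprint.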