On-prem AD migration, Azure AD, SSO and Office 365


Hi all. Have an interesting one here. Helping a customer out with a good old ADMT AD migration. So far everything is going very well, except the user sign-on experience into Office 365.

After the user has been migrated, they can log in successfully using their old\current password onto their device, but as soon as they access anything Office 365 related, it tells them incorrect username or password. They have SSPR, so once their password is changed, all works ok again. They use PTA as well. Not sure if it might be there that things go wrong. Initially we thought it was only some users, but after going through the Azure logs, it seems like it is all. The ones that know SSPR well just go ahead and do it without logging tickets. I checked everything and am running out of ideas. We might just include with the comms to the users that they change their password post migration. More info: we are using ADMT with the PES. SID filtering is disabled. PTA agents are healthy. One far-fetched possible issue might be the Kerberos ticket on those. Not changed for the last three months.

Has anyone done anything similar in the past or come across this before?

0 Replies