Forum Discussion
Azure AD SSPR Password write back issue
- Feb 18, 2022
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account to that GPO on both domains.
For future readers:
1: Open Local Security Policy: click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-click and select Properties
4: On the Template Security Policy Setting, click Edit Security
5: Under Group or user names, click Add and add the AD DS connector account
6: Leave everything default, and click OK
Thank you again for your knowledge and time.
No problem! We are here to help.
In regards to your password policy, this is configured correctly. The event ID 33004 is related to credentials. I am pretty sure that your issue is related to the service account's permissions. If you are stating that the permissions are configured correctly, I would like to ask you to run the below commands on the service account(s):
Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>
More information about running these commands and the module can be found here:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connector-account
Let me know what happens when a user tries to reset his password after running the commands.
Hi BilalelHadd,
Thank you for this, unfortunately no luck. I had a call about this with MS support last Friday; we set the AD DS connector account to have the default permissions and set password writeback permissions with the troubleshooting tool within AD Connect.
I assumed that too, regarding the message we get in Event Viewer for event ID 33004. I have faced the same error many times, and it was always the AD DS connector account. The strange thing is that, as mentioned, SSPR (change action) still works and it goes over the same connector as SSPR (reset action). So with all the default permissions set and seeing that the AD DS connector account can change or reset the password of the object, both MS support and I crossed off that it concerns this account.
MS support told me to change the Default Domain Policy GPO to Maximum password age: 30 or 42 days. But the policy is not managed with this GPO but with fine-grained password policies (FGPP) in ADAC, which set the maximum password age to 90 days. And here too, we did not change anything; it just began on Monday 7/2/22 without us changing anything.
I have asked the team if they can clarify this.
- BilalelHadd, Feb 14, 2022, Iron Contributor
Hi,
Thanks for the heads-up. Let us know what the Microsoft engineers state. Did you not harden the domain by implementing features or policies?
You might want to check this article: https://social.msdn.microsoft.com/Forums/en-US/6082daf5-2893-407b-b009-bc49464df984/aadsync-password-reset?forum=WindowsAzureAD
- vand3rlinden, Feb 15, 2022, Brass Contributor
Hi BilalelHadd,
We are using fine-grained password policies (FGPP) in ADAC. The maximum age is set to 90 days in that policy, and the minimum is not set. But we did not change any settings there, so with the same settings as we still have in the FGPP in ADAC, SSPR (reset function) worked fine all the time before 7/2/22.
Thanks for the article, our Minimum password age in the Default Domain GPO is 0 and in the FGPP it is not set. I have a call again with another Microsoft Support engineer regarding this issue; I will share the outcome of that call in this post.
- vand3rlinden, Feb 17, 2022, Brass Contributor
Hi Bilal, I had a call yesterday with Microsoft regarding the issue. Microsoft told me to check the “Network access: Restrict clients allowed to make remote calls to SAM” GPO. However, this GPO is not defined in either the Domain or the Domain Controllers GPO. But the reg key ‘RestrictRemoteSam’ that is tied to that GPO setting is present on the DCs that talk with AD Connect, which is interesting. I propose a change to delete the reg key on one domain controller first and let AD Connect talk only with that DC, which then no longer has the reg key ‘RestrictRemoteSam’.
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls
But it remains strange that the SSPR reset function has suddenly stopped since Monday 7/2/22; still, this is an interesting progression.
Will update this post ASAP.
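As an added example (not code from the thread, from Microsoft, or from the AD Connect product), the following PowerShell audit reads the RestrictRemoteSam value that this policy writes on each domain controller and reports whether the AD DS connector account is directly granted access in its SDDL, so the root cause found in this thread can be checked across all DCs before touching registry keys. The connector account name, the RSAT ActiveDirectory module, and WinRM access to the DCs are assumptions.

```powershell
# Added example, not part of the thread: audit RestrictRemoteSam on every DC in the current
# domain and report whether the AD DS connector account is explicitly allowed.
# Assumptions: RSAT ActiveDirectory module installed, WinRM reachable on the DCs,
# and rights to read HKLM on each DC. Replace the placeholder account name below.
param(
    [string]$ConnectorAccount = 'MSOL_REPLACE_ME'   # placeholder for your AD DS connector account
)

Import-Module ActiveDirectory

$connectorSid = (Get-ADUser -Identity $ConnectorAccount).SID.Value
$lsaPath      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    # Whether set via a domain GPO or the local security policy, the setting lands in this
    # REG_SZ value as an SDDL string (absent when the policy is "Not Defined").
    $sddl = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($p)
        (Get-ItemProperty -Path $p -Name RestrictRemoteSam -ErrorAction SilentlyContinue).RestrictRemoteSam
    } -ArgumentList $lsaPath

    if ([string]::IsNullOrEmpty($sddl)) {
        [pscustomobject]@{ DC = $dc; RestrictRemoteSam = '<not set>'; ConnectorAllowed = 'n/a (policy not configured)' }
        continue
    }

    # Parse the SDDL and look for an Allow ACE that names the connector SID directly.
    # Note: access granted through a group listed in the ACL is not resolved here.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
    $allowed = @($sd.DiscretionaryAcl | Where-Object {
        $_.AceType -eq [System.Security.AccessControl.AceType]::AccessAllowed -and
        $_.SecurityIdentifier.Value -eq $connectorSid
    }).Count -gt 0

    [pscustomobject]@{ DC = $dc; RestrictRemoteSam = $sddl; ConnectorAllowed = $allowed }
}
```

A DC that reports the policy as set with ConnectorAllowed false is the one to fix through the Local Security Policy steps in this thread rather than by deleting the registry value, since the policy will rewrite it on the next refresh.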