Feb 10 2022 11:19 AM - edited Feb 10 2022 11:29 AM
A company I work for has issues with the reset password function with AD Connect.
In the SSPR audit logs in Azure AD, we see the status reason 'OnPremisesAdminActionRequired' on 'Reset password (self-service)', with a follow-up event log on the AD Connect server:
event ID: 33004 with error "hr=80230626, message=The password could not be updated because the management agent credentials were denied access"
I have faced this issue before, and it was caused by the AD DS connector account not having the right permissions. In this case it is not.
What I have done so far:
- Updated AD Connect from 22.214.171.124 to 126.96.36.199
- enforced TLS 1.2: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
- Checked AD DS connector account 'MSOL_xxxxxxxx' permissions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#v...
- The user does not have the options 'password never expires' or 'user cannot change password' configured
- Let AD Connect talk to another DC, dc02, instead of dc01
- Checked connection to the SSPR service from the DCs: Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
- The action 'Change password (self-service)' is successful (via the my account portal); only the action 'Reset password (self-service)' faces this issue (via passwordreset.microsoftonline.com)
-- both use the same OnPremisesAgent ->> AADConnect
Does anyone have an idea what else I can try?
Feb 11 2022 12:18 AM
Feb 11 2022 01:38 AM - edited Feb 11 2022 01:51 AM
Hi BilalelHadd, thank you for the response!
- Did you enable inheritance for the AD account(s)
-- Yes, did check this also. The AD DS connector account has all the rights:
- Did you enable Password writeback in the Azure AD Connect configuration?
- Did you enable SSPR in the Azure AD Portal?
- Do you have a valid Azure AD Premium license?
It just stopped working on Monday this week (2/7/22), and only for the action 'Reset password (self-service)'.
'Change password (self-service)' works like it is supposed to. So users can change their password via account settings in the M365 user portal, but cannot reset it on passwordreset.microsoftonline.com. Both use the OnPremisesAgent ->> AADConnect.
Feb 11 2022 01:55 AM
Feb 11 2022 06:01 AM - edited Feb 11 2022 06:34 AM
Thanks for troubleshooting with me!
* Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly.
Yes, please check the screenshot below.
Inheritance = enabled and MSOL_xxxx has all the rights to reset the password on the object.
* Do you have a screenshot of the current Domain Policy where the password policy is stated?
Feb 14 2022 12:17 AM
Feb 14 2022 04:58 AM - edited Feb 14 2022 05:52 AM
Thank you for this, unfortunately no luck. I had a call about this with MS support last Friday; we set the AD DS connector to have the default permissions and set the password writeback permissions with the troubleshooting tool within AD Connect.
I assume that too, regarding the message we get in Event Viewer from event ID 33004. I have faced the same error many times, and it was always the AD DS connector account. The strange thing is that, as mentioned, SSPR (change action) is still working and it goes over the same connector as SSPR (reset action). So with all the default permissions set, and seeing that the AD DS connector account can change or reset the password of the object, both MS support and I crossed off that it concerns this account.
MS support told me to change the Default Domain Policy GPO to Maximum password age: 30 or 42 days. But the policy is not managed with this GPO but by using fine-grained password policies (FGPP) in ADAC, which set the maximum password age to 90 days. And here too, we did not change anything; it just began on Monday 7/2/22 without us changing anything.
I ask the team if they can clarify this.
Feb 14 2022 06:43 AM
Feb 15 2022 12:48 PM
Feb 17 2022 01:13 AM - edited Feb 17 2022 01:15 AM
Hi Bilal, I had a call yesterday with Microsoft regarding the issue. Microsoft told me to check the “Network access: Restrict clients allowed to make remote calls to SAM” GPO. However, this GPO is not defined in either the Domain or Domain Controller GPO policies. But the reg key ‘RestrictRemoteSam’ that is tied to that GPO setting is listed on the DCs that talk with AD Connect, which is interesting. I propose a change to delete the reg key on 1 domain controller first and let AD Connect talk only with that DC, which does not have the reg key ‘RestrictRemoteSam’.
But it remains strange that the SSPR reset function has suddenly stopped since Monday 7/2/22, but this is an interesting progression.
Will update this post ASAP.
Feb 18 2022 07:43 AM - edited Feb 18 2022 07:44 AM (Solution)
Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domain.
For future readers:
1: Open Local Security Policy, click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-Click and Select Properties
4: On the Template Security Policy Setting, Click Edit Security
5: Under Group or user names, Click Add the AD DS connector account
7: Leave everything default, and Click OK
Thank you again for your knowledge and time.
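A scripted version of the check behind the accepted solution, added here as an example and not part of any poster's message: it reads the effective 'RestrictRemoteSam' setting on a DC and lists which principals are allowed to make remote SAM calls. It assumes the value is stored as an SDDL string under the Lsa registry key, and the account name `CONTOSO\MSOL_xxxxxxxx` is a placeholder.

```powershell
# Added example (not from the thread). Run locally on each DC that AD Connect uses.
param(
    # Assumption: placeholder; replace with your own AD DS connector account.
    [string]$ConnectorAccount = 'CONTOSO\MSOL_xxxxxxxx'
)

# The security option is stored here regardless of whether a domain GPO or
# the local policy (secpol.msc) set it, so this catches the local-GPO case.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl = (Get-ItemProperty -Path $lsaKey -Name RestrictRemoteSAM `
         -ErrorAction SilentlyContinue).RestrictRemoteSAM

if ([string]::IsNullOrEmpty($sddl)) {
    Write-Output "RestrictRemoteSAM is not set on $env:COMPUTERNAME; the OS default applies."
    return
}

# Resolve the connector account to a SID (throws if the name does not exist).
$connectorSid = ([System.Security.Principal.NTAccount]$ConnectorAccount).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Parse the SDDL and walk the DACL. Remote SAM access is granted by an
# allow ACE carrying the READ_CONTROL right (shown as "RC" in SDDL).
$READ_CONTROL = 0x00020000
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)

$entries = foreach ($ace in $sd.DiscretionaryAcl) {
    $name = try {
        $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $ace.SecurityIdentifier.Value   # unresolvable SID: show it raw
    }
    [pscustomobject]@{
        Principal   = $name
        Type        = $ace.AceQualifier
        RemoteSam   = [bool]($ace.AccessMask -band $READ_CONTROL)
        IsConnector = ($ace.SecurityIdentifier -eq $connectorSid)
    }
}

$entries | Format-Table -AutoSize

$direct = $entries | Where-Object {
    $_.IsConnector -and $_.RemoteSam -and $_.Type -eq 'AccessAllowed' }
if ($direct) {
    Write-Output "$ConnectorAccount is explicitly allowed remote SAM calls on $env:COMPUTERNAME."
} else {
    Write-Output "$ConnectorAccount has no direct allow entry; check the listed groups for membership."
}
```

The script only matches the account's own SID; an allow entry for a group the account belongs to also grants access, which is why the full list is printed.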
Feb 23 2022 02:58 AM
Feb 23 2022 04:51 AM