cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Azure AD SSPR Password write back issue

ricardovand3rlinden
Brass Contributor

‎Feb 10 2022 11:19 AM - last edited on ‎Feb 10 2023 02:34 PM by

‎Feb 10 2022 11:19 AM - last edited on ‎Feb 10 2023 02:34 PM by

Azure AD SSPR Password write back issue

Hi all,

 

A company I work for have issues with the reset password function with AD Connect.

 

In the SSPR audit logs in Azure AD, we face on 'Reset password (self-service)' the status reason 'OnPremisesAdminActionRequired', with a follow up event log within the AD connect server:

 

event ID: 33004 with error "hr=80230626, message=The password could not be updated because the management agent credentials were denied access"

 

I face this issue before and this was causing because the AD DS connector account did not have the right permissions. In this case this is not.

 

What I have done so far:


- Updated AD Connect from 2.0.89.0 to 2.0.91.0
- enforced TLS 1.2: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
- Checked AD DS connecter account 'MSOL_xxxxxxxx' permissions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#v...

-   the user do not have the options 'password never expires' or 'user cannot change password' configured
- Let AD connect talk to another DC dc02 instead of dc01
- Checked connection to SSPR service from DC's : Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
- The action 'Change password (self-service)' are successful (via my account portal) , only action 'Reset password (self-service)' face this issue (via passwordreset.microsoftonline.com)
-- both use the same OnPremisesAgent ->> AADConnect

 

Have anyone a idea what else I can try more?

 

Regards,

 

Ricardo

10.8K Views
0 Likes
13 Replies
Reply
13 Replies
BilalelHadd

‎Feb 11 2022 12:18 AM

‎Feb 11 2022 12:18 AM

Re: Azure AD SSPR Password write back issue

Hi @ricardovand3rlinden,

Do you experience this issue with one user or with all the users? Some things that you possibly can check:

- Did you enable inheritance for the AD account(s)
- Did you enable Password writeback in the Azure AD Connect configuration?
- Did you enable SSPR in the Azure AD Portal?
- Do you have a valid Azure AD Premium license?

Let me know!
0 Likes
Reply
ricardovand3rlinden

‎Feb 11 2022 01:38 AM - edited ‎Feb 11 2022 01:51 AM

‎Feb 11 2022 01:38 AM - edited ‎Feb 11 2022 01:51 AM

Re: Azure AD SSPR Password write back issue

Hi BilalelHadd, thank you for the response!

- Did you enable inheritance for the AD account(s)
-- Yes, did check this also. The AD DS connector account has all the rights:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#v...
- Did you enable Password writeback in the Azure AD Connect configuration?
Yes
- Did you enable SSPR in the Azure AD Portal?
Yes
- Do you have a valid Azure AD Premium license?
Yes

It just stopped working since (2/7/22) Monday this week, and only for action 'Reset password (self-service)'.
'Change password (self-service)', works like it supposed to be. So users can change password via account settings in de M365 user portal. But cannot reset it on passwordreset.microsoftonline.com. Both used the OnPremisesAgent ->> AADConnect .

0 Likes
Reply
BilalelHadd

‎Feb 11 2022 01:55 AM

‎Feb 11 2022 01:55 AM

Re: Azure AD SSPR Password write back issue

Hi @ricardovand3rlinden,

Thanks for the answer. Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly. Do you have a screenshot of the current Domain Policy where the password policy is stated?
0 Likes
Reply
ricardovand3rlinden

‎Feb 11 2022 06:01 AM - edited ‎Feb 11 2022 06:34 AM

‎Feb 11 2022 06:01 AM - edited ‎Feb 11 2022 06:34 AM

Re: Azure AD SSPR Password write back issue

@BilalelHadd 

 

Thanks for trouble shooting with me!

 

* Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly.

 

Yes, please check below screenshot

inheritance-enabled.png



Inheritance = enabled and MSOL_xxxx have all the right to reset password on object.

 

* Do you have a screenshot of the current Domain Policy where the password policy is stated?

domain-policy-pw-policy.png

Preview file
75 KB
0 Likes
Reply
BilalelHadd

‎Feb 14 2022 12:17 AM

‎Feb 14 2022 12:17 AM

Re: Azure AD SSPR Password write back issue

Hi @ricardovand3rlinden,

No problem! We are here to help.
In regards to your password policy, this is configured correctly. The event id 33004 is related to credentials. I am pretty sure that your issue is related to the service accounts permissions. If you are stating that the permissions are configured correctly, I would like to ask you to run the below commands on the Service Account(s):

Set-ADSyncPasswordHashSyncPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>

Set-ADSyncExchangeHybridPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>

Set-ADSyncMsDsConsistencyGuidPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>

Set-ADSyncPasswordWritebackPermissions -ADConnectorAccountName <svc_accountname> -ADConnectorAccountDomain <domainname>

More information about running these commands and the module can be found here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-configure-ad-ds-connec...

Let me know what happens when a user tries to reset his password after running the commands.
0 Likes
Reply
ricardovand3rlinden

‎Feb 14 2022 04:58 AM - edited ‎Feb 14 2022 05:52 AM

‎Feb 14 2022 04:58 AM - edited ‎Feb 14 2022 05:52 AM

Re: Azure AD SSPR Password write back issue

Hi BilalelHadd,

Thank you for this, unfortunately no luck. Had a call about this with MS support last Friday, we did set the AD DS connector have the default permissions and set password write back permissions with the trouble shoot tool within AD connect.

I assume that to regarding the message we get from event viewer from event id 33004. I face the same error many times, and is was always the AD DS connector account. The strange thing is that as mentioned SSPR (change action) still is working and it goes over the same connector as SSPR (reset action). So with setting all the default permissions and seeing that the AD DS connector account can change or reset the passowrd of the the object, Both MS support and I cross it off that it concerns this account.

MS support told me to change the Default domain policy GPO to Maximum password age: 30 or 42 days. But the policy is not managed with this GPO but with using fine-grained password policies (FGPP) in ADAC which set maximum password age to 90 days. And also here, we did not change anything, it just begun on Monday 7/2/22 without us to change anything.

I ask the team if they can clarify this.

0 Likes
Reply
BilalelHadd

‎Feb 14 2022 06:43 AM

‎Feb 14 2022 06:43 AM

Re: Azure AD SSPR Password write back issue

Hi,

Thanks for the heads-up. Let us know what the Microsoft engineers states. Did you not harden the domain by implementing features or policies?

You might want to check this article: https://social.msdn.microsoft.com/Forums/en-US/6082daf5-2893-407b-b009-bc49464df984/aadsync-password...
0 Likes
Reply
ricardovand3rlinden

‎Feb 15 2022 12:48 PM

‎Feb 15 2022 12:48 PM

Re: Azure AD SSPR Password write back issue

Hi BilalelHadd,

We are using fine-grained password policies (FGPP) in ADAC. The maximum age is setup to 90 days in that policy, and minimum is not set. But we did not change any settings there, so with the same settings as we still have in the FGPP in ADAC, SSPR (reset function) just worked fine all the time before 7/2/22.

Thanks for the article, our Minimum password age in the is Default Domain GPO is 0 and in the FGPP it is not set. Have a call again with another Microsoft Support engineer regarding this issue, I will share the outcome of that call in this post.

0 Likes
Reply
ricardovand3rlinden

‎Feb 17 2022 01:13 AM - edited ‎Feb 17 2022 01:15 AM

‎Feb 17 2022 01:13 AM - edited ‎Feb 17 2022 01:15 AM

Re: Azure AD SSPR Password write back issue

Hi Bilal, had a call yesterday with Microsoft regarding the issue. Microsoft told me to check the “Network access: Restrict clients allowed to make remote calls to SAM” GPO. However this GPO is not defined on both Domain or Domain Controller GPO policies. But the reg key ‘RestrictRemoteSam’ that is tied to that GPO setting, is listed in the DC's that talks with AD connect, this interesting. I propose a change to delete the REG key on 1 domain controller first and let AD Connect talk with that DC only that has not the REG key ‘RestrictRemoteSam’.


https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/network...

 

But it remains strange that the SSPR reset function has suddenly stopped since Monday 7/2/22, but this is an interesting progression.

 

Will update this post ASAP.

1 Like
Reply
BilalelHadd

‎Feb 17 2022 01:16 AM

‎Feb 17 2022 01:16 AM

Re: Azure AD SSPR Password write back issue

Hi @ricardovand3rlinden,

Thanks for the heads-up. Please keep us posted. You've mentioned earlier that there were no changes within the environment, so it should be Microsoft that made a change, I assume.
1 Like
Reply
best response confirmed by ricardovand3rlinden (Brass Contributor)
ricardovand3rlinden

‎Feb 18 2022 07:43 AM - edited ‎Feb 18 2022 07:44 AM

‎Feb 18 2022 07:43 AM - edited ‎Feb 18 2022 07:44 AM

Solution

Re: Azure AD SSPR Password write back issue

Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was setup in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account into that GPO on both domain.

For future readers:

1: Open Local Security Policy, click Start, type secpol.msc
2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
3: Right-Click and Select Properties
4: On the Template Security Policy Setting, Click Edit Security
5: Under Group or user names, Click Add the AD DS connector account
7: Leave everything default, and Click OK

 

 

Thank you again for your knowledge and time.

2 Likes
Reply
Jan Bakker

‎Feb 23 2022 02:58 AM

‎Feb 23 2022 02:58 AM

Re: Azure AD SSPR Password write back issue

Lot's of password writeback issues since the last patches. I bumped into this one last week:

https://janbakker.tech/kb-selfservicepasswordreset-write-back-problem-error-hr80230818/
1 Like
Reply
ricardovand3rlinden

‎Feb 23 2022 04:51 AM

‎Feb 23 2022 04:51 AM

Re: Azure AD SSPR Password write back issue

Thank you for sharing Jan and great that you have fix event ID 33001, will save your solution!

For ID 33008, I updated my blog post as well. 33008 can have multiple solutions:

https://vand3rlinden.nl/index.php/2020/07/03/fix-sspr-failure-reason-onpremisesadminactionrequired/
1 Like
Reply