cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

AD Connect passthrough authentication fails for some users

mark1nh
Copper Contributor

‎Jun 27 2022 04:54 AM - edited ‎Jun 28 2022 02:38 AM

‎Jun 27 2022 04:54 AM - edited ‎Jun 28 2022 02:38 AM

AD Connect passthrough authentication fails for some users

Hi

with Azure AD Connect passthrough authentication we see "50126 InvalidUserNameOrPassword" for some users.

In C:\ProgramData\Microsoft\Azure AD Connect Authentication Agent\Trace\AzureADConnectAuthenticationAgent_....

I can see the corresponding error: 

"Passthrough Authentication request failed....  Reason: '1326'."

The majority of users authenticates ok in azure.

 

In the trace Log I see many System.OperationCanceledException

 

At the AD Domain Controllers I see no "badpassword". I guess at some point Azure AD Connect decides the username is wrong - but there is no differnce in UPN compared to working users.

 

where can i find a solution?

 

best regards

Markus

 

 

 

 

 

Labels:
3,794 Views
0 Likes
3 Replies
Reply
3 Replies
mark1nh

‎Jul 02 2022 11:44 AM

‎Jul 02 2022 11:44 AM

Re: AD Connect passthrough authentication fails for some users

answering my own question:

the onpremisesuserprincipalname has to be set to the correct value in Azure AD. We did not know about this attribute. Our Azure UPN does not match the one premises one.
It seems PTA uses the onpremisesuserprincipalname to authenticate.
0 Likes
Reply
Kriz123

‎Aug 18 2022 01:33 AM

‎Aug 18 2022 01:33 AM

Re: AD Connect passthrough authentication fails for some users

@mark1nh 

 

Thank you for your information on the behavior. The same seems to affect us. Where do you put the on-prem upn in the azure ad? The corresponding field is deactivated and already filled with the on-prem upn. Wasn't that the case with you?


Users can no longer log in here unless I change the azure upn to the email address instead of the onmicrosoft.com address.
I think we have the same problem but different causes. We have a not routable on-prem domain "cpny.local" and a routable mail domain "company.com". Only when I select the "company.com" domain in the on-prem AD user settings and change the Azure-AD UPN to the email address login work. Curiously, that was not the case at the beginning, since onmicrosoft.com could remain as Azure UPN.

 

Regards

Kriz

0 Likes
Reply
mark1nh

‎Aug 18 2022 01:46 AM

‎Aug 18 2022 01:46 AM

Re: AD Connect passthrough authentication fails for some users

The field onpremisesuserprincipalname is filled during Azure AD Sync. We have a transformation for the correct value since Azure UPN ist not the right one in our case.

As far as I know Passthrough Authentication uses the onpremisesuserprincipalname mainly if "Alternate Login" Feature is enabled. In other cases it might not use this field.

Check what you have as UPN in your Azure AD and what your AD Controllers understand as valid login-Name(s).

0 Likes
Reply