SOLVED

Connector for Active Directory enrollment fails


Hi all,

My customer is unable to enroll its Intune Connector for Active Directory.

Once he signs in, the UI keeps coming back to the enrollment page. I had a look at the ODJConnectorUI.log file but I don't understand why the connection closes:
"ODJ Connector UI Information: 0 : User clicked on SignIn
    DateTime=2021-12-02T09:31:21.9240384Z
ODJ Connector UI Information: 0 : Navigating to URL https://portal.manage.microsoft.com/Home/ClientLogon
    DateTime=2021-12-02T09:31:21.9240384Z
ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
    DateTime=2021-12-02T09:31:23.4746356Z
ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresse...
    DateTime=2021-12-02T09:31:23.5296295Z
ODJ Connector UI Error: 2 : ERROR: Enrollment failed. Detailed message is: System.Net.WebException: The underlying connection was closed: An unexpected error occurred on a send. ---> System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
   at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state, Boolean preserveSyncCtx)
   at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
   at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
   at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.PooledStream.Write(Byte[] buffer, Int32 offset, Int32 size)
   at System.Net.ConnectStream.WriteHeaders(Boolean async)
   --- End of inner exception stack trace ---
   at System.Net.HttpWebRequest.GetResponse()
   at ODJConnectorUI.Enrollment.GetURLFromLocationService(String userToken, String LSUrl, String key)
   at ODJConnectorUI.Enrollment.webBrowser_LoadCompleted(Object sender, NavigationEventArgs e)
    DateTime=2021-12-02T09:31:23.5747625Z"

I tried multiple reinstalls but I keep getting the same error.

The connector is installed on a fully updated Server 2019 (en-US), the Intune endpoint URLs are open, and the user is an Intune Administrator with an Intune license.

Do you have access to firewall logs to see if anything is blocked? Can you temporarily allow everything from that machine from the inside to the outside network? Does logging into portal.office.com work on that server?

Did you turn IESC off?

Follow these steps to disable Internet Explorer Enhanced Security Configuration:
On the computer the agent is installed (Windows Server operating system), open Server Manager.
Navigate to the Internet Explorer Enhanced Security Configuration window.
Select the Off option under Administrators.
Click OK.
Hi! Unfortunately I don't have access yet to the firewall logs. I would love to allow everything temporarily but my customer is a huge company with a cautious security team...
Yeah I disabled IESC, I even tried to force TLS 1.2 using the registry, still no clue...
I also have doubts about the network but the security team claims all Intune URLs are opened.
I can't access portal.office.com from this server, since this is not a required URL for Intune, but I do have access to config.office.com.
You could try running the setup again with tcpview.exe running (https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview) and filter on the setup executable in there. You can see there whether it can open certain FQDNs or not.
best response confirmed by MatAitAzzouzene (Brass Contributor)
Solution
OK I finally figured out what was the problem: one URL is missing in the Microsoft doc for Intune network requirements.
Indeed, the doc tells us to allow "*.manage.microsoft.com" but does not mention "manage.microsoft.com", which is not included in "*.manage.microsoft.com" because of the dot before. Once the network team added manage.microsoft.com, everything went fine!
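As an added illustration of the root cause found above (this is example code written for this page, not anything from the thread or from Microsoft), the script below pulls the hostnames out of the URL-bearing lines of the ODJConnectorUI.log excerpt and checks each one against an allowlist that uses leading-label wildcards. The matching rule it assumes is the usual proxy/firewall one: "*.manage.microsoft.com" covers any host with at least one label in front of "manage.microsoft.com" and does not cover the apex name itself. The sample log lines are constructed from the excerpt in the original post.

```python
"""Check which hostnames in an ODJ Connector UI log are not covered by a
wildcard allowlist. Added example for this thread; the wildcard semantics
(a leading "*." requires at least one extra label) are an assumption about
how the customer's proxy/firewall evaluates its rules, not a documented fact."""
import re
from urllib.parse import urlparse

# Constructed sample: the three URL-bearing lines from the log excerpt in the post.
SAMPLE_LOG = """\
ODJ Connector UI Information: 0 : Navigating to URL https://portal.manage.microsoft.com/Home/ClientLogon
ODJ Connector UI Information: 0 : Browser loaded page https://portal.manage.microsoft.com/Home/ClientLogonSuccess
ODJ Connector UI Information: 0 : Getting the URL for EnrollmentService from https://manage.microsoft.com/RestUserAuthLocationService/RestUserAuthLocationService/ServiceAddresse...
"""

URL_RE = re.compile(r"https?://[^\s\"']+")


def hosts_in_log(text):
    """Return the distinct hostnames (lowercased, in order of first appearance)
    found in URLs anywhere in the log text."""
    seen = []
    for match in URL_RE.finditer(text):
        host = urlparse(match.group(0)).hostname
        if host and host.lower() not in seen:
            seen.append(host.lower())
    return seen


def pattern_matches(pattern, host):
    """Does one allowlist entry cover this host?

    "*.example.com" covers "a.example.com" and "a.b.example.com" but not the
    apex "example.com" (no label in front of the suffix) and not
    "evil-example.com" (the suffix check includes the leading dot).
    A pattern without a wildcard must match the host exactly."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".manage.microsoft.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def uncovered_hosts(log_text, allowlist):
    """Hostnames seen in the log that no allowlist entry covers."""
    return [
        host
        for host in hosts_in_log(log_text)
        if not any(pattern_matches(entry, host) for entry in allowlist)
    ]


if __name__ == "__main__":
    documented_only = ["*.manage.microsoft.com"]
    fixed = ["*.manage.microsoft.com", "manage.microsoft.com"]
    print("Hosts in log:", hosts_in_log(SAMPLE_LOG))
    print("Not covered by wildcard-only list:", uncovered_hosts(SAMPLE_LOG, documented_only))
    print("Not covered after adding the apex:", uncovered_hosts(SAMPLE_LOG, fixed))
```

Run against the excerpt, the wildcard-only list leaves manage.microsoft.com uncovered, which is exactly the host the TLS handshake died on in the log; adding the apex name as its own entry leaves nothing uncovered. The same check is handy before opening a ticket with a network team: it turns "all Intune URLs are open" into a per-host list you can compare against the actual rule set.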
Great to hear, glad everything is ok now!