Forum Discussion

vand3rlinden
Brass Contributor
Feb 10, 2022
Solved

Azure AD SSPR Password write back issue

Hi all,


A company I work for has issues with the reset password function with AD Connect.


In the SSPR audit logs in Azure AD, the 'Reset password (self-service)' action shows the status reason 'OnPremisesAdminActionRequired', with a follow-up event log on the AD Connect server:


Event ID 33004 with error "hr=80230626, message=The password could not be updated because the management agent credentials were denied access"


I faced this issue before, and back then it was caused by the AD DS connector account not having the right permissions. In this case this is not the cause.


What I have done so far:

- Updated AD Connect from 2.0.89.0 to 2.0.91.0
- Enforced TLS 1.2: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-tls-enforcement
- Checked AD DS connector account 'MSOL_xxxxxxxx' permissions: https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions
- The user does not have the options 'password never expires' or 'user cannot change password' configured
- Let AD Connect talk to another DC (dc02 instead of dc01)
- Checked the connection to the SSPR service from the DCs: Test-NetConnection -ComputerName ssprdedicatedsbprodscu.servicebus.windows.net -Port 443
- The action 'Change password (self-service)' is successful (via the My Account portal); only the action 'Reset password (self-service)' faces this issue (via passwordreset.microsoftonline.com)
  - Both use the same OnPremisesAgent ->> AADConnect


Does anyone have an idea what else I can try?


Regards,


Ricardo

  • Hi Bilal, the SSPR reset is functioning again! I found out that the “Network access: Restrict clients allowed to make remote calls to SAM” GPO was set up in the local GPO of the DCs. The issue is resolved by adding the AD DS connector account to that GPO on both domains.

    For future readers:

    1: Open Local Security Policy: click Start, type secpol.msc
    2: Navigate the console tree to Security Settings\Security Options\Network access: Restrict clients allowed to make remote calls to SAM
    3: Right-click and select Properties
    4: On the Template Security Policy Setting, click Edit Security
    5: Under Group or user names, click Add and add the AD DS connector account
    6: Leave everything default, and click OK

    Thank you again for your knowledge and time.
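As an added check (not code from the thread), the PowerShell below reads the effective "Restrict clients allowed to make remote calls to SAM" setting from a DC's registry and reports whether the AD DS connector account holds the Remote Access (RC) right that the policy editor grants by default. The connector account name is passed in as a parameter; 'MSOL_xxxxxxxx' is a placeholder as in the question, and the registry location and SDDL format are those documented for this policy. Run it on each DC that Azure AD Connect may talk to.

```powershell
# Added example: verify the connector account is allowed by the RestrictRemoteSam policy on this DC.
param(
    [Parameter(Mandatory = $true)]
    [string]$ConnectorAccount   # e.g. 'CONTOSO\MSOL_xxxxxxxx' (placeholder domain and account)
)

# The policy writes an SDDL string to this value; absent means the policy is not configured here.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$sddl   = (Get-ItemProperty -Path $lsaKey -Name 'RestrictRemoteSam' -ErrorAction SilentlyContinue).RestrictRemoteSam

if (-not $sddl) {
    Write-Output "RestrictRemoteSam is not set on $env:COMPUTERNAME; remote SAM calls are not restricted by this policy here."
    return
}

# Resolve the connector account to a SID so it can be compared against the ACEs in the descriptor.
$connectorSid = (New-Object System.Security.Principal.NTAccount($ConnectorAccount)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$sd           = New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)
$READ_CONTROL = 0x20000   # the 'RC' right; the editor's defaults grant exactly this

Write-Output "Policy SDDL on $($env:COMPUTERNAME): $sddl"
$allowed = $false
foreach ($ace in $sd.DiscretionaryAcl) {
    # Translate each ACE's SID to a readable name; fall back to the raw SID for unresolvable ones.
    try   { $name = $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $ace.SecurityIdentifier.Value }
    Write-Output ("  {0,-13} {1}  mask=0x{2:X}" -f $ace.AceType, $name, $ace.AccessMask)

    if ($ace.AceType -eq 'AccessAllowed' -and
        $ace.SecurityIdentifier -eq $connectorSid -and
        ($ace.AccessMask -band $READ_CONTROL)) {
        $allowed = $true
    }
}

if ($allowed) {
    Write-Output "OK: $ConnectorAccount may make remote SAM calls on $env:COMPUTERNAME."
} else {
    Write-Output "MISSING: $ConnectorAccount is not allowed by the policy on $env:COMPUTERNAME; this matches the Event ID 33004 / hr=80230626 writeback failure described above."
}
```

If the setting comes from a domain GPO rather than the local policy, the same registry value still reflects the effective result, so the check applies either way.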

  • BilalelHadd
    Iron Contributor
    Hi vand3rlinden,

    Do you experience this issue with one user or with all the users? Some things that you possibly can check:

    - Did you enable inheritance for the AD account(s)
    - Did you enable Password writeback in the Azure AD Connect configuration?
    - Did you enable SSPR in the Azure AD Portal?
    - Do you have a valid Azure AD Premium license?

    Let me know!
    • vand3rlinden
      Brass Contributor

      Hi BilalelHadd, thank you for the response!

      - Did you enable inheritance for the AD account(s)
      Yes, I checked this as well. The AD DS connector account has all the rights:
      https://docs.microsoft.com/en-us/azure/active-directory/authentication/troubleshoot-sspr-writeback#verify-that-azure-ad-connect-has-the-required-permissions
      - Did you enable Password writeback in the Azure AD Connect configuration?
      Yes
      - Did you enable SSPR in the Azure AD Portal?
      Yes
      - Do you have a valid Azure AD Premium license?
      Yes

      It just stopped working on Monday this week (2/7/22), and only for the action 'Reset password (self-service)'.
      'Change password (self-service)' works like it is supposed to. So users can change their password via account settings in the M365 user portal, but cannot reset it on passwordreset.microsoftonline.com. Both use the OnPremisesAgent ->> AADConnect.

      • BilalelHadd
        Iron Contributor
        Hi vand3rlinden,

        Thanks for the answer. Do you know that there is a difference between AD DS connect permissions and inheritance permissions? If so, then I assume that the user object rights are configured correctly. Do you have a screenshot of the current Domain Policy where the password policy is stated?
