AADConnect

Recently I faced an issue with Azure AD Connect.

The scenario:

A Windows Server 2012 R2 box with direct access to the internet with Azure AD Connect installed and running under the context of a service account.

Because Azure AD Connect is WPAD aware, when running in the context of that service account it picked up the proxy auto-detection settings and tried to reach the internet through a proxy server.

The error message given was:

An error occurred executing Configure AAD Sync task: user_realm_discovery_failed: User Realm Discovery Failed

The trace log file also reported:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: user_realm_discovery_failed: User realm discovery failed ---> System.Net.WebException: The remote server returned an error: (407) Proxy Authentication Required.

All the solutions I found on the internet (see AADConnect Troubleshooting below) pointed me at configuring machine.config (C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config) with the required proxy server settings, but in my scenario I did not want to use a proxy server at all.

Adding the element below to the machine.config file, which turns off the .NET default proxy so that connections go out directly, resolved the issue.

<system.net>
    <defaultProxy enabled="false"></defaultProxy>
</system.net>
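As an added example (not part of the original post), the PowerShell below shows what this change does and how to apply it safely: it prints the proxy .NET resolves for login.windows.net under the current account, writes the defaultProxy override into machine.config idempotently after taking a backup, and then verifies the result from a fresh process. It assumes the 64-bit machine.config path named above and that it is run from an elevated 64-bit PowerShell.

```powershell
# Added example, not from the original post. Assumes the 64-bit machine.config path
# named in the post and the Azure AD endpoint login.windows.net; run elevated, 64-bit.
$machineConfig = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\config\machine.config'
$target        = [Uri]'https://login.windows.net/'

# 1. Show which proxy .NET resolves for the endpoint under the *current* account.
#    Run this as the AAD Connect service account to reproduce the symptom: WPAD/IE
#    settings are per user, so an admin session may look fine while the service fails.
$sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
if ($sysProxy.IsBypassed($target)) {
    Write-Host "System proxy: none (direct) for $target"
} else {
    Write-Host "System proxy for $target : $($sysProxy.GetProxy($target))"
}

# 2. Apply the override idempotently, after a timestamped backup of machine.config.
$backup = "$machineConfig.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -Path $machineConfig -Destination $backup
[xml]$cfg = Get-Content -Path $machineConfig -Raw

$sysNet = $cfg.configuration.SelectSingleNode('system.net')
if (-not $sysNet) {
    $sysNet = $cfg.configuration.AppendChild($cfg.CreateElement('system.net'))
}
$defaultProxy = $sysNet.SelectSingleNode('defaultProxy')
if (-not $defaultProxy) {
    $defaultProxy = $sysNet.AppendChild($cfg.CreateElement('defaultProxy'))
}
$defaultProxy.SetAttribute('enabled', 'false')   # <defaultProxy enabled="false"/>
$cfg.Save($machineConfig)
Write-Host "Updated $machineConfig (backup: $backup)"

# 3. Verify from a fresh process (a background job is a new powershell.exe), because
#    machine.config is read at process start. With enabled="false", DefaultWebProxy
#    is null, meaning .NET connects directly and no WPAD lookup or 407 can occur.
$check = {
    $p = [System.Net.WebRequest]::DefaultWebProxy
    if ($null -eq $p) { 'direct' } else { $p.GetProxy('https://login.windows.net/').AbsoluteUri }
}
Start-Job -ScriptBlock $check | Receive-Job -Wait -AutoRemoveJob
```

The 32-bit Framework path has its own machine.config and is not touched here; Azure AD Connect is a 64-bit application, so the Framework64 copy is the one that matters.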

As always test in your environment before deploying into production.

AADConnect Troubleshooting: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect-troubleshoot-connectivity/ (accessed 16/05/2016)


Posted by markparris

Microsoft MVP - Enterprise mobility.

9 Comments

  1. Had the same issue Mark, annoying and took some time to hunt down.

  2. […] articles that matched the same error. The first one I went to was by Mark Parris. His blog post (available here) had all the makings of a solution. I followed those instructions to try and resolve my […]

  3. Jakob Kvistgaard April 24, 2017 at 11:12 am

    Thanks, this fixed my issue as well

  4. Thanks so much, definitely helped me resolve my issue. I appreciate you writing this. 🙂

  5. Hi there,

    I have a different scenario where I have to use a proxy server – which doesn’t use authentication.

    So in my case, I add the entry

    And then I finally manage to finish the AD connect wizard, but got this on the last page: AD connect was successfully configured, password sync cannot be configured. Check event log for more info.

    Going there, I can see some information events (no errors) saying that the sync failed to resolve the name ‘login.windows.net’.

    I tried browsing to it – it’s working (this is part of the URL list that the network admin has already whitelisted on the web proxy)

    I then went to PowerShell: Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Initial

    Received a big big error saying that “user realm discovery failed ---> System.Net.WebException: The remote name could not be resolved: ‘login.windows.net’”

    My understanding is that the sync is trying to access that fqdn through 443 and is not going through the proxy server.

    Any ideas?

    1. Sorry, the entry I added in the machine.config is, right before the last line:

      <proxy
      usesystemdefault="true"
      proxyaddress="http://:"
      bypassonlocal="true"
      />

      Not sure why it didn't take it before

      1. Still, it won't take all my copy-paste heh; sorry for the spam:

        <proxy
        usesystemdefault="true"
        proxyaddress="http://:"
        bypassonlocal="true"
        />

    2. I added the entry found in the article below in the machine.config in order for it to go through a web proxy

      https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-troubleshoot-connectivity

      My copy-paste of the entry wasn’t working, not sure why