25 March 2022

Azure AD Connect password hash sync stopped - no-start-credentials - failed-authentication

The following error in the Office365 portal:


The following errors in the Synchronization Service Manager:


And this event id in the event viewer:


Now the thing that threw me off was the "The supplied credential is invalid" error.
After confirming that the password was set correctly ( https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-change-addsacct-pass#how-to-update-the-synchronization-service-with-new-password-for-ad-ds-account ), I remembered a case from a few weeks ago that had to do with cipher suites.

There was a difference in ciphers between the DCs and the ADCS server (certificate authority).
The problem was that RC4 had been turned off, but the CA was still requesting it.

After confirming my suspicion by checking the registry key on the AADConnect server:
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes, which had a value of 0x7ffffff8, I knew I had found the problem. After setting the value to 0x7ffffffc (thereby turning the RC4 cipher back on), restarting the "Microsoft Azure AD Sync" service and starting an export, all password hashes started syncing again.

I have absolutely no idea why the sync would stop when the old and deprecated RC4 cipher is turned off. But that is a question for another day.
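To see what a value like 0x7ffffff8 actually means before touching it, here is an added PowerShell snippet (my example, not part of the original post) that decodes the SupportedEncryptionTypes bitmask and reads the live value from the registry path above. The bit assignments are those of the "Network security: Configure encryption types allowed for Kerberos" policy; the service and registry names are the ones from the post.

```powershell
# Added example (not from the original post): decode the Kerberos
# SupportedEncryptionTypes bitmask so an AAD Connect server can be
# audited before anyone changes it. Bit values follow the GPO
# "Network security: Configure encryption types allowed for Kerberos".
$KerberosEncTypes = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
}

function Get-KerberosEncTypeNames {
    param([Parameter(Mandatory)][uint32]$Mask)
    # Return the names of every encryption type whose bit is set in $Mask
    $KerberosEncTypes.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Decode the two values from the post: 0x7ffffff8 (RC4 off) and 0x7ffffffc (RC4 on)
foreach ($v in 0x7ffffff8, 0x7ffffffc) {
    '0x{0:x8} -> {1}' -f $v, ((Get-KerberosEncTypeNames $v) -join ', ')
}

# Read the live value on this server (registry path from the post).
# A missing value means the policy is simply not configured on this host.
$path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$item = Get-ItemProperty -Path $path -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
if ($null -eq $item) {
    'SupportedEncryptionTypes is not configured on this host.'
} else {
    $mask    = [uint32]$item.SupportedEncryptionTypes
    $enabled = Get-KerberosEncTypeNames $mask
    'Configured: 0x{0:x8} -> {1}' -f $mask, ($enabled -join ', ')
    if ($enabled -notcontains 'RC4_HMAC_MD5') {
        'RC4 is disabled here; compare with the DCs before treating this as a credential problem.'
    }
}
```

Run it on the AADConnect server and on a DC and compare the two lists; a mismatch in RC4 is the condition the post describes.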




1 comment:

  1. Good day, I'm running into a similar issue as you but I'm not finding the Kerberos folder mentioned above. Are you running Windows Server 2012 R2? Could this folder be located somewhere else on the machine?
