This article helps you find information on troubleshooting common Azure AD pass-through authentication issues.
Important
If you experience user sign-in issues with pass-through authentication, do not disable the feature or uninstall the pass-through authentication agents without first having a cloud-only Global Administrator account or Hybrid Identity Administrator account to fall back on. Learn how to add a cloud-only global admin account. This step is critical: it ensures that you are not locked out of your tenant.
General issues
Check the status of the feature and authentication agents
Make sure that the pass-through authentication feature is still Enabled on your tenant and that the status of the authentication agents shows Active, not Inactive. You can check the status by going to the Azure AD Connect blade in the Azure portal.
User login error messages
If the user can't sign in with pass-through authentication, you might see one of the following user errors on the Azure AD sign-in screen:
Error | Description | Solution |
---|---|---|
AADSTS80001 | Cannot connect to Active Directory | Make sure that the agent servers are members of the same AD forest as the users whose passwords need to be validated and can connect to Active Directory. |
AADSTS80002 | Timed out connecting to Active Directory | Verify that Active Directory is available and responding to agent requests. |
AADSTS80004 | The username passed to the agent was invalid | Make sure the user tries to sign in with the correct username. |
AADSTS80005 | Validation encountered an unpredictable WebException | A temporary error. Try the request again. If it continues to fail, contact Microsoft Support. |
AADSTS80007 | An error occurred while communicating with Active Directory | Check the agent logs for more information and verify that Active Directory is working as expected. |
Users get an invalid username/password error
This can happen when a user's on-premises UserPrincipalName (UPN) is different from the user's cloud UPN.
To confirm that this is the problem, first test that the pass-through authentication agent is working correctly:
1. Create a test account.
2. Import the PowerShell module on the agent machine:
   Import-Module "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1"
3. Run the troubleshooter cmdlet:
   Invoke-PassthroughAuthOnPremLogonTroubleshooter
4. When prompted for credentials, enter the same username and password that you used to sign in at https://login.microsoftonline.com.
If you get the same username/password error, the pass-through authentication agent is working correctly, and the problem is most likely that the on-premises UPN is not routable. For more information, see Configuring Alternate Login ID.
Important
If the Azure AD Connect server is not domain-joined, which is a requirement listed in Azure AD Connect: Prerequisites, the invalid username/password issue occurs.
Azure portal sign-in failure reasons (requires Premium license)
If your tenant has an Azure AD Premium license associated with it, you can also look at the sign-in activity report in the Azure portal.
Navigate to Azure Active Directory -> Sign-ins in the Azure portal and click the sign-in activity of a specific user. Look for the SIGN-IN ERROR CODE field. Map the value of this field to a failure reason and resolution using the following table:
Sign-in error code | Sign-in failure reason | Resolution |
---|---|---|
50144 | The user's Active Directory password has expired. | Reset the user's password in your local Active Directory. |
80001 | No authentication agent available. | Install and register an authentication agent. |
80002 | Authentication agent password validation request timed out. | Check if your Active Directory is accessible from the authentication agent. |
80003 | Invalid response received by the authentication agent. | If the issue can be reproduced consistently across multiple users, check your Active Directory settings. |
80004 | Incorrect username (UPN) used in the login request. | Ask the user to sign in with the correct username. |
80005 | Authentication agent: an error occurred. | Transient error. Try again later. |
80007 | The authentication agent cannot connect to Active Directory. | Check if your Active Directory is accessible from the authentication agent. |
80010 | The authentication agent cannot decrypt the password. | If the issue can be reproduced consistently, install and register a new authentication agent, then uninstall the current one. |
80011 | The authentication agent could not retrieve the decryption key. | If the issue can be reproduced consistently, install and register a new authentication agent, then uninstall the current one. |
80014 | The validation request was answered after the maximum elapsed time was exceeded. | Authentication agent timed out. Please open a support ticket with the error code, correlation ID, and timestamp for more details on this error. |
Important
Pass-through authentication agents authenticate users to Azure AD by validating their usernames and passwords against Active Directory by calling the Win32 LogonUser API. As a result, if you have configured the "Log On To" setting in Active Directory to restrict workstation logon access, you also need to add the servers that host pass-through authentication agents to the "Log On To" list of every affected user. If you don't, those users won't be able to sign in to Azure AD.
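The following script is an added example (not code from the article or from Microsoft) that checks a user's "Log On To" restriction against the list of pass-through authentication agent servers. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read the user object; the agent host names and the test user are made up. When an agent host is missing from the list, the LogonUser call fails with Win32 error 1329 (ERROR_INVALID_WORKSTATION), which appears as Reason: '1329' in the agent trace log.

```powershell
# Added example: verify that PTA agent servers are permitted by a user's "Log On To" restriction.
# Assumes the ActiveDirectory module (RSAT) and read access to the user object.
Import-Module ActiveDirectory

function Test-PtaLogOnToRestriction {
    param(
        [Parameter(Mandatory)] [string]   $Identity,    # sAMAccountName or distinguished name of the user
        [Parameter(Mandatory)] [string[]] $AgentHosts   # NetBIOS names of the PTA agent servers
    )

    # "Log On To" is stored in the userWorkstations attribute, exposed by the AD module as
    # LogonWorkstations: a comma-separated list of NetBIOS computer names. Empty means unrestricted.
    $user = Get-ADUser -Identity $Identity -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
        return [pscustomobject]@{
            User          = $user.UserPrincipalName
            Restricted    = $false
            AllowedHosts  = @()
            MissingAgents = @()
        }
    }

    $allowed = $user.LogonWorkstations.Split(',') | ForEach-Object { $_.Trim().ToUpperInvariant() }
    $missing = $AgentHosts | ForEach-Object { $_.ToUpperInvariant() } | Where-Object { $_ -notin $allowed }

    [pscustomobject]@{
        User          = $user.UserPrincipalName
        Restricted    = $true
        AllowedHosts  = @($allowed)
        MissingAgents = @($missing)
    }
}

# Usage (host names and user are made up for the example).
$result = Test-PtaLogOnToRestriction -Identity 'jdoe' -AgentHosts 'PTA-AGENT01', 'PTA-AGENT02'
if ($result.Restricted -and $result.MissingAgents.Count -gt 0) {
    # LogonUser from one of these agents returns 1329 (ERROR_INVALID_WORKSTATION) for this user.
    Write-Warning ("{0}: 'Log On To' does not include agent host(s): {1}" -f $result.User, ($result.MissingAgents -join ', '))
}
else {
    "{0}: all agent hosts allowed (restricted = {1})" -f $result.User, $result.Restricted
}
```

The function only reads the attribute; adding the agent hosts is a deliberate change (Set-ADUser -LogonWorkstations) that should go through your normal change process, because a "Log On To" list is a security control and widening it affects where the user's credentials can be used.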
Problems installing the authentication agent
An unexpected error occurred
Collect the agent logs from the server and contact Microsoft Support with your issue.
Authentication agent registration issues
Authentication agent registration failed due to blocked ports
Make sure that the server where the authentication agent is installed can communicate with the URLs and ports listed for our service.
Authentication agent registration failed due to account or token authorization errors
Make sure that you use a cloud-only Global Administrator account or Hybrid Identity Administrator account for all Azure AD Connect or standalone authentication agent setup and registration operations. There is a known issue with MFA-enabled Global Administrator accounts; temporarily disable MFA (only to complete the operations) as a workaround.
An unexpected error occurred
Collect the agent logs from the server and contact Microsoft Support with your issue.
Problems uninstalling the authentication agent
Warning message when uninstalling Azure AD Connect
If you have enabled pass-through authentication in your tenant and you try to uninstall Azure AD Connect, the following warning message appears: "Users will not be able to sign in to Azure AD unless you have other pass-through authentication agents installed on other servers".
Make sure that your configuration is highly available before uninstalling Azure AD Connect, to avoid breaking user sign-in.
Problems enabling the feature
Feature activation failed because no authentication agents were available
You must have at least one active authentication agent to enable pass-through authentication in your tenant. You can install an authentication agent by installing Azure AD Connect or a standalone authentication agent.
Feature activation failed due to blocked ports
Make sure that the server where Azure AD Connect is installed can communicate with the URLs and ports listed for our service.
Feature activation failed due to token or account authorization error
Make sure that you use a cloud-only Global Administrator account when enabling the feature. There is a known issue with Global Administrator accounts that have multi-factor authentication (MFA) enabled; temporarily disable MFA (only to complete the operation) as a workaround.
Collecting Pass-Through Authentication Agent logs
Depending on the type of issue you are having, look for the pass-through authentication agent log files in different places.
Azure AD Connect logs
For installation-related errors, check the Azure AD Connect logs at %ProgramData%\AADConnect\trace-*.log.
Authentication Agent event logs
For authentication agent related errors, open the Event Viewer app on the server and check under Applications and Services Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin.
For detailed analytics, enable the "Session" log (right-click inside the Event Viewer app to find this option). Do not run the authentication agent with this log enabled during normal operations; it is meant for troubleshooting only. The log contents are only visible after the log is disabled again.
Detailed trace logs
To troubleshoot user sign-in errors, look for the trace logs in %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\. These logs include the reasons why a specific user's sign-in failed when using the pass-through authentication feature. These errors map to the sign-in failure reasons listed in the sign-in failure reasons table above. The following is an example log entry:
AzureADConnectAuthenticationAgentService.exe error: 0: Passthrough authentication request failed. Request ID: 'df63f4a4-68b9-44ae-8d81-6ad2d844d84e'. Reason: '1328'. ThreadId=5 DateTime=xxxx-xx-xxTxx:xx:xx.xxxxxxZ
You can get descriptive details about the error ('1328' in the example above) by opening a command prompt and running the following command (replace '1328' with the actual error number that you see in your logs):
net helpmsg 1328
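Running net helpmsg by hand for each Reason code does not scale across a busy trace directory. The script below is an added example (not code from the article or from Microsoft) that scans the trace logs, groups failed requests by Win32 reason code and decodes each code with net helpmsg. It assumes the trace directory and line format shown above; the sample lines embedded in the script are constructed so that it also runs on a machine without an agent installed.

```powershell
# Added example: summarise failed pass-through authentication requests from the agent trace logs.
# Assumes the trace directory named in the article and a line format matching the sample entry above.
$TraceDir = Join-Path $env:ProgramData 'Microsoft\Azure AD Connect Authentication Agent\Trace'

# Captures the request ID, the Win32 reason code and the timestamp of a failed request.
$Pattern = "Passthrough authentication request failed\. Request ID: '(?<id>[0-9a-fA-F-]+)'\. Reason: '(?<code>\d+)'.*?DateTime=(?<ts>\S+)"

function ConvertFrom-PtaTraceLine {
    param([Parameter(ValueFromPipeline)] [string] $Line)
    process {
        if ($Line -match $Pattern) {
            [pscustomobject]@{
                Time      = $Matches.ts
                RequestId = $Matches.id
                Reason    = [int]$Matches.code
            }
        }
    }
}

function Get-Win32ErrorText {
    param([int] $Code)
    # "net helpmsg" prints the message text for a Win32 error number (blank lines are dropped).
    (& net helpmsg $Code 2>$null | Where-Object { $_.Trim() }) -join ' '
}

function Get-PtaFailureSummary {
    param([string[]] $Lines)
    $Lines | ConvertFrom-PtaTraceLine | Group-Object Reason | ForEach-Object {
        [pscustomobject]@{
            Reason   = [int]$_.Name
            Message  = Get-Win32ErrorText -Code ([int]$_.Name)
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    } | Sort-Object Count -Descending
}

# Constructed sample lines (same shape as the article's entry), used when no trace files are present.
$SampleLines = @(
    "AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough authentication request failed. Request ID: 'df63f4a4-68b9-44ae-8d81-6ad2d844d84e'. Reason: '1328'. ThreadId=5 DateTime=2023-05-01T08:00:00.0000000Z",
    "AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough authentication request failed. Request ID: '2b1d0b2c-1111-4c7e-9f0e-2d3d1c5b6a7e'. Reason: '1329'. ThreadId=7 DateTime=2023-05-01T08:02:10.0000000Z",
    "AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough authentication request failed. Request ID: '9c8e7d6f-2222-4a1b-8c3d-4e5f6a7b8c9d'. Reason: '1329'. ThreadId=7 DateTime=2023-05-01T08:05:42.0000000Z"
)

$Lines = if (Test-Path $TraceDir) { Get-Content -Path (Join-Path $TraceDir '*.log') } else { $SampleLines }
Get-PtaFailureSummary -Lines $Lines | Format-Table -AutoSize
```

A cluster of one code usually points at one cause: 1328 is a logon-hours restriction, 1329 means the user is not allowed to log on to the agent server (the "Log On To" setting described earlier in this article), and 1326 is a plain bad username or password. Because net helpmsg only knows Win32 codes, a reason that does not decode should be checked against the sign-in failure reasons table rather than guessed at.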
Domain controller log files
If audit logging is enabled, additional information can be found in the security logs of your domain controllers. An easy way to query the sign-in requests sent by the pass-through authentication agents is as follows:
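The two functions below are an added example (not the article's own query or Microsoft code) for pulling the audit events that agent-driven logons produce. The first runs on the agent server and selects 4624/4625 logon events whose calling process is the agent service executable (the path is assumed from the install directory and the service name shown elsewhere in this article). The second runs on a domain controller and selects Kerberos TGT requests (4768, 4771) and NTLM validations (4776) whose source is one of the agent servers; the host names and addresses are made up. Both require audit logging for logon and account logon events to be enabled.

```powershell
# Added example: locate the security audit events generated by pass-through authentication agents.
# Assumption: the agent executable lives in the install directory from this article.
$AgentExe = 'C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe'

# Run on the agent server: 4624 (success) / 4625 (failure) logons performed by the agent process.
function Get-PtaAgentLogonEvents {
    param([datetime] $Since = (Get-Date).AddHours(-1))
    $xml = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624 or EventID=4625)]]
      and *[EventData[Data[@Name='ProcessName']='$AgentExe']]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $xml -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -ge $Since } |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = ($d | Where-Object Name -eq 'TargetUserName').'#text'
                Status  = ($d | Where-Object Name -eq 'Status').'#text'   # NTSTATUS on 4625, e.g. 0xC000006A
            }
        }
}

# Run on a domain controller: Kerberos TGT requests (4768 success, 4771 pre-auth failure) and
# NTLM validations (4776) whose source workstation or address is one of the agent servers.
function Get-PtaDcAuthEvents {
    param(
        [string[]]  $AgentHosts,
        [string[]]  $AgentIPs = @(),
        [datetime]  $Since = (Get-Date).AddHours(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4771, 4776; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            $field = { param($n) ($d | Where-Object Name -eq $n).'#text' }
            # 4776 carries the NetBIOS source in 'Workstation'; the Kerberos events carry an IP in 'IpAddress'.
            $source = if ($_.Id -eq 4776) { & $field 'Workstation' } else { (& $field 'IpAddress') -replace '^::ffff:', '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                User    = & $field 'TargetUserName'
                Source  = $source
                Status  = & $field 'Status'   # 0x0 on success; e.g. 0x18 (4771) or 0xC000006A (4776) for a bad password
            }
        } |
        Where-Object { ($_.Source -in $AgentHosts) -or ($_.Source -in $AgentIPs) }
}

# Usage (host names and addresses are made up for the example):
# Get-PtaAgentLogonEvents | Where-Object EventId -eq 4625 | Format-Table -AutoSize
# Get-PtaDcAuthEvents -AgentHosts 'PTA-AGENT01', 'PTA-AGENT02' -AgentIPs '10.0.0.11', '10.0.0.12' |
#     Group-Object User, Status | Sort-Object Count -Descending
```

Correlate by user and timestamp with the Request ID in the agent trace log: a 4625 on the agent server with a non-zero Status and a matching 4771 or 4776 failure on the domain controller confirms that Active Directory rejected the credential, while a trace-log failure with no corresponding domain controller event points at connectivity between the agent and the domain (AADSTS80001/80002/80007).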
Performance Monitor Counters
Another way to monitor authentication agents is to track specific Performance Monitor counters on each server where an authentication agent is installed. Use the following global counters (# PTA authentications, #PTA failed authentications and #PTA successful authentications) and error counters (#PTA authentication errors):
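The snippet below is an added example (not code from the article or from Microsoft) that discovers the agent's counter set and samples it over a short window. It assumes only that the counter set name contains "PTA", "Pass-through" or "Passthrough" (hence the wildcard lookup, which avoids hard-coding a name) and that the counters are cumulative, so that the difference between the first and last sample is the activity during the window.

```powershell
# Added example: discover and sample the pass-through authentication performance counters.
# Assumption: the counter set name matches one of the wildcards below; the counters are cumulative.
function Get-PtaCounterSet {
    $set = Get-Counter -ListSet '*PTA*', '*Pass-through*', '*Passthrough*' -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $set) {
        throw 'No pass-through authentication counter set found. Is the authentication agent installed on this server?'
    }
    $set
}

function Watch-PtaCounters {
    param([int] $IntervalSeconds = 15, [int] $Samples = 4)
    $set     = Get-PtaCounterSet
    $samples = Get-Counter -Counter $set.Paths -SampleInterval $IntervalSeconds -MaxSamples $Samples
    $first   = $samples[0].CounterSamples
    $last    = $samples[-1].CounterSamples
    # Delta between the first and last sample = requests handled during the window.
    for ($i = 0; $i -lt $first.Count; $i++) {
        [pscustomobject]@{
            Counter = ($first[$i].Path -split '\\')[-1]
            Start   = $first[$i].CookedValue
            End     = $last[$i].CookedValue
            Delta   = $last[$i].CookedValue - $first[$i].CookedValue
        }
    }
}

$activity = Watch-PtaCounters
$activity | Format-Table -AutoSize
if (($activity | Measure-Object -Property Delta -Sum).Sum -eq 0) {
    Write-Warning 'No counter movement during the sample window: this agent received no requests.'
}
```

A zero delta on one agent is not by itself a fault, since requests are not balanced evenly across agents; a zero delta on every agent while users report sign-in failures is.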
Important
Pass-through authentication provides high availability by using multiple authentication agents, not load balancing. Depending on your configuration, not all of your authentication agents receive a roughly equal number of requests. It is possible that a specific authentication agent receives no traffic at all.