Azure Pass-Through Authentication Issue:
We recently ran into a problem where users were failing to authenticate through Azure Pass-through Authentication. After confirming that Pass-through Authentication was still enabled in the Azure Portal and that the hosting server showed an Active state, I went to the logs, where I found the following error.
Error:
“AADSTS80001: No Microsoft Azure AD Connect Authentication Agent was found. Make sure that your environment is configured correctly. If your directory is set for pass-through authentication, make sure that your Microsoft Azure AD Connect Authentication Agent is online.”
Resolution:
The error message was helpful and led me to our Azure Active Directory services on the agent server. I noticed that the Microsoft AAD Application Proxy Connector service was stopped. So even though Azure showed the service and server as healthy, the service itself was stopped. Starting the service got us back up and running again.
NOTE: It is also worth mentioning that, for this error, Microsoft states the following: “Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they are able to connect to Active Directory.”
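The checks described above can be scripted so that the next person on call does not have to click through the Services console. The following PowerShell is an added example and is not from the original post or from Microsoft; it assumes it runs elevated on the agent server and that the agent services carry the display names shown (verify them with Get-Service before relying on the patterns). It reports the state of the on-premises agent services, starts any that are stopped, and confirms the server is domain-joined with a working secure channel, which is the Active Directory connectivity condition Microsoft's note refers to.

```powershell
# Added example (not part of the original post): triage the on-premises side of
# Pass-through Authentication when Azure reports AADSTS80001.
# Assumptions: the display-name patterns below match the installed agents, and
# the script runs in an elevated PowerShell session on the agent server.

$agentDisplayNames = @(
    'Microsoft Azure AD Connect Authentication Agent*',   # PTA agent (assumed display name)
    'Microsoft Azure AD Connect Agent Updater*',          # agent auto-updater (assumed display name)
    'Microsoft AAD Application Proxy Connector*'          # service found stopped in the post (assumed display name)
)

function Get-AgentServiceState {
    # One row per matching service; a missing service simply produces no row,
    # which itself tells you the agent is not installed on this host.
    foreach ($pattern in $agentDisplayNames) {
        Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue |
            Select-Object Name, DisplayName, Status, StartType
    }
}

function Start-StoppedAgentServices {
    # Start anything that is not Running and re-read its status afterwards so the
    # output reflects the real post-start state rather than the start attempt.
    Get-AgentServiceState |
        Where-Object { $_.Status -ne 'Running' } |
        ForEach-Object {
            Write-Warning "Service '$($_.DisplayName)' is $($_.Status); starting it."
            Start-Service -Name $_.Name
            Get-Service -Name $_.Name | Select-Object Name, Status
        }
}

function Test-AgentDomainConnectivity {
    # The agent validates passwords against on-premises AD, so the server must be a
    # domain member with a healthy secure channel to a domain controller.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        Write-Warning "$($cs.Name) is not domain-joined; the agent cannot validate passwords."
        return $false
    }
    Write-Host "Domain: $($cs.Domain)"
    # Returns $true when the secure channel to the domain is intact.
    Test-ComputerSecureChannel
}

Get-AgentServiceState | Format-Table -AutoSize
Start-StoppedAgentServices
Test-AgentDomainConnectivity
```

If the services are running and the secure channel test passes but sign-ins still fail, the remaining items in the tables below (agent registration, decryption keys, user forest membership) are the next things to check rather than the service state.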
Additional Error Information:
User-facing sign-in error messages
Error code | Error message | Recommended action |
AADSTS80001 | Unable to connect to Active Directory | Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they are able to connect to Active Directory. |
AADSTS80002 | A timeout occurred connecting to Active Directory | Check to ensure that Active Directory is available and is responding to requests from the agents. |
AADSTS80004 | The username passed to the agent was not valid | Ensure the user is attempting to sign in with the right username. |
AADSTS80005 | Validation encountered unpredictable WebException | A transient error. Retry the request. If it continues to fail, contact Microsoft support. |
AADSTS80007 | An error occurred communicating with Active Directory | Check the agent logs for more information and verify that Active Directory is operating as expected. |
Sign-in Error Codes
Error code | Error message | Recommended action |
50144 | User’s Active Directory password has expired. | Reset the user’s password in your on-premises Active Directory. |
80001 | No Authentication Agent available. | Install and register an Authentication Agent. |
80002 | Authentication Agent’s password validation request timed out. | Check if your Active Directory is reachable from the Authentication Agent. |
80003 | Invalid response received by Authentication Agent. | If the problem is consistently reproducible across multiple users, check your Active Directory configuration. |
80004 | Incorrect User Principal Name (UPN) used in sign-in request. | Ask the user to sign in with the correct username. |
80005 | Authentication Agent: Error occurred. | Transient error. Try again later. |
80007 | Authentication Agent unable to connect to Active Directory. | Check if your Active Directory is reachable from the Authentication Agent. |
80010 | Authentication Agent unable to decrypt password. | If the problem is consistently reproducible, install and register a new Authentication Agent and uninstall the current one. |
80011 | Authentication Agent unable to retrieve decryption key. | If the problem is consistently reproducible, install and register a new Authentication Agent and uninstall the current one. |