EntraLab

Fix: An error occurred executing Configure AAD sync task: An error occurred while sending the request.

·

Dan

Microsoft recently released Entra Connect Sync (AAD connect) version 2.3.20.0, which is a security update. With speed in which Microsoft is currently deprecating (12 months from the date that a newer version is released.) you will be faced with challenge to upgrade into this latest version sooner.

Some customers who are trying to upgrade (auto upgrade also runs into the same issue) to the version 2.3.20.0 can be faced with the following error. 

Configure AAD Sync
An error occurred executing Configure AAD sync task: An error occurred while sending the request.

As you see in the error screenshot above, there is not much shared on what the actual error or cause of the error. You have the option to check the trace logs which is located at C:\ProgramData\AADConnect\trace-date-time.log

Looking at the trace logs brings you to something shown in the below screenshot, which again doesn’t reveal much on what is happening other than showing bunch of errors.

This error can also happen during the auto-upgrade of the AAD connect, and you wont notice until you receive emails noting the admin of synchronization issues. I have seen administrators panicking and uninstalling AAD connect and re-installing it in an effort to resolve it. However, this will further complicate the issue.

A major change Microsoft announced with the v2.3.20.0 of Microsoft Entra Connect is that the Microsoft Entra Connect requires TLS 1.2. The installation will fail if this is not enabled properly.

Now some of you may have TLS 1.2 already enabled but still get the error. This is because you may not have enabled all the registry keys required for the Entra connect requirement.

Check if TLS 1.2 is properly enabled on your Entra connect server using the Powershell script below.

Function Get-ADSyncToolsTls12RegValue
{
    [CmdletBinding()]
    Param
    (
        # Registry Path
        [Parameter(Mandatory=$true,
                   Position=0)]
        [string]
        $RegPath,

# Registry Name
        [Parameter(Mandatory=$true,
                   Position=1)]
        [string]
        $RegName
    )
    $regItem = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Ignore
    $output = "" | select Path,Name,Value
    $output.Path = $RegPath
    $output.Name = $RegName

If ($regItem -eq $null)
    {
        $output.Value = "Not Found"
    }
    Else
    {
        $output.Value = $regItem.$RegName
    }
    $output
}

$regSettings = @()
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'

$regKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'

$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'

$regSettings

I received the following output.

However, the expected outcome is below.

You can use the Powershell script below to enable TLS 1.2 properly on your server. This is the Microsoft recommended method to enable TLS 1.2 on the Entra connect server rather than editing the registry manually.

If (-Not (Test-Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'))
{
    New-Item 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

If (-Not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'))
{
    New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
}
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value '0' -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.2 has been enabled. You must restart the Windows Server for the changes to take affect.' -ForegroundColor Cyan

You should get an output like below.

Now, make sure to restart your server. Once restarted, open the Entra connect wizard, and ready to be faced with the following error.

An internal problem has occurred

Unlike last time, we have clear instructions as to what to do ie., uninstall and try again.

Go to programs and features in Windows and uninstall the AAD connect installation.

You may now download the latest version of the Entra connect from the Microsoft link below.

Download latest Entra connect version

You can now follow the normal custom/express installation steps for the Entra connect installation, and you will not be faced with the error this time.

I highly recommend choosing the option ‘Create new AD account’ while connecting your local AD to the Entra connect. Many mistake the use of this option, thinking they have to use an existing AD connect and type their local admin account credentials. It works sometimes, however this is the step where Entra connect creates your connector account for Entra connect -if you give your existing account it may not have all the permission that it needs and will give you issues at some point.

Instead, choose ‘Create new AD account’, and then type in the credentials of your local AD admin account with enterprise admin, schema admin and domain admin permissions. This will ensure Entra connect created a brand new connector account with all necessary permissions using the credentials provided.

Hope this worked. If you have any questions or concerns about any steps above, please leave comment and I will get back to you.

References:


https://www.microsoft.com/en-us/download/details.aspx?id=47594
https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-tls-enforcement#powershell-script-to-check-tls-12
https://www.microsoft.com/en-us/download/details.aspx?id=47594

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *