Azure On-premise Self Service Password Reset AD permissions

A couple of weeks ago I was working with a client to implement Azure Self Service Password Reset (SSPR) for on-premises Active Directory users, i.e. writing the new password back to the local AD. This solution builds on the integration of Azure AD Premium with the local Active Directory, achieved through Azure AD Sync. Although everything was implemented as described in the instructions, I still got errors when resetting the password of an on-premises AD user from Azure.

Microsoft's documentation on MSDN described the permissions required for the AAD Sync service account, to be set at the root of the local Active Directory, as:

– Reset Password
– Change Password
– Read all properties

These permissions are not sufficient, but let me first describe what happened.

After configuring SSPR I tested a password reset for a standard AD account. This resulted in an error stating that the password could not be reset for this user. The Application event log on the AAD Sync server recorded the following entries (identifiers replaced by placeholders):

Eventlog entry:
Log Name: Application
Source: PasswordResetService
Date: 3/5/2015 4:12:44 PM
Event ID: 31001
Task Category: None
Level: Information
Keywords: Classic
User: N/A
Computer: (computer)
Description:
TrackingId: (id), PasswordResetRequestStart, Details: (UPN)

The user is presented with an error that the password could not be reset.

Eventlog entry:
Log Name: Application
Source: PasswordResetService
Date: 3/5/2015 4:12:43 PM
Event ID: 33001
Task Category: None
Level: Error
Keywords: Classic
User: N/A
Computer: (computer)
Description:
TrackingId: (hash), Reason: Synchronization Engine returned an error hr=80004005, message=Unspecified error, Context: cloudAnchor: User_(guid), SourceAnchorValue: (anchor) UserPrincipalName: (UPN), unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80004005, message=Unspecified error
   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
   at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String encryptedResetPasswordRequestString, String publicKeyEncryptedSymmetricKey, String publicKeyEncryptedSymmetricIV, Boolean unblockUser)

Eventlog entry:
Log Name: Application
Source: ADSync
Date: 3/5/2015 4:12:44 PM
Event ID: 6329
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: (computer)
Description:
An unexpected error has occurred during a password set operation.
BAIL: MMS(1512): ..\server.cpp(11060): 0x80004005 (Unspecified error)
Azure AD Sync 1.0.0485.0222

Eventlog entry:
Log Name: Application
Source: ADSync
Date: 3/5/2015 4:12:44 PM
Event ID: 6329
Task Category: Server
Level: Error
Keywords: Classic
User: N/A
Computer: (computer)
Description:
An unexpected error has occurred during a password set operation.
ERR_: MMS(1512): ..\session.cpp(2114): Asynchronous modify result (dn=(GUID=(guid))) failed
WARNING: MMS(1512): ..\session.cpp(2115): Asynchronous modify result (dn=(GUID=(guid))) failed
BAIL: MMS(1512): ..\session.cpp(2121): 0x80070005 (Access is denied.)
ERR_: MMS(1512): admaexport.cpp(4253): The password change operation failed: ERR_: MMS(1512): admaexport.cpp(4259): Insufficient Rights 0x32
BAIL: MMS(1512): admaexport.cpp(3516): 0x80004005 (Unspecified error)
ERR_: MMS(1512): ..\ma.cpp(8322): ExportPasswordSet failed with 0x80004005
Azure AD Sync 1.0.0485.0222

Most of us would conclude that the password reset operation failed. But now comes the interesting part: the user's password was in fact reset. Although both the event log and the user report that the reset failed, the new password is in place, and the Security log on the domain controller confirms it (event ID 4724, "An attempt was made to reset an account's password", for the target user). So why is it recorded as a failure?

The permissions we had set for the AAD Sync service account in the local AD all covered setting the password itself; what the account was not able to do was write the lockoutTime attribute. Look at the 33001 event again: the request carries unblockUser: True, and the stack trace shows ResetPassword being called with an fUnlockAccount flag. The reason is the locked-out case: a user who is locked out and, while the lockout is still active, resets the password through SSPR would still be unable to sign in until the lockout duration expires, so AAD Sync also clears lockoutTime as part of the reset. That write is the LDAP modify that fails in the second 6329 event with 0x80070005 (Access is denied) and Insufficient Rights 0x32 (LDAP result 50, insufficientAccessRights), consistent with the password having already been set before the modify was rejected; the engine then reports the whole ExportPasswordSet as failed. The Microsoft documentation at the time did not mention this. To be able to set the lockout time on a user's AD object, two additional permissions had to be given to the AAD Sync service account in the local Active Directory:

– Read lockoutTime
– Write lockoutTime

After adding those, it was possible to reset the user's password without any error messages.

Microsoft has since updated its MSDN article to include the additional permissions described above. Microsoft also states that read and write on pwdLastSet are necessary. I can imagine this is needed (setting pwdLastSet to 0 is how "change password at next logon" is enforced, which corresponds to the fForcePasswordChangeAtLogon flag in the stack trace), but in my case the absence of that permission did not produce an error. As I said, I can imagine that this attribute must be set too, so when you set the permissions for the AAD Sync service account for SSPR, grant the following, scoped to all descendant user objects in AD:

– Reset Password
– Change Password
– Write permissions on lockoutTime
– Write permissions on pwdLastSet
– Read all properties
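The following PowerShell script is an added example, not code from the original post or from Microsoft: it grants exactly the permissions listed above to the sync service account on every descendant user object of the domain root, reads the ACL back so you can verify the ACEs, and checks the sync server's Application log for the "Insufficient Rights 0x32" signature seen in the 6329 events. The domain CONTOSO, the account name svc_aadsync and the helper names Get-SchemaGuid, Get-ExtendedRightGuid and Get-SsprAces are assumptions for the example; the GUIDs are resolved from the schema and configuration partitions rather than hard-coded.

```powershell
# Added example (not from the original post): grant the AAD Sync service account
# the SSPR permissions on all descendant User objects, then verify them.
# Assumptions (hypothetical): service account CONTOSO\svc_aadsync; run as a
# Domain Admin on a machine with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$ServiceAccount = 'CONTOSO\svc_aadsync'     # assumption: the AAD Sync service account
$RootDse  = Get-ADRootDSE
$DomainDN = (Get-ADDomain).DistinguishedName
$AclPath  = "AD:\$DomainDN"                  # domain root, where the post sets the ACEs

# Resolve attribute/class GUIDs from the schema partition and extended-right
# GUIDs from the configuration partition, so the script works in any forest.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $o = Get-ADObject -SearchBase $RootDse.schemaNamingContext `
                      -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                      -Properties schemaIDGUID
    if (-not $o) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$o.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$DisplayName) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$($RootDse.configurationNamingContext)" `
                      -LDAPFilter "(displayName=$DisplayName)" `
                      -Properties rightsGuid
    if (-not $o) { throw "Extended right '$DisplayName' not found" }
    [guid]$o.rightsGuid
}

$UserClass      = Get-SchemaGuid 'user'
$LockoutTime    = Get-SchemaGuid 'lockoutTime'
$PwdLastSet     = Get-SchemaGuid 'pwdLastSet'
$ResetPassword  = Get-ExtendedRightGuid 'Reset Password'
$ChangePassword = Get-ExtendedRightGuid 'Change Password'

$Sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$Allow    = [System.Security.AccessControl.AccessControlType]::Allow
$Children = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$R        = [System.DirectoryServices.ActiveDirectoryRights]
$RP_WP    = $R::ReadProperty -bor $R::WriteProperty

# One ACE per permission from the list above. The last constructor argument is the
# inherited-object type: the ACE only applies to descendant objects of class User.
$Aces = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $R::ExtendedRight, $Allow, $ResetPassword,  $Children, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $R::ExtendedRight, $Allow, $ChangePassword, $Children, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $RP_WP,           $Allow, $LockoutTime,    $Children, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $RP_WP,           $Allow, $PwdLastSet,     $Children, $UserClass)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule($Sid, $R::ReadProperty, $Allow,                  $Children, $UserClass)  # Read all properties
)

$Acl = Get-Acl -Path $AclPath
foreach ($ace in $Aces) { $Acl.AddAccessRule($ace) }
Set-Acl -Path $AclPath -AclObject $Acl

# Verification: list every ACE for the service account that is inherited by User objects.
function Get-SsprAces([string]$Path, [string]$Account, [guid]$InheritedClass) {
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Account -and $_.InheritedObjectType -eq $InheritedClass } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, AccessControlType
}
Get-SsprAces -Path $AclPath -Account $ServiceAccount -InheritedClass $UserClass | Format-Table -AutoSize

# Symptom check, run on the AAD Sync server after a test reset: any recent ADSync 6329
# event still carrying the insufficient-rights signature means an ACE is missing.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'ADSync'; Id = 6329 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Insufficient Rights 0x32' } |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { $_.Message.Split("`n")[0] } }
```

The ObjectType column of the verification output should show the GUIDs of the two extended rights and of lockoutTime and pwdLastSet, each with InheritanceType Descendents. Later Azure AD Connect builds ship an ADSyncConfig PowerShell module whose Set-ADSyncPasswordWritebackPermissions applies an equivalent set of ACEs; the script above is still useful to audit what was actually granted.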
