Troubleshoot Microsoft Entra pass-through authentication
This article helps you find troubleshooting information about common issues regarding Microsoft Entra pass-through authentication.
Important
If you are facing user sign-in issues with Pass-through Authentication, don't disable the feature or uninstall Pass-through Authentication Agents without having a cloud-only a Hybrid Identity Administrator account to fall back on.
Ensure that the Pass-through Authentication feature is still Enabled on your tenant and the status of Authentication Agents shows Active, and not Inactive. You can check status by going to the Microsoft Entra Connect blade on the Microsoft Entra admin center.
If the user is unable to sign into using Pass-through Authentication, they may see one of the following user-facing errors on the Microsoft Entra sign-in screen:
Error | Description | Resolution |
---|---|---|
AADSTS80001 | Unable to connect to Active Directory | Ensure that agent servers are members of the same AD forest as the users whose passwords need to be validated and they are able to connect to Active Directory. |
AADSTS80002 | A timeout occurred connecting to Active Directory | Check to ensure that Active Directory is available and is responding to requests from the agents. |
AADSTS80004 | The username passed to the agent was not valid | Ensure the user is attempting to sign in with the right username. |
AADSTS80005 | Validation encountered unpredictable WebException | A transient error. Retry the request. If it continues to fail, contact Microsoft support. |
AADSTS80007 | An error occurred communicating with Active Directory | Check the agent logs for more information and verify that Active Directory is operating as expected. |
This can happen when a user's on-premises UserPrincipalName (UPN) is different than the user's cloud UPN.
To confirm that this is the issue, first test that the Pass-through Authentication agent is working correctly:
Create a test account.
Import the PowerShell module on the agent machine:
Import-Module "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\PassthroughAuthPSModule\PassthroughAuthPSModule.psd1"
Run the Invoke PowerShell command:
Invoke-PassthroughAuthOnPremLogonTroubleshooter
When you are prompted to enter credentials, enter the same username and password that are used to sign in to (https://login.microsoftonline.com).
If you get the same username/password error, this means that the Pass-through Authentication agent is working correctly and the issue may be that the on-premises UPN is non-routable. To learn more, see Configuring Alternate Login ID.
Important
If the Microsoft Entra Connect server isn't domain joined, a requirement mentioned in Microsoft Entra Connect: Prerequisites, the invalid username/password issue occurs.
Sign-in failure reasons on the Microsoft Entra admin center (needs Premium license)
If your tenant has a Microsoft Entra ID P1 or P2 license associated with it, you can also look at the sign-in activity report on the Microsoft Entra admin center.
Navigate to Microsoft Entra ID -> Sign-ins on the [Microsoft Entra admin center](https://portal.azure.com/) and click a specific user's sign-in activity. Look for the SIGN-IN ERROR CODE field. Map the value of that field to a failure reason and resolution using the following table:
Sign-in error code | Sign-in failure reason | Resolution |
---|---|---|
50144 | User's Active Directory password has expired. | Reset the user's password in your on-premises Active Directory. |
80001 | No Authentication Agent available. | Install and register an Authentication Agent. |
80002 | Authentication Agent's password validation request timed out. | Check if your Active Directory is reachable from the Authentication Agent. |
80003 | Invalid response received by Authentication Agent. | If the problem is consistently reproducible across multiple users, check your Active Directory configuration. |
80004 | Incorrect User Principal Name (UPN) used in sign-in request. | Ask the user to sign in with the correct username. |
80005 | Authentication Agent: Error occurred. | Transient error. Try again later. |
80007 | Authentication Agent unable to connect to Active Directory. | Check if your Active Directory is reachable from the Authentication Agent. |
80010 | Authentication Agent unable to decrypt password. | If the problem is consistently reproducible, install and register a new Authentication Agent. And uninstall the current one. |
80011 | Authentication Agent unable to retrieve decryption key. | If the problem is consistently reproducible, install and register a new Authentication Agent. And uninstall the current one. |
80014 | Validation request responded after maximum elapsed time exceeded. | Authentication agent timed out. Open a support ticket with the error code, correlation ID, and timestamp to get more details on this error |
Important
Pass-through Authentication Agents authenticate Microsoft Entra users by validating their usernames and passwords against Active Directory by calling the Win32 LogonUser API. As a result, if you have set the "Logon To" setting in Active Directory to limit workstation logon access, you will have to add servers hosting Pass-through Authentication Agents to the list of "Logon To" servers as well. Failing to do this will block your users from signing into Microsoft Entra ID.
Collect agent logs from the server and contact Microsoft Support with your issue.
Ensure that the server on which the Authentication Agent has been installed can communicate with our service URLs and ports listed here.
Ensure that you use a cloud-only Hybrid Identity Administrator account for all Microsoft Entra Connect or standalone Authentication Agent installation and registration operations. There is a known issue with MFA-enabled Hybrid Identity Administrator accounts; turn off MFA temporarily (only to complete the operations) as a workaround.
Collect agent logs from the server and contact Microsoft Support with your issue.
If you have Pass-through Authentication enabled on your tenant and you try to uninstall Microsoft Entra Connect, it shows you the following warning message: "Users will not be able to sign-in to Microsoft Entra ID unless you have other Pass-through Authentication agents installed on other servers."
Ensure that your setup is highly available before you uninstall Microsoft Entra Connect to avoid breaking user sign-in.
You need to have at least one active Authentication Agent to enable Pass-through Authentication on your tenant. You can install an Authentication Agent by either installing Microsoft Entra Connect or a standalone Authentication Agent.
Ensure that the server on which Microsoft Entra Connect is installed can communicate with our service URLs and ports listed here.
Ensure that you use a cloud-only Hybrid Identity Administrator account when enabling the feature. There is a known issue with multi-factor authentication (MFA)-enabled Hybrid Identity Administrator accounts; turn off MFA temporarily (only to complete the operation) as a workaround.
Depending on the type of issue you may have, you need to look in different places for Pass-through Authentication Agent logs.
For errors related to installation, check the Microsoft Entra Connect logs at %ProgramData%\AADConnect\trace-*.log
.
For errors related to the Authentication Agent, open up the Event Viewer application on the server and check under Application and Service Logs\Microsoft\AzureAdConnect\AuthenticationAgent\Admin.
For detailed analytics, enable the "Session" log (right-click inside the Event Viewer application to find this option). Don't run the Authentication Agent with this log enabled during normal operations; use only for troubleshooting. The log contents are only visible after the log is disabled again.
To troubleshoot user sign-in failures, look for trace logs at %ProgramData%\Microsoft\Azure AD Connect Authentication Agent\Trace\. These logs include reasons why a specific user sign-in failed using the Pass-through Authentication feature. These errors are also mapped to the sign-in failure reasons shown in the preceding sign-in failure reasons table. Following is an example log entry:
AzureADConnectAuthenticationAgentService.exe Error: 0 : Passthrough Authentication request failed. RequestId: 'df63f4a4-68b9-44ae-8d81-6ad2d844d84e'. Reason: '1328'.
ThreadId=5
DateTime=xxxx-xx-xxTxx:xx:xx.xxxxxxZ
You can get descriptive details of the error ('1328' in the preceding example) by opening up the command prompt and running the following command (Note: Replace '1328' with the actual error number that you see in your logs):
Net helpmsg 1328
If audit logging is enabled, additional information can be found in the security logs of your Pass-through Authentication server. A simple way to query sign-in requests is to filter security logs using the following query:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[EventData[Data[@Name='ProcessName'] and (Data='C:\Program Files\Microsoft Azure AD Connect Authentication Agent\AzureADConnectAuthenticationAgentService.exe')]]</Select>
</Query>
</QueryList>
Another way to monitor Authentication Agents is to track specific Performance Monitor counters on each server where the Authentication Agent is installed. Use the following Global counters (# PTA authentications, #PTA failed authentications and #PTA successful authentications) and Error counters (# PTA authentication errors):
Important
Pass-through Authentication provides high availability using multiple Authentication Agents, and not load balancing. Depending on your configuration, not all your Authentication Agents receive roughly equal number of requests. It is possible that a specific Authentication Agent receives no traffic at all.