Recently I was working with a client implementing password writeback, and we received an error which we resolved, but for which I could find little information, so I am documenting it here.
The existing on-premises AD environment was at Windows 2008 R2 forest and domain functional level. Azure AD Connect (1.1.380.0) had been installed with the default synchronisation options, with password synchronisation and password writeback enabled.
Appropriate Azure AD premium licensing had been purchased and the domain was configured for self-service password reset (SSPR) and password writeback.
Everything appeared to be healthy and ready, so we tried resetting the password for a test user using self-service functionality.
We entered all the verification information and could get to the new password page, but when we tried to apply the password change the below error was received:
Additionally, on the Azure AD Connect server, we received the errors below in the Application event log:
After browsing How to troubleshoot Password Management, I found event 33009 related to an AD configuration error preventing the password write-back to on-premises.
The error message indicated ‘Not implemented’, and event 6329 included messages stating ‘Failed getting registry value’ and ‘The system cannot find the file specified’. All of this obviously pointed to something missing in the installation, but the missing piece wasn’t on the Azure AD Connect server.
The resolution was to install hotfix KB 2386717 on the DC holding the PDC emulator role, which was a Windows 2008 R2 server.
This is actually listed in the prerequisites here and should’ve been installed; specifically:
However, what was interesting was that if you read the information in the KB article, it states that the ‘Enforce password history and Minimum password age policy settings will not work’ without this hotfix, and that you can set the account password to a previous password in the password history at any time. This suggests that the action should still succeed but will not behave as expected. What we found, with regard to Azure SSPR at least, was that it stopped the password reset altogether.
Once this hotfix was installed the SSPR write-back worked as expected.
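As an added example (not from the original post), the following PowerShell locates the PDC emulator, checks whether KB2386717 is present on it, and then looks for the 33009/6329 events described above. It assumes the ActiveDirectory module (RSAT) is installed and that the account running it can query the DC remotely over WMI.

```powershell
# Added example: verify the password writeback prerequisite on the PDC emulator.
# Assumes RSAT ActiveDirectory module and remote WMI access to the DC.
Import-Module ActiveDirectory

$hotfixId = 'KB2386717'

# The hotfix must be applied on the DC holding the PDC emulator role.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "PDC emulator: $pdc"

# Get-WmiObject is used rather than Get-CimInstance so this also works on
# PowerShell 2.0 hosts of the 2008 R2 era.
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $pdc
Write-Host "OS: $($os.Caption) (build $($os.Version))"

# Get-HotFix returns nothing (or a non-terminating error) when the update is absent,
# so an empty result is treated as 'missing'.
$installed = Get-HotFix -Id $hotfixId -ComputerName $pdc -ErrorAction SilentlyContinue
if ($installed) {
    Write-Host "$hotfixId is installed on $pdc (InstalledOn: $($installed.InstalledOn))"
} else {
    Write-Warning "$hotfixId is NOT installed on $pdc; SSPR writeback will fail with event 33009 until it is applied."
}

# Run this part on the Azure AD Connect server: pull the most recent writeback
# errors (event IDs 33009 and 6329) from the Application log for triage.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 33009, 6329 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

Run the hotfix check before enabling writeback so the missing prerequisite is caught ahead of the first user-facing SSPR failure.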
As a side note, another thing I discovered when researching this (March 2017) was with regards to the prerequisites for password write-back.
In Prerequisites for Azure AD Connect, it states ‘If you plan to use the feature password writeback, then the Domain Controllers must be on Windows Server 2008 (with latest SP) or later. If your DCs are on 2008 (pre-R2), then you must also apply hotfix KB2386717.’
However, in Getting started with Password Management, as stated above it says ‘If you are running an older version of Windows Server 2008 or 2008 R2, you can still use this feature, but will need to download and install KB 2386717’.
Furthermore, under the KB article it states:
‘To apply this hotfix, you must be running one of the following operating systems:
And, you must have PDC Emulator role installed.’
So obviously the latter article above offers the correct guidance, i.e. that the hotfix is required even on 2008 R2.
Until next time…