Tuesday, October 6, 2015

AADConnect – Password Writeback - Unable to Configure Password Writeback

This error message is a little misleading: "Ensure you have a required license". At this point AADConnect cannot verify the licensing or any other information from Azure, so the cause could be a license or some other issue. You can get additional information by checking the Application event log on the AADConnect server.

Unable to configure password writeback.  Ensure you have a required license and consult the event log for additional information.


Event Log message:
Log Name:      Application
Source:        PasswordResetService
Date:          11/11/2015 11:01:20 AM
Event ID:      32011
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      AADConnect Server
Description:
TrackingId: f771fb12-ccca-49bc-80aa-7235c97369be, Error connecting to OnPremisesPasswordResetOnboarding Service, Details: System.TimeoutException: The request channel timed out while waiting for a reply after 00:00:59.9589823. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'https://passwordreset.microsoftonline.com/OnboardingService/OnPremisesPasswordResetOnboardingService.svc/OnboardTenantForOnPremisesPasswordResetWithSymmetricKey' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at IOnPremisesPasswordResetOnboarding.OnboardTenantForOnPremisesPasswordResetWithSymmetricKey(OnPremisesPasswordResetOnboardingRequest request)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.OnboardingServiceConnector.Invoke[TResult](Func`2 operation)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.OnboardingServiceConnector.InvokeWithRetry[TResult](Func`2 operation, String onboardingServiceUrl, String authenticationToken)


Resolution
According to the event log message, the connection to the onboarding service timed out. Errors of this type are mainly due to firewall or proxy issues. The required firewall and port details are documented in the following article:
https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-getting-started/#step-3-configure-your-firewall
Make sure to enable these ports for password writeback configuration.

Step 3: Configure your firewall
After you have enabled Password Writeback in the Azure AD Connect tool, you will need to make sure the service can connect to the cloud.
1. Once installation is complete, if you are blocking unknown outbound connections in your environment, you will also need to add the following rules to your firewall. Make sure you reboot your AAD Connect machine after making these changes:
· Allow outbound connections over port 443 TCP
· Allow outbound connections to https://ssprsbprodncu-sb.accesscontrol.windows.net/
· When using a proxy or having general connectivity issues, allow outbound connections over port 9350-9354 TCP
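
To confirm the diagnosis above before and after changing the firewall, the following added example (not part of the original post) summarizes recent 32011 events and tests outbound TCP reachability from the AAD Connect server. The two host names come from this page; `$relayHost` is a placeholder assumption, because the page does not name a host for the 9350-9354 rule.

```powershell
# Added example. Run on the AAD Connect server in an elevated PowerShell session.
# Host names taken from this page: the onboarding URL in event 32011 and the firewall step.
$endpoints = 'passwordreset.microsoftonline.com',
             'ssprsbprodncu-sb.accesscontrol.windows.net'
# Assumption: the page names no host for the 9350-9354 rule. Put the host your
# firewall rule targets here; the port-range check is skipped while it is empty.
$relayHost = ''

# 1. Recent onboarding failures: Application log, source PasswordResetService, ID 32011.
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'Application'; ProviderName = 'PasswordResetService'; Id = 32011
} -MaxEvents 5 -ErrorAction SilentlyContinue

$summary = foreach ($e in $failures) {
    $tracking = if ($e.Message -match 'TrackingId:\s*([0-9a-fA-F-]{36})') { $Matches[1] } else { 'n/a' }
    # A timeout in the exception chain points at the network path, not at licensing.
    $cause = if ($e.Message -match 'TimeoutException|The operation has timed out') {
        'connection timeout'
    } else {
        'other (read the full message)'
    }
    [pscustomobject]@{ Time = $e.TimeCreated; TrackingId = $tracking; Cause = $cause }
}
$summary | Format-Table -AutoSize

# 2. Direct outbound TCP reachability for the ports listed in the firewall step.
$checks = @(foreach ($name in $endpoints) {
    $t = Test-NetConnection -ComputerName $name -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Target = $name; Port = 443; Reachable = $t.TcpTestSucceeded }
})
if ($relayHost) {
    $checks += @(foreach ($port in 9350..9354) {
        $t = Test-NetConnection -ComputerName $relayHost -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $relayHost; Port = $port; Reachable = $t.TcpTestSucceeded }
    })
}
$checks | Format-Table -AutoSize
```

Test-NetConnection opens a direct TCP connection and does not go through a configured web proxy, so on a server that reaches the internet only via a proxy a `False` result should be checked against the proxy's allow list instead.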
