Azure AD Connect – “Cannot retrieve single sign on status”

Issue

When trying to modify the Azure AD Connect configuration on an Azure AD Connect v1.1.443.0 instance, no configuration options could be updated as the Azure AD Connect wizard errors with “Cannot retrieve single sign on status”.

(Screenshot: Azure AD Connect wizard error "Cannot retrieve single sign on status")

Azure AD Connect v1.1.443 has been running since March 2017 with no operational issues. The configuration is Azure AD Sync with SSO (Password Synchronization).

The Azure AD Connect log (found in %ProgramData%\AADConnect\trace-*.log) shows the following error that corresponds with the above screenshot.

[20:15:36.626] [  1] [ERROR] ConfigDesktopSsoPage: Exception caught in GetDesktopSsoStatus There was no endpoint listening at https://58c73dp9-7c63-4322-8132-5901e1f913ba.register.msappproxy.net:9090/register/GetDesktopSsoStatus that could accept the message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more details.. Skipping configuration

[20:15:36.642] [  1] [ERROR] Cannot retrieve single sign-on status.

Investigation

  • Confirmed TCP/9090 is open outbound from the Azure AD Connect server.
  • Verified that DNS for 58c73dp9-7c63-4322-8132-5901e1f913ba.register.msappproxy.net resolved in public DNS.
  • Unable to telnet to 58c73dp9-7c63-4322-8132-5901e1f913ba.register.msappproxy.net on TCP/9090 – the port is not open.
  • Unable to telnet to 58c73dp9-7c63-4322-8132-5901e1f913ba.register.msappproxy.net on TCP/9090 from outside of the corporate network.

Cause & Resolution

As of the next version of Azure AD Connect, v1.1.484.0 (released in April 2017), the Azure AD Connect wizard no longer requires port 9090 to be open outbound when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required.

Microsoft retired the port 9090 endpoint, so any version of Azure AD Connect up to and including v1.1.443 with SSO enabled will hit this error whenever the configuration has to be updated through the Azure AD Connect wizard.

Upgrade to the latest version, which at the time of writing is v1.1.654.0 (December 2017), and the issue is resolved. Configuration changes through the wizard then complete successfully.
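The checks from the Investigation section and the version threshold from the resolution, as an added PowerShell triage script that is not part of the original post. It assumes the trace-log location and error text quoted above, and it reads the installed version from the Uninstall registry key whose DisplayName is 'Microsoft Azure AD Connect' (an assumption about the installer; adjust if your build registers differently).

```powershell
# Added triage script (not from the original post): reproduces the checks above and
# reports whether the installed build still depends on the retired port 9090 endpoint.
# Assumption: the tenant endpoint is parsed from the GetDesktopSsoStatus error in the
# trace log, and the version comes from the Uninstall registry key (DisplayName
# "Microsoft Azure AD Connect"), which may differ on other builds.

$logDir     = Join-Path $env:ProgramData 'AADConnect'
$fixedBuild = [version]'1.1.484.0'   # first build that needs only TCP/443 (per the post)

# 1. Pull the last GetDesktopSsoStatus error and the endpoint host/port from the newest trace log.
$trace = Get-ChildItem -Path $logDir -Filter 'trace-*.log' -ErrorAction SilentlyContinue |
         Sort-Object LastWriteTime -Descending | Select-Object -First 1
$errorLine = if ($trace) { Select-String -Path $trace.FullName -Pattern 'GetDesktopSsoStatus' | Select-Object -Last 1 }
$endpoint  = $null
if ($errorLine -and $errorLine.Line -match 'https://(?<host>[^/:]+):(?<port>\d+)/register') {
    $endpoint = $Matches['host']
    $port     = [int]$Matches['port']
}

# 2. Installed Azure AD Connect version from the Uninstall registry hive (64- and 32-bit views).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$aadc = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } | Select-Object -First 1
$installed = if ($aadc) { [version]$aadc.DisplayVersion } else { $null }

# 3. Connectivity from this server: DNS resolution, then TCP reachability on the logged port and on 443.
if ($endpoint) {
    $dns = Resolve-DnsName -Name $endpoint -ErrorAction SilentlyContinue
    "DNS resolves {0}: {1}" -f $endpoint, [bool]$dns
    foreach ($p in @($port, 443)) {
        $ok = (Test-NetConnection -ComputerName $endpoint -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        "TCP/{0} to {1}: {2}" -f $p, $endpoint, $(if ($ok) { 'open' } else { 'closed' })
    }
} else {
    "No GetDesktopSsoStatus error found in $logDir"
}

# 4. Verdict: a build older than 1.1.484.0 with SSO enabled still calls the retired port 9090 endpoint.
if ($installed -and $installed -lt $fixedBuild) {
    "Installed {0} is older than {1}: the wizard still needs TCP/9090, which Microsoft retired. Upgrade." -f $installed, $fixedBuild
} elseif ($installed) {
    "Installed {0}: the wizard only requires TCP/443." -f $installed
} else {
    "Could not determine the Azure AD Connect version from the registry."
}
```

A closed TCP/9090 result together with a version below 1.1.484.0 is the signature described in this post; a closed 443 instead points at an outbound firewall or proxy problem rather than the retired endpoint.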
