Environment: a Windows Server running the latest version of Azure AD Connect (2.1.20.0). After installation everything appears to work fine.
However, when running any ADSync PowerShell cmdlet, for example:
Get-ADSyncScheduler
the log reports, in essence, this error:
Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50126: Error
validating credentials due to invalid username or password.
Questions:
- Where do the ADSync PowerShell cmdlets store their configuration?
- Where does the username/password needed to connect to Azure come from, and how can I override it?
- Any other helpful tips or guidance?
Full exception trace:
PS C:\Windows\system32> Get-ADSyncScheduler
Get-ADSyncScheduler : System.InvalidOperationException: There was an issue obtaining cloud sync intervals ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50126: Error
validating credentials due to invalid username or password.
Trace ID: 58528f5c-6207-495e-9171-be0b61a22c00
Correlation ID: 2bc43dca-124e-46cc-97b2-27b3dd133d3a
Timestamp: 2022-11-18 16:00:14Z
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AuthenticateMSAL(AzureService azureService, String userName, SecureString password, Boolean
useCachedToken, String& accessToken, String& errorCode, String& additionalDetails, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& errorCode, String&
additionalDetail, AuthenticationStatus& status, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail,
AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& additionalDetail, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
--- End of inner exception stack trace ---
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString)
At line:1 char:1
+ Get-ADSyncScheduler
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (Microsoft.Ident...ADSyncScheduler:GetADSyncScheduler) [Get-ADSyncScheduler], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException: There was an issue obtaining cloud sync intervals ---> Microsoft.Identity.Client.MsalUiRequiredException: AADSTS50126: Error validating credentials due to invalid username or password.
Trace ID: 58528f5c-6207-495e-9171-be0b61a22c00
Correlation ID: 2bc43dca-124e-46cc-97b2-27b3dd133d3a
Timestamp: 2022-11-18 16:00:14Z
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AuthenticateMSAL(AzureService azureService, String userName, SecureString password, Boolean useCachedToken, String& accessToken, String& errorCode, String& additionalDetails, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& errorCode, String&
additionalDetail, AuthenticationStatus& status, Boolean throwOnException, Boolean throwExceptionOnMFAError)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& serviceEndpoint, String& additionalDetail, AuthenticationStatus& status, Boolean throwOnException)
at Microsoft.Online.Deployment.Client.Framework.MSALAuthenticationProvider.AcquireServiceToken(AzureService azureService, String& additionalDetail, Boolean throwOnException)
at Microsoft.Online.Coexistence.ProvisionHelper.GetSecurityToken()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.InitializeProvisionHelper()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Synchronization.ProvisioningWebServiceAdapter.ProvisioningWebServiceAdapter.GetCompanyConfiguration(Boolean includeLicenseInformation)
at Microsoft.Azure.ActiveDirectory.Synchronization.AADConfig.get_CloudEnforcedSyncSchedulerInterval()
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
--- End of inner exception stack trace ---
at Microsoft.MetadirectoryServices.Scheduler.SchedulerSettingUtilities.get_CurrentSchedulerSettings()
at SchedulerUtils.GetCurrentSchedulerSettings(SchedulerUtils* , _ConfigAttrNode* pcanList, UInt32 ccanItems, Char** syncSettingsSerialized, Char** errorString),Microsoft.IdentityManagement.PowerShell.Cmdlet.GetADSyncScheduler
Answer 1
I'd like to know where the username/password needed to connect to Azure comes from, or how I can override it?
You can set the credentials with the Add-ADSyncADDSConnectorAccount cmdlet:
This cmdlet resets the password of the service account and updates it in both Azure AD and the sync engine.
Add-ADSyncADDSConnectorAccount [-Identifier] <Guid> [-EACredential <PSCredential>] [<CommonParameters>]
or
Add-ADSyncADDSConnectorAccount [-Name] <String> [-EACredential <PSCredential>] [<CommonParameters>]
Example:
Add-ADSyncADDSConnectorAccount -Name contoso.com -EACredential $EAcredentials
Source: Azure AD Connect: ADSync PowerShell Reference - Microsoft Entra | Microsoft Learn
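A worked version of the answer's suggestion, added here as an example that is not part of the original answer or of Microsoft's documentation: it lists the connectors, prompts for the Enterprise Admin credential rather than embedding a password, resets the connector account with Add-ADSyncADDSConnectorAccount, and then re-runs the cmdlet that failed in the question to see whether AADSTS50126 still occurs. The connector name contoso.com is the placeholder from the answer; everything else about the environment is an assumption.

```powershell
# Added example (not from the original answer). Run in an elevated PowerShell
# session on the Azure AD Connect server, where the ADSync module is installed.
Import-Module ADSync

# Connector name as it appears in the sync engine. 'contoso.com' is the
# placeholder used in the answer; list the connectors to find the real name.
Get-ADSyncConnector | Select-Object Name, ConnectorTypeName
$connectorName = 'contoso.com'

# Prompt for the Enterprise Admin credential instead of putting a password in the script.
$eaCredential = Get-Credential -Message 'Enterprise Admin credential for the on-premises forest'

# Reset the connector service account password and store the new value in
# Azure AD and in the sync engine (what the answer describes).
Add-ADSyncADDSConnectorAccount -Name $connectorName -EACredential $eaCredential

# Check: re-run the cmdlet that failed in the question. -ErrorAction Stop turns the
# WriteError seen in the trace into a terminating error so the catch block runs.
try {
    $scheduler = Get-ADSyncScheduler -ErrorAction Stop
    'Scheduler reachable. Sync cycle enabled: {0}; next cycle (UTC): {1}' -f $scheduler.SyncCycleEnabled, $scheduler.NextSyncCycleStartTimeInUTC
}
catch {
    if ($_.Exception.Message -match 'AADSTS50126') {
        # Azure AD still rejects the stored cloud credentials; the on-premises
        # connector account was not the problem. Re-run the Azure AD Connect wizard
        # and re-enter the Azure AD account.
        Write-Warning 'AADSTS50126 persists: the Azure AD credentials stored by the wizard are still invalid.'
    }
    else {
        throw
    }
}
```

The catch branch distinguishes the error code from the question from any other failure, so a practitioner can tell whether the connector-account reset changed anything or whether the cloud-side credentials used by the wizard still need to be re-entered.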
Answer 2
Tips for configuring the Azure AD Connect server service
The authentication credentials PowerShell uses for these commands are stored in the Azure AD Connect server configuration after every configuration run you perform. Usually you don't need to worry about this much; just save an export after each change as a backup and store those credentials securely for future reference when needed.
Running the Azure AD Connect configuration wizard again and entering the appropriate credentials should bring authentication back in sync. You should be able to translate all of these steps into PowerShell and emulate the options you select through the UI.
To resolve this, do the following:
Log on to the Azure AD Connect server
Launch Azure AD Connect
Select Configure
Step through the configuration wizard and configure it according to your environment. See Azure AD sign-in configuration for more technical details and configuration guidance.
Requirements
Other recommendations:
- The Global Administrator (or Hybrid Identity Administrator) account must be enabled
- The Global Administrator (or Hybrid Identity Administrator) account must not be expired
- Set the password for this account to never expire
- Make this account's password especially long and complex
- The Global Administrator (or Hybrid Identity Administrator) account must not require MFA to connect to Azure AD
- Configure policies accordingly to make an exception
PowerShell
Example: set the password to never expire
Set-AzureADUser -ObjectId x9xxx999-999-9x99-999x-x9xxx99x99xx -PasswordPolicies DisablePasswordExpiration;
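The checks behind the list above, added here as an example that is not part of the original answer: it reads the account's enabled state and password policy with the same AzureAD module the answer uses, and applies DisablePasswordExpiration only when it is not already set. The object ID is the placeholder from the answer; a UPN can be used in its place.

```powershell
# Added example (not from the original answer). Requires the AzureAD module used by
# the answer's Set-AzureADUser command; Connect-AzureAD prompts interactively.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# The account Azure AD Connect signs in with. Placeholder object ID from the answer;
# Get-AzureADUser -ObjectId also accepts a UPN.
$accountId = 'x9xxx999-999-9x99-999x-x9xxx99x99xx'

$user = Get-AzureADUser -ObjectId $accountId

# PasswordPolicies is a comma-separated string (or empty), so split before testing.
$neverExpires = ($user.PasswordPolicies -split ',') -contains 'DisablePasswordExpiration'

# Report the two requirements from the list that this module can observe directly.
[pscustomobject]@{
    UserPrincipalName    = $user.UserPrincipalName
    AccountEnabled       = $user.AccountEnabled
    PasswordPolicies     = $user.PasswordPolicies
    PasswordNeverExpires = $neverExpires
} | Format-List

if (-not $user.AccountEnabled) {
    Write-Warning "Account $($user.UserPrincipalName) is disabled; Azure AD Connect cannot sign in with it."
}

if (-not $neverExpires) {
    # Same change as the answer's one-liner, applied only when it is actually needed.
    Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration
    "Password expiration disabled for $($user.UserPrincipalName)."
}
else {
    "Password already set to never expire for $($user.UserPrincipalName)."
}
```

Running the report before and after the change gives a record of the account state that can be kept alongside the configuration export the answer recommends.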
Supporting resources (parameter documentation fragments):
- ObjectId: specifies the ID of a user in Azure AD (as a UPN or ObjectId).
- Indicates whether the account is enabled. Type: Boolean