"Unable to communicate with the Windows Azure Active Directory service" or "Unable to establish a connection with the authentication service" error

Symptoms
If your environment includes an unauthenticated proxy server, your identity sync client may fail to authenticate to Microsoft Azure Active Directory.

For example, you experience this issue when you use an identity sync client such as Azure AD Connect, Azure Active Directory Sync Services (Azure AD Sync), or the Azure Active Directory Sync Tool.

If you're using Azure AD Connect or Azure AD Sync

The wizard displays the following configuration error message:

Ready to configure.

We have gathered enough information to configure Azure AD Sync and will now create a default configuration.

Failed even after 5 retries. Action: PingProvisioningServiceEndPoint, Exception: Unable to communicate with the Windows Azure Active Directory service. Tracking ID: 01601250-7951-469c-8973-34e2a8e1ca10 See the event log for more details.
When this problem occurs, an "Error 906" entry that resembles the following is logged in the Azure AD Connect or Azure AD Sync log. This entry indicates that the identity sync appliance tries to make a direct connection to the Internet.

AzureActiveDirectoryDirectorySyncTool Error: 906 : System.Management.Automation.CmdletInvocationException: Failed even after 5 retries. Action: PingProvisioningServiceEndPoint, Exception: Unable to communicate with the Windows Azure Active Directory service. Tracking ID: 90edf657-f63e-46cc-94ec-df88817f4c73 See the event log for more details.. ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Failed even after 5 retries. Action: PingProvisioningServiceEndPoint, Exception: Unable to communicate with the Windows Azure Active Directory service. Tracking ID: 90edf657-f63e-46cc-94ec-df88817f4c73 See the event log for more details..

If you're using the Azure Active Directory Sync Tool

The following Directory Synchronization event ID 0 is logged in the Application log of the identity sync client computer:

Log name: Application
Source: Directory Synchronization
Event ID: 0
Task Category: None
Level: Error
Description:
Unable to establish a connection to the authentication service. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support. (0x80048862)

Additionally, a Network Monitor (Netmon.exe) trace indicates that the Microsoft Online Services Sign-in Assistant uses the proxy and accesses login.microsoftonline.com.
Cause
This problem occurs because the Microsoft .NET Framework on which your identity sync appliance is based doesn't recognize your proxy settings.
Resolution
To fix this issue, follow these steps:
  1. Open the following file:
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config
  2. Add the following text to the end of the file:
    <system.net>
      <defaultProxy>
        <proxy
          usesystemdefault="true"
          proxyaddress="http://<PROXYIP>:80"
          bypassonlocal="true"
        />
      </defaultProxy>
    </system.net>
    Note: In this text, the placeholder <PROXYIP> represents the actual proxy IP address. For more information about the proxy settings in this context, see  Element (Network Settings).
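An added check for the steps above (example code, not part of the original article or of any Microsoft tool): it confirms that machine.config still parses, that a single <system.net> section sits inside <configuration>, and that proxyaddress is the proxy you intended, and then shows which proxy the .NET Framework resolves for login.microsoftonline.com. The value of $expectedProxy and the function name Test-DefaultProxyConfig are assumptions.

```powershell
# Added example, not from the original article. Run in 64-bit Windows PowerShell
# (.NET Framework), which reads the same machine.config as the sync client.
$configPath    = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'
$expectedProxy = 'http://proxy.example.internal:80'          # assumption: your approved proxy
$signInUri     = [uri]'https://login.microsoftonline.com'    # host named in the article

function Test-DefaultProxyConfig {
    param([string]$Path, [string]$Expected)

    function New-Result([bool]$Ok, [string]$Detail) {
        [pscustomobject]@{ Ok = $Ok; Detail = $Detail }
    }

    # A load failure means the file is missing or the edit broke it, for example
    # text that landed after the closing </configuration> tag.
    $xml = New-Object System.Xml.XmlDocument
    try { $xml.Load($Path) }
    catch { return New-Result $false "Cannot load as XML: $($_.Exception.Message)" }

    # A section may appear only once per configuration file.
    $sections = $xml.SelectNodes('/configuration/system.net')
    if ($sections.Count -ne 1) {
        return New-Result $false "Expected 1 <system.net> under <configuration>, found $($sections.Count)"
    }

    $proxy = $xml.SelectSingleNode('/configuration/system.net/defaultProxy/proxy')
    if ($null -eq $proxy) {
        return New-Result $false 'No <defaultProxy>/<proxy> element found'
    }

    $address = $proxy.GetAttribute('proxyaddress')
    if ($address.TrimEnd('/') -ne $Expected.TrimEnd('/')) {
        return New-Result $false "proxyaddress is '$address', expected '$Expected'"
    }
    New-Result $true "proxyaddress '$address' matches the expected proxy"
}

Test-DefaultProxyConfig -Path $configPath -Expected $expectedProxy | Format-List

# Proxy that the .NET Framework in this process resolves for the sign-in endpoint.
$webProxy = [System.Net.WebRequest]::DefaultWebProxy
if ($null -ne $webProxy) {
    [pscustomobject]@{
        Target   = $signInUri.AbsoluteUri
        Bypassed = $webProxy.IsBypassed($signInUri)
        ProxyUri = $webProxy.GetProxy($signInUri).AbsoluteUri
    } | Format-List
}
```

Because machine.config applies to every 64-bit .NET Framework application on the computer, the same check is worth repeating after any later change to the file.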
References
For more information, see the following articles in the Microsoft Knowledge Base:
  • 318140 Error on .NET client that consumes a web service through an HTTP proxy server
  • 307220 How to configure an XML web service client by using the .NET Framework to work with a proxy server
  • 330221 Common proxy server and firewall issues with MapPoint web services
  • 953890 Error message when you try to configure the Microsoft Dynamics CRM 4.0 Online client for Outlook or the Data Migration client for Microsoft Dynamics CRM Online: "Mandatory updates for Microsoft Dynamics CRM could not be applied successfully"
Properties

Article ID: 3013032 - Last Review: 12/22/2015 22:06:00 - Revision: 10.0

Microsoft Azure Active Directory
