AADSync installation fails over a web proxy or an authenticated proxy

Symptoms

If your proxy server allows anonymous access, installing Azure Active Directory Sync (AADSync) succeeds. The installation also succeeds when the proxy information is configured in the machine.config file. However, if the proxy server requires user authentication, AADSync installation fails.

More specifically, AADSync installation fails over a web proxy or an authenticated proxy, and the following event is logged:


Additionally, the event XML file documents the following:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
<System>
<Provider Name="Directory Synchronization" />
<EventID Qualifiers="0">0</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-06-01T18:44:30.000000000Z" />
<EventRecordID>1324</EventRecordID>
<Channel>Application</Channel>
<Computer>%computername%</Computer>
<Security />
</System>
<EventData>
<Data>Unable to establish a connection to the authentication service. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support. (0x80048862)</Data>
</EventData>
</Event>

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> 
<System>
<Provider Name="AzureActiveDirectoryDirectorySyncTool" />
<EventID Qualifiers="0">906</EventID>
<Level>2</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2015-06-01T18:44:30.000000000Z" />
<EventRecordID>1325</EventRecordID>
<Channel>Application</Channel>
<Computer>%computername%.</Computer>
<Security />
</System>
<EventData>
<Data>System.Management.Automation.CmdletInvocationException: Unable to establish a connection to the authentication service. Contact Technical Support. ---> Microsoft.IdentityManagement.PowerShell.ObjectModel.SynchronizationConfigurationValidationException: Unable to establish a connection to the authentication service. Contact Technical Support.
at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.ValidateConfigurationParameters(Connector connector)
at Microsoft.DirectoryServices.MetadirectoryServices.UI.WebServices.MMSWebService.CreateConnector(Connector connector, Boolean validate)
at Microsoft.IdentityManagement.PowerShell.Cmdlet.AddADSyncConnectorCmdlet.ProcessRecord()
--- End of inner exception stack trace ---
at System.Management.Automation.Runspaces.PipelineBase.Invoke(IEnumerable input)
at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.TypeDependencies.InvokePipeline(Pipeline pipeline)
at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.PowerShellAdapter.InvokePowerShellCommand(String commandName, InitialSessionState initialSessionState, IDictionary`2 commandParameters, Boolean isScript)
at Microsoft.Azure.ActiveDirectory.Synchronization.PowerShellConfigAdapter.ConnectorConfigAdapter.AddConnector(Connector connector)
at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnectorCore()
at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.<>c__DisplayClass1.<CreateOrUpdateConnector>b__0()
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
at Microsoft.Azure.ActiveDirectory.Synchronization.Config.ConnectorAdapterBase.CreateOrUpdateConnector(IEnumerable`1 objectClassInclusions, IEnumerable`1 attributeNameInclusions, Boolean createRunProfile)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.ADDSApplyConfigurationPageViewModel.UpdateConnector(HybridContext context, SynchronizationRuleTemplateEngine srTemplateEngine, BackgroundWorker backgroundWorker, String wizardPageName, String progressMsg, ConnectorAdapterBase connector, Boolean isNewConnector, Boolean updateInclusions, List`1 attributeExclusions)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.ADDSApplyConfigurationPageViewModel.ApplyConfigurationCore(BackgroundWorker backgroundWorker)
at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action action, Boolean isProgressIndeterminate)</Data>
</EventData>
</Event>
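
The following is an added example, not Microsoft's code or part of the original article: a small triage script that scans an Application log exported as XML for the two events shown above and pulls out the error codes. The `<Events>` wrapper element, the function names and the third (unrelated) event are assumptions; the sample is constructed from the events in this article with the stack trace shortened.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROVIDERS = {"Directory Synchronization", "AzureActiveDirectoryDirectorySyncTool"}
SIGNATURE = "Unable to establish a connection to the authentication service"

# Constructed sample: the two events from this article (stack trace shortened)
# plus one unrelated event. The <Events> wrapper element is an assumption.
SAMPLE = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Directory Synchronization" /><EventID Qualifiers="0">0</EventID><Level>2</Level></System>
<EventData><Data>Unable to establish a connection to the authentication service. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult:0. Contact Technical Support. (0x80048862)</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="AzureActiveDirectoryDirectorySyncTool" /><EventID Qualifiers="0">906</EventID><Level>2</Level></System>
<EventData><Data>System.Management.Automation.CmdletInvocationException: Unable to establish a connection to the authentication service. Contact Technical Support.</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="ExampleProvider" /><EventID Qualifiers="0">1</EventID><Level>2</Level></System>
<EventData><Data>Constructed unrelated error.</Data></EventData>
</Event>
</Events>"""

def to_hresult(value):
    """Render a signed 32-bit decimal, as logged by GetAuthState(), as unsigned hex."""
    return "0x%08X" % (int(value) & 0xFFFFFFFF)

def find_auth_failures(xml_text):
    """Return (provider, event_id, codes) for each event matching this article."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        provider = ev.find("e:System/e:Provider", NS).get("Name")
        level = ev.findtext("e:System/e:Level", namespaces=NS)
        data = " ".join(d.text or "" for d in ev.findall("e:EventData/e:Data", NS))
        # Level 2 is Error; require both a known provider and the message text.
        if provider not in PROVIDERS or level != "2" or SIGNATURE not in data:
            continue
        event_id = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        codes = re.findall(r"0x[0-9A-Fa-f]{8}", data)
        # The "state" value is logged as signed decimal; show it as hex too.
        codes += [to_hresult(s) for s in re.findall(r"failed with (-?\d+) state", data)]
        hits.append((provider, event_id, codes))
    return hits

if __name__ == "__main__":
    for hit in find_auth_failures(SAMPLE):
        print(hit)
```

Run against the sample, the script reports both events from this article and skips the unrelated one. The decimal state -2147186688 in the first event is the same 32-bit value as 0x80048800.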

Workaround

To work around this problem, add an allow list to the web proxy. For more information about the allow list, check the URLs and IP addresses in the table on the Office 365 portal and identity page. The allow list should include the following address patterns:
  • *.microsoft.com
  • *.microsoftonline.com
  • *.microsoftonline-p.com

More Information

For more information about this problem, see the following Microsoft articles:
Properties

Article ID: 3080526 - Last Review: 04 Dec 2015 - Revision: 1
