SSPR 0029 We are unable to reset your password due to an error in your on-premises configuration.

This was one of those annoying ones that took hours (days) with Microsoft to resolve. 



We're sorry


We cannot reset your password at this time because of a problem with your organisation’s password reset configuration. There is no further action you can take to resolve this situation. Please contact your admin and ask them to investigate. To learn more about the potential issue, read the article Troubleshoot password writeback.

If you'd like, we can contact another administrator in your organisation to reset your password for you.

Additional details: SSPR_0029: We are unable to reset your password due to an error in your on-premises configuration. Please contact your admin and ask them to investigate.



EVENTID 6329 - An unexpected error has occurred during a password set operation. The lines that matter are the last ones: the sync engine's AD connector gets 0x5 (ERROR_ACCESS_DENIED) while reading the user, which it surfaces as 0x80230626. The earlier "Failed getting registry value" entries (0x2, file not found) are optional settings that are absent by default and are not the cause.
ERR_: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMADoNormalization', 0x2
BAIL: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveUserDelete', 0x2
BAIL: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(58): Failed getting registry value 'ADMARecursiveComputerDelete', 0x2
BAIL: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(59): 0x80070002 (The system cannot find the file specified.): Win32 API failure: 2
BAIL: MMS(5624): E:\bt\863912\repo\src\dev\sync\ma\shared\inc\MAUtils.h(114): 0x80070002 (The system cannot find the file specified.)
ERR_: MMS(5624): admaexport.cpp(2939): Failed to acquire user information: 0x5
BAIL: MMS(5624): admaexport.cpp(2963): 0x80230626 (The password could not be updated because the management agent credentials were denied access.)
BAIL: MMS(5624): admaexport.cpp(3296): 0x80230626 (The password could not be updated because the management agent credentials were denied access.)
ERR_: MMS(5624): ..\ma.cpp(8195



EVENTID 33004 PasswordResetService - TrackingId: f70ceaf2-2222-48ba-9980-a2ff2967b069, Reason: Synchronization Engine returned an error hr=80230626, message=The password could not be updated because the management agent credentials were denied access., Context: cloudAnchor: User_6b7f2062-f1c1-4fe8-ab99-7831ac2c6f2f, SourceAnchorValue: GtEexc9xeUOab2eksaFdig==, UserPrincipalName: Test.User1@domain.com, unblockUser: True, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230626, message=The password could not be updated because the management agent credentials were denied access.
   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
   at AADPasswordReset.SynchronizationEngineManagedHandle.ResetPassword(String cloudAnchor, String sourceAnchor, String password, Boolean fForcePasswordChangeAtLogon, Boolean fUnlockAccount, Boolean isSelfServiceOperation)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ResetUserPassword(String passwordResetXmlRequestString, Boolean unlockUser)


  • We disabled and re-enabled password writeback within Azure AD Connect.
  • Checked that the account did not have the "User cannot change password" or "Password never expires" properties set.
  • Checked the permissions for the AAD Connect account and tried resetting them using the following TechNet gallery script: https://gallery.technet.microsoft.com/AD-Advanced-Permissions-49723f74
  • We were told by Microsoft to raise the domain and forest functional levels (DFL and FFL) to Windows Server 2012 R2 (this did not work).

The resolution came from changing the Domain Controller used by Azure AD Connect, as follows. (We are still investigating the issue with the original DC, as everything else about it seems fine.)



  1. Open the Synchronization Service Manager on your AAD Connect server. The executable (miisclient.exe) is typically located in "C:\Program Files\Microsoft Azure AD Sync\UIShell".
  2. Navigate to Connectors and locate the Active Directory Domain Services connector for your domain (forest).
  3. Right-click the connector and choose Properties.
  4. In the properties window, go to Configure Directory Partitions and tick the box next to "Only use preferred Domain Controllers".
  5. In the Configure Preferred DCs window, add the Domain Controllers you want AAD Connect to use (leave the suspect DC out) and click OK.
  6. Click OK to confirm the changes.

******** Update ********

Just ran into another issue where one user couldn't reset their password while others worked fine. It was caused by inheritance of permissions from the MSOL_xxxxx account being blocked on the user object: the ACEs that grant the AAD Connect account Reset Password and write access to pwdLastSet and lockoutTime are set at the domain or OU level and inherited, so blocking inheritance on a single user strips them from that object. Simply enabling inheritance on the user object resolved the issue.
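As an added check that is not part of the original post, the following PowerShell script pulls together what the troubleshooting bullets and this update describe: for one user it reports whether inheritance is blocked on the object, and whether the AAD Connect connector account holds the three rights password writeback needs on it (Reset Password, Write pwdLastSet, Write lockoutTime), along with the "Password never expires" and "User cannot change password" flags. It assumes the RSAT ActiveDirectory module, read access to the user's security descriptor, and that you pass the connector account's sAMAccountName; the script name Test-WritebackAcl.ps1 and the parameters -UserSam, -ConnectorAccountSam and -Server are this example's own. The GUIDs are resolved from the schema and Extended-Rights container rather than hard-coded.

```powershell
# Test-WritebackAcl.ps1 (added example, not from the original post or from Microsoft).
# Assumes: RSAT ActiveDirectory module; connector account name supplied (e.g. MSOL_1234567890ab, assumed).
param(
    [Parameter(Mandatory)] [string] $UserSam,             # target user, e.g. Test.User1
    [Parameter(Mandatory)] [string] $ConnectorAccountSam,  # AAD Connect AD DS connector account
    [string] $Server                                       # optional: query a specific DC
)
Import-Module ActiveDirectory

$dc = @{}
if ($Server) { $dc.Server = $Server }
$rootDse = Get-ADRootDSE @dc

# Resolve attribute and extended-right GUIDs from the directory itself.
$attrGuid = @{}
foreach ($attr in 'pwdLastSet', 'lockoutTime') {
    $schemaObj = Get-ADObject @dc -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))" -Properties schemaIDGUID
    $attrGuid[$attr] = [guid][byte[]]$schemaObj.schemaIDGUID
}
$resetRight = Get-ADObject @dc -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=User-Force-Change-Password))' -Properties rightsGuid
$resetGuid = [guid]$resetRight.rightsGuid

$user      = Get-ADUser @dc -Identity $UserSam -Properties PasswordNeverExpires, CannotChangePassword
$connector = Get-ADUser @dc -Identity $ConnectorAccountSam

# Read the security descriptor from the chosen DC (the AD: drive is not server-aware).
$ldapPath = if ($Server) { "LDAP://$Server/$($user.DistinguishedName)" } else { "LDAP://$($user.DistinguishedName)" }
$sd = ([adsi]$ldapPath).psbase.ObjectSecurity

# Only Allow ACEs granted directly to the connector account's SID (explicit or inherited).
$allowRules = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $connector.SID.Value }

function Test-Ace {
    param([guid] $ObjectType, [System.DirectoryServices.ActiveDirectoryRights] $Right)
    foreach ($r in $allowRules) {
        $appliesToAll = $r.ObjectType -eq [guid]::Empty      # empty ObjectType = all attributes/rights
        $hasRight     = ([int]$r.ActiveDirectoryRights -band [int]$Right) -ne 0
        if ($hasRight -and ($appliesToAll -or $r.ObjectType -eq $ObjectType)) { return $true }
    }
    return $false
}

[pscustomobject]@{
    User                 = $user.DistinguishedName
    QueriedDC            = if ($Server) { $Server } else { $rootDse.dnsHostName }
    InheritanceBlocked   = $sd.AreAccessRulesProtected
    ConnectorAcesFound   = @($allowRules).Count
    CanResetPassword     = Test-Ace -ObjectType $resetGuid -Right ExtendedRight
    CanWritePwdLastSet   = Test-Ace -ObjectType $attrGuid['pwdLastSet'] -Right WriteProperty
    CanWriteLockoutTime  = Test-Ace -ObjectType $attrGuid['lockoutTime'] -Right WriteProperty
    PasswordNeverExpires = $user.PasswordNeverExpires
    CannotChangePassword = $user.CannotChangePassword
}
```

Run it once with -Server pointing at the DC AAD Connect is using and once against another DC: InheritanceBlocked = True reproduces the case in this update, any False among the Can* fields with inheritance intact points at the delegation itself, and a result that differs between DCs points at the DC, which is the situation the main post ended up in. Note the check only matches ACEs granted directly to the connector account's SID; rights it holds through group membership are not resolved.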
