Can you please suggest how to correct the connectivity issue on ADFS WAP 2016 servers to install AAD connect health agent

Here is the error :


    Test-AzureADConnectHealthConnectivity : Azure AD Connect Health agent could not communicate to endpoint
    https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc using port 443. Please allow outbound
    communication using port 443.
    At line:1 char:1
    + Test-AzureADConnectHealthConnectivity -Role adfs
        + CategoryInfo          : ConnectionError: (:) [Test-AzureADConnectHealthConnectivity], WebException
        + FullyQualifiedErrorId : Unable to connect to the remote server,Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity

The detailed execution of Test-AzureADConnectHealthConnectivity is as follows:

    Starting Test-AzureADConnectHealthConnectivity ...
    Connectivity Test Step 1 of 3: Testing dependent service endpoints begins ...
    AAD CDN connectivity is skipped.
    Connecting to endpoint https://login.microsoftonline.com
    Unhandled exception occurred: The operation has timed out
    Connecting to endpoint https://login.windows.net
    Unhandled exception occurred: The operation has timed out
    Connecting to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc
    Azure AD Connect Health agent could not communicate to endpoint https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc using port 443. Please allow outbound communication using port 443.
    Unhandled exception occurred: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.126.9.98:443
       at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
       at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)
       --- End of inner exception stack trace ---
       at System.Net.HttpWebRequest.GetResponse()
       at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.TestDependentServiceEndpoints()
       at Microsoft.Identity.Health.Common.Clients.PowerShell.ConfigurationModule.TestAzureADConnectHealthConnectivity.ProcessRecord()


Thanks

1 Answer


Clearly this is a connectivity issue between your box and Azure. Follow the documentation here to make sure all the requirements are met: System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 40.126.9.98:443

specifically,

"If IE Enhanced Security is enabled, then the following websites must be allowed on the server that is going to have the agent installed.

- https://login.microsoftonline.com
- https://secure.aadcdn.microsoftonline-p.com
- https://login.windows.net
- https://aadcdn.msftauth.net
- The federation server for your organization trusted by Azure Active Directory. For example: https://sts.contoso.com"

If this does not fix it, then you have something blocking some part of the network attempts to Azure. You'll have to test it, figure out what it is, and fix your network or machine firewall. The easiest way is to open an IE browser and try to hit those endpoints by browsing to https://login.microsoftonline.com etc. They should all return something.
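The manual browser check the answer suggests can be scripted from the WAP server itself, which also rules out the difference between what a browser sees and what a PowerShell session sees. The script below is an added example, not part of the original question or answer: it checks name resolution and TCP 443 reachability for the endpoints named on this page, then attempts an HTTPS request to each so a timeout can be told apart from an application-level response. The federation host `sts.contoso.com` is the page's own placeholder and must be replaced with your STS name; the `netsh winhttp show proxy` step is an assumption added here, since a proxy configured for WinHTTP but not for the interactive shell is a plausible reason for the agent to time out where a browser does not.

```powershell
# Added example (not the original poster's or the answerer's code).
# Run in an elevated PowerShell session on the WAP / AD FS server.

$endpoints = @(
    'login.microsoftonline.com',
    'login.windows.net',
    'secure.aadcdn.microsoftonline-p.com',
    'aadcdn.msftauth.net',
    'policykeyservice.dc.ad.msft.net'
)
# Assumption: placeholder taken from the answer; replace with your federation service host.
$federationHost = 'sts.contoso.com'

$results = foreach ($h in ($endpoints + $federationHost)) {
    # Layer 3/4 check: does the name resolve and does a TCP handshake on 443 complete?
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue

    $http = 'not attempted'
    if ($tcp.TcpTestSucceeded) {
        # Layer 7 check: any HTTP status proves the TLS path works; a WebException
        # without a Response (timeout, connection reset) means the path is still blocked.
        try {
            $r = Invoke-WebRequest -Uri "https://$h/" -UseBasicParsing -TimeoutSec 15
            $http = $r.StatusCode
        } catch [System.Net.WebException] {
            if ($_.Exception.Response) {
                $http = [int]$_.Exception.Response.StatusCode
            } else {
                $http = $_.Exception.Status
            }
        }
    }

    [pscustomobject]@{
        Host       = $h
        Resolved   = $tcp.RemoteAddress
        Tcp443     = $tcp.TcpTestSucceeded
        HttpStatus = $http
    }
}

$results | Format-Table -AutoSize

# Assumption: show the WinHTTP proxy the agent's own web calls would go through.
netsh winhttp show proxy

# Rows with Tcp443 = False point at a firewall or proxy rule to fix; once every row
# succeeds, rerun the agent's own check from the question:
#   Test-AzureADConnectHealthConnectivity -Role adfs
```

A row that resolves but never completes the TCP handshake matches the `SocketException` in the question and is a firewall or routing problem on the outbound path; a row that completes TCP but fails in `Invoke-WebRequest` without a status code usually means TLS inspection or a proxy is interfering. Either way the table narrows the search before the agent's own test is rerun.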