-
Title
Active Roles Administration service won't start if Azure is configured and connection to Azure is lost -
Description
Active Roles Administration service won't start if Azure is configured and connection to Azure is lost or if the Active Roles configuration is moved to a host which cannot communicate with Azure.
The Active Roles Administration Service Event Viewer shows the following error message:
Event ID 2501. One or more errors occurred.
Verbose service logging shows one of the following error:
One or more errors occurred.Response status code does not indicate success: 400 (BadRequest).One or more errors occurred.Response status code does not indicate success: 401 (Unauthorized).The Active Roles Administration Service will also not start properly if MFA is enabled on the Service Account used to access Azure. In this scenario, the Active Roles Administration Service verbose logging will show error messages similar to the following:[2018-11-12T17:13:23.001] [0x25C]: AzureTenant:GetAllObjects-Start[2018-11-12T17:13:23.004] [0x25C]: AzureTenant:GetAllObjects-Completed[2018-11-12T17:13:23.004] [0x25C]: AzureApplication:GetAllObjects-Start[2018-11-12T17:13:23.249] [0x25C]: AzureApplication:GetAllObjects-Completed[2018-11-12T17:13:23.250] [0x25C]: AzureLicensesReport:GetAllObjects-Start[2018-11-12T17:13:23.252] [0x25C]: AzureLicensesReport:GetAllObjects-Completed[2018-11-12T17:13:23.255] [0x25C]: AzureApplication:GetAllObjects-Start[2018-11-12T17:13:23.257] [0x25C]: AzureDomain::GetDomains - Process[2018-11-12T17:13:24.062] [0x25C]: [Error] (severity=Minor) System.AggregateException: One or more errors occurred. ---> Microsoft.IdentityModel.Clients.ActiveDirectory.HttpRequestWrapperException ---> System.Net.Http.HttpRequestException: Response status code does not indicate success: 500 (InternalServerError).at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpClientWrapper.d__29.MoveNext()--- End of inner exception stack trace ---at Microsoft.IdentityModel.Clients.ActiveDirectory.HttpClientWrapper.d__29.MoveNext() -
Cause
This is a product defect and is being tracked as Defect ID 709345.
Steps to reproduce:
1. Install and Configure Active Roles.
2. Configure Azure Tenant and Application.
3. Provide application consent.
4. Apply Azure Policy on an Organizational Unit.
5. Check Azure user creation from Active Roles Web Interface.
6. Stop the Active Roles Administration Service.
7. Disable internet connection on the Active Roles host.
8. Start the Active Roles Administration Service.
Expected: Service should start with warning.
-
Resolution
If the Active Roles Administration Service is already running, only Azure-related functionality will be unavailable. The Active Roles Web Interface and Active Roles Console will still function as expected.
If the service is stopped and cannot be started, there are three options:
WORKAROUND 1
If an Active Roles Administration Service is still functional, update the password for the service account used to connect to Azure.
WORKAROUND 2
Restore or create firewall rules so that the Active Roles Administration Service host can connect to Azure. For more information, please see this Microsoft resource.WORKAROUND 3
Manually clear out the Azure configuration from the Active Roles SQL Configuration database.Backup the Active Roles configuration database and then run the following tSQL queries:Delete FROM [dbo].[AzureDomains] where ParentObjectGUID IS NOT NULLDelete FROM [dbo].[AzureTenants] where ParentObjectGUID IS NOT NULLDelete FROM [dbo].[AzureApplications] where ParentObjectGUID IS NOT NULL
STATUS:
This Product Defect ID 98173 (previously tracked as Defect ID 709345)has been resolved in Active Roles 7.3.3 and later versions. The latest Active Roles installation media can be obtained here.
-
Change Request
98173 -
Additional Information
If the Active Roles Administration Service is already running, only Azure-related functionality will be unavailable. The Active Roles Web Interface and Active Roles Console will still function as expected.
If the service is stopped and cannot be started, there are three options:
WORKAROUND 1
If an Active Roles Administration Service is still functional, update the password for the service account used to connect to Azure.
WORKAROUND 2
Restore or create firewall rules so that the Active Roles Administration Service host can connect to Azure. For more information, please see this Microsoft resource.WORKAROUND 3
Manually clear out the Azure configuration from the Active Roles SQL Configuration database.Backup the Active Roles configuration database and then run the following tSQL queries:Delete FROM [dbo].[AzureDomains] where ParentObjectGUID IS NOT NULLDelete FROM [dbo].[AzureTenants] where ParentObjectGUID IS NOT NULLDelete FROM [dbo].[AzureApplications] where ParentObjectGUID IS NOT NULL
STATUS:
This Product Defect ID 98173 (previously tracked as Defect ID 709345)has been resolved in Active Roles 7.3.3 and later versions. The latest Active Roles installation media can be obtained
Did this article solve an issue for you?
Request a KB ArticleLeave a Comment
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center