After configuring Pass-Through Authentication (PTA) as discussed in the linked guide, you may run into several user sign-in issues: users cannot sign in to Microsoft Office 365, Microsoft Azure, Microsoft Intune, and so on, and receive the error message “Invalid username and password – Your account or password is incorrect. If you cannot remember your account, reset it now”. The error has many possible causes. Two of them are relevant here: Azure AD cannot decrypt the Kerberos ticket that the domain-joined PC presents for Seamless SSO, or the user’s on-premises UserPrincipalName (UPN) suffix differs from the user’s cloud UPN (typically because the on-premises suffix is non-routable, such as .local). In this guide, you will learn how to fix SSO sign-in and non-routable domain issues that lead to “invalid username and password” errors.
How to fix sign-in, non-routable domain and invalid username or password issues for SSO
To fix this issue, you need to use a GPO to push the Azure AD SSO URL into your users’ Intranet zone settings. Here is a guide on how to synchronize your on-premises AD with Azure Active Directory using the Azure AD Connect tool, and how to use the built-in AAD Connect troubleshooting tool.
Note: Microsoft recommends against using a non-routable domain name suffix, such as Techdirect.local. The .local suffix cannot be verified as a domain in Azure AD and can also cause DNS resolution issues. The GPO in this guide mitigates the sign-in symptom; the durable fix for the UPN mismatch is to add a routable UPN suffix (one you have verified in Azure AD) in Active Directory Domains and Trusts and assign it to the affected users before the next sync.
Other causes of the same error are listed below; check whether any of them applies to you. None of them applied in my case.
– Your subscription has expired.
– Your user account is not enabled.
– You’re locked out of your user account.
– You tried to sign in with the wrong username and password.
– The password you tried to sign in with is temporary and expired. (This might happen if your user account is new or your password was recently reset.)
– Your password has expired.
– You’re blocked from signing in.
– If you’re a federated user, single sign-on is not working.
Note: Resetting the account’s password does not help; the same error is returned. Before fixing the issue, let’s reproduce it in the environment to confirm that the Pass-through Authentication agent itself is working correctly.
1: Import the PowerShell module on the agent machine
2: Run the following command from PowerShell as shown below
Upon entering your credentials, the sign-in fails as shown below, displaying the error code and failure reason.
Since we get the same “username and password is incorrect” error from the agent itself, the Pass-through Authentication agent is working correctly, and the likely cause is that the on-premises UPN suffix is non-routable and therefore does not match the cloud UPN.
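Before changing any GPO, it is worth confirming the UPN-suffix theory for every synced account rather than one test user. The following is an added example, not code from the original post: it checks whether a UPN suffix is a domain verified in Azure AD and flags the non-routable ones. The suffixes techdirectarchive.local and techdirectarchive.com, the sample accounts and the helper name Test-RoutableUpn are assumptions for illustration; the sample objects are constructed inline so the script runs without a domain.

```powershell
# Added example (not from the original post): flag on-premises accounts whose UPN suffix
# is not a domain verified in Azure AD, i.e. accounts that will sync with a UPN that
# does not match the cloud UPN. Helper name and sample data are assumptions.

function Test-RoutableUpn {
    param(
        [Parameter(Mandatory)] [string]   $UserPrincipalName,
        [Parameter(Mandatory)] [string[]] $VerifiedDomains   # domains verified in the Azure AD tenant
    )
    # A usable UPN has exactly one "@" and a non-empty suffix.
    $parts = $UserPrincipalName.Split('@')
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[1])) { return $false }
    $suffix = $parts[1].ToLowerInvariant()
    # Reserved suffixes such as .local can never be verified in Azure AD, so fail fast.
    if ($suffix -match '\.(local|internal)$') { return $false }
    # Everything else must be a verified (routable) domain of the tenant.
    return ($VerifiedDomains -contains $suffix)
}

# Constructed sample standing in for Get-ADUser output; it does not query AD.
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'jdoe';   UserPrincipalName = 'jdoe@techdirectarchive.local' },
    [pscustomobject]@{ SamAccountName = 'asmith'; UserPrincipalName = 'asmith@techdirectarchive.com' },
    [pscustomobject]@{ SamAccountName = 'svc01';  UserPrincipalName = 'svc01' }
)
# Assumption: techdirectarchive.com is the domain verified in the tenant.
$verifiedDomains = @('techdirectarchive.com')

$sampleUsers | ForEach-Object {
    [pscustomobject]@{
        User     = $_.SamAccountName
        UPN      = $_.UserPrincipalName
        Routable = Test-RoutableUpn -UserPrincipalName $_.UserPrincipalName -VerifiedDomains $verifiedDomains
    }
} | Format-Table -AutoSize
# Expected: jdoe and svc01 are not routable, asmith is.

# Against a real environment (ActiveDirectory and AzureAD modules required):
#   $verifiedDomains = (Get-AzureADDomain | Where-Object IsVerified).Name
#   Get-ADUser -Filter * -Properties UserPrincipalName |
#       Where-Object { -not (Test-RoutableUpn $_.UserPrincipalName $verifiedDomains) } |
#       Select-Object SamAccountName, UserPrincipalName
# The durable fix is a routable suffix, e.g.
#   Set-ADForest -Identity techdirectarchive.local -UPNSuffixes @{Add='techdirectarchive.com'}
#   Set-ADUser -Identity jdoe -UserPrincipalName 'jdoe@techdirectarchive.com'
# followed by a sync cycle, so that the on-premises and cloud UPNs agree.
```

The check distinguishes accounts that merely lack a UPN from accounts whose suffix can never be verified; both will sync with a cloud UPN the user does not know, which is exactly the symptom the post describes.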
Create GPO to push Azure URLs to your users’ Internet Zone Settings
As you can see, the on-premises UPN differs from the cloud UPN. To fix this issue, use a GPO to push the Azure AD SSO URL into your users’ Intranet zone settings so that the browser presents the Kerberos ticket and Azure AD can process it. For more details on GPOs, see the following links; I have written many articles on GPO.
This step ensures that a domain-joined computer on the corporate network automatically sends a Kerberos ticket to Azure AD: browsers only answer the Kerberos challenge for sites in the Local intranet zone, so the Azure AD SSO endpoint must be placed in that zone.
Since this is a domain controller, we open the Group Policy Management console from Server Manager as shown below.
Clicking Group Policy Management as shown above opens the Group Policy Management Console.
Now I want to create a new GPO linked to our domain, so that when users log on to the network from a domain-joined PC they can perform SSO. There are various ways to do this; see the following link.
When the GPO is created, right-click it and select Edit as shown below.
Edit the GPO and Configure the Site to Zone Assignment List
The steps below are broken into two parts; both are applied under User Configuration.
1: Navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page and double-click Site to Zone Assignment List to modify the values as shown below.
Click Enabled to enable the policy, then click the Show button as shown below.
This opens the Show Contents window as shown below.
Populate the window as shown below: the value name is the Azure AD SSO URL and the value is the zone number, where 1 is the Local intranet zone.
When you are done, the Show Contents window looks like this. Note: whenever a value is entered, a new empty row is added.
Click OK when you are done.
Note: To disable Seamless SSO for individual users or groups, apply a GPO to those users that maps the same URL to zone 4 (Restricted sites) instead of zone 1.
Enable the policy setting “Allow updates to the status bar via script”
Next, navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone and set Allow updates to the status bar via script to Enabled as shown below.
Now you have to link the GPO to the domain. There are various ways to do this.
– You can drag and drop the GPO onto whichever OU you want in the Group Policy Management Console. I want this to apply to all computers in the domain, so I will link it at the domain level.
– To avoid mistakes, I recommend right-clicking the domain or OU where you want to link the GPO and choosing to link an existing GPO, as shown below.
Note: You can also create a GPO and link it here immediately, but this is not recommended if you are not sure what you are doing.
This opens the Select GPO window; select the GPO you wish to link (AAD SSO in my case) and click OK.
Now, we have the policy linked to our domain as shown below.
Now run gpupdate /force on the clients to apply the policy immediately instead of waiting for the default 90-minute refresh interval.
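The same GPO can be created, populated and linked from PowerShell, which is repeatable and easier to audit than clicking through the Show Contents dialog. The following is an added example and not code from the original post. It assumes the GroupPolicy module (RSAT) on a domain member, the GPO name AAD SSO and the lab domain techdirectarchive.local from the post, and uses the Seamless SSO URL https://autologon.microsoftazuread-sso.com that Microsoft documents for the Intranet zone; the helper name Test-SsoZoneMapping is an assumption.

```powershell
# Added example (not from the original post): build the "AAD SSO" GPO with the two
# User Configuration settings the guide describes, link it to the domain, and verify
# the result on a client. GPO name, domain DN and helper name are assumptions.

$gpoName  = 'AAD SSO'
$domainDn = 'DC=techdirectarchive,DC=local'            # assumption: the post's lab domain
$ssoUrl   = 'https://autologon.microsoftazuread-sso.com' # Microsoft-documented Seamless SSO URL

# 1. Create the GPO if it does not exist yet (idempotent).
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    $null = New-GPO -Name $gpoName -Comment 'Seamless SSO: Azure AD endpoint in Local intranet zone'
}

# 2. Site to Zone Assignment List (User Configuration). The policy stores each URL as a
#    REG_SZ under ZoneMapKey whose data is the zone number: 1 = Local intranet,
#    4 = Restricted sites (use 4 in a separate GPO to switch SSO off for selected users).
$ieSettings = 'HKCU\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
$null = Set-GPRegistryValue -Name $gpoName -Key "$ieSettings\ZoneMapKey" `
            -ValueName $ssoUrl -Type String -Value '1'
# Enabling the policy also sets this flag on the parent key.
$null = Set-GPRegistryValue -Name $gpoName -Key $ieSettings `
            -ValueName 'ListBox_Support_ZoneMapKey' -Type DWord -Value 1

# 3. "Allow updates to the status bar via script" for the Intranet zone (Zones\1):
#    URL action 2103, where 0 means Enabled.
$null = Set-GPRegistryValue -Name $gpoName -Key "$ieSettings\Zones\1" `
            -ValueName '2103' -Type DWord -Value 0

# 4. Link the GPO at the domain level unless it is already linked there.
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $linked) {
    $null = New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes
}

# 5. Verification on a client, run as the target user after "gpupdate /force".
#    Returns 1 when SSO should work, 4 when deliberately disabled for this user,
#    and $null when the policy has not applied yet.
function Test-SsoZoneMapping {
    param([string] $Url = 'https://autologon.microsoftazuread-sso.com')
    $key  = 'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
    $item = Get-ItemProperty -Path $key -Name $Url -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int] $item.$Url
}

Test-SsoZoneMapping
```

Two caveats a practitioner should keep in mind: the settings live under HKCU, so they only take effect for users the GPO actually applies to (check with gpresult /r if Test-SsoZoneMapping returns nothing), and Edge and Chrome honour the Windows Intranet zone while Firefox needs the same URL in its own network.negotiate-auth.trusted-uris preference.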
Renew the Kerberos Decryption Key
Microsoft recommends rolling over the Kerberos decryption key of the AZUREADSSOACC computer account at least every 30 days. Anyone who obtains that key (for example from a copy of the AD database) can forge Kerberos tickets that Azure AD accepts for synced users, so regular rollover limits how long a stolen key remains useful.
To renew the Kerberos decryption key of the AZUREADSSOACC computer account, first install the Azure AD PowerShell module from the PowerShell Gallery. Start PowerShell as administrator on the computer on which Azure AD Connect is installed and run the following command.
Note: You may get a prompt asking you to confirm installation of the module, since the repository is regarded as untrusted by default.
Import the module AzureADSSO.psd1
When the installation completes, import the AzureADSSO.psd1 module from “C:\Program Files\Microsoft Azure Active Directory Connect” in the same PowerShell session.
Next, execute the “New-AzureADSSOAuthenticationContext” command as shown below.
– This opens the sign-in window shown below; enter the credentials of an Azure AD administrator.
Enter the username and password.
Click Continue as shown above; you will then be required to perform additional security verification as shown below.
– Enter your phone number and the OTP that is sent to you, and
– finally click Finish to complete the verification process.
Next, run the command below. It shows which forests and domains are registered and enabled for Seamless SSO in the tenant.
Then run the command below and enter the credentials of an on-premises domain administrator in the prompt.
$passwd = Get-Credential
Lastly, run the following command to roll over the decryption key of the AZUREADSSOACC computer account.
Update-AzureADSSOForest -OnPremCredentials $passwd
Note: If you have multiple AD forests (or domains) configured for Seamless SSO, repeat this rollover for every forest where the feature is enabled.
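Put together, the rollover is a short script rather than six separate prompts. The following is an added example and not code from the original post: it runs the sequence the section describes in an elevated PowerShell session on the Azure AD Connect server and then checks the age of the AZUREADSSOACC key so the 30-day rule can be verified rather than assumed. It assumes the default Azure AD Connect install path from the post, that the AzureAD module is installable from the PowerShell Gallery, and that the ActiveDirectory module is present for the final check.

```powershell
# Added example (not from the original post): roll over the Seamless SSO Kerberos
# decryption key and verify the result. Assumes the default AD Connect path and that
# the ActiveDirectory module is available on this machine for the age check.

# 1. Azure AD PowerShell module (the Gallery prompts for trust if it is untrusted).
if (-not (Get-Module -ListAvailable -Name AzureAD)) {
    Install-Module -Name AzureAD -Scope CurrentUser
}

# 2. Seamless SSO module shipped with Azure AD Connect.
Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

# 3. Authenticate to the tenant as an Azure AD administrator (interactive, MFA as configured).
New-AzureADSSOAuthenticationContext

# 4. Which forests/domains have Seamless SSO enabled; the cmdlet returns JSON.
$ssoStatus = Get-AzureADSSOStatus | ConvertFrom-Json
$ssoStatus

# 5. Roll the key of AZUREADSSOACC. Run once per forest that appears in $ssoStatus.
$onPremCreds = Get-Credential -Message 'On-premises domain administrator (DOMAIN\user)'
Update-AzureADSSOForest -OnPremCredentials $onPremCreds

# 6. Verify: the computer account's password age should now be ~0 days. A value over
#    30 days on a later run means the rollover has been missed.
function Get-SsoKeyAgeDays {
    param([string] $Account = 'AZUREADSSOACC')
    $acct = Get-ADComputer -Identity $Account -Properties PasswordLastSet
    return (New-TimeSpan -Start $acct.PasswordLastSet -End (Get-Date)).Days
}

$age = Get-SsoKeyAgeDays
if ($age -gt 30) {
    Write-Warning "AZUREADSSOACC key is $age days old; roll it over."
} else {
    Write-Output "AZUREADSSOACC key age: $age day(s)."
}
```

Get-SsoKeyAgeDays is also useful on its own as a scheduled check: the PasswordLastSet attribute of AZUREADSSOACC is the only on-premises evidence that the rollover actually happened.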
– Ensure the policy has been applied on the end devices in your organisation as shown below.
Now let’s test that single sign-on with PTA works. Before proceeding with this test, ensure the user is synced and available in Azure AD. See this guide for how this is achieved with Pass-Through Authentication.
Test 1: Company network with company address
Follow these steps to test from the company network with the company address “https://myapps.microsoft.com/techdirectarchive.com”.
In this scenario, your PC is domain-joined and on the corporate network; open the address in Chrome.
You are granted access to the My Apps portal without entering your password.
Test 2 – Company network with normal web address
Follow these steps to test from the company network with the normal web address “https://myapps.microsoft.com/”.
– Here you are asked to enter an account or pick an existing one as shown below. Since I have an existing account, there is no need to enter a new one.
Note: Your password is never requested in this method, but you may be asked to perform additional security verification as shown below. I do not have the time to walk you through this; have fun 😉
Test 3 – Outside company network with company address
Outside the company network, with the company address “https://myapps.microsoft.com/techdirectarchive.com”, you are required to enter your username and password, because Seamless SSO only works from a domain-joined device that can reach a domain controller. For other possible errors, see the following link. For more details on these steps, see this article.
I hope you found this blog post helpful. You have now learned how to fix SSO sign-in and non-routable domain issues that lead to invalid username and password errors. If you have any questions, please let me know in the comment section.