Single sign-on (SSO) is an identification method that enables users to log in to multiple applications and websites with one set of credentials. SSO streamlines the authentication process for users. After configuring Pass-Through Authentication (PTA) as discussed in the hyperlink, you may run into several user sign-in issues. In this guide, you will learn how to fix SSO sign-in and non-routable domain issues leading to invalid usernames and passwords. See how to Setup a Domain Controller as Recommended by Microsoft.
Note: Azure Active Directory (Azure AD) is being renamed to Microsoft Entra ID as part of our commitment to simplify secure access experiences for everyone. So, in this article, ensure to note the difference as this guide was created before it was renamed.
Please see how to fix the “Error: The processing of Group Policy failed because of lack of network connectivity to a DC. This may be a transient condition. A success message would be generated once the machine gets connected“, and how to Reset a Snom Phone.
Why was the error “SSO sign-in and non-routable domain issues” prompted?
You will not be able to sign in to Microsoft Office 365, Microsoft Azure, Microsoft Intune, etc. The sign-in error message is as follows “Invalid username and password – Your account or password is incorrect if you cannot remember your account reset it now“.
This could be a result of many other reasons: This can happen when Azure AD is unable to receive the Kerberos ticket from your on-premise user account or when a user’s on-premises UserPrincipalName (UPN) is different than the user’s cloud UPN.
Fix”sign-in, non-routable domains, invalid usernames, and passwords for SSO issues”?
To fix this issue, you need to use GPO to push some Azure URLs to your users’ internet zone settings. Here is a guide on how to synchronize your on-premises AD with Azure Active Directory using the Azure AD Connect tool, and how to use the built-in AAD Connect troubleshooting tool.
Note: Microsoft recommends not using a non-routable domain name suffix such as the dotlocal. The .local suffix isn’t routable and can cause issues with DNS resolution. With this fix, we can mitigate this issue.
For other similar causes that may apply to you, see the following possible fix for the issues below, they did not apply to me. Your subscription has expired.
- Your user account is not enabled.
- You're locked out of your user account.
- You tried to sign in with the wrong username and password.
- The password you tried to sign in with is temporary and expired. (This might happen if your user account is new or your password was recently reset.)
- Your password has expired.
- You're blocked from signing in.
- If you're a federated user, single sign-on is not working.
Note: Even when you try to reset the account, it will never be possible and the following error will be prompted.
Let’s simulate the issue with the environment to ensure that the Pass-through Authentication agent is working correctly before proceeding to fix the issue.
1: Import the PowerShell module on the agent machine
Import-Module Adsync
2: Run the following command from PowerShell as shown below
Invoke-PassthroughAuthOnPremLogonTroubleshooter 
Upon entering your credentials, the login will fail as shown below displaying the error code and failure reason.
Since we are getting the same error “username and password is incorrect”, this means that the Pass-through Authentication agent is working correctly and the issue may be that the on-premises UPN is non-routable.
Create GPO to push Azure URLs to your users’ Internet Zone Settings
As you can see we are using a different UPN for on-premise and this is different from the cloud UPN. To fix this issue, you need to use GPO to push some Azure URLs to your users’ internet zone settings and to ensure AAD is able to process the Kerberos ticket.
This step ensures that the domain-joined computer automatically sends a Kerberos ticket to Azure AD when it’s connected to the corporate network.
Since this is a Domain controller, we will have to access the Group Policy Object in the following way below.
Upon clicking on the Group Policy Management as shown above this will open the Group Policy Management Console
Now, I want to create a new GPO that will be linked to our domain. So when our user’s log on to the network with a PC. They will be able to perform SSO.
When the GPO is created. Right-click on it and select edit as shown below
Edit the GPO and Configure the Site to Zone Assignment List
The steps below will be broken into two parts as shown as you will apply them both to the User Configuration.
Please see how to configure Pleasant Password MsSQL SSO, how to configure and use Pleasant Password RDP SSO, How to disable or enable automatic login from the sign-in screen in Windows, and how to fix “Errors associated with Pleasant Password RDP SSO and SSH SSO”.
1: Navigate to the User Configuration > Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel, Security Page, and double click on the Site to Zone Assignment List to modify the values as shown below
Click on Enabled to enable the policy and click on the show button as shown below
This will open the show contents wizard as shown below.
You will have to populate the above image above with the following information below.
| Value Name | Value |
|---|---|
| login.microsoftonline.com | 3 |
| aadg.windows.net.nsatc.net | 1 |
| autologon.microsoftazuread-sso.com | 1 |
| secure.aadcdn.microsoftonline-p.com | 1 |
In the end, the “Show Contents” window will look this way.
Note: Whenever a value is entered, a new line will be created.
Click on okay when you are done.
Note: If Seamless SSO is to be disabled for individual groups or users, the GPO must be turned to the Value 4 for these people.Enable the GPO “Allow updates to the status bar via script“
When this is done, navigate one step backward or follow the path:
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone and set the Allow updates to the status bar via script entry to Enabled as shown below
Now, you will have to link the GPO to the domain. There are various ways to do this.
You can drag and drop the GPO wherever OU you want to via the Group Policy Management Console. I want this to apply to domain-wide computers and as such, I will be linking it there.
But to be sure and never to make mistakes. I will recommend you click on the domain, OU, etc where you want to link the GPO as shown below.
Note: You can also create a GPO and link it here immediately. But this is not recommended if you do not know what you are doing.
This will now open the Select GPO window. Select the GPO you wish to link and in my case AAD SSO and click on OK.
Now, we have the policy linked to our domain as shown below.
Now you can run the GPO switch to update the policy immediately instead of waiting for the default 90 minutes.
Renew the Kerberos Decryption Key
Microsoft recommends rolling out the Kerberos Decryption Key at least every 30 days. This reduces the risk of spying on the Kerberos Decryption Key.
To renew the Kerberos Decryption Key of the AZUREADSSOACC computer account. You must first download the Azure AD PowerShell module from the PowerShell Gallery.
Start PowerShell as the administrator on the computer on which AD Connect is installed and run the following command.
Install-Module MSOnline
Note: You may get a prompt requesting you to confirm the installation of the module since its source is regarded as untrusted.
Import the module AzureADSSO.psd1
When this is done installing, navigate to this path via PowerShell “C:\Program Files\Microsoft Azure Active Directory Connect” to import the module AzureADSSO.psd1
Next, execute the “New-AzureADSSOAuthenticationContext” command as shown below.
This will open the console registration page as shown below “enter the credentials of an Azure administrator in the following window”.
Enter the username and password
Click on continue as shown above. Then you will be required to perform some security checks as shown below
Enter your phone number and the OTP that is sent to you and finally. Click on finish to complete the verification process.
Next, run the command below. This checks which domains are stored and activated in the Seamless SSO tenant.
Get-AzureADSSOStatus
Then run the command below and enter the credentials of a local domain administrator in the following window.
$passwd = Get-Credential
Lastly, we will have to run the following command below to complete the update of the Decryption Key of the AZUREADSSOACC computer account.
Update-AzureADSSOForest -OnPremCredentials $passwd
Note: If you have multiple domains or child-domains, This must be done for all domains configured for Seamless SSO regardless. Ensure cloud policy is applied on the end devices in your organisation as shown below
Now, let’s perform some testing to ensure single sign-on (PTA) works. Before proceeding with this test, ensure the user is properly sync and available on Azure AD.
See this guide for how this is achieved via Pass-Through Authentication. Also, see how to install and Configure Rancid, how to administer LXC Containers, how to remove a failed Edge Transport, and How to enable SSH access on Ubuntu server.
Test 1: Company network with company address
Follow these steps to test the Company network with the company address “https://myapps.microsoft.com/techdirectarchive.com“
In this scenario, your PC is part of the domain in the corporate network that opens the following page via Chrome
You are now granted access to the my-apps application without entering your password.
Please see how to fix We cannot sign you with this credential because your domain isn’t available: Make sure your device is connected to your organization’s network and try again.
Test 2 – Company network with normal web address
Follow these steps to test your Company network with the normal web address “https://myapps.microsoft.com/“
Here you will be required to enter an account or pick an existing account as shown below.
Since I have an existing account, there is no need to enter a new account.
Note: Your password will never be requested in this method. But you may be asked to perform additional security verification as shown below. I do not have the time to work you through this, have fun 😉
Here are some exciting articles: How to export PST from one Exchange Server to another server. How to fix PST Errors: The mailbox exceeds the maximum number of large items that were specified for this request.
Test 3 – Outside company network with company address
Outside company network with company address “https://myapps.microsoft.com/techdirectarchive.com“. In this example, you will be required to enter your username and password.
I hope you found this blog post helpful on how to fix SSO sign-in and non-routable domain issues. Now, you have learned how to fix SSO sign-in and non-routable domain issues leading to invalid usernames and passwords. If you have any questions, please let me know in the comment session.
