ADFS doesn't work with Event ID 6110 and 6803 - Resolution with screenshots

Situation: The client runs ADFS with directory synchronization to Office 365, but synchronization fails with these event IDs:

Log Name: Application
Source: FIMSynchronizationService
Date: 7/20/2015 5:31:57 PM
Event ID: 6110
Description:
The management agent "Windows Azure Active Directory Connector" step execution completed on run profile "Delta Import Delta Sync" but the watermark was not saved.

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"

User Action
View the management agent run history for details.

Log Name: Application
Source: FIMSynchronizationService
Date: 7/20/2015 5:31:57 PM
Event ID: 6803
Description:
The management agent "Windows Azure Active Directory Connector" failed on run profile "Delta Import Delta Sync" because the server encountered errors.

They also receive a message from Microsoft:
On Tuesday, 21 July 2015 04:51:41 GMT, Azure Active Directory did not register a synchronization attempt from the Identity synchronization tool in the last 24 hours for Howard Simon & Associates [hsa.onmicrosoft.com].

You can troubleshoot this issue by running the Directory Synchronization troubleshooter on the server that has Azure Active Directory identity synchronization tools installed.

The ADFS sync shows this error:


PROBLEM:       ADFS Service Communication Certificate Renewal warning

RESOLUTION: Update the certificates on the ADFS 2.0 server and update the federation metadata.

AUTO CERTIFICATE ROLLOVER MECHANISM

If you are receiving a certificate warning on the portal, note that the notification for ADFS certificate expiration on the portal usually means the Token-Decrypting and Token-Signing certificates of ADFS are about to expire. A feature called "AutoCertificateRollover" controls the renewal of these two certificates. The commands below, run in PowerShell on the ADFS server, show whether the "AutoCertificateRollover" attribute is set to TRUE; if it is, you do not need to renew the Token-Signing and Token-Decrypting certificates yourself. Note that auto rollover covers only those two certificates: the Service Communication certificate is a normal SSL certificate and must still be renewed and assigned manually. The mechanism is described in detail below.

1.       The Global Admin starts receiving notifications on the Office 365 portal about 45 days before the Token-Signing and Token-Decrypting certificates expire.

2.      If the AutoCertificateRollover feature is turned on in the ADFS properties, the ADFS service generates and replaces these certificates automatically, and the administrator does not have to renew them.

3.      The new certificates are generated 20 days before the expiration date of the current certificate (the CertificateGenerationThreshold property) and are labelled Secondary.

4.      The new Secondary certificates replace the old ones 5 days after generation (the CertificatePromotionThreshold property).

5.      The administrator still has to update the federation metadata in Azure AD with the Azure PowerShell module; the command is: Update-MsolFederatedDomain -DomainName <domain>

Example :

Current Expiration Date of Certificates :   30/7/2014

Current Date :    30/6/2014

New certificate will get generated on :   30/7/2014  - 20 days    =     10/7/2014

Auto Certificate Rollover will take place on :   10/7/2014  +  5 days  =   15/7/2014

Number of days left, as shown in the portal notification =   15/7/2014  - 30/6/2014   =   15 days

STEPS TO CHECK ADFS PROPERTIES :

1.       Open PowerShell as Administrator on the ADFS server

2.      Type : Add-PSSnapin Microsoft.Adfs.PowerShell  ( only needed for ADFS 2.0 on Windows Server 2008 / 2008 R2 )

3.      Type : Get-AdfsProperties

4.      Check the value of the "AutoCertificateRollover" attribute; it should be TRUE

5.      If it is FALSE, enable it : Set-AdfsProperties -AutoCertificateRollover $true
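The following script is an added example, not part of the original article: it reads the rollover settings and the current Token-Signing and Token-Decrypting certificates from ADFS and computes the same timeline the worked example above does by hand, so the "days left" figure can be checked on the server instead of on the portal. It assumes it is run as Administrator on the primary ADFS server; the Add-PSSnapin line is only needed on ADFS 2.0 (Windows Server 2008 / 2008 R2), and on 2012 R2 and later the ADFS module loads automatically.

```powershell
# Added example (not from the original article): compute the auto-rollover timeline
# from the live ADFS properties and certificates.
# Assumes: elevated PowerShell on the primary ADFS server.
if (-not (Get-PSSnapin -Name Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 only
}

$props = Get-AdfsProperties

if (-not $props.AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is FALSE: the token certificates will NOT renew themselves.'
    # Turn it on (step 5 above); ADFS then manages the Token-Signing/Token-Decrypting certificates:
    # Set-AdfsProperties -AutoCertificateRollover $true
}

# Thresholds are in days. The defaults are 20 (generation) and 5 (promotion),
# the figures used in the worked example above.
$genDays   = [int]$props.CertificateGenerationThreshold
$promoDays = [int]$props.CertificatePromotionThreshold
$today     = (Get-Date).Date

foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $primary  = Get-AdfsCertificate -CertificateType $type | Where-Object { $_.IsPrimary }
    $expires  = $primary.Certificate.NotAfter.Date
    $generate = $expires.AddDays(-$genDays)      # new Secondary certificate appears
    $promote  = $generate.AddDays($promoDays)    # Secondary is promoted to Primary

    New-Object PSObject -Property @{
        CertificateType = $type
        Thumbprint      = $primary.Thumbprint
        Expires         = $expires.ToString('yyyy-MM-dd')
        NewCertOn       = $generate.ToString('yyyy-MM-dd')
        RolloverOn      = $promote.ToString('yyyy-MM-dd')
        DaysLeft        = ($promote - $today).Days
    }
}

# The Service Communications certificate is outside auto rollover; show its expiry
# too, because that is the certificate named in the "Service Communication
# Certificate Renewal" warning at the top of this article.
$svc = Get-AdfsCertificate -CertificateType Service-Communications
Write-Host ("Service Communications certificate expires {0}" -f $svc.Certificate.NotAfter.Date.ToString('yyyy-MM-dd'))
```

With the article's dates (expiry 30/7/2014, run on 30/6/2014, thresholds 20 and 5) the script reports NewCertOn 2014-07-10, RolloverOn 2014-07-15 and DaysLeft 15, matching the calculation above. A negative DaysLeft means the promotion date has already passed and the federation metadata in Azure AD must be updated now.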

STEPS FOR UPDATING ADFS CERTIFICATES MANUALLY :

1)      Log in to the primary ADFS server as an Administrator

2)      Open Windows PowerShell as Administrator

3)      Type : Add-PSSnapin Microsoft.Adfs.PowerShell

4)      Type : Update-AdfsCertificate -Urgent  ( -Urgent generates new Token-Signing and Token-Decrypting certificates and promotes them to Primary immediately, so federated sign-in to Office 365 fails until Azure AD receives the new metadata )

5)      Update the relying party trust immediately by following the steps below

STEPS TO UPDATE THE FEDERATION METADATA :

1.       Download and install the Sign In Assistant : http://www.microsoft.com/en-us/download/details.aspx?id=39267

2.      Download and install Azure PowerShell : http://technet.microsoft.com/en-us/library/jj151815.aspx#bkmk_installmodule

3.      Run PowerShell as Administrator

4.      Type : Connect-MsolService, and enter the Global Admin credentials ( the onmicrosoft.com account )

5.      Type : Update-MsolFederatedDomain -DomainName <domain>, to send the new federation metadata of ADFS to Azure AD

6.      Restart the ADFS service on the ADFS server(s)

7.      Re-run the ADFS Proxy configuration on the ADFS Proxy server(s), if any
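The two procedures above (manual rollover, then the federation metadata update) as one script, added here as an example and not taken from the original article. It ends with a check that Azure AD actually holds the new Token-Signing certificate, which is the step that is easy to skip and the reason federated sign-in stays broken. Assumptions: it runs as Administrator on the primary ADFS server, the Sign In Assistant and the Azure AD (MSOnline) module are installed, the domain name is a placeholder, and the Source value and TokenSigningCertificate property of Get-MsolFederationProperty are taken from how that cmdlet displays its output.

```powershell
# Added example (not from the original article): manual certificate rollover,
# federation metadata update and verification in one run.
$domain = 'contoso.com'   # assumption: replace with the federated domain

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 only
Import-Module MSOnline

# 1. Roll over both token certificates now. Without -CertificateType the cmdlet
#    updates Token-Signing and Token-Decrypting; -Urgent promotes the new
#    certificates to Primary at once, so Office 365 sign-in through ADFS fails
#    from this point until step 2 has completed.
Update-AdfsCertificate -Urgent

$adfsSigning = (Get-AdfsCertificate -CertificateType Token-Signing |
                Where-Object { $_.IsPrimary }).Thumbprint

# 2. Send the new federation metadata to Azure AD. Connect-MsolService prompts
#    for a Global Admin of the tenant. Add -SupportMultipleDomain to
#    Update-MsolFederatedDomain if more than one domain is federated with this ADFS.
Connect-MsolService
Update-MsolFederatedDomain -DomainName $domain

# 3. Verify. Get-MsolFederationProperty returns one row read from ADFS and one
#    from Office 365; the Office 365 row must now carry the ADFS primary
#    Token-Signing thumbprint (assumption: Source reads 'Microsoft Office 365').
$cloud = Get-MsolFederationProperty -DomainName $domain |
         Where-Object { $_.Source -like '*Office 365*' }
$cloudSigning = $cloud.TokenSigningCertificate.Thumbprint

if ($cloudSigning -eq $adfsSigning) {
    Write-Host "Azure AD has the new Token-Signing certificate ($adfsSigning)."
} else {
    Write-Warning "Mismatch: ADFS=$adfsSigning, Azure AD=$cloudSigning. Re-run Update-MsolFederatedDomain."
}

# 4. Restart ADFS so the service picks up the new certificates (service name
#    adfssrv). Re-run the proxy configuration on any ADFS proxy afterwards,
#    as step 7 above says.
Restart-Service adfssrv
```

Run the check in step 3 again after any later automatic rollover as well: if AutoCertificateRollover promotes a new Token-Signing certificate and nobody runs Update-MsolFederatedDomain, the thumbprints diverge and Office 365 rejects ADFS tokens until the metadata is pushed again.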

Articles referred:

http://social.technet.microsoft.com/wiki/contents/articles/16156.ad-fs-2-0-understanding-autocertificaterollover-threshold-properties.aspx

http://social.technet.microsoft.com/wiki/contents/articles/1673.active-directory-certificate-services-ad-cs-powershell-examples.aspx

https://msdn.microsoft.com/en-us/library/azure/dn194098.aspx

 

 

 


 

  This web is provided "AS IS" with no warranties.
Copyright © 2002-2018 ChicagoTech.net, All rights reserved. Unauthorized reproduction forbidden.