Microsoft Entra ID

To The Rescue: Working With The Microsoft Entra ID Team

A post of mine on X.com regarding some issues centered around Microsoft Entra ID Connect gained some attention. I had some difficulties setting up the new Microsoft Entra ID Connect agent in my environment, and could not successfully sync a defined OU. When attempting to provision users, I received a full screen error message simply stating that an unexpected error occurred.

Confused, I opened a ticket with Microsoft Entra ID support, where I was helped by a friendly engineer who recommended falling back to Microsoft Azure AD Connect because the new agent wasn't ready for production workloads. I quickly configured the classic agent, and within fifteen minutes, my local Active Directory server had successfully synced with Entra ID.

Why Microsoft Entra ID Connect?

I made the decision to centralize sysadminafterdark operations by setting up a Microsoft System Center Service Manager server. This enabled us to centralize server notifications, plan projects, and keep track of progress (or regressions) in the environment. Part of this deployment included creating tickets from email, enabled by the Service Manager Exchange Connector, which requires the service account to be Entra ID synced.

Public Reaction To Microsoft Entra ID Connect

Many fans chimed in that they were unaware Microsoft had released a new agent and agreed that falling back to the classic Microsoft Azure AD Sync client was the best path forward. I documented my process and stuck a warning in the introduction just in case anyone wanted to follow suit with a deployment on their homelab. I intended to follow up and revisit this deployment at a later date, until I checked my X direct messages the next day.

Microsoft Communication

I woke up the next morning with a handful of direct messages from Microsoft employees asking if they could help. We started collecting logs, network pcaps, trying multiple syncs from the portal, and they even sent me internal beta builds (versions 1.1.1673 and 1.1.1676) to see if we could resolve the issue. It is an understatement to say I was impressed with their commitment to contact me and fix issues with their new client. Their communications spanned multiple email threads and in-person Microsoft Teams calls with 5-7 people from around the world participating in them. I REALLY stirred up the hive with this one.

Finally, after a week of daily troubleshooting and communications back and forth, we were able to resolve the issue by creating a single registry key.

Fixing Microsoft Entra ID

To resolve this issue, in addition to following the steps laid out in my Microsoft Entra ID documentation, we discovered that everything would successfully sync if TLS 1.3 was disabled on the server.

Disable TLS 1.3 for Microsoft Entra ID to work.
Windows Registry Editor opened to the TLS 1.3 key.

The following must be performed to disable TLS 1.3 on the server:

Open Windows Registry Editor (regedit.exe) and navigate to the following key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Create a new key called TLS 1.3 then create a new key within called Client. In the Client key, create a DWORD 32-bit value called Enabled and set the value to 0. Please see the image above for a correctly configured environment reference.

Give the server a reboot and attempt to provision a user on the Entra ID Connect console. The users you have specified to sync to the directory should now successfully sync!
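The same registry change can be applied and audited from an elevated PowerShell prompt. This is an added example, not part of the original post or a Microsoft tool; the function names are my own, and it only touches the TLS 1.3\Client key described above.

```powershell
# Added example (not from the original post): applies the TLS 1.3 client
# override described above, and reads it back so the change can be audited
# and reverted later. Run from an elevated PowerShell prompt.
$ProtocolsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ClientPath    = Join-Path $ProtocolsPath 'TLS 1.3\Client'

function Get-Tls13ClientState {
    # Returns 'Disabled' (Enabled=0), 'Enabled' (any other value),
    # or 'NotConfigured' when no override exists and the OS default applies.
    $item = Get-ItemProperty -Path $ClientPath -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.Enabled -eq 0) { return 'Disabled' }
    return 'Enabled'
}

function Disable-Tls13Client {
    # Creates Protocols\TLS 1.3\Client (and the missing parent key) and
    # sets the DWORD value Enabled to 0, matching the regedit steps above.
    if (-not (Test-Path $ClientPath)) {
        New-Item -Path $ClientPath -Force | Out-Null
    }
    New-ItemProperty -Path $ClientPath -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

function Restore-Tls13Client {
    # Removes the override so Schannel returns to its default (TLS 1.3 on).
    if (Test-Path $ClientPath) {
        Remove-ItemProperty -Path $ClientPath -Name 'Enabled' -ErrorAction SilentlyContinue
    }
}

Write-Host "TLS 1.3 client before: $(Get-Tls13ClientState)"
Disable-Tls13Client
Write-Host "TLS 1.3 client after:  $(Get-Tls13ClientState)"
Write-Host 'Reboot the server, then retry provisioning from the Entra ID Connect console.'
```

The Client subkey governs every Schannel client connection made from that server, not just the Entra ID Connect agent, so record the change and use Restore-Tls13Client once the agent works with TLS 1.3.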

Conclusion

I was very impressed with the Entra ID Connect team reaching out to me to resolve the issue. The teamwork was incredibly impressive and responsive, with around 5-7 people from around the world talking with mandolinsara and me at a time. The issue was resolved within a week, and after thorough testing, I have not had any issues syncing my directory since. I have removed the warning from my documentation and included the above TLS 1.3 configuration steps in its place.

In the future, I would like the team to focus on making the registry hack unnecessary and working properly with TLS 1.3, or on making this customization a mandatory setup instruction. I find it extremely odd that using default-enabled, strong crypto breaks the product and requires direct Microsoft employee-level support.

sysadminafterdark

Just another bastard operator from hell empowering others to deliver self-hosted solutions one night at a time. Sysadmin by day, homelab by night.