Errors & Solutions (Azure AD synctool)
Table of Contents
- Introduction
- API Endpoint or resource ID was not found
- Server refused to authenticate client, check if API is enabled and authentication token is correct
- FirstName and LastName are required
- The remote server returned an error: (400) Bad Request
- System.TimeoutException: Failed to make the request within '00:01:40'
- Synctool old version, new application
- API server failed with internal error
- Invalid URI: The hostname could not be parsed
- Test connection failed! Please check AAD configuration settings!
- Error getting photo for user
- DeltaLink older than 30 days is not supported
Introduction
While installing or running the synctool, you may run into some problems. This article lists some error messages and their solutions. The synctool general/error logs can be found in the same location where the synctool is running.
API Endpoint or resource ID was not found
018-08-16 16:42:00.689 ActiveDirectoryToWorkspaceSyncTool.ActiveDirectory.NotificationService - Error during W365 notification
ActiveDirectoryToWorkspaceSyncTool.ActiveDirectory.NotificationService.A(:0) (null)
NDAW.AdSyncApi.Client.Exceptions.NotFoundException: API Endpoint or resource id was not found
Explanation: some of the information that was entered is invalid.
Solution: please check the following:
- The Workspace site URL
- API Token
- Environment name
Server refused to authenticate client, check if API is enabled and authentication token is correct
NotificationService - Error during W365 notification
NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(:0) (null)
NDAW.AdSyncApi.Client.Exceptions.AuthenticationException: Server refused to authenticate client, check if API is enabled and authentication token is correct
Explanation: there is no connection between the synctool and Workspace.
Solution: please check the following:
- The Workspace site URL:
  - Just the site name, without anything after the "/".
    Example: "https://portal.workspace365.net".
- API Token & Enable sync from Active Directory:
  - Make sure the right API authentication token is set and Enable sync from Active Directory is turned on under the Active Directory settings in Workspace.
- Environment name:
  - The environment name has to be set. It is the part of the URL after the "/".
    Example: "https://portal.workspace365.net/john"
FirstName and LastName are required
NDAW.AdSyncApi.Client.Exceptions.ServerValidationException: Server
validation failed: FirstName:This field is required, LastName:This field is requiredTh
Explanation: first and last names are prerequisites to sync users.
Solution: make sure all users have a first and last name assigned to them in Azure AD.
The remote server returned an error: (400) Bad Request
ActiveDirectoryToWorkspaceSyncTool.AzureAD.Exceptions.AzureAdParsedDataServiceException - Exception parsing failed
ActiveDirectoryToWorkspaceSyncTool.AzureAD.Exceptions.AzureAdParsedDataServiceException.Parse(:0) (null)
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadData(Uri address)
at ActiveDirectoryToWorkspaceSyncTool.AzureAD.GraphQuery.AzureAdGraphQuery.A()
2020-06-10 09:53:08.562 AzureAdParsedDataServiceException - Exception parsing failed
NDAW.AzureActiveDirectorySync.AzureAD.Exceptions.AzureAdParsedDataServiceException.Parse(:0) (null)
System.Net.WebException: The remote server returned an error: (400) Bad Request.
Explanation: this happens when the Azure AD token that is stored in the sync database no longer works, probably because the sync token has expired or because you copied the sync folder from customer A (already configured) to customer B.
Solution:
- Always start with a clean configuration for each customer. On the synctool VM/client, keep a blank synctool configuration from which you can start the configuration for each customer.
- You can try to clear the cache (if it's a new configuration).
- Delete the database from the database folder.
System.TimeoutException: Failed to make the request within '00:01:40'
2020-07-03 07:00:10.020 NotificationService - Error during W365 notification
NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(:0) (null)
System.TimeoutException: Failed to make the request within '00:01:40'.
at NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.<MakeRequestWithTimeoutAsync>d__20`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.MakeRequestWithTimeout[TResult](Func`2 request)
at NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.GetUserProfilePhoto(String userId)
at NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.ProcessProfilePicture(String activeDirectoryUserId, String email)
at NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(String userPrincipalName, CreateOrUpdateUserParameters createOrUpdateUserParameters)
Explanation: since Azure AD synctool version 3.0, we use the Microsoft Graph instead of the Azure AD Graph. This error occurs when you updated the synctool application but did not update the permissions on the Azure AD App registration.
Solution: update the synctool accordingly. Please read this article once more.
Synctool old version, new application
Explanation: if you have an old version of the synctool (a version below 3.0) combined with the new way of creating the applications, the synctool won't work.
Solution: you need to update the synctool to the newest version. To check the synctool version:
- Open the synctool files
- Right-click on the Configuration tool
- Click on Properties
- Click on Details
- File Version ...
API server failed with internal error
Explanation: this happens when "Your workspace site url" contains illegal characters, such as spaces.
Solution: please make sure to remove these illegal characters. The workspace site URL is the root URL of the workspace (environment name excluded).
2020-08-27 11:47:42.886 NotificationService - Error during W365 notification
NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(:0) (null)
NDAW.AdSyncApi.Client.Exceptions.ServerException: API server failed with internal error
at NDAW.AdSyncApi.Client.Implementation.ActiveDirectorySyncApiClient.HandleErrors(HttpResponseMessage response)
at NDAW.AdSyncApi.Client.Implementation.ActiveDirectorySyncApiClient.CreateOrUpdateUser(CreateOrUpdateUserParameters parameters)
at NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(String userPrincipalName, CreateOrUpdateUserParameters createOrUpdateUserParameters)
Invalid URI: The hostname could not be parsed
2022-02-16 08:50:31.472 AzureAdToWorkspaceSyncTool - Invalid URI: The hostname could not be parsed.
NDAW.AzureActiveDirectorySync.AzureAD.AzureAdToWorkspaceSyncTool+<StartDifferentialSyncAsync>d__15.MoveNext(:0) (null)
System.UriFormatException: Invalid URI: The hostname could not be parsed.
Explanation: this happens when "Your workspace site url" contains illegal characters, such as spaces.
Solution: remove the spaces (use plain text only).
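The URL rules from this section and from the "Server refused to authenticate client" section can be checked before the values are typed into the configuration tool. The following PowerShell function is an added example, not part of the synctool; the function name, the output property names and the https requirement are assumptions made for illustration.

```powershell
# Added example: split a full Workspace address into the two values the
# configuration asks for and reject input that produces the errors above.
# Function and property names are hypothetical.
function Split-WorkspaceUrl {
    param(
        [Parameter(Mandatory)]
        [string]$FullUrl
    )

    # Spaces (leading, trailing or embedded) are the illegal characters the
    # article names; report them instead of silently trimming.
    if ($FullUrl -match '\s') {
        throw "URL contains whitespace: '$FullUrl'"
    }

    # System.Uri is the .NET type that raises the System.UriFormatException
    # shown in the log, so parse with it here as well.
    $uri = $null
    if (-not [System.Uri]::TryCreate($FullUrl, [System.UriKind]::Absolute, [ref]$uri)) {
        throw "Not a valid absolute URL: '$FullUrl'"
    }

    # Assumption: the article's examples use https, and the API token is sent
    # to this address, so plain http is rejected.
    if ($uri.Scheme -ne 'https') {
        throw "Expected an https:// URL, got scheme '$($uri.Scheme)'"
    }
    if ($uri.Query -or $uri.Fragment) {
        throw "Remove the query string or fragment from '$FullUrl'"
    }

    # Everything after the host must be exactly one segment: the environment name.
    $segments = @($uri.AbsolutePath -split '/' | Where-Object { $_ })
    if ($segments.Count -ne 1) {
        throw "Expected one path segment (the environment name), found $($segments.Count)"
    }

    [pscustomobject]@{
        WorkspaceSiteUrl = $uri.GetLeftPart([System.UriPartial]::Authority)
        EnvironmentName  = $segments[0]
    }
}

# Sample input taken from the article's own example URL.
Split-WorkspaceUrl 'https://portal.workspace365.net/john'
```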
Test connection failed! Please check AAD configuration settings!
Explanation: the information that was entered is invalid.
Solution: make sure the app registration information (tenant ID, object ID, etc.) is filled in correctly. If the same error remains, please delete and re-create the client app registration, explained in step 1.
Error getting photo for user
2021-02-16 14:35:26.465 AzureAdDataService - Error getting photo for user ... in AzureAD
NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.GetUserProfilePhoto(:0) (null)
Status Code: Forbidden
Microsoft.Graph.ServiceException: Code: ErrorAccessDenied
Message: Access is denied. Check credentials and try again.
Bear in mind that there are some photo restrictions: https://docs.microsoft.com/en-us/graph/known-issues.
Solution:
- Make sure you run the latest version of our synctool.
- Make sure the correct API permissions are set for the Microsoft Graph in Azure AD.
- Make sure the correct values are present in AAD for the user using the Graph Explorer from Microsoft: https://developer.microsoft.com/en-us/graph/graph-explorer.
If the photo is not present, try uploading another photo in the Microsoft profile.
If the photo is present, check the sync tool error logs for more information.
DeltaLink older than 30 days is not supported
Solution:
- Make sure you run the latest version of our synctool.
- Reinstall the synctool Windows service.
- As a last resort, clear the cache and restart the service.