
Troubleshooting the synctool


 

Overview

While installing or running the synctool, you may run into problems. Always check the synctool error and general logs first. The error and general log folders are in the same location the tool runs from. This article lists common error messages and their fixes. We recommend going through the configuration & troubleshooting wizard first.

 

Configuration & troubleshooting wizard


Requirements

  • Microsoft Online Services Sign-In Assistant: https://www.microsoft.com/en-us/download/details.aspx?id=28177
  • Install PowerShell 5.0
  • Install the modules in PowerShell 5.0:
    "install-module Azure"
    "install-module AzureRm"
  • An active Azure subscription is required.

 

Errors & solutions

API Endpoint or resource ID was not found

018-08-16 16:42:00.689 ActiveDirectoryToWorkspaceSyncTool.ActiveDirectory.NotificationService - Error during W365 notification
 ActiveDirectoryToWorkspaceSyncTool.ActiveDirectory.NotificationService.A(:0) (null)
 NDAW.AdSyncApi.Client.Exceptions.NotFoundException: API Endpoint or resource id was not found

This error means that some of the information that was entered is invalid.
This issue could be solved by checking the following:


 

Server refused to authenticate client, check if API is enabled and authentication token is correct

 NotificationService - Error during W365 notification
NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(:0) (null)
NDAW.AdSyncApi.Client.Exceptions.AuthenticationException: Server refused to authenticate client, check if API is enabled and authentication token is correct

This error means that there is no connection between the synctool and the Workspace.
This issue can be solved by checking the following:


The Workspace site URL

Use only the site name, with nothing after the "/". Example: "https://portal.workspace365.net"


API Token

Make sure the right API authentication token is set and "Enable sync from Active Directory" is turned on.

Environment name

The environment name has to be set; it is the part of the address after the "/".
Example: portal.workspace365.net/"john"


 

FirstName and LastName are required

NDAW.AdSyncApi.Client.Exceptions.ServerValidationException: Server
validation failed: FirstName:This field is required, LastName:This field is requiredTh

This error means that the Workspace synctool is trying to synchronize a user who has no first and last name assigned in Azure. Fix this by making sure all users have a first and last name assigned to them.


 

The remote server returned an error: (400) Bad Request

ActiveDirectoryToWorkspaceSyncTool.AzureAD.Exceptions.AzureAdParsedDataServiceException - Exception parsing failed
ActiveDirectoryToWorkspaceSyncTool.AzureAD.Exceptions.AzureAdParsedDataServiceException.Parse(:0) (null)
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.WebClient.DownloadDataInternal(Uri address, WebRequest& request)
at System.Net.WebClient.DownloadData(Uri address)
at ActiveDirectoryToWorkspaceSyncTool.AzureAD.GraphQuery.AzureAdGraphQuery.A()
2020-06-10 09:53:08.562 AzureAdParsedDataServiceException - Exception parsing failed 
 NDAW.AzureActiveDirectorySync.AzureAD.Exceptions.AzureAdParsedDataServiceException.Parse(:0) (null)
 System.Net.WebException: The remote server returned an error: (400) Bad Request.

This happens when the Azure AD token that is stored in the sync database is not working (anymore), probably because the sync token has expired or because you copied the sync folder from customer A (already configured) to customer B.

  • Always start a clean configuration for each customer.
    • On the sync tool VM/client, keep a blank sync tool configuration from which you can start the configuration for each customer.

Resolution:

  • You can try to clear the cache (if it's a new configuration).
  • Delete the database from the database folder.


 

System.TimeoutException: Failed to make the request within '00:01:40'

 2020-07-03 07:00:10.020 NotificationService - Error during W365 notification 
NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(:0) (null)
System.TimeoutException: Failed to make the request within '00:01:40'.
at NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.<MakeRequestWithTimeoutAsync>d__20`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.MakeRequestWithTimeout[TResult](Func`2 request)
at NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.GetUserProfilePhoto(String userId)
at NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.ProcessProfilePicture(String activeDirectoryUserId, String email)
at NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(String userPrincipalName, CreateOrUpdateUserParameters createOrUpdateUserParameters)

Since version 3.0, the Azure AD synctool uses Microsoft Graph instead of Azure AD Graph. This error occurs when you updated the synctool application but didn't update the permissions on the Azure AD App registration. Please read this article once more.


 

Synctool old version, new application

Do you have an old version of the synctool (below 3.0) combined with the new way of creating the applications? Then the synctool won't work. You need to update the synctool to version 3.0.

To check the synctool version:

  • Open the synctool files
  • Right click on the Configuration tool
  • Click on Properties
  • Click on Details
  • File Version ...

 


If the File Version is lower than 3.0, click on the following link: Updating The sync tool

Follow the steps of the article.



API server failed with internal error

This happens when "Your workspace site url" contains illegal characters, e.g. spaces. Please make sure to remove these illegal characters. The Workspace site URL is the root URL of the Workspace, so the environment name is excluded.

2020-08-27 11:47:42.886 NotificationService - Error during W365 notification 
NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(:0) (null)
NDAW.AdSyncApi.Client.Exceptions.ServerException: API server failed with internal error
at NDAW.AdSyncApi.Client.Implementation.ActiveDirectorySyncApiClient.HandleErrors(HttpResponseMessage response)
at NDAW.AdSyncApi.Client.Implementation.ActiveDirectorySyncApiClient.CreateOrUpdateUser(CreateOrUpdateUserParameters parameters)
at NDAW.AzureActiveDirectorySync.ActiveDirectory.NotificationService.CreateOrUpdateUserNotification(String userPrincipalName, CreateOrUpdateUserParameters createOrUpdateUserParameters)
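
The site URL and environment name rules from this section and from the "Server refused to authenticate client" section can be checked before the values are entered. The following is an added example, not part of the synctool or the original article; the function name Split-WorkspaceAddress is hypothetical, and the https check is an assumption based on the article's example URL.

```powershell
# Added example; Split-WorkspaceAddress is a hypothetical helper, not a synctool command.
function Split-WorkspaceAddress {
    param([Parameter(Mandatory)][string]$Address)

    $result = [ordered]@{ SiteUrl = $null; EnvironmentName = $null; Problems = @() }

    # Spaces are the illegal characters the article names for the site URL.
    if ($Address -match '\s') {
        $result.Problems += 'Address contains whitespace; it was removed before parsing.'
        $Address = $Address -replace '\s', ''
    }

    $uri = $null
    if (-not [Uri]::TryCreate($Address, [UriKind]::Absolute, [ref]$uri)) {
        $result.Problems += 'Not an absolute URL; expected the form https://host/environment.'
        return [pscustomobject]$result
    }
    # Assumption: https is expected, as in the article's example URL.
    if ($uri.Scheme -ne 'https') {
        $result.Problems += "Scheme is '$($uri.Scheme)', expected https."
    }
    if ($uri.Query -or $uri.Fragment) {
        $result.Problems += 'Query string or fragment found; neither belongs in the settings.'
    }

    # Site URL field: scheme and host only, nothing behind the "/".
    $result.SiteUrl = '{0}://{1}' -f $uri.Scheme, $uri.Authority

    # Environment name field: the first path segment after the "/".
    $segments = @($uri.AbsolutePath -split '/' | Where-Object { $_ })
    if ($segments.Count -ge 1) {
        $result.EnvironmentName = $segments[0]
    } else {
        $result.Problems += 'No environment name found after the "/".'
    }
    if ($segments.Count -gt 1) {
        $result.Problems += 'Extra path segments after the environment name were ignored.'
    }

    [pscustomobject]$result
}

# Constructed inputs modelled on the article's examples.
'https://portal.workspace365.net/john',
'https://portal.workspace365.net /john ',
'portal.workspace365.net/john' |
    ForEach-Object { Split-WorkspaceAddress -Address $_ } |
    Format-List
```

An empty Problems list means SiteUrl and EnvironmentName can be entered as shown in their respective fields.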



Test connection failed! Please check AAD configuration settings!


Make sure the app registration information (tenant ID, object ID, etc.) is filled in correctly. If the same error remains, please delete and re-create the client app registration, explained in "Step 2. Create client application in Azure for the AD synctool". 


Error getting photo for user

  • Make sure you run the latest version of our synctool.
  • Make sure the correct API permissions are set for the Microsoft Graph in Azure AD. 
  • Make sure the correct values are present in AAD for the user using the Graph Explorer from Microsoft: https://developer.microsoft.com/en-us/graph/graph-explorer
    If the photo is not present, try uploading another photo in the Microsoft profile.
    If the photo is present, check the sync tool error logs for more information.
  • Bear in mind, there are some photo restrictions: https://docs.microsoft.com/en-us/graph/known-issues.

2021-02-16 14:35:26.465 AzureAdDataService - Error getting photo for user ... in AzureAD
NDAW.AzureActiveDirectorySync.AzureAD.AzureAdDataService.GetUserProfilePhoto(:0) (null)
Status Code: Forbidden
Microsoft.Graph.ServiceException: Code: ErrorAccessDenied
Message: Access is denied. Check credentials and try again.


DeltaLink older than 30 days is not supported

  • Make sure you run the latest version of our synctool.
  • Reinstall the service of the synctool.
  • Clear the cache as a last resort and restart the service.


 

Discrepancy between users and groups in AAD and the Workspace

Always check the error log files to figure out why there is a discrepancy in the first place. 
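
To speed up that log review, the error texts covered in this article can be matched against the log automatically. The following is an added example, not part of the synctool or the original article; the function name Get-SyncToolLogHint is hypothetical, and the sample log is constructed from lines quoted above.

```powershell
# Added example; Get-SyncToolLogHint is a hypothetical helper, not a synctool command.
# Keys are error texts quoted in this article; values summarise the article's checks.
$signatures = [ordered]@{
    'API Endpoint or resource id was not found' = 'Some configured information is invalid.'
    'Server refused to authenticate client'     = 'Check site URL, API token, "Enable sync from Active Directory" and environment name.'
    'Server validation failed: FirstName'       = 'Give every synchronized user a first and last name in Azure.'
    '(400) Bad Request'                         = 'Stored Azure AD token no longer works: clear the cache or delete the database.'
    'Failed to make the request within'         = 'Update the permissions on the Azure AD app registration (Microsoft Graph).'
    'API server failed with internal error'     = 'Remove illegal characters such as spaces from the Workspace site URL.'
    'Error getting photo for user'              = 'Check the Microsoft Graph API permissions and the user photo in AAD.'
    'DeltaLink older than 30 days'              = 'Update the synctool, reinstall the service, clear the cache as last resort.'
}

function Get-SyncToolLogHint {
    param([Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line)
    begin { $stamp = $null }
    process {
        # A new entry starts with a timestamp; the exception lines under it inherit it.
        if ($Line -match '^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})') { $stamp = $Matches[1] }
        foreach ($text in $signatures.Keys) {
            if ($Line.IndexOf($text, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                [pscustomobject]@{ Time = $stamp; Error = $text; Check = $signatures[$text] }
                break
            }
        }
    }
}

# Constructed sample built from log lines quoted in this article.
$sampleLog = @'
2020-06-10 09:53:08.562 AzureAdParsedDataServiceException - Exception parsing failed
System.Net.WebException: The remote server returned an error: (400) Bad Request.
2020-07-03 07:00:10.020 NotificationService - Error during W365 notification
System.TimeoutException: Failed to make the request within '00:01:40'.
2020-08-27 11:47:42.886 NotificationService - Error during W365 notification
NDAW.AdSyncApi.Client.Exceptions.ServerException: API server failed with internal error
'@ -split "`r?`n"

# For a real log, pipe Get-Content <path-to-error-log> into the function instead.
$sampleLog | Get-SyncToolLogHint | Sort-Object Time, Error -Unique | Format-List
```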

Problem importing or editing users and groups

Bear in mind that you will have to temporarily stop the sync from the Active Directory settings in the Workspace first by unchecking the box "Enable sync from Active Directory", before you are able to edit users (e.g. restore or permanently delete).
