FIX: We can’t connect to your on-premises writeback client

Users are unable to reset their password even though password writeback is turned on in Azure AD Connect. In this post I will explain how to fix it.

Cause

When you start troubleshooting because users are no longer able to reset their password, you will see that the on-premises integration page in Azure AD says ‘We can’t connect to your on-premises writeback client right now’, while password writeback is turned on in the on-premises AD Connect tool.

This can be a hiccup, which is easily fixed by turning password writeback off and on again, or it may be caused by TLS 1.2 not being enabled on the AD Connect server.

Solution 1:

This one is simple: turn off password writeback in Azure AD Connect and run a full sync:

Start-ADSyncSyncCycle -PolicyType Initial

Turn on password writeback and run a full sync again:

Start-ADSyncSyncCycle -PolicyType Initial

Go back to the on-premises integration in Azure AD and you should see ‘Your on-premises writeback client is up and running’!
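The two full sync cycles above fail if the scheduler is already running a cycle (Start-ADSyncSyncCycle refuses to start while one is in progress). The following helper, an added example and not part of the original post, waits for any running cycle, starts the Initial cycle, and then waits for it to complete so you know the writeback toggle has been synced before you go back to the Azure portal. The function name Start-FullSyncAndWait is my own; Get-ADSyncScheduler and Start-ADSyncSyncCycle are the real cmdlets from the ADSync module on the AD Connect server.

```powershell
# Added example: run the full (Initial) sync cycle safely on the AD Connect server.
# Assumes it runs in an elevated PowerShell session on the server, where the ADSync module is installed.
Import-Module ADSync

function Start-FullSyncAndWait {
    param(
        # Give up waiting after this many seconds; a large tenant can take longer on an Initial cycle
        [int]$TimeoutSeconds = 600
    )

    # Wait for a cycle that is already running; starting a second one would error out
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Host 'A sync cycle is already running, waiting 10 seconds...'
        Start-Sleep -Seconds 10
    }

    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    Write-Host 'Full (Initial) sync cycle started.'

    # Give the scheduler a moment to flip the in-progress flag before polling it
    Start-Sleep -Seconds 5
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            Write-Warning "Sync cycle still running after $TimeoutSeconds seconds; check Synchronization Service Manager."
            return $false
        }
        Start-Sleep -Seconds 10
    }

    Write-Host 'Sync cycle finished.'
    return $true
}

# Usage: toggle password writeback in the Azure AD Connect wizard, then run a full cycle and wait for it
Start-FullSyncAndWait
```

Run it once after turning writeback off and once after turning it back on; only then check the on-premises integration page in Azure AD.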

Solution 2:

Facing the error ‘Unable to configure password writeback’ when you try to enable password writeback in solution 1? This happens because AD Connect version 1.2.65.0 and later fully support using only TLS 1.2 for communication with Azure. So we need to enable TLS 1.2 in the SCHANNEL registry keys and turn on strong cryptography (SchUseStrongCrypto) in the .NET registry keys.

To enable TLS 1.2 in the SCHANNEL registry keys, start PowerShell as an administrator and run:

# Each protocol key needs Enabled=1 and DisabledByDefault=0 before Windows will offer TLS 1.2
# Server side: inbound connections to this machine
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null
# Client side: outbound connections, which is what AD Connect uses to talk to Azure
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force | Out-Null

To enable TLS 1.2 for .NET Framework applications, set SchUseStrongCrypto in both the 64-bit and the 32-bit (Wow6432Node) registry views:

# 32-bit .NET applications on 64-bit Windows (Wow6432Node view)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord
# 64-bit .NET applications
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -Type DWord

Restart the AD Connect server and enable password writeback again; this time it will be enabled without any error.
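Before touching the registry it is worth recording the current state, and after the restart it is worth confirming that every value actually landed (a typo in one of the long paths above silently leaves that value unset). The read-only audit below is an added example, not part of the original post; the function name Test-Tls12Configuration is my own, and it checks exactly the six registry values the fix sets. It is also useful after a rollback, to confirm the values are gone again.

```powershell
# Added example: audit the SCHANNEL TLS 1.2 keys and the .NET SchUseStrongCrypto values.
# Read-only: it never writes to the registry. Assumes an elevated session on the AD Connect server.
function Test-Tls12Configuration {
    $schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    $checks = @(
        @{ Path = "$schannel\Server"; Name = 'Enabled';           Expected = 1 }
        @{ Path = "$schannel\Server"; Name = 'DisabledByDefault'; Expected = 0 }
        @{ Path = "$schannel\Client"; Name = 'Enabled';           Expected = 1 }
        @{ Path = "$schannel\Client"; Name = 'DisabledByDefault'; Expected = 0 }
        # 64-bit .NET view and 32-bit (Wow6432Node) view
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';             Name = 'SchUseStrongCrypto'; Expected = 1 }
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'; Name = 'SchUseStrongCrypto'; Expected = 1 }
    )

    foreach ($check in $checks) {
        $actual = $null
        if (Test-Path -Path $check.Path) {
            # SilentlyContinue: a missing value name is reported as "not set" rather than as an error
            $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($check.Name) }
        }

        if ($null -eq $actual) {
            $ok = $false
        } elseif ($check.Name -eq 'Enabled') {
            # Windows treats any non-zero Enabled as on (Microsoft's docs also use 0xffffffff)
            $ok = ($actual -ne 0)
        } else {
            $ok = ($actual -eq $check.Expected)
        }

        [pscustomobject]@{
            Path     = $check.Path
            Name     = $check.Name
            Expected = $check.Expected
            Actual   = if ($null -eq $actual) { '(not set)' } else { $actual }
            Ok       = $ok
        }
    }
}

# Usage: print the audit table and summarise whether the server is ready for TLS 1.2-only traffic
$results = Test-Tls12Configuration
$results | Format-Table -AutoSize
if ($results.Ok -contains $false) {
    Write-Warning 'TLS 1.2 is not fully configured; apply the SCHANNEL and .NET registry changes above and reboot.'
} else {
    Write-Host 'TLS 1.2 is enabled in SCHANNEL and strong cryptography is on for .NET.'
}
```

Keep the "before" output with your change record; it is the quickest way to prove what the rollback below should restore.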

If you face issues with the above fix, you can easily roll back by running:

# Remove the TLS 1.2 SCHANNEL keys (Server and Client) created above
Remove-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\' -Recurse

# Turn strong cryptography back off for .NET applications
# 32-bit .NET applications on 64-bit Windows (Wow6432Node view)
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 0 -Type DWord
# 64-bit .NET applications
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 0 -Type DWord

If you are interested in disabling old TLS protocols in your environment, check my GitHub page for scripts that enforce TLS 1.2 and disable older TLS/SSL versions and weak ciphers.

Always check and test these kinds of changes in small batches.
