CYBERDOM

Just another day of IR, Threat-Hunting & Microsoft Security

SSL Encryption and AAD Connect

by · April 11, 2016

Azure Active Directory powers Microsoft Online Services, from Office 365 to Azure services, in identity.

Microsoft offers hybrid identity options to organizations running on-premises Windows Server Active Directory to stretch their identity layer to the cloud.

Azure AD Connect generally became available on June 24, 2015. Azure AD Sync generally became available in September 2014.

I’ve been designing, implementing, and managing Azure AD Connect and Azure AD Sync for several organizations since this time. It has become one of my favorite tools.

Recently I started another migration with a Hybrid scenario-based and the requirements to sync all users to Azure AD. The environment includes:

  • Active Directory-based Windows Server 2008 R2
  • Exchange 2013
  • SSL Encryption device (that encrypt all SSL traffic)

Like any other Exchange Hybrid project, I started with the Active Directory extended to the Azure Active Directory with the AAD Connect.

Once I finished the AAD Connect installation and started with the AAD Connect configuration wizard between local Active Directory and Azure Active Directory, I came across a few issues, and the AAD configuration fails with the following errors:

The remote server returned an unexpected response: (502) Proxy Error ( The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request).

clip_image002

clip_image004

Then I started to check the issues with the following tools such:

  • Fiddler – to check the flow when the configuration wizard running and make sure which URL’s I’m receiving
  • PortQry – to check if all port has opened and how connections are established
  • Event Viewer – enable capi2 log and receive some errors about the certificate.
  • Office 365 URLs and IP address ranges – check Office 365 authentication and identity ports and access the websites.

When browsing to the login.microsoftonline.com or another URL that belongs to the identity URLs, I received an error and didn’t receive the correct path as need.

image

image

After investigating, I found a few findings:

  • The SSL encryption device encrypts all session between AAD Connect and the Office 365
  • The URL’s has received the certificate from the encryption device.
  • In the encryption device, I received errors with denied connections and certificate errors. (I didn’t have any chances to get log or screenshots from the encryption device).
Post Contents Show

The Solution

After instructing the network team to bypass the tunneling between AAD Connect to the Ofice 365 URL’s, the connections started to work, and the configuration wizard was done. All objects have synced to the Azure AD.

Once I was browsing the Office 365 URLs from the AAD Connect server, I received the correct certificate path as need.

image

SSL Encryption and AAD Connect

by · April 11, 2016

Azure Active Directory powers Microsoft Online Services, from Office 365 to Azure services, in identity.
Microsoft offers hybrid identity options to organizations running on-premises Windows Server Active Directory to stretch their identity layer to the cloud.
Azure AD Connect generally became available on June 24, 2015. Azure AD Sync generally became available in September 2014.
I’ve been designing, implementing, and managing Azure AD Connect and Azure AD Sync for several organizations since this time. It has become one of my favorite tools.
Recently I started another migration with a Hybrid scenario-based and the requirements to sync all users to Azure AD. The environment includes:

  • Active Directory-based Windows Server 2008 R2
  • Exchange 2013
  • SSL Encryption device (that encrypt all SSL traffic)

Like any other Exchange Hybrid project, I started with the Active Directory extended to the Azure Active Directory with the AAD Connect.
Once I finished the AAD Connect installation and started with the AAD Connect configuration wizard between local Active Directory and Azure Active Directory, I came across a few issues, and the AAD configuration fails with the following errors:

The remote server returned an unexpected response: (502) Proxy Error ( The Web site requires a client certificate, but a client certificate cannot be supplied when HTTPS inspection is applied to the request).

clip_image002
clip_image004
Then I started to check the issues with the following tools such:

  • Fiddler – to check the flow when the configuration wizard running and make sure which URL’s I’m receiving
  • PortQry – to check if all port has opened and how connections are established
  • Event Viewer – enable capi2 log and receive some errors about the certificate.
  • Office 365 URLs and IP address ranges – check Office 365 authentication and identity ports and access the websites.

When browsing to the login.microsoftonline.com or another URL that belongs to the identity URLs, I received an error and didn’t receive the correct path as need.
image
image
After investigating, I found a few findings:

  • The SSL encryption device encrypts all session between AAD Connect and the Office 365
  • The URL’s has received the certificate from the encryption device.
  • In the encryption device, I received errors with denied connections and certificate errors. (I didn’t have any chances to get log or screenshots from the encryption device).

The Solution

After instructing the network team to bypass the tunneling between AAD Connect to the Ofice 365 URL’s, the connections started to work, and the configuration wizard was done. All objects have synced to the Azure AD.
Once I was browsing the Office 365 URLs from the AAD Connect server, I received the correct certificate path as need.
image

Tags:

You may also like...

Leave a Reply

error: Content is Protected !!
%d bloggers like this: