After SSO is set up, Azure AD Connect reports an error for the userPrincipalName of the SSO user created by the SMA, stating that it contains an invalid character.
The object failed to be synchronized because the attribute did not meet the validation requirements (format, character set etc.) of Azure AD.
This is caused by a forward slash in the userPrincipalName of the [hostname]-HTTP user that the SMA creates during the SSO domain join.
NOTE: If SSO has already been configured for Azure AD, the workaround below can still be used. Alternatively, the domain can be un-joined and re-joined using the "Enable Azure AD Connect Support" checkbox.
To resolve the error and allow the user object to properly sync with Azure AD Connect, the userPrincipalName for the [hostname]-HTTP user object in AD for the SMA can be adjusted manually in Active Directory. KACE suggests changing the forward slash ( / ) to a hyphen ( - ).
Example:
UPN with error: HTTP/kbox.domain.com@kbox.domain.com
UPN fixed: HTTP-kbox.domain.com@kbox.domain.com
This issue will be permanently resolved during domain join in a future release of the product.
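The manual fix above, scripted as an added example (not KACE's own tooling): it locates the SMA SSO account whose UPN still carries a forward slash, previews the hyphenated UPN, checks the new prefix against the character set Azure AD accepts (an assumption in this example), and only writes the change when -Apply is given. The hostname kbox.domain.com is taken from the article's example; the -Apply switch and the Get-FixedUpn helper are this example's own.

```powershell
# Added example (not from the KB article): rewrite the '/' in the SMA SSO
# user's userPrincipalName to '-' as the article recommends.
# Requires the ActiveDirectory module (RSAT). Preview only unless -Apply is given.
param(
    [string]$SmaHostname = 'kbox.domain.com',   # hostname from the article's example; adjust
    [switch]$Apply
)
Import-Module ActiveDirectory

# Characters Azure AD accepts in a UPN prefix (assumption: letters, digits and ' . - _ ! # ^ ~)
$validPrefix = "^[A-Za-z0-9'\.\-_!#^~]+$"

function Get-FixedUpn {
    param([string]$Upn)
    # Split at the last '@' so only the prefix is rewritten; the suffix stays intact.
    $at = $Upn.LastIndexOf('@')
    if ($at -lt 0) { throw "UPN '$Upn' has no @ suffix" }
    $prefix = $Upn.Substring(0, $at)
    $suffix = $Upn.Substring($at)
    return ($prefix -replace '/', '-') + $suffix
}

# The SSO account is named [hostname]-HTTP; its broken UPN starts with HTTP/<hostname>
$users = Get-ADUser -Filter "UserPrincipalName -like 'HTTP/*'" -Properties UserPrincipalName |
    Where-Object { $_.UserPrincipalName -like "HTTP/$SmaHostname@*" }

if (-not $users) { Write-Host "No SMA SSO user with a '/' in its UPN was found."; return }

foreach ($u in $users) {
    $newUpn    = Get-FixedUpn $u.UserPrincipalName
    $newPrefix = $newUpn.Substring(0, $newUpn.LastIndexOf('@'))
    if ($newPrefix -notmatch $validPrefix) {
        Write-Warning "Proposed UPN '$newUpn' still contains characters Azure AD rejects; skipping $($u.SamAccountName)"
        continue
    }
    Write-Host "$($u.SamAccountName): $($u.UserPrincipalName) -> $newUpn"
    if ($Apply) {
        # Only userPrincipalName is changed; no other attribute of the account is touched
        Set-ADUser -Identity $u -UserPrincipalName $newUpn
    }
}
```

Run it once without -Apply to confirm the single expected account and its proposed UPN, then rerun with -Apply and let the next Azure AD Connect sync cycle pick up the object.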