Troubleshooting Intermittent M365 Authentication Failures in Hybrid Entra ID Environment

JG 0 Reputation points
2025-07-18T19:31:00.41+00:00

Support Post - Question

Question:

We are troubleshooting persistent and intermittent authentication failures in our hybrid Microsoft Entra ID environment. Our users are receiving frequent reauthentication prompts, and we are seeing a high volume of Event ID 1098 and 1097 errors on our devices. We've done extensive analysis and are looking for guidance on our next steps.

Here is a summary of our findings:

Network Connectivity: We have ruled out a simple network block to core services. Test-NetConnection to login.microsoftonline.com and enterpriseregistration.windows.net shows successful TCP connectivity on port 443. nslookup also confirms correct DNS resolution for these endpoints.

Device Status: dsregcmd /status confirms the device is properly Hybrid Joined and has a valid Primary Refresh Token (PRT). However, the Ngc Prerequisite Check shows a WillNotProvision result.

On-Premises AD Account: We have also examined the AZUREADSSOACC service account. The pwdLastSet property shows the password has not been updated since October 2023.

Event Log Errors: The specific errors we are seeing are: AADSTS50196 (request loop), 0xCAA90014 (WS-Trust failure), 0xCAA90056 (PRT renewal failure), and a Microsoft service-to-service preauthorization error AADSTS65002.

Given these findings, we are trying to determine how the lack of password rollover for the AZUREADSSOACC account may be contributing to our authentication issues, especially with a valid PRT present. What are the next steps for resolving these issues, including the AADSTS65002 error?

Microsoft 365 and Office | Other
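To make the checks described in the question repeatable across devices, here is an added diagnostic script; it is not code from the original post. It assumes the RSAT ActiveDirectory module is available where the AD query runs, that the Seamless SSO computer account is named AZUREADSSOACC as stated above, and that the client exposes the Microsoft-Windows-AAD/Operational event log. It goes one step beyond the question by also testing the autologon.microsoftazuread-sso.com endpoint, which is the host Seamless SSO itself contacts, and by flagging the key as overdue against the 30-day interval the thread refers to.

```powershell
# Added diagnostic helper (not from the original post). Assumptions: RSAT ActiveDirectory
# module present for Get-ADComputer, account name AZUREADSSOACC as in the question, and
# the Microsoft-Windows-AAD/Operational log present on the affected client.

$MaxKeyAgeDays = 30    # rollover interval Microsoft recommends for the Seamless SSO key

function Get-SsoKeyStatus {
    # How long since the AZUREADSSOACC password (the Kerberos decryption key) changed?
    $acct = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet, ServicePrincipalNames
    $age  = (Get-Date) - $acct.PasswordLastSet
    [pscustomobject]@{
        Account         = $acct.SamAccountName
        PasswordLastSet = $acct.PasswordLastSet
        KeyAgeDays      = [int]$age.TotalDays
        RolloverOverdue = $age.TotalDays -gt $MaxKeyAgeDays
        # Seamless SSO registers this SPN on the account; its absence is a separate fault.
        HasAutologonSpn = [bool]($acct.ServicePrincipalNames -like 'HTTP/autologon.microsoftazuread-sso.com*')
    }
}

function Get-DsregFields {
    # Parse the 'Name : Value' lines of dsregcmd /status into a hashtable so PRT and
    # join state can be compared across devices instead of read by eye.
    $fields = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    $fields
}

function Get-AadClientErrors {
    param([int]$Days = 7)
    # Count the 1097/1098 events the question reports, over the last $Days days.
    $filter = @{ LogName = 'Microsoft-Windows-AAD/Operational'; Id = 1097, 1098; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

function Test-SsoEndpoints {
    # The two hosts from the question plus the Seamless SSO autologon host.
    foreach ($h in 'login.microsoftonline.com', 'enterpriseregistration.windows.net', 'autologon.microsoftazuread-sso.com') {
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $h; Resolved = [bool]$r.RemoteAddress; TcpOpen = $r.TcpTestSucceeded }
    }
}

# Run the AD check on the Entra Connect server or a domain controller, the rest on an affected client.
Get-SsoKeyStatus
$ds = Get-DsregFields
$ds.GetEnumerator() | Where-Object { $_.Key -match 'Prt|Joined|Ngc|WillNotProvision' } | Sort-Object Key
Get-AadClientErrors
Test-SsoEndpoints
```

A `RolloverOverdue` of `True` alongside `AzureAdPrt : YES` reproduces the state described in the question: the device still holds a PRT, but the on-premises Kerberos key the SSO account uses has aged well past the recommended interval.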

1 answer

  1. Alex_T 565 Reputation points Microsoft External Staff Moderator
    2025-07-19T15:45:52.59+00:00

    Hello JG,

    Thank you for reaching out here in the Microsoft Q&A.

    I understand that you are having trouble with persistent and intermittent authentication failures in your hybrid Microsoft Entra ID environment, and I can understand the inconvenience this has caused you.

    Based on your detailed findings, the core issue is almost certainly an outdated password for the AZUREADSSOACC computer account in your on-premises Active Directory. This account is critical for Seamless Single Sign-On (SSO). Microsoft strongly recommends that its Kerberos decryption key (password) be rolled over at least every 30 days. Since the password was last set in October 2023, it is no longer valid for decrypting authentication tickets, which explains the errors you are seeing.

    To resolve this, you must immediately perform a rollover of the Kerberos decryption key for the AZUREADSSOACC account.

    You will need to run these commands on your Microsoft Entra Connect server:

    1. Open PowerShell as an administrator.
    2. Import the Seamless SSO PowerShell module: Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
    3. Establish a new authentication context with Azure AD (you will be prompted for Hybrid Identity Administrator credentials): New-AzureADSSOAuthenticationContext
    4. Perform the Kerberos key rollover (you will be prompted for Domain Administrator credentials): Update-AzureADSSOForest

    After completing these steps, the authentication issues should be resolved. For future prevention, we recommend creating a Scheduled Task to run the Update-AzureADSSOForest command automatically every 30 days.

    Please feel free to post back if you need further assistance.

    Best Regards,

    Alex | Microsoft Q&A Support Specialist

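The four steps in the answer, plus the scheduled task it recommends, as an added example script; this is not a script from Alex_T or from Microsoft. It assumes the module path given in the answer, a placeholder on-premises gMSA `CONTOSO\gmsa-ssoroll$` granted the rights the answer names, and the `-OnPremCredentials` parameter of `Update-AzureADSSOForest` (recalled from the Seamless SSO module's documentation, not shown on this page; confirm it with `Get-Help Update-AzureADSSOForest -Full` before relying on it). It adds one thing the answer does not spell out: a check that `pwdLastSet` actually advanced, so a rollover that silently failed is not mistaken for a fix.

```powershell
# Added example (not the answer's own script). Assumptions: module path from the answer,
# placeholder gMSA CONTOSO\gmsa-ssoroll$ with Domain Admin rights for the forest update,
# and -OnPremCredentials on Update-AzureADSSOForest (assumed from memory; verify with Get-Help).

Import-Module 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'

function Invoke-SsoKeyRollover {
    param([pscredential]$OnPremCredential)   # Domain Administrator credential; omit to be prompted

    # Record the current pwdLastSet so the rollover can be proven to have taken effect.
    $before = (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet

    New-AzureADSSOAuthenticationContext       # step 3: prompts for Hybrid Identity Administrator
    if ($OnPremCredential) {
        Update-AzureADSSOForest -OnPremCredentials $OnPremCredential   # step 4, non-interactive
    } else {
        Update-AzureADSSOForest               # step 4: prompts for Domain Administrator
    }

    $after = (Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
    if ($after -le $before) {
        throw "AZUREADSSOACC pwdLastSet did not advance (still $before); the key was not rolled over."
    }
    Write-Output "Kerberos decryption key rolled over; pwdLastSet is now $after."
}

function Register-SsoRolloverTask {
    param(
        [string]$ScriptPath = 'C:\Scripts\Invoke-SsoKeyRollover.ps1',   # placeholder path
        [string]$RunAs      = 'CONTOSO\gmsa-ssoroll$'                   # placeholder gMSA
    )
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                     -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -DaysInterval 30 -At 2am   # every 30 days, as the answer advises
    # A gMSA uses LogonType Password but no password is stored in the task.
    $principal = New-ScheduledTaskPrincipal -UserId $RunAs -LogonType Password -RunLevel Highest
    Register-ScheduledTask -TaskName 'Seamless SSO Kerberos key rollover' `
        -Action $action -Trigger $trigger -Principal $principal -Force
}

Invoke-SsoKeyRollover          # one-off fix, run interactively on the Entra Connect server
Register-SsoRolloverTask       # recurring rollover; the script at $ScriptPath repeats the Import-Module and rollover call
```

The scheduled task only works unattended if the cloud authentication context can also be established without a prompt; `New-AzureADSSOAuthenticationContext` as written in the answer is interactive, so check the module's own parameters for supplying a credential before depending on the task, and confirm in Task Scheduler history that the first scheduled run advanced `pwdLastSet`.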
