We are trying to enable Seamless Single Sign-On (SSSO) while authentication is enabled with Password Hash Sync (PHS). But when we try to enable Seamless Single Sign-On using the AADConnect Configuration Wizard, the configuration fails with the error message: “An error occurred while locating computer account”.
Encountering the error message ‘An error occurred while locating computer account’ during Seamless Single Sign-On (SSSO) activation can result from many factors. Follow these steps to troubleshoot:
Make sure you activate the Seamless SSO feature in Azure AD Connect.
Verify that the corporate device has properly joined the Active Directory domain.
If the computer account is missing or deleted, use PowerShell cmdlets to recreate it.
Check for the presence of Kerberos tickets issued for the AZUREADSSOACC computer account.
Purge existing Kerberos tickets using the klist purge command from the device, then retry the process.
Verify that the device’s time synchronises with Active Directory and the domain controllers.
Confirm the presence and activation status of the AZUREADSSOACC computer account in each AD forest where Seamless SSO is needed.
If issues persist, consult the following resources for more in-depth troubleshooting guidance:
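The checks in the steps above, collected into one script. This is an added example and not part of the answer above; it assumes it is run in an elevated PowerShell session on the Azure AD Connect server, that the AzureADSSO module sits in the default install folder (adjust the path otherwise), and that the RSAT ActiveDirectory module is installed.

```powershell
# Added example, not from the original answer. Run elevated on the Azure AD Connect server.
# Assumption: default Azure AD Connect install path; change it if installed elsewhere.
Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADSSO.psd1"
Import-Module ActiveDirectory

# 1. Is Seamless SSO enabled at all, and for which AD forests?
#    New-AzureADSSOAuthenticationContext prompts for a Global Administrator sign-in.
New-AzureADSSOAuthenticationContext
$status = Get-AzureADSSOStatus | ConvertFrom-Json
$status | Format-List
"Forests/domains with Seamless SSO: $($status.Domains -join ', ')"

# 2. Does the AZUREADSSOACC computer account exist and is it enabled in every domain?
foreach ($domain in (Get-ADForest).Domains) {
    $acc = Get-ADComputer -Filter 'Name -eq "AZUREADSSOACC"' -Server $domain `
               -Properties Enabled, PasswordLastSet -ErrorAction SilentlyContinue
    if (-not $acc) {
        # Missing account: re-run the wizard (or Enable-AzureADSSOForest) for this forest.
        Write-Warning "$domain : AZUREADSSOACC not found"
        continue
    }
    "{0}: Enabled={1} PasswordLastSet={2} DN={3}" -f $domain, $acc.Enabled, $acc.PasswordLastSet, $acc.DistinguishedName
}

# 3. Kerberos tickets for the current logon session. After a successful SSO sign-in the
#    cache should contain a ticket for HTTP/autologon.microsoftazuread-sso.com.
klist
# Purge stale tickets before retrying the wizard (uncomment to run):
# klist purge

# 4. Clock skew: Kerberos rejects tickets if the client and DC differ by more than 5 minutes (default).
$dc = (Get-ADDomainController -Discover).HostName
w32tm /query /status
w32tm /stripchart /computer:$dc /samples:1 /dataonly
```

Step 2 uses the domain name as `-Server`, so the DC locator picks a writable domain controller in each domain; run it once per forest if Seamless SSO spans more than one forest.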
The error “An error occurred while locating computer account” is usually experienced when you enable SSSO with PHS while configuring Azure AD Connect using the configuration wizard or PowerShell. This error can be pretty annoying, but knowing what causes it and how to fix it will be beneficial.
Possible Causes
Incorrect Permissions: If the account used to run the Azure AD Connect wizard does not have the necessary permissions, the computer account cannot be located in Active Directory.
Computer Account Issues: Active Directory might not have a computer account for the Azure AD Connect server, or its configuration might be incorrect.
Network Connectivity: A loss of connectivity between the Azure AD Connect server and the Domain Controller is another major cause of this error.
Service Principal Name (SPN) Issues: This problem is also caused by issues with the SPN for the Azure AD Connect server.
Troubleshooting Steps
Here are some steps to troubleshoot and resolve this error:
Verify Permissions:
Make sure the account under which the Azure AD Connect wizard runs has all the necessary privileges. Ideally, it should be a member of the Enterprise Admins group or at least have delegated rights to create and manage computer accounts within Active Directory.
Check Computer Account:
Ensure that the computer account of the Azure AD Connect server has been created in Active Directory. You can verify this in the Active Directory Users and Computers (ADUC) tool.
If the account is missing from the ADUC list, you may have to create the account yourself or rejoin the server to the appropriate domain.
Network Connectivity:
As a best practice, make sure that the Azure AD Connect server is able to communicate with the Domain Controllers. Basic commands to check network connectivity include ping and nslookup.
Check for blocks on internal firewalls and other related policies that can hinder connectivity.
SPN Configuration:
Verify that the SPN for the Azure AD Connect server is correctly configured. You can use the setspn command to check and set the SPN if necessary.
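The four troubleshooting steps above (permissions, computer account, connectivity, SPN) as one script. This is an added example, not code from the answer; it assumes it runs on the Azure AD Connect server as the account you intend to use for the wizard, with the RSAT ActiveDirectory module installed. The port list is an assumption covering the services the wizard talks to (DNS, Kerberos, RPC, LDAP, SMB); add or remove ports to match your environment.

```powershell
# Added example, not from the original answer. Run on the Azure AD Connect server
# as the account you plan to use for the wizard.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$rootDom = Get-ADDomain -Identity (Get-ADForest).RootDomain

# 1. Permissions: compare the current token's group SIDs against the well-known RIDs
#    512 (Domain Admins, in this domain) and 519 (Enterprise Admins, in the forest root).
$tokenSids = [System.Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object { $_.Value }
"Domain Admins     : $($tokenSids -contains "$($domain.DomainSID.Value)-512")"
"Enterprise Admins : $($tokenSids -contains "$($rootDom.DomainSID.Value)-519")"

# 2. Computer account for this server, plus the secure channel to the domain.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME -Properties Enabled, LastLogonDate -ErrorAction SilentlyContinue
if (-not $computer) {
    Write-Warning "No computer account for $env:COMPUTERNAME in $($domain.DNSRoot); rejoin the server to the domain"
} else {
    $computer | Format-List Name, Enabled, LastLogonDate, DistinguishedName
}
# Fails if the machine password is out of sync with AD; -Repair resets it.
Test-ComputerSecureChannel -Verbose

# 3. Connectivity: discover DCs from the _ldap._tcp.dc._msdcs SRV record, then test the
#    TCP ports the wizard and Kerberos need. Assumed port list: DNS 53, Kerberos 88,
#    RPC endpoint mapper 135, LDAP 389, SMB 445.
$dcs = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique
foreach ($dc in $dcs) {
    foreach ($port in 53, 88, 135, 389, 445) {
        $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
        "{0,-35} tcp/{1,-4} {2}" -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
    }
}

# 4. SPNs: list what is registered on this server and on the Seamless SSO account.
#    Per the Seamless SSO docs, AZUREADSSOACC should carry HTTP/autologon.microsoftazuread-sso.com;
#    a duplicate SPN anywhere in the forest breaks Kerberos for that service.
setspn -L $env:COMPUTERNAME
setspn -L AZUREADSSOACC
setspn -X   # scan the forest for duplicate SPNs
```

If `setspn -X` reports a duplicate for an HTTP/ SPN, remove it from the wrong account with `setspn -D <spn> <account>` rather than adding another copy; Kerberos cannot issue a ticket when the same SPN maps to two accounts.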