Skip to content

Troubleshooting Microsoft Entra ID

Learn how to troubleshoot issues related to Microsoft Entra ID.

Single sign-on

You don't have permission to sign in to the VPN portal. Contact your firewall administrator.

Issue

A user can't sign in to the VPN portal and it shows the following error:

You don't have permission to sign in to the VPN portal. Contact your firewall administrator.

Users can't access the VPN portal because of several issues, such as the browser used and configuration issues.

You can see the following error messages in the log viewer:

  • User not authorized
  • Invalid credentials

What to do

To resolve this, try the following solutions:

  • Browser check

    Sign in using a different browser to rule out browser compatibility and extension issues.

  • VPN portal access

    Make sure that the user's Microsoft Entra ID group is added to the remote access IPsec VPN or remote access SSL VPN allowed user list. Users who aren't allowed in either policy can't access the VPN portal, even if SSO authentication is successful.

    To check the user's VPN portal access, do as follows:

    • Remote access IPsec VPN

      1. Go to Remote access VPN > IPsec.
      2. Make sure that the user's Microsoft Entra ID group is selected in Allowed users and groups.
    • Remote access SSL VPN

      1. Go to Remote access VPN > SSL VPN.
      2. Click your remote access SSL VPN configuration.
      3. Make sure that the user's Microsoft Entra ID group is selected in Policy members.
  • Authentication methods

    Check the requirements for the remote access IPsec VPN and remote access SSL VPN authentication methods. See Requirements.

    Misconfiguration can cause sign-in failures, such as authorization and credential mismatch errors.

SSO is not configured. Please contact your administrator.

Issue

You can't click the Single sign on (SSO) button in the Sophos Connect client (SCC) and it shows the following error:

SSO is not configured. Please contact your administrator.

This is caused by configuration issues.

What to do

To resolve this, try the following solutions:

  • Connection test

    Check the firewall's connection to the Microsoft Entra ID server as follows:

    1. Go to Authentication > Servers.
    2. Click your Microsoft Entra ID server.
    3. Click Test connection.

    Make sure that the test is successful. If not, check your configuration. See Microsoft Entra ID SSO.

  • Authentication methods

    Check the authentication method for SSL VPN authentication methods as follows:

    1. Go to Authentication > Services.
    2. Make sure that your Microsoft Entra ID server is set in SSL VPN authentication methods.
Selected user account does not exist in tenant <tenant ID> and cannot access the application <application ID> in that tenant.

Issue

SSO doesn't work and shows the following error:

Selected user account does not exist in tenant <tenant ID> and cannot access the application <application ID> in that tenant.

The user doesn't exist in the tenant application because the remote access IPsec VPN and remote access SSL VPN authentication methods use different Microsoft Entra ID servers.

What to do

To resolve this, try the following solutions:

  • Authentication methods

    Check the requirements for the remote access IPsec VPN and remote access SSL VPN authentication methods. See Requirements.

    Misconfiguration can cause sign-in failures, such as authorization and credential mismatch errors.

  • Force SSO re-login

    If users sign in using SSO and connect to the network using a shared endpoint, we recommend that you force SSO re-login. See Force SSO re-login.

TLS certificate verification fails

Issue

Authentication or test connection fails with a TLS certificate error.

Depending on which service you're using, you may see the following errors in the oauth_sso_webadmin.log, oauth_sso_captive.log, or oauth_sso_vpn.log log files:

Example
tls: failed to verify certificate: x509: certificate signed by unknown authority
[oauthproxy.go:766] Error redeeming code during OAuth2 callback:
error performing request:
Post "https://login.microsoftonline.com/.../oauth2/token":
tls: failed to verify certificate:
x509: certificate signed by unknown authority

The possible causes are as follows:

  • Missing intermediate CA certificate
  • Incomplete certificate chain
  • TLS handshake failure with Microsoft Entra ID endpoints

What to do

To resolve this, do as follows:

  1. Verify the certificate chain and upload the required CA certificates as follows:

    1. Sign in to the CLI console. See Accessing Command Line Console.
    2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
    3. Run the following command:

      openssl s_client -connect login.microsoftonline.com:443 -showcerts
      
    Example output
    CONNECTED(00000003)
    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
    verify return:1
    depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
    verify return:1
    depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = graph.windows.net
    verify return:1
    ---
    Certificate chain
    0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = graph.windows.net
    i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1
    

    From this output, the certificate chains are as follows:

    Certificate Purpose
    DigiCert Global Root G2 Root CA
    DigiCert Global G2 TLS RSA SHA256 2020 CA1 Intermediate CA
    graph.windows.net Server certificate
    1. Review the output and identify the issuer certificates.
    2. Download the required root and intermediate CA certificates from a trusted source. See Azure Certificate Authority details.
    3. Go to Certificates > Certificate Authority.
    4. Click Add and upload the missing CA certificates.

      Note

      Make sure that the certificate names don't contain leading or trailing spaces.

    5. Click Apply.

  2. After you upload the required certificates, test the connection as follows:

    1. Go to Authentication > Servers and click your Microsoft Entra ID server.
    2. To verify that the issue is resolved, click Test connection.
    3. (Optional) If the issue persists after uploading the required CA certificates, restart the OAuth SSO service as follows:

      1. Sign in to the CLI console. See Accessing Command Line Console.
      2. Type 5 to select Device Management, then type 3 to select Advanced Shell.
      3. Run the command for the service you're using:

        • Web admin

          service oauth_sso_webadmin:restart -ds nosync
          
        • Captive portal

          service oauth_sso_captive:restart -ds nosync
          
        • VPN

          service oauth_sso_vpn:restart -ds nosync
          
    4. (Optional) Click Test connection again to confirm that the issue is resolved.