Troubleshooting Microsoft Entra ID
Learn how to troubleshoot issues related to Microsoft Entra ID.
Single sign-on
You don't have permission to sign in to the VPN portal. Contact your firewall administrator.
Issue
A user can't sign in to the VPN portal and it shows the following error:
You don't have permission to sign in to the VPN portal. Contact your firewall administrator.
Users can't access the VPN portal because of several issues, such as the browser used and configuration issues.
You can see the following error messages in the log viewer:
User not authorizedInvalid credentials
What to do
To resolve this, try the following solutions:
-
Browser check
Sign in using a different browser to rule out browser compatibility and extension issues.
-
VPN portal access
Make sure that the user's Microsoft Entra ID group is added to the remote access IPsec VPN or remote access SSL VPN allowed user list. Users who aren't allowed in either policy can't access the VPN portal, even if SSO authentication is successful.
To check the user's VPN portal access, do as follows:
-
Remote access IPsec VPN
- Go to Remote access VPN > IPsec.
- Make sure that the user's Microsoft Entra ID group is selected in Allowed users and groups.
-
Remote access SSL VPN
- Go to Remote access VPN > SSL VPN.
- Click your remote access SSL VPN configuration.
- Make sure that the user's Microsoft Entra ID group is selected in Policy members.
-
-
Authentication methods
Check the requirements for the remote access IPsec VPN and remote access SSL VPN authentication methods. See Requirements.
Misconfiguration can cause sign-in failures, such as authorization and credential mismatch errors.
SSO is not configured. Please contact your administrator.
Issue
You can't click the Single sign on (SSO) button in the Sophos Connect client (SCC) and it shows the following error:
SSO is not configured. Please contact your administrator.
This is caused by configuration issues.
What to do
To resolve this, try the following solutions:
-
Connection test
Check the firewall's connection to the Microsoft Entra ID server as follows:
- Go to Authentication > Servers.
- Click your Microsoft Entra ID server.
- Click Test connection.
Make sure that the test is successful. If not, check your configuration. See Microsoft Entra ID SSO.
-
Authentication methods
Check the authentication method for SSL VPN authentication methods as follows:
- Go to Authentication > Services.
- Make sure that your Microsoft Entra ID server is set in SSL VPN authentication methods.
Selected user account does not exist in tenant <tenant ID> and cannot access the application <application ID> in that tenant.
Issue
SSO doesn't work and shows the following error:
Selected user account does not exist in tenant <tenant ID> and cannot access the application <application ID> in that tenant.
The user doesn't exist in the tenant application because the remote access IPsec VPN and remote access SSL VPN authentication methods use different Microsoft Entra ID servers.
What to do
To resolve this, try the following solutions:
-
Authentication methods
Check the requirements for the remote access IPsec VPN and remote access SSL VPN authentication methods. See Requirements.
Misconfiguration can cause sign-in failures, such as authorization and credential mismatch errors.
-
Force SSO re-login
If users sign in using SSO and connect to the network using a shared endpoint, we recommend that you force SSO re-login. See Force SSO re-login.
TLS certificate verification fails
Issue
Authentication or test connection fails with a TLS certificate error.
Depending on which service you're using, you may see the following errors in the oauth_sso_webadmin.log, oauth_sso_captive.log, or oauth_sso_vpn.log log files:
Example
tls: failed to verify certificate: x509: certificate signed by unknown authority
[oauthproxy.go:766] Error redeeming code during OAuth2 callback:
error performing request:
Post "https://login.microsoftonline.com/.../oauth2/token":
tls: failed to verify certificate:
x509: certificate signed by unknown authority
The possible causes are as follows:
- Missing intermediate CA certificate
- Incomplete certificate chain
- TLS handshake failure with Microsoft Entra ID endpoints
What to do
To resolve this, do as follows:
-
Verify the certificate chain and upload the required CA certificates as follows:
- Sign in to the CLI console. See Accessing Command Line Console.
- Type
5to selectDevice Management, then type3to selectAdvanced Shell. -
Run the following command:
openssl s_client -connect login.microsoftonline.com:443 -showcerts
Example output
CONNECTED(00000003) depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2 verify return:1 depth=1 C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1 verify return:1 depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = graph.windows.net verify return:1 --- Certificate chain 0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = graph.windows.net i:C = US, O = DigiCert Inc, CN = DigiCert Global G2 TLS RSA SHA256 2020 CA1From this output, the certificate chains are as follows:
Certificate Purpose DigiCert Global Root G2 Root CA DigiCert Global G2 TLS RSA SHA256 2020 CA1 Intermediate CA graph.windows.net Server certificate - Review the output and identify the issuer certificates.
- Download the required root and intermediate CA certificates from a trusted source. See Azure Certificate Authority details.
- Go to Certificates > Certificate Authority.
-
Click Add and upload the missing CA certificates.
Note
Make sure that the certificate names don't contain leading or trailing spaces.
-
Click Apply.
-
After you upload the required certificates, test the connection as follows:
- Go to Authentication > Servers and click your Microsoft Entra ID server.
- To verify that the issue is resolved, click Test connection.
-
(Optional) If the issue persists after uploading the required CA certificates, restart the OAuth SSO service as follows:
- Sign in to the CLI console. See Accessing Command Line Console.
- Type
5to selectDevice Management, then type3to selectAdvanced Shell. -
Run the command for the service you're using:
-
Web admin
service oauth_sso_webadmin:restart -ds nosync -
Captive portal
service oauth_sso_captive:restart -ds nosync -
VPN
service oauth_sso_vpn:restart -ds nosync
-
-
(Optional) Click Test connection again to confirm that the issue is resolved.