STICKY POST: This post will be updated on an ongoing basis while I build a list of error codes. If you encounter an error which is not listed, please let me know in the comments below.
With this post I’ll try a new format. This will be an ongoing sticky post which will be a continuous work-in-progress gathering common error codes for Jamf Connect Login, Sync or Verify.
Please note that the exact root cause behind an error code might differ depending on the exact environment, but I'll try to list the most common reasons why you might be hitting the roadblock.
I hope this simplifies your search for a solution to different configuration challenges.
Please note that the error you see in the GUI might not be verbose enough in some situations. I recommend checking the Jamf Connect logs and the sign-in logs of your IdP to get the full picture and the exact error code.
Azure error codes starting with “AADSTS”
AADSTS7000218: The request body must contain the following parameter: 'client_assertion' or 'client_secret'.
This is an issue with the ROPG (Resource Owner Password Grant) call Jamf Connect makes to validate the password a second time when OIDCNewPassword is set to false. That token request carries no client secret, so Azure AD only accepts it if the app registration is allowed to authenticate as a public client. Most likely you did not configure the Jamf Connect app in Azure as a public client. Go to Azure Portal -> Azure Active Directory -> App Registrations -> Jamf Connect App (which you created) -> Authentication and set "Treat application as a public client" to Yes.
AADSTS50126: Error validating credentials due to invalid username or password.
This is an issue with the ROPG call that validates the password in the second authentication when the OIDCNewPassword key is set to false. Obviously, first check whether the username and password are really correct... If they are, you probably have your Azure AD federated with AD FS. Either the AD FS farm is not running AD FS 4.0 on Windows Server 2016, or the farm behavior level has not been raised to level 3. You need to split the Jamf Connect config up into a hybrid setup, pointing OIDC to Azure and ROPG to AD FS. See "Configuring Jamf Connect with a Federated Integration (AD FS)" here. An alternative solution which you can try: https://travellingtechguy.eu/jamf-connect-with-adfs-federation-and-allowcloudpasswordvalidation/
AADSTS900144: The request body must contain the following parameter: ‘resource’.
You probably configured Jamf Connect to authenticate against the Azure_v2 endpoint. That configuration requires the ROPGTenant key to be defined in the config. https://docs.jamf.com/jamf-connect/1.19.2/administrator-guide/Configuring_Jamf_Connect_Login_with_Microsoft_Azure_AD.html
ADFS error codes starting with “MSIS”
MSIS9602: The received ‘resource’ parameter is invalid. The authorization server can not find a registered resource with the specified identifier.
Many people take the 'resource' to be the Client ID of the app in AD FS. This is not entirely true and causes confusion about how to fix this error. Client ID and resource are different things: the Client ID identifies the application in AD FS, while the resource says for whom the token is issued. In other words, the resource is the audience of the token.
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios#resource-owner-password-credentials-grant-flow-not-recommended "If resource is not passed here or in scope ADFS will use a default resource urn:microsoft:userinfo."
As Jamf Connect does not pass a specific resource, it defaults to urn:microsoft:userinfo. This resource needs to be enabled on the AD FS farm. By default this is the case on AD FS 4.0, but production servers might have been tweaked for one reason or another. You need to confirm that the ServerRoleIdentifier urn:microsoft:userinfo is enabled on the AD FS server farm. I will make a separate post on this later.
MSIS9623: Received invalid Client credentials. The OAuth client is not configured to authenticate using passed in client credentials
You probably defined a 'Client Secret' key in the Jamf Connect configuration. The workflow for configuring the AD FS app for Jamf Connect does not instruct you to configure a client secret on the AD FS app (only on the cloud IdP, if needed). https://www.jamf.com/jamf-nation/articles/697/configuring-jamf-connect-with-azure-ad-hybrid-identity-solutions https://docs.microsoft.com/en-gb/windows-server/identity/ad-fs/development/enabling-openid-connect-with-ad-fs Remove the Client Secret keys from the Jamf Connect configuration.
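To make the checks in both the Azure (AADSTS) and AD FS (MSIS) sections above mechanical, here is a small added example of my own (not Jamf's code and not part of the product): it pulls the AADSTS/MSIS code out of a token-endpoint error body, and it lints a Jamf Connect Login configuration for the combinations described above (Azure_v2 ROPG without ROPGTenant, a client secret on an AD FS ROPG provider, and a reminder about the public-client setting when ROPG runs against Azure without a secret). The preference keys OIDCProvider, ROPGProvider, ROPGTenant, OIDCNewPassword and OIDCClientSecret, the provider values "Azure", "Azure_v2" and "ADFS", and the com.jamf.connect.login preference domain are assumptions based on my reading of the Jamf Connect Login administrator guide; verify them against the guide for your version. The config plists and the error body are constructed here for illustration.

```python
"""Added example (not Jamf's code): lint a Jamf Connect Login configuration
for the settings that produce the AADSTS/MSIS errors listed above, and pull
the error code out of a token-endpoint error response.

Assumptions: the preference keys OIDCProvider, ROPGProvider, ROPGTenant,
OIDCNewPassword and OIDCClientSecret, and the provider values "Azure",
"Azure_v2" and "ADFS", are taken from the Jamf Connect Login preference
domain (com.jamf.connect.login) as I understand it; check them against the
administrator guide for your version.  All sample data is constructed.
"""
import json
import plistlib
import re
from typing import Dict, List, Tuple

ERROR_CODE_RE = re.compile(r"\b((?:AADSTS|MSIS)\d+)\b")


def extract_error_code(body: str) -> str:
    """Return the AADSTS/MSIS code from a token-endpoint error, or "".

    Azure AD answers with JSON whose error_description starts with the code
    ("AADSTS900144: The request body must ..."); AD FS puts "MSIS9623: ..."
    in plain text.  Both are handled by searching the description text.
    """
    text = body
    try:
        text = json.loads(body).get("error_description") or body
    except (ValueError, AttributeError):
        pass  # not JSON, or JSON that is not an object: search the raw body
    match = ERROR_CODE_RE.search(text)
    return match.group(1) if match else ""


Finding = Tuple[str, str, str]  # (severity, expected error code, what to fix)


def lint_config(cfg: Dict) -> List[Finding]:
    """Check the combinations this post describes.

    The second password check via ROPG only runs when OIDCNewPassword is
    false, so the ROPG-specific checks are skipped otherwise.  ROPGProvider
    falls back to OIDCProvider when the hybrid split is not configured.
    """
    findings: List[Finding] = []
    oidc_provider = cfg.get("OIDCProvider", "")
    ropg_provider = cfg.get("ROPGProvider", oidc_provider)
    uses_ropg = cfg.get("OIDCNewPassword", True) is False
    has_secret = bool(cfg.get("OIDCClientSecret"))

    if uses_ropg and ropg_provider == "Azure_v2" and not cfg.get("ROPGTenant"):
        findings.append(("error", "AADSTS900144",
                         "Azure_v2 ROPG requires the ROPGTenant key"))
    if ropg_provider == "ADFS" and has_secret:
        findings.append(("error", "MSIS9623",
                         "the AD FS app is not set up for client credentials; "
                         "remove OIDCClientSecret"))
    if uses_ropg and ropg_provider in ("Azure", "Azure_v2") and not has_secret:
        # Not visible in the plist: the app registration itself must allow
        # public-client flows, or the secret-less ROPG call is rejected.
        findings.append(("check", "AADSTS7000218",
                         "confirm 'Treat application as a public client' is Yes "
                         "on the Azure app registration"))
    return findings


def lint_plist(data: bytes) -> List[Finding]:
    """Same check, starting from the raw com.jamf.connect.login plist bytes."""
    return lint_config(plistlib.loads(data))


def errors_only(findings: List[Finding]) -> List[str]:
    """Expected error codes for definite misconfigurations (severity 'error')."""
    return [code for sev, code, _ in findings if sev == "error"]


# Constructed samples (no real tenant data).
SAMPLE_AZURE_ERROR = json.dumps({
    "error": "invalid_request",
    "error_description": "AADSTS900144: The request body must contain the "
                         "following parameter: 'resource'.\r\nTrace ID: "
                         "00000000-0000-0000-0000-000000000000",
    "error_codes": [900144],
})

# Azure_v2 with the second password check enabled but no ROPGTenant.
SAMPLE_AZURE_V2_PLIST = plistlib.dumps({
    "OIDCProvider": "Azure_v2",
    "OIDCClientID": "00000000-0000-0000-0000-000000000000",
    "OIDCNewPassword": False,
})

# Hybrid setup (OIDC to Azure, ROPG to AD FS) with a stray client secret.
SAMPLE_HYBRID_PLIST = plistlib.dumps({
    "OIDCProvider": "Azure",
    "ROPGProvider": "ADFS",
    "ROPGTenant": "contoso.onmicrosoft.com",
    "OIDCNewPassword": False,
    "OIDCClientSecret": "not-a-real-secret",
})

if __name__ == "__main__":
    print(extract_error_code(SAMPLE_AZURE_ERROR))
    for sev, code, fix in lint_plist(SAMPLE_AZURE_V2_PLIST) + lint_plist(SAMPLE_HYBRID_PLIST):
        print(f"[{sev}] {code}: {fix}")
```

Point lint_plist at the exported com.jamf.connect.login profile payload (or a plist you wrote by hand) and feed extract_error_code the error body you find in the Jamf Connect log or the IdP sign-in log; the "check" finding is deliberately not an error, because whether the Azure app registration is a public client cannot be read from the client-side config.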
That’s it! As said, this will be a work-in-progress post. More error codes coming up!
As always, if you liked the post, hit the like button, tell your friends about it and leave a comment down below!