Azure AD Connect version is here

Earlier this week, Microsoft released a new version of Azure AD Connect for all your on-premises Active Directory Domain Services and LDAP v3 to Azure Active Directory, and thus Office 365, synchronization needs.

Version of Azure AD Connect, dated June 3, 2016, adds two fixes.


Fixed issues

This version introduces two fixes:

Password Sync can now be USed on FIPS compliant serverS

In previous versions of Azure AD Connect, Password Sync failed to run on Federal Information Processing Standard (FIPS) compliant Windows Servers. This is because FIPS compliant systems bar the use of MD5 hash algorithms, so they block Password Sync  when the tool tries to access MD5 functions.

User passwords are stored as a non-reversible hash in Windows Server Active Directory Domain Controllers (DCs). When the Password Sync agent attempts to synchronize the password hash from a DC over a secure RPC interface, the DC encrypts that password hash using an MD5 key. The MD5 key that the DC uses is derived from the RPC session key and a salt. Once this happens, the password hash is now wrapped in an MD5 encryption envelope. The Password Sync agent gets this encrypted password hash from the Domain Controller (DC) over the secure RPC interface.

Once the Password Sync agent has the encrypted password hash, it uses MD5CryptoServiceProvider to generate a hash key used for decrypting the envelope containing the password hash.

At no point in time does Azure AD Connect’s Password Sync agent have access to the clear text password.

When MD5CryptoServiceProvider is used in a FIPS compliant environment, it throws a System.InvalidOperation exception. This is because the MD5 hash is considered a weak hash and not recommended for use in a FIPS compliant environment.

To get Password Sync running on FIPS-compliant systems, add enforceFIPSPolicy in the  miiserver.exe.config file for your Azure AD Connect implementation:

  • Go to %programfiles%\Azure AD Sync\Bin.
  • Open miiserver.exe.config.
  • Go to the configuration/runtime node (at the end of the file).
  • Add the following node: <enforceFIPSPolicy enabled="false"/> like this:
      <enforceFIPSPolicy enabled="false"/> 
    Save your changes.


NetBIOS name to FQDN resolution

The team also fixed an issue where a NetBIOS name could not be resolved to the Fully Qualified Domain Name (FQDN) in the Active Directory Connector, hindering communications between Azure AD Connect and your Active Directory Domain Services (AD DS) environment.


Version information

This is version of Azure AD Connect.


Download information

You can download Azure AD Connect here.
The download weighs 74,5 MB.



If the Automatic Updating functionality  hasn’t already upgraded your Azure AD Connect installation to version, you can download and install this version of Azure AD Connect above.

 Further reading

AAD Password Sync, Encryption and FIPS compliance
DirSync: Password Sync failing in FIPS-compliant systems
Microsoft Identity Software: Public Release Build Versions

leave your comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.