Problem
When configuring SSSD with id_provider=ad and auth_provider=idp for
AD+Entra hybrid authentication (MFA via Entra ID device-code flow), login
always fails with:
UUID of user and input do not match.
This makes it impossible to use Entra ID as an MFA authentication provider
for users whose identity is sourced from on-premises Active Directory.
Root Cause
SSSD caches the AD objectGUID as SYSDB_UUID during identity lookups.
During authentication, oidc_child calls the Microsoft Graph API
/v1.0/me endpoint and returns the Entra id field as the user
identifier. The Entra id is a cloud-generated UUID that is completely
independent of the AD objectGUID. These two values never match, so
eval_access_token_buf() always rejects the user.
Proposed Fix
Azure AD Connect synchronizes the on-premises AD objectGUID to Entra ID
as the onPremisesImmutableId field (the raw 16-byte GUID, base64-encoded).
The Graph API /v1.0/me endpoint returns this field only when it is
requested via $select. This assumes the default source anchor; a tenant
whose Azure AD Connect sourceAnchor is an attribute other than objectGUID
(or ms-DS-ConsistencyGuid seeded from objectGUID) publishes that
attribute's value instead, and the decoded value will not equal the
cached objectGUID.
get_user_identifier() in oidc_child_json.c should check the userinfo
JSON response for onPremisesImmutableId. If present, base64-decode it and
convert to a UUID string using Microsoft GUID mixed-endian (bytes_le)
format -- the same format SSSD uses when storing objectGUID in sysdb.
This decoded UUID will match the cached AD objectGUID.
For cloud-only Entra users (no on-premises AD object),
onPremisesImmutableId is absent and the existing behavior (return the
Entra id) is preserved. Pure IdP deployments (id_provider=idp) are
unaffected.
Steps to Reproduce
- Join a Linux host to an AD domain with SSSD
- Configure sssd.conf with id_provider=ad and auth_provider=idp, pointing to an Entra ID tenant synced via Azure AD Connect
- Attempt to SSH as an AD user and complete the device-code MFA flow
- Observe the UUID mismatch error in /var/log/sssd/sssd_<domain>.log
Environment
- SSSD 2.12.0
- Ubuntu 24.04 / Rocky Linux 9
- Active Directory with Azure AD Connect sync to Entra ID
- Entra app registration with User.Read scope, device-code flow enabled
Configuration Note
The fix requires that idp_userinfo_endpoint include
?$select=id,userPrincipalName,onPremisesImmutableId so that the Graph
API returns the onPremisesImmutableId field. The default /v1.0/me
response omits it. This should be documented in the sssd.conf man page.
Patch Available
Pacific Northwest National Laboratory (PNNL) has developed and tested a
patch for this issue in production AD hybrid environments. We will submit
a pull request with the fix.