Active Directory User Missing ms-DS-ConsistencyGuid

I had a user with an unset ms-DS-ConsistencyGuid attribute, which was causing that user to be unable to log in to Microsoft 365 (formerly Office 365). This presented itself as an error in our Duo single sign-on application when the user tried to access Microsoft 365.

Error: Cannot create NameID. Source attribute 'ms-DS-ConsistencyGuid' does not exist.

All the other users were able to log in, so the error was specific to this user. It appeared when I switched from the Duo self-hosted gateway to the Duo cloud SSO solution.

Duo's help article on the error gives some suggestions on where to look, but no actual directions. After digging around Google, I pieced together a solution that worked for me.

I didn't spend much time analyzing this error for its root cause. So the solution below fixes it on a per-user basis, but it is possible it works in my scenario because there was a simple issue somewhere. For example, my AD Connect had been working fine previously.

Honestly, the sequence of events below is odd, because what I see is that the Guid being returned is coming from AD, but the ms-DS-ConsistencyGuid attribute for the user is unset in the user profile. So where is the Guid coming from?

Rather than spend a lot of time going down a rabbit hole, here is what worked, and like I said, might be specific to my scenario.


Check to see which user(s) are missing the ms-DS-ConsistencyGuid

From Windows PowerShell on the Active Directory domain controller:

Import-Module ActiveDirectory

# Lists every user whose mS-DS-ConsistencyGuid is populated (the attribute is an octet string, returned as a byte array)
Get-ADUser -Filter * -Properties CN,mS-DS-ConsistencyGuid | Where-Object {$_.'mS-DS-ConsistencyGuid' -ne $null} | Select-Object CN,SamAccountName,mS-DS-ConsistencyGuid

This returns a list of users that have an ms-DS-ConsistencyGuid set. If the user is missing from this list, the value is not set. You can also confirm by opening Active Directory Users and Computers, opening the user in question, going to the Attribute Editor tab, and looking for the ms-DS-ConsistencyGuid attribute.

Make sure Advanced Features is turned on under the View menu so you can see this tab.


Get the missing attribute

Once I verified the issue was that ms-DS-ConsistencyGuid was unset, and I knew that the user had worked before, I used PowerShell to find what the attribute value should be, in Guid form.

Replace username with the user in question.

# Load the user; ObjectGUID is returned by default, mS-DS-ConsistencyGUID is requested explicitly
$User = Get-ADUser -Identity username -Properties mS-DS-ConsistencyGUID

# The ObjectGUID is the value AD Connect normally copies into mS-DS-ConsistencyGuid
$User.ObjectGUID

This returns the user's ObjectGUID, which is the Guid that belongs in ms-DS-ConsistencyGuid. Once you have that, convert it to hex. I used the Robobunny GUID Converter to do it quickly. The output you want is the Oracle RAW(16) format.


Enter in the missing attribute

Now take this value, go to the Attribute Editor for that user in Active Directory Users and Computers, and enter that hex value for the ms-DS-ConsistencyGuid attribute. Keep in mind when you enter it to put a space between every two characters (a GUID is 16 bytes, so the full value is 16 hex pairs). It should look something like the below when entering.

00 11 22 33 44 55 66 77 88 99

When you save it and view it in the Attribute Editor list of all the values, you will see a \ between the characters; this is normal.


Sync AD Connect

Now open AD Connect (Synchronization Service Manager) and run a Full Synchronization on your connectors.
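The whole procedure above (check, derive the value from ObjectGUID, write it, sync) can be done from one PowerShell script without the web converter. The script below is an added example and not part of the original post; it assumes the ActiveDirectory module (RSAT) is available and, for the final sync line, the ADSync module on the AD Connect server. The parameter names and the MISSING/OK/MISMATCH states are my own. Without -Fix it only reports, and -WhatIf shows what it would write.

```powershell
# Added example (not from the original post): report users whose
# mS-DS-ConsistencyGuid is unset, show the hex and ImmutableID derived from
# ObjectGUID, and optionally write the attribute back.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Limit to one account (SamAccountName); default scans all users.
    [string]$SamAccountName,
    # Actually write the attribute; without it the script only reports.
    [switch]$Fix
)
Import-Module ActiveDirectory

function ConvertTo-ConsistencyGuidHex {
    param([Parameter(Mandatory)][guid]$Guid)
    # mS-DS-ConsistencyGuid is an octet string holding the GUID's 16 bytes in
    # .NET ToByteArray() order; this is the spaced hex that Attribute Editor accepts.
    ($Guid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    # Base64 of the same 16 bytes is the ImmutableID Azure AD shows for the user.
    [Convert]::ToBase64String($Guid.ToByteArray())
}

$filter = if ($SamAccountName) { "SamAccountName -eq '$SamAccountName'" } else { '*' }
$users = Get-ADUser -Filter $filter -Properties 'mS-DS-ConsistencyGuid'

foreach ($u in $users) {
    $current  = $u.'mS-DS-ConsistencyGuid'   # byte[] or $null when unset
    $expected = $u.ObjectGUID.ToByteArray()

    if ($null -eq $current) {
        $state = 'MISSING'
    } elseif ([Convert]::ToBase64String([byte[]]$current) -eq [Convert]::ToBase64String($expected)) {
        $state = 'OK'
    } else {
        # Value exists but differs from ObjectGUID (e.g. a migrated or re-created
        # account). Do not overwrite it blindly; that breaks the cloud-side match.
        $state = 'MISMATCH'
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        State          = $state
        ObjectGUID     = $u.ObjectGUID
        ExpectedHex    = ConvertTo-ConsistencyGuidHex $u.ObjectGUID
        ImmutableId    = ConvertTo-ImmutableId $u.ObjectGUID
    }

    if ($state -eq 'MISSING' -and $Fix -and
        $PSCmdlet.ShouldProcess($u.SamAccountName, 'Set mS-DS-ConsistencyGuid from ObjectGUID')) {
        # Writing the byte[] stores exactly the octets you would type into Attribute Editor.
        Set-ADUser -Identity $u -Replace @{ 'mS-DS-ConsistencyGuid' = $expected }
    }
}

# After fixing, trigger a full sync on the AD Connect server (ADSync module):
# Start-ADSyncSyncCycle -PolicyType Initial
```

Run it first as `.\Check-ConsistencyGuid.ps1 -SamAccountName username` to see the state and the hex you would otherwise get from the converter; add `-Fix -WhatIf` to preview the write and `-Fix` to apply it. The MISMATCH state is the one to stop on: a value that exists but differs from ObjectGUID means the cloud object is matched on something else, and changing it is a different problem from the missing-attribute case this post covers.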

That fixed it for me. But like I said, I am a little uncertain why, since I don't know the root cause. I did notice an error in AD Connect for that user regarding a permissions error for that specific attribute, which had never appeared before. I reran the Full Synchronization a second time and the error went away.

So it is entirely possible all this work was for naught, and it was a transient AD Connect error. Either way, I understand the use of ms-DS-ConsistencyGuid in federated services better going forward.


References

Duo: Error "Cannot create NameID. Source attribute 'ms-DS-ConsistencyGuid' does not exist" - https://help.duo.com/s/article/6968?language=en_US

How to check the Immutable ID/Source Anchor (My Blog) - explains how to check which attribute is used as the source anchor for the synchronization between Active Directory and Azure AD

Robobunny GUID Converter

ImmutableID | ObjectGUID | mS-Ds-ConsistencyGuid from Office365