Enabling SSO in Azure AD Connect Throws DesktopSSO Enablement Error

We are using hosted Exchange through O365. When we migrated away from hosted Exchange 2007 earlier in the year, we did not turn on password synchronization and AD Connect (don't want to go into the back story). Now we're working to configure Azure AD Connect for password sync, password writeback, and for single sign-on (no federation).

In-house we're operating on AD functional level 2012 R2 with recycle bin enabled. We have Azure AD Connect installed on a Server 2012 R2 VM. I'm not doing the Express install because we only want to synchronize certain OUs (only one specifically to start testing). What's interesting to me is that if we run through the custom configuration and don't enable single sign-on (just password sync and password writeback), everything works as expected. But if we select the option to enable single sign-on, we're met with the following error at the end of the configuration wizard:


Whether we reboot the server, restart services, or run AD Connect again, there is no getting past the error. Looking in the logs, here's what we found:

    [ERROR] Object reference not set to an instance of an object.
    Exception Data (Raw): System.NullReferenceException: Object reference not set to an instance of an object.
      at Microsoft.Online.Deployment.PSModule.Tasks.DesktopSso.EnableDesktopSsoTask1.SyncDssoSecrets(IDesktopSsoProvider dssoProvider)
      at Microsoft.Online.Deployment.PSModule.Tasks.DesktopSso.EnableDesktopSsoTask1.Execute()
      at Microsoft.Online.Deployment.Framework.Workflow.WorkflowTask.ExecuteWrapper()
    [14:08:11.540] [ 28] [INFO ] ConfigureSyncEngineStage.StartADSyncConfiguration: AADConnectResult.Status=Failed

Even though this happened, accounts and passwords were indeed synchronizing to Azure AD as expected. The only way I could get around the issue so we could actually launch AD Connect at a later time and make changes to its configuration was by completely uninstalling AD Connect and then re-installing without selecting the single sign-on option. Has anyone else run into this issue? When I did testing on a dummy domain a couple of months ago, I had no issues with the single sign-on functionality working as expected or with Azure AD Connect in general.
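One check worth running from the Azure AD Connect server before reinstalling is to compare what the tenant thinks about Seamless SSO with what actually landed in the on-premises forest, since SyncDssoSecrets (the step that failed in the log above) is where the wizard writes the SSO secret to the forest. This is an added example, not part of the original post: the cmdlets come from the AzureADSSO module that ships in the Azure AD Connect install directory, the install path is the product default, and the property names on the status object are the documented ones; nothing here changes the tenant or forest.

```powershell
# Added example (not from the original post): read-only comparison of the
# tenant-side Seamless SSO state and the forest-side SSO computer account.
# Run on the Azure AD Connect server as a domain user with rights to read AD;
# New-AzureADSSOAuthenticationContext prompts for a tenant Global Administrator.

# Default Azure AD Connect install path (adjust if installed elsewhere)
$moduleDir = 'C:\Program Files\Microsoft Azure Active Directory Connect'
Import-Module (Join-Path $moduleDir 'AzureADSSO.psd1')

# Authenticate to the tenant (interactive credential prompt)
New-AzureADSSOAuthenticationContext

# Tenant-side view: Get-AzureADSSOStatus returns JSON with an "Enable" flag and
# a "Domains" list of on-premises domains registered for Seamless SSO
$status = Get-AzureADSSOStatus | ConvertFrom-Json
"Seamless SSO enabled in tenant : $($status.Enable)"
"Domains registered for SSO     : $(($status.Domains) -join ', ')"

# Forest-side view: Seamless SSO depends on a computer account named AZUREADSSOACC
# that the wizard creates in on-premises AD when SSO is enabled successfully
Import-Module ActiveDirectory
$ssoAcc = Get-ADComputer -Filter { Name -eq 'AZUREADSSOACC' } -ErrorAction SilentlyContinue
if ($ssoAcc) {
    "AZUREADSSOACC present at      : $($ssoAcc.DistinguishedName)"
} else {
    "AZUREADSSOACC not found in this forest (SSO secret was never written here)"
}
```

If the tenant reports Seamless SSO as enabled for a domain while the forest has no AZUREADSSOACC account, the failed wizard run left the two sides out of step; that is the state to clear up (or at least be aware of) before re-running the wizard with the single sign-on option, rather than assuming a clean slate after an uninstall.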