No PRT with Certificate Based Authentication in Entra Hybrid Setup

Hari
2024-12-24T06:37:57.6166667+00:00

I have an Entra Hybrid setup where on-prem AD is connected to Azure AD using Azure AD Connect.

From a domain-joined computer, if a user logs in with username/password, a PRT is available and the user can open the Office portal without entering credentials.

But if the user logs in with a passwordless solution (certificate-based authentication), no PRT is available, and when opening the Office portal the user is asked to enter credentials.

dsregcmd /status output:

  • AzureADPrt : NO
  • Server Error Code : invalid_client
  • Server Error Description : AADSTS50017 : Validation of given certificate for certificate based authentication failed.

I have uploaded the CA certificate on the Azure portal Certificate Authorities page and enabled CBA.

The Event Viewer AAD Operational log shows the same error, AADSTS50017. The Analytic log, event ID 1007, has "AadCloudAPPlugin GetToken Stop Status: 0xC000006D".

I have tried the sample V2 credential provider with username/password and a PRT is issued. So, a third-party CP may not be the problem for issuing a PRT.

Thanks for the help.
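A diagnostic helper for the two checks described in the question (the dsregcmd /status SSO fields and the AAD Operational log), added here as an example and not part of the original post. The function names are my own, and the sample status block is constructed to mirror the error quoted above so the parser can be exercised on a machine that is not domain joined.

```powershell
# Added example: parse the dsregcmd /status fields relevant to PRT acquisition
# and pull matching AAD Operational events. Function names are hypothetical.
function Get-PrtStatus {
    # When no lines are supplied, run dsregcmd on the local device.
    param([string[]]$StatusLines = (dsregcmd /status))
    $wanted = 'AzureAdJoined','DomainJoined','AzureADPrt','AzureADPrtUpdateTime',
              'AzureADPrtAuthority','Server Error Code','Server Error Description'
    $result = [ordered]@{}
    foreach ($line in $StatusLines) {
        # dsregcmd prints "   Key : Value"; split on the first colon only,
        # because the error description itself contains colons.
        if ($line -match '^\s*([A-Za-z ]+?)\s*:\s*(.*)$' -and $wanted -contains $Matches[1]) {
            $result[$Matches[1]] = $Matches[2].Trim()
        }
    }
    [pscustomobject]$result
}

function Get-PrtFailureEvents {
    # Microsoft-Windows-AAD/Operational is the log referred to in the question.
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName   = 'Microsoft-Windows-AAD/Operational'
                                     StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'AADSTS50017' } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }
}

# Constructed sample output (not captured from a real device) mirroring the question.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
              DomainJoined : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureADPrt : NO
         Server Error Code : invalid_client
  Server Error Description : AADSTS50017 : Validation of given certificate for certificate based authentication failed.
'@ -split "`r?`n"

$status = Get-PrtStatus -StatusLines $sample
$status | Format-List
if ($status.AzureADPrt -ne 'YES') {
    Write-Warning "No PRT for this session. Server error: $($status.'Server Error Code') - $($status.'Server Error Description')"
    Get-PrtFailureEvents | Format-Table -AutoSize   # empty on a machine with no AAD log entries
}
```

Run `Get-PrtStatus` without arguments on the affected device to read the live values; the Analytic log (event ID 1007) must be enabled separately in Event Viewer before it records anything.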


1 answer

  1. Raja Pothuraju, Microsoft External Staff, Moderator
    2024-12-26T20:07:45.75+00:00

    Hello @Hari,

    Thank you for posting your query on Microsoft Q&A.

    From your description, it appears that when you attempt to sign in using a Windows smart card with Microsoft Entra certificate-based authentication, the device does not receive a valid Primary Refresh Token (PRT). However, when you log in using your username and password, the device successfully receives a valid PRT.

    To better understand the situation, please check if Entra CBA works in the browser. If you're unsure, I recommend starting there to ensure that the browser sign-in functions correctly first, as this will make troubleshooting easier. Once that is confirmed, please check if the Windows version of your device is listed under Supported Windows platforms in the document below.

    https://learn.microsoft.com/en-us/entra/identity/authentication/concept-certificate-based-authentication-smartcard#supported-windows-platforms

    I hope this information is helpful. Please feel free to reach out if you have any further questions.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Thanks,
    Raja Pothuraju.
