This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(163.2, 19%, 25%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Hello Team,
I am encountering an issue with a Hybrid AD joined machine where I am unable to log in using FIDO2 security keys for Windows Hello for Business. Below are the details of the setup:
System Details:
Status of Hybrid Joined Client PC:
Error Message Received:
Please help me out to fix the above mentioned error.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Hello @Mallesh Prabhu,
Thank you for posting your query on Microsoft Q&A.
Based on your description, I understand that the user is encountering difficulty when attempting to log on to a Windows device using FIDO2 security key Passwordless authentication. An error message is displayed, stating: “Your credentials couldn't be verified. (code: 0xc000005f, 0x0).”
This issue can occur when the user falls under unsupported scenarios mentioned in the following documentation:
Unsupported Scenarios for FIDO2 Security Keys
I would like to highlight one unsupported scenario that I have encountered before in a similar case. Please refer the below screenshot.
Please ensure that the FIDO2 security key does not have multiple credentials stored. If it does, try configuring it with only one credential and then check the behavior while logging into the Windows device.
If the issue persists, try running dsregcmd /status on the client machine and check if OnPremTgt and CloudTgt show YES in the SSO state.
Additionally, check the event viewer logs under Applications and Services >> Microsoft >> Windows >> WebAuthN >> Operational and share the information shown in the event viewer log.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
Please Accept the answer if the information helped you. This will help us and others in the community as well.
Thanks,
Raja Pothuraju.
Hello @Mallesh Prabhu,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hello @Mallesh Prabhu,
Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Hi @Raja Pothuraju We have decided to manually join the device to Entra after wiping.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@Mallesh Prabhu Thanks for posting in our Q&A.
For this error message, based on my research, this issue may occur because the issuing Certificate Authority (CA) certificate is missing in the NTAuth store of the domain controller and client machine. Please try the steps in following article:
Hope it will help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi @Xenia The certificate is already in the DC and client's NTAuth stores, but I am unable to login using the FIDO security key, but I can login using my fingerprint without issue.
@Mallesh Prabhu Thanks for your update. Based on my research, I find someone has such similar issue. Here is the post.
@Xenia I have already tried these steps but still its throwing the same error not sure what exactly the problem.
@Mallesh Prabhu There is no helpful information I can share with you about this error message. It is needed to check more logs based on your environment. With Q&A limitation, it is suggested to open a support request in Microsoft Entra ID to get more help. Here is the support link:
https://learn.microsoft.com/en-us/entra/fundamentals/how-to-get-support
Hope everything goes well with you.