Windows Hello for Business - Cloud Kerberos trust deployment - All users cannot access on-prem resources

Nicholas Wirth 0 Reputation points
2023-03-24T20:57:49.3366667+00:00

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust

I have followed the guide step-by-step to ensure that my identities can use a WHFB PIN to access local resources between file shares and RDP logins, but we have the error that states:

We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your org's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.


I have confirmed between my own computer and my test machine that they can connect to the domain controller with no issue, and in the doc where it states "To unblock the accounts, use Active Directory Users and Computers to modify the msDS-NeverRevealGroup property of the Azure AD Kerberos Computer object CN=AzureADKerberos,OU=Domain Controllers,." I have removed all the accounts and still am unable to complete this.

Intune has been configured as expected, but I am still stuck on what's going on. All assistance is appreciated.


2 answers

  1. JamesTran-MSFT 36,596 Reputation points Microsoft Employee
    2023-03-29T19:03:55.39+00:00

    @Nicholas Wirth

    Thank you for your post and I apologize for the delayed response!

    Error Message:

    We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your org's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

    I understand that you're trying to implement Windows Hello for Business cloud Kerberos trust so your users can use WHFB to access local resources. However, when trying to login you're running into the error message above and when modifying the msDS-NeverRevealGroup property you're still unable to login.

    To gain a better understanding of your issue were you able to follow the Configure and provision Windows Hello for Business - cloud Kerberos trust documentation as well?

    • If you followed the documentation and configured the cloud Kerberos trust policy, can you make sure that the Use certificate for on-premises authentication policy is disabled? If the Use certificate for on-premises authentication policy is enabled, certificate trust will take precedence over cloud Kerberos trust. Ensure that the machines on which you want to enable cloud Kerberos trust have this policy not configured or disabled.

    I hope this helps!


    If you're still having issues and want to work closer with our support team, please let me know and I can enable a one-time free technical support request for your subscription to get this issue resolved.

    Thank you for your time and patience throughout this issue.


  2. JamesTran-MSFT 36,596 Reputation points Microsoft Employee
    2023-04-07T17:49:06.49+00:00

    @Nicholas Wirth Thank you for following up on this and I'm glad that you were able to resolve your issue!

    Thank you for also sharing your solution so that others experiencing the same thing can easily reference this. Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to accept the answer.

    Error Message: We can't sign you in with this credential because your domain isn't available. Make sure your device is connected to your org's network and try again. If you previously signed in on this device with another credential, you can sign in with that credential.

    Issue:

    You're implementing Windows Hello for Business cloud Kerberos trust so your users can use WHFB to access local resources. However, when trying to login you're running into the error message above and when modifying the msDS-NeverRevealGroup property you're still unable to login.

    Solution:

    The issue ended up being your 2012 R2 server having all master roles. As soon as the roles were transferred to your 2022 server everything started working as expected.

    If I missed anything please let me know and I'd be happy to add it to my answer, or feel free to comment below with any additional information.

    I hope this helps!


    If you have any other questions, please let me know. Thank you again for your time and patience throughout this issue.

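The following diagnostic script is an added example for this thread; it is not code from the question author, from the answers above, or from Microsoft's guide. It gathers, in one run, the three facts the thread turns on: which domain controllers hold the operations master (FSMO) roles and what OS each runs (answer 2's root cause was a 2012 R2 role holder), whether the AzureADKerberos computer object exists and which groups its msDS-NeverRevealGroup lists (the unblocking step from the question), and whether the "Use certificate for on-premises authentication" policy is set on the client (answer 1's check). It assumes the ActiveDirectory RSAT module on a domain-joined admin host, that FSMO holder names resolve to computer objects by short host name, and that `dsregcmd /status` reports `OnPremTgt` in its User State section as the cloud Kerberos trust documentation describes. The registry key and value names used for the Hello policy check are an assumption of this example; confirm them against `gpresult /h` or the Intune policy report before acting on that result.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the thread): checks for the failure modes discussed above.
# Run the AD checks on a domain-joined admin host with RSAT; run Test-CloudKerberosTgt
# on the affected client, in the session of the user who signed in with the Hello PIN.
Import-Module ActiveDirectory

function Get-FsmoRoleHolderInfo {
    # Answer 2: list the DCs holding the five operations master roles with the OS
    # each runs, so an old role holder (e.g. Windows Server 2012 R2) stands out.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    foreach ($role in $roles.Keys) {
        $fqdn     = $roles[$role]
        $hostName = ($fqdn -split '\.')[0]   # assumption: computer object name == short host name
        $dc = Get-ADComputer -Identity $hostName -Properties OperatingSystem, OperatingSystemVersion
        [pscustomobject]@{
            Role      = $role
            Holder    = $fqdn
            OS        = $dc.OperatingSystem
            OSVersion = $dc.OperatingSystemVersion
        }
    }
}

function Get-AzureAdKerberosObjectInfo {
    # Question: the AzureADKerberos computer object (created by Set-AzureADKerberosServer under
    # OU=Domain Controllers) and the groups in msDS-NeverRevealGroup. Members of those groups
    # are not issued an on-prem TGT through cloud Kerberos trust.
    $obj = Get-ADComputer -LDAPFilter '(name=AzureADKerberos)' `
                          -SearchBase (Get-ADDomain).DomainControllersContainer `
                          -Properties 'msDS-NeverRevealGroup', whenChanged
    if (-not $obj) {
        return [pscustomobject]@{ Present = $false; DistinguishedName = $null; NeverRevealGroups = @(); WhenChanged = $null }
    }
    $groups = foreach ($dn in $obj.'msDS-NeverRevealGroup') { (Get-ADObject -Identity $dn).Name }
    [pscustomobject]@{
        Present           = $true
        DistinguishedName = $obj.DistinguishedName
        NeverRevealGroups = @($groups)
        WhenChanged       = $obj.whenChanged
    }
}

function Get-HelloOnPremAuthPolicy {
    # Answer 1: if certificate trust is enabled it takes precedence over cloud Kerberos trust.
    # ASSUMPTION: the GPO/CSP values land under this key with these value names; verify with
    # 'gpresult /h report.html' or the Intune device policy report before relying on this.
    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseCertificateForOnPremAuth = $props.UseCertificateForOnPremAuth   # expected: absent or 0
        UseCloudTrustForOnPremAuth  = $props.UseCloudTrustForOnPremAuth    # expected: 1
    }
}

function Test-CloudKerberosTgt {
    # Client-side check from the docs: after a Hello sign-in, 'dsregcmd /status' reports
    # OnPremTgt : YES in the User State section when an on-prem TGT was obtained via cloud trust.
    $lines = & dsregcmd.exe /status
    $state = [ordered]@{}
    foreach ($name in 'AzureAdPrt', 'CloudTgt', 'OnPremTgt') {
        $value = 'not reported'
        foreach ($line in $lines) {
            if ($line -match "^\s*$name\s*:\s*(\S+)") { $value = $Matches[1]; break }
        }
        $state[$name] = $value
    }
    [pscustomobject]$state
}

Write-Host '== FSMO role holders (look for any pre-2016 OS) =='
Get-FsmoRoleHolderInfo | Format-Table -AutoSize
Write-Host '== AzureADKerberos object and msDS-NeverRevealGroup =='
Get-AzureAdKerberosObjectInfo | Format-List
Write-Host '== Hello on-prem auth policy (registry, see assumption above) =='
Get-HelloOnPremAuthPolicy | Format-List
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    Write-Host '== Client TGT state (run as the affected user after a PIN sign-in) =='
    Test-CloudKerberosTgt | Format-List
}
```

Read the output top to bottom: if any role holder reports a Windows Server 2012 R2 OS, that matches the fix in answer 2; if the signed-in user is a member of a group listed under NeverRevealGroups, the user is blocked regardless of policy; if UseCertificateForOnPremAuth is 1, answer 1 applies; and OnPremTgt : NO on the client with everything else in order points at the client not being able to reach a DC over Kerberos.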
