Hybrid Azure AD join authentication using Azure AD Kerberos (cloud Kerberos trust) Troubleshooting

Maximilian K 15 Reputation points

Hello all!
While reading through some testing on the WHFB deployment for Hybrid using Azure AD Kerberos.
I seem to be getting stuck at issues with the LSA.
After running through the setup document and deploying configs via Intune.
I can create pins and see the logs indicating registration in Azure AD.
Even now, I can attempt to sign in with a PIN on a PC, and I'll see the successful login in Azure AD.

But I can't unlock the pc(which is on the domain network) because the "credentials cannot be verified" error Something went wrong and your PIN isn't available (Status 0xc00000bb, substatus: 0x0) So I'm trying to figure out where its going wrong.
Domain is running two win 2016 servers.

Any suggestions are welcome!

Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,125 questions
0 comments No comments
{count} vote

2 answers

Sort by: Most helpful
  1. James Hamil 22,886 Reputation points Microsoft Employee

    Hi @Maximilian K , this might be related to a problem with the Local Security Authority (LSA) or other configuration issues.

    Try the following steps and let me know what you find:

    Check event logs: Examine the event logs on the affected device for any errors or warnings related to WHFB, Azure AD, or LSA. Look for logs in the following locations:

    • %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-AAD%40Operational.evtx
    • %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-WebAuthN%40Operational.evtx
    • %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%40Operational.evtx

    Verify network connectivity: Ensure that the device has proper network connectivity to required endpoints, such as https://login.microsoftonline.com.

    Check domain and federation settings: Make sure that the user's domain is added as a custom domain in Azure AD and that the on-premises identity provider supports WS-Trust.

    Review Azure AD Connect configuration: Ensure that Azure AD Connect is properly configured and syncing user accounts and attributes between on-premises Active Directory and Azure AD.

    Update and patch: Make sure that the device, Windows Server 2016 domain controllers, and other related components are up-to-date with the latest patches and updates.

    If none of these work let me know and I can look into your environment!

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,


  2. Michael Wilson 0 Reputation points

    I'm having similar issues, but I'm seeing Event ID 7001 on the client:

    A user failed to sign into the device with the following information:
    Username: SYSTEM
    User SID: SYSTEM
    Credential Type: Software Key
    Deployment Type: Cloud Trust
    Software Lockout Counter: 0
    Authentication Error Status: 0xC000006D
    Authentication Error Substatus: 0xC00002F9

    and I'm seeing event id 5520 on the domain controller:

    Device unlock policy is not configured on this device

    I can't figure out where to create a device unlock policy that only requires one method.

    0 comments No comments