Why is cloud trust for onpremises auth policy set to No

Question

Why is cloud trust for onpremises auth policy set to No

Acedan 50

I have enable Cloud Key Trust and set the configuration policy for on premise auth policy.

Looking at the User Device Registration logs, it appears that the policy is not applying and the browsing of OnPrem shares is not working.

Event Log 358

Windows Hello for Business provisioning will be launched.

Device is AAD joined ( AADJ or DJ++ ): Yes

User has logged on with AAD credentials: Yes

Windows Hello for Business policy is enabled: Yes

Windows Hello for Business post-logon provisioning is enabled: Yes

Local computer meets Windows hello for business hardware requirements: Yes

User is not connected to the machine via Remote Desktop: Yes

User certificate for on premise auth policy is enabled: No

Machine is governed by none policy.

Cloud trust for on premise auth policy is enabled: No

User account has Cloud TGT: Not Tested

1.) dregcmd - NGCSet = Yes

2.) Re-registered hello for business - certutil - DeleteHelloContainer

3.) Azure Ad Joined

User's image

Any advice on what I may be missing or troubleshooting steps?

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-05-31T06:58:32.9266667+00:00
@Acedan Apologies for the delayed response, reviewed the above mentioned issue just wanted to check does the issue still persist ? if yes please help me with the below information to isolate the issue further.

was this working before ? new setup if yes similar issue noticed on other device as well.

domain controllers info ?

do you have convenience PIN enabled via GPO ? if yes pls disable it and repro the issue.

https://learn.microsoft.com/en-us/troubleshoot/windows-client/user-profiles-and-logon/cannot-configure-a-convenience-pin

Let me know if the above suggestions doesnt help to isolate the issue, i can help you in creating a free support where you can work with our support team on the same.
Acedan 50 Reputation points

2023-06-05T10:55:14.34+00:00

Good Morning Givary,

Checked your list.

Has not worked yet.

Alll DC's are windows 2016 (14393-5921) or Windows 2019 (17763-379)

Convenience PPIN is disabled.

Accepted answer

2 additional answers

Your answer

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-05-31T06:58:32.9266667+00:00

@Acedan Apologies for the delayed response, reviewed the above mentioned issue just wanted to check does the issue still persist ? if yes please help me with the below information to isolate the issue further.

was this working before ? new setup if yes similar issue noticed on other device as well.

domain controllers info ?

do you have convenience PIN enabled via GPO ? if yes pls disable it and repro the issue.

https://learn.microsoft.com/en-us/troubleshoot/windows-client/user-profiles-and-logon/cannot-configure-a-convenience-pin

Let me know if the above suggestions doesnt help to isolate the issue, i can help you in creating a free support where you can work with our support team on the same.
Acedan 50 Reputation points

2023-06-05T10:55:14.34+00:00

Good Morning Givary,

Checked your list.

Has not worked yet.

Alll DC's are windows 2016 (14393-5921) or Windows 2019 (17763-379)

Convenience PPIN is disabled.

Answer 1

Nagappan Veerappan 651 Microsoft Employee

@Acedan - I am not sure, you have completed Step 1 below. Please check and let me know.

Cloud trust enabled with two steps for on-prem access

first at your AD -create Kerberos server keys to issue TGT from cloud and to be accepted at you AD. (don't test with user account AD protected group. Normal user in AD without any AD privilege groups works)
https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module
Enable policy for end clients (GPO for HAADJ or Intune policy for AADJ/HAADJ) to trigger Cloud trust.

PS: Users are already in "Key trust" would automatically migrate to "Cloud trust" once enabled. if you have had certificate trust , you need to delete and re-provision for cloud trust

Acedan 50 Reputation points

2023-06-02T12:57:24.1266667+00:00

Cheers Naga. Checked your suggestions. Still no love.

AzureAdKerberos object is created

Confirmed user is not a member of any groups list in msds-neverrevealgroups

It appears that the user also has the partial TGT.

User Device Registration log still reporting cloudtrust for onprem is NO
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Acedan 50 Reputation points

2023-06-05T10:37:48.3366667+00:00

Good Morning Naga.

Confirmed the AzureAdKerberos server is configured, RDOC object is created and user I'm testing with is not a member of any of the groups defined in the RODC object msds-neverrevealgroup attribute (AzureADKerberos)

My thoughts were on the settings in Windows Hello for Business trust models also.

My understanding was that the OMI-URI CSP setting in PassportForWork was the only Azure profile required.

./Device/Vendor/MSFT/PassportForWork/MyTenantID/Policies/UseCloudTrustForOnPremAuth

The assumption was that the trust model configuration for Windows Hello for Business did not require configuration.
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-06-05T19:36:02.9233333+00:00
@Acedan Could you please provide just a "Klist" output as well on the user context. if you have line of sight to DC. we would see the kerberos ticket
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-06-05T19:41:39.6466667+00:00
@Acedan -Are we mixing up WHFB deployment with GPO and Intune.
If you do, isolate policy deployment only via Intune for a test on AADJ.
its up to you. if you are on HAADJ and want to use GPO. use all settings from GPO way to deploy.

Acedan 50

klist is empty but debug_cloud appears to tell me the partial TGT is available.

C:\Users\acedan>klist
  Current LogonId is 0:0xa6125
  Cached Tickets: (0)

C:\Users\acedan>klist cloud_debug
  Current LogonId is 0:0xa6125
  Cloud Kerberos Debug info:
  Cloud Kerberos enabled by policy: 0
  AS_REP callback received: 1
  AS_REP callback used: 0
  Cloud Referral TGT present in cache: 0
  SPN oracle configured: 0
  KDC proxy present in cache: 0
  Public Key Credential Present: 1
  Password-derived Keys Present: 0
  Plaintext Password Present: 0
  AS_REP Credential Type: 2
  Cloud Primary (Hybrid logon) TGT available: 1

There is line of sight to the DC as a kerberos ticket is generate if I use a password to gain access to a share. nltest dclocator queries also work correctly.

Acedan 50 Reputation points

2023-06-05T20:28:23.7166667+00:00

No hybrid here, device are Azure AD joined. WHfB deployment (Account protection - Endpoint Security) and CloudTrust (Config profile) configuration via InTune.
Acedan 50 Reputation points

2023-06-05T20:39:34.6866667+00:00

I think the heart of the issue is I'm not getting a Kerberos ticket from the DC because the flag Cloud Trust for onpremise auth policy is enable : No

The custom OMI-URI config policy appears correct and Intune has asays it's successfully applied.

./Device/Vendor/MSFT/PassportForWork/2176ac99-8f15-1212-12e3-7e01b2c3ad45/Policies/UseCloudTrustForOnPremAuth
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-06-12T15:06:30.97+00:00

@acedan

Alright, now we need to find, why Intune policy doesn't apply to the client machines.
You might have already looked. but want to confirm. Did you see registry key created by Intune policy successfully?

for device based policy, Intune uses the following registry keys: **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Policies\PassportForWork\<Tenant-ID>\Device\Policies

Also validate with our Intune setup doc, just make sure, we don't miss any
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust-provision?tabs=intune

Looking forward to hear from you**
Acedan 50 Reputation points

2023-06-13T02:02:18.1566667+00:00

Good Evening Naga!

I spent sometime reviewing Kerberos and the Domain controllers and have found the culprit. Your check "klist" pointed me in the right direction.

The domain controllers in the site have both been renamed. I found an attribute on the domain controllers AD object called msDS-AdditionalDnsHostName that had several entries. With some testing I found that these entries are added when you perform a rename of the server using the netdom computername add function.

Once I cleared all the values from the attributea kerberos ticket was issued immediately, no logouts or reboots requred.

I noticed that when a value appears in the msDS-AdditionalDnsHostName attribute it also registers a corresponding Kerberos SPN in AD. Once it was gone all was happy.

So in the end it really had nothing to do with the Cloud Trust configuration, it was poor AD object maintenance

Marking as Solved! Thanks for all your efforts!
Nagappan Veerappan 651 Reputation points Microsoft Employee

2023-07-03T09:57:27.4533333+00:00

@Acedan - Thank you for sharing. Good to note and it helps future customers.

Answer 2

Patchfox 4,176

Hi Acedan, I want to help you with these questions.

Did you already check out this video?

https://www.youtube.com/watch?v=66I2P6XjTyY&ab_channel=CloudManagement.Community

I might guess that you solve your problem with it.
Check all the steps with your config.
Maybe you forgot something little in the AD part.
Also, verify that the tenant ID and the rest of the OMI URI is correct.

If the reply was helpful, please don’t forget to upvote or accept it as an answer, thank you.

Answer 3

Acedan 50

Thanks for checking in Givary.

I confirmed that the convenience PIN policy is Not Configured.

Domain Contollers are mix of 2016 and 2019 with latest patches

I see the same issue with another machine with the same configuration.

This is a POC and hasn't worked ... yet.

Issue still persists.

More than happy to work with the support team.

Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator

2023-06-06T11:14:53.06+00:00

@Acedan Did a repro in my lab (using Azure AD Joined scenario) and below is the screenshot of OMA-URI Settings & OMA-URI value, validate this in your tenant.

After this still doesn't work, lets connect offline to troubleshoot the same.

Share via

Why is cloud trust for onpremises auth policy set to No

2 additional answers

Your answer