How to properly configure SSO using WHFB Hybrid Key Trust?

Hamato Yoshi 5 Reputation points

I am trying to configure SSO to on-premise resources using Windows Hello For Business Hybrid Key Trust from AADJ devices with LOS from either being in the office or using a VPN.

I have updated my DC certificate template, revoked existing and reissued new DC Certs as per the documentation here. I've also included an http CDP in the CA and confirmed this is reachable from my client. The root CA cert has been deployed to AADJ devices from Intune.

I did have some issues obtaining the PRT from ADFS but after some extensive troubleshooting, I can now run dsregcmd /status to confirm I have both the AzureAD and Enterprise PRT (full output with sanitized name and domain below).

When I try to access an on-premise resource (UNC path to SYSVOL in Explorer) I am prompted for my WHFB PIN and also get the pop-up 'Windows needs your current credentials'. At this point I see Event 11 from Security-Kerberos with the message 'The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator.' I did read up on this and found some advice to include the fully distinguished name in the subject of my KDC cert (which I have done). What's confusing me is that this error seems to point to an issue with a client-side certificate?

Also not sure if relevant but I do consistently see Event 40960 from LSA with the text 'The Security System detected an authentication error for the server cifs/ The failure code from authentication protocol Kerberos was "The request is not supported. (0xc00000bb)"' whenever I replicate the issue.

Hoping someone here can help me or at least point me in the right direction. I am considering abandoning this and pursuing Cloud Kerberos Trust instead.

PS C:\Users\myname> dsregcmd /status

| Device State                                                         |

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           Virtual Desktop : NOT SET
               Device Name : soit-62YCVV3

| Device Details                                                       |

                  DeviceId : 0c6ce691-01de-4efe-b55a-b920a94ed136
                Thumbprint : 6532E8F9AC349634012CCAA6CFD899B488600FA6
 DeviceCertificateValidity : [ 2023-05-11 07:49:45.000 UTC -- 2033-05-11 08:19:45.000 UTC ]
            KeyContainerId : 40cb21b1-22e3-4da9-826b-07034f7f9aac
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

| Tenant Details                                                       |

                TenantName : Smartodds
                  TenantId : 5668021c-34de-4215-a3e7-7791e4b6d504
               AuthCodeUrl :
            AccessTokenUrl :
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
            JoinSrvVersion : 2.0
                JoinSrvUrl :
                 JoinSrvId :
             KeySrvVersion : 1.0
                 KeySrvUrl :
                  KeySrvId :
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl :
             WebAuthNSrvId :
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl :
     DeviceManagementSrvId :

| User State                                                           |

                    NgcSet : YES
                  NgcKeyId : {91130D91-CCF4-473C-A063-0A6100841E66}
                  CanReset : DestructiveOnly
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId :
            WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

| SSO State                                                            |

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-05-30 14:22:39.000 UTC
      AzureAdPrtExpiryTime : 2023-06-13 14:22:38.000 UTC
       AzureAdPrtAuthority :
             EnterprisePrt : YES
   EnterprisePrtUpdateTime : 2023-05-30 14:22:40.000 UTC
   EnterprisePrtExpiryTime : 2023-06-13 14:22:40.000 UTC
    EnterprisePrtAuthority :
                 OnPremTgt : NO
                  CloudTgt : YES
         KerbTopLevelNames :,,,,,

| Diagnostic Data                                                      |

        AadRecoveryEnabled : NO
    Executing Account Name : mydomain\myname,
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NONE

| IE Proxy Config for Current User                                     |

      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

| WinHttp Default Proxy Config                                         |

               Access Type : DIRECT


1 answer

  1. Nagappan Veerappan 651 Reputation points Microsoft Employee

    @Hamato Yoshi

    When it comes to accessing an on-prem resource from an AADJ machine, the client has no way to trust your domain name to query unless it is explicitly specified on the KDC certificate of the domain controller. It's derived from the "Domain Controller" cert template. If the subject doesn't have a Distinguished Name (DN), then at least Subject Alternative Names (SAN) mentioning the domain's FQDN work.

    You won't face this problem on any hybrid domain joined machines.

    This is already documented as a known issue. It most commonly happens with third-party CA-issued certs for DCs, which tend to miss the on-premise domain name on the certs.

    Hope this helps

    Nagappan V

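As an added example (not code from the question or the answer above), the following PowerShell check, run in an elevated session on a domain controller, inspects every certificate in the machine store that carries the KDC Authentication EKU and reports the three properties this thread turns on: the domain's DN in the Subject, the domain FQDN as a DNS name in the SAN, and an http CRL distribution point. The domain name (taken from `$env:USERDNSDOMAIN` by default), the store path and the output field names are assumptions; the OIDs are the standard ones for those extensions.

```powershell
# Added example: audit KDC certificates on a DC for the fields a non-domain-joined
# (AADJ) client needs in order to map the certificate to the right domain.
# Assumptions: run elevated on the DC; $DomainFqdn is the AD domain's DNS name.
param(
    [string]$DomainFqdn = $env:USERDNSDOMAIN   # assumption: runs as a domain user on the DC
)

$kdcAuthEku = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU
$sanOid     = '2.5.29.17'         # Subject Alternative Name
$cdpOid     = '2.5.29.31'         # CRL Distribution Points

# DN form of the domain (e.g. corp.example.com -> DC=corp,DC=example,DC=com),
# used to test whether the Subject carries the domain's distinguished name.
$domainDn = ($DomainFqdn.Split('.') | ForEach-Object { "DC=$_" }) -join ','

function Test-KdcCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DomainFqdn,
        [string]$DomainDn
    )

    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }

    # Format($true) renders the extension as one entry per line, e.g.
    # "DNS Name=corp.example.com" or "URL=http://pki.example.com/crl/corp.crl"
    $sanText = if ($san) { $san.Format($true) } else { '' }
    $cdpText = if ($cdp) { $cdp.Format($true) } else { '' }

    $result = [pscustomobject]@{
        Thumbprint         = $Cert.Thumbprint
        Subject            = $Cert.Subject
        NotAfter           = $Cert.NotAfter
        SubjectHasDomainDn = [bool]($Cert.Subject -match [regex]::Escape($DomainDn))
        SanHasDomainFqdn   = [bool]($sanText -match "DNS Name=$([regex]::Escape($DomainFqdn))\s*(\r|\n|$)")
        HasHttpCdp         = [bool]($cdpText -match 'http://')
        Issues             = @()
    }

    # A client that is not domain joined needs either the DN or the domain FQDN
    # to identify the domain; an http CDP lets it check revocation without LDAP.
    if (-not ($result.SubjectHasDomainDn -or $result.SanHasDomainFqdn)) {
        $result.Issues += "Neither Subject DN nor SAN names the domain $DomainFqdn"
    }
    if (-not $result.HasHttpCdp) {
        $result.Issues += 'No http:// CRL distribution point'
    }
    if ($Cert.NotAfter -lt (Get-Date)) {
        $result.Issues += 'Certificate has expired'
    }
    return $result
}

# Select certificates whose EKU extension lists KDC Authentication.
$kdcCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $eku = $_.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $eku -and ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $kdcAuthEku
}

if (-not $kdcCerts) {
    Write-Warning "No certificate with the KDC Authentication EKU found in Cert:\LocalMachine\My"
    return
}

$report = foreach ($c in $kdcCerts) { Test-KdcCertificate -Cert $c -DomainFqdn $DomainFqdn -DomainDn $domainDn }

$report | Format-List Thumbprint, Subject, NotAfter, SubjectHasDomainDn, SanHasDomainFqdn, HasHttpCdp, Issues

# Exit non-zero when no KDC certificate satisfies all checks, so the script can
# be used as a gate after reissuing DC certificates from an updated template.
if (-not ($report | Where-Object { $_.Issues.Count -eq 0 })) { exit 1 }
```

Run this on each DC after reissuing certificates; a certificate with an empty `Issues` list has the domain identification the answer describes, and the thumbprint in the report can be compared against the certificate the KDC actually presents to a client.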