Windows Hello for Business on-premises deployment error MSIS9426 on Windows Server 2022

wg eco 5 Reputation points
2023-06-21T03:10:39.43+00:00

Hi

We deployed on-premises cert-trust WHFB on Windows Server 2022 by following the MS guide https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust

But when we log in with an AD user on the client, WHFB is not provisioned.

Then we found below error on server.

Note: we have already added the 'ugs' scope mentioned in the MS document:

    # Look up the AD FS application permission for the Windows Hello for Business client
    # (client role ID from the MS guide) against the self-scope server role identifier
    $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
    # Grant the 'ugs' scope on that permission object
    Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'

How to solve this issue please?



Encountered error during OAuth token request. 

Additional Data 

Exception details: 
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthJWTBearerException: MSIS9426: Received invalid OAuth JWT Bearer request. The JWT Bearer payload must contain 'scope'.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateJWTBearer()
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()
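The check a practitioner would run on the AD FS server before retrying provisioning, as an added example written for this page (it is not code from the original post or from the Microsoft guide): it confirms that the 'ugs' scope description exists, locates the Windows Hello for Business client's application permission, grants the scope only if it is actually missing, and then lists recent MSIS9426 events so a fresh client attempt can be correlated with the change. It assumes an elevated PowerShell session on the primary AD FS server (Windows Server 2016 or later) with the ADFS module available, reuses the client and server identifiers quoted in the question, and the scope description text is an assumption.

```powershell
# Added example (not from the original post): verify, and if needed repair,
# the 'ugs' scope grant that MSIS9426 complains about.
# Assumptions: elevated session on the primary AD FS server; ADFS module present;
# identifiers below are the ones quoted in the Microsoft cert-trust guide.

Import-Module ADFS -ErrorAction Stop

$clientId  = '38aa3b87-a06d-4817-b275-7a316988d93b'   # Windows Hello for Business client role
$serverId  = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope'
$scopeName = 'ugs'

# 1. A scope can only be granted if its scope description exists.
$scope = Get-AdfsScopeDescription -Name $scopeName -ErrorAction SilentlyContinue
if (-not $scope) {
    Write-Warning "Scope description '$scopeName' does not exist; creating it."
    # Description text is an assumption; only the Name matters for the grant.
    Add-AdfsScopeDescription -Name $scopeName -Description 'Unlimited Global Scope'
}

# 2. Find the permission object for the WHFB client against the self-scope server role.
function Get-WhfbPermission {
    Get-AdfsApplicationPermission -ServerRoleIdentifiers $serverId |
        Where-Object { $_.ClientRoleIdentifier -eq $clientId }
}

$perm = Get-WhfbPermission
if (-not $perm) {
    throw "No application permission found for client '$clientId' on '$serverId'. " +
          "The WHFB client registration from the guide is missing; re-run that step first."
}

# 3. Grant 'ugs' only if it is not already in the permission's scope list.
if ($perm.ScopeNames -contains $scopeName) {
    Write-Host "OK: '$scopeName' already granted on $($perm.ObjectIdentifier)."
} else {
    Write-Warning "'$scopeName' is not granted; granting it now."
    Set-AdfsApplicationPermission -TargetIdentifier $perm.ObjectIdentifier -AddScope $scopeName
    $perm = Get-WhfbPermission
    if ($perm.ScopeNames -notcontains $scopeName) { throw "Granting '$scopeName' failed." }
    Write-Host "Granted. Scopes now: $($perm.ScopeNames -join ', ')"
}

# 4. Surface recent MSIS9426 events (filtered on message text, not on an event ID)
#    so the next client provisioning attempt can be checked against them.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS9426' } |
    Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

In a farm backed by the Windows Internal Database, make the change on the primary server; secondaries pick it up on their next configuration sync. If the script reports that 'ugs' was already granted and MSIS9426 still appears, the missing scope is not the cause and the token request itself (the client-side `dsregcmd /status` prerequisites and the AD FS debug trace) is the next thing to examine.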



5 answers

  1. Limitless Technology 44,711 Reputation points
    2023-06-21T12:34:21.6+00:00

    Hello,

    Thank you for your question and for reaching out with your question today.

    The error you're encountering indicates that the OAuth JWT Bearer request is missing the required 'scope' in the payload. This error typically occurs when there is a misconfiguration or missing configuration related to the 'scope' parameter.

    To solve this issue, you can try the following steps:

    1. Ensure that you have correctly configured the required 'scope' parameter for your application in the Active Directory Federation Services (AD FS) relying party trust settings.
    2. Verify that the 'scope' value specified in your AD FS relying party trust matches the 'scope' value expected by the client application. Make sure they are identical.
    3. Double-check the configuration of your on-premises certificate trust for Windows Hello for Business (WHFB) deployment. Follow the Microsoft guide (https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust) again carefully, ensuring that all the steps are correctly followed, including the configuration of permissions and scopes.
    4. If you've already followed the Microsoft guide but are still experiencing the issue, consider reviewing the permissions and scopes configured for the application in AD FS. Ensure that the 'scope' is properly defined and associated with the application.

    By following these steps and ensuring the correct configuration of 'scope' parameters and permissions, you should be able to resolve the error and successfully provision Windows Hello for Business (WHFB) when logging in with an AD user on the client.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.


  2. morrisosu 0 Reputation points
    2023-07-13T19:25:32.4566667+00:00

    @wg eco Any luck on this one? The posted response from Limitless Tech above is not helpful in this situation.


  3. C. Eckart 20 Reputation points
    2023-08-27T16:14:43.3766667+00:00

    Hello,

    Is there any info or solution for this? I am also struggling with this error.

    thanks


  4. Paessens, Daniel 0 Reputation points
    2023-09-01T11:25:12.1433333+00:00

    Hello,

    Having the same issue over here, but still no solution. Do you have any update?

    Thx,

    Daniel


  5. Q.G. van der Meer 0 Reputation points
    2024-11-29T15:52:26.08+00:00

    We are experiencing the same error in which we want to onboard windows 11 clients to Microsoft Intune and while running the command dsregcmd /join and then dsregcmd /status we get "MSIS9701: Received invalid OAuth JWT Bearer request. Error occured while processing grant_type information from the JWT Bearer payload."

    The output of the prerequisite check looks fine:

    +----------------------------------------------------------------------+
    | Ngc Prerequisite Check |
    +----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : YES
          PostLogonEnabled : NO
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : none
              PreReqResult : WillProvision
