AADSTS501201: Unexpected claim(s) in JWT: client_id,redirect_uri.

Nabil Hamdi 46 Reputation points
2023-07-12T14:52:46.6566667+00:00

Hello,

I have an authentication issue on a Hybrid joined Windows 11 computer.

This is a Citrix VDI where users are automatically signed in to Office apps and Edge.

But when authenticating to Office365 from Edge, they get that outstanding issue right before being prompted for password or anything.

The error code is not referenced at Microsoft.

Also I have no sign-in logs at all in Azure.

Does someone have an idea on where I should start to troubleshoot this?

Thanks in advance.

Microsoft 365
Formerly Office 365, is a line of subscription services offered by Microsoft which adds to and includes the Microsoft Office product line.

Accepted answer
  1. Andrew Sauder 120 Reputation points
    2023-07-13T13:01:36.25+00:00

    We're having the same issue on a few machines. On the computers experiencing the issue, I can confirm:

    • an incognito/private browser window lets the user sign in successfully
    • uninstalling KB5028185 fixes it

    However, at present, not every computer with KB5028185 installed appears to be affected.

    9 people found this answer helpful.

6 additional answers

  1. Jonny Sharp 10 Reputation points
    2023-07-13T09:17:20.7833333+00:00

    I had the same and managed to resolve it.

    I could log in ok with Edge InPrivate but not in my normal user Edge profile, so figured the issue was with the session.

    1. Signed out of Edge browser (icon top right)
    2. Browse to an MS site and log in. I used https://myapplications.microsoft.com/#
    3. Then back to the profile icon in Edge and clicked 'signin to sync'

    It's all good after that.

    If you have the issue with multiple users, a forced sign out of everything might help to resolve.

    2 people found this answer helpful.

  2. Maarten van Ravenstein 5 Reputation points
    2023-07-13T10:41:43.2+00:00

    I tried signing out and logging in. Then enable the sync again. Works for a while but got the same message at some point. Uninstalling KB5028185 fixes it for me.

    1 person found this answer helpful.

  3. UnexpectedReboot 0 Reputation points
    2023-07-19T17:29:22.92+00:00

    We have been able to remedy this after some extensive troubleshooting. We are in a Hybrid environment. We saw a correlation between devices with KB5028185 and also stuck in "Pending" registration in AAD. That led us to the Azure PRT not being able to renew. To remedy this, we unregister the device, delete the device in AAD, sync from our on-prem AD.

    1. We unregister the device in command prompt: dsregcmd /leave
    2. Delete the device in AAD
    3. Sync from our on-prem AD
    4. Wait until the device appears in AAD with the status of pending
    5. Restart the device
    6. Sign into our APP/VPN, (SSO)
    7. If the device does not become registered run the "Automatic Device Join" scheduled task under Microsoft>Windows>Workplace Join
    8. Verify the device has registered
    9. Run dsregcmd /status and check the AzureAdPRT for validity under SSO State.

    After completing these steps, we had no issues with KB5028185 being installed.

    References we used:

    https://learn.microsoft.com/en-us/answers/questions/1161747/hybrid-azure-ad-joined-device-registration-pending

    https://samilamppu.com/2020/01/16/azure-ad-hybrid-device-join-hdj-status-pending/

    https://ulyssesneves.com/2022/06/02/device-registration-investigating-error-message-deviceauthstatus-failed-device-is-either-disabled-or-deleted/

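
The check in step 9 of the answer above (dsregcmd /status, AzureAdPRT under SSO State) can be scripted so that a PRT that exists but is no longer renewing is flagged. This is an added example, not code from the thread: the function name Get-PrtHealth, the 24-hour renewal threshold and the sample output are assumptions constructed for illustration.

```powershell
# Constructed sample of `dsregcmd /status` output (not taken from the thread).
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
              DomainJoined : YES
| SSO State                                                            |
                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-07-01 08:15:02.000 UTC
      AzureAdPrtExpiryTime : 2023-07-15 08:15:02.000 UTC
'@ -split "`r?`n"

function Get-PrtHealth {                    # hypothetical helper name
    param(
        [string[]]$StatusLines,
        [datetime]$Now = [datetime]::UtcNow,
        [int]$MaxRefreshAgeHours = 24       # assumed threshold, tune per environment
    )
    $Now = $Now.ToUniversalTime()
    # Collect "Key : Value" pairs; only the first colon separates key from value.
    $f = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $f[$Matches[1]] = $Matches[2] }
    }
    $toUtc = {
        param($v)
        if (-not $v) { return $null }
        [datetime]::ParseExact(($v -replace '\s*UTC$', ''), 'yyyy-MM-dd HH:mm:ss.fff',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]'AssumeUniversal, AdjustToUniversal')
    }
    $updated = & $toUtc ($f['AzureAdPrtUpdateTime'])
    $expires = & $toUtc ($f['AzureAdPrtExpiryTime'])
    $findings = @()
    if ($f['DomainJoined'] -eq 'YES' -and $f['AzureAdJoined'] -ne 'YES') {
        $findings += 'Domain joined but not Azure AD joined: hybrid registration incomplete'
    }
    if ($f['AzureAdPrt'] -ne 'YES') { $findings += 'No Azure AD PRT present' }
    if ($expires -and ($expires -lt $Now)) { $findings += "PRT expired at $($expires.ToString('u'))" }
    if ($updated -and (($Now - $updated).TotalHours -gt $MaxRefreshAgeHours)) {
        $findings += "PRT last renewed $([math]::Round(($Now - $updated).TotalHours)) h ago"
    }
    [pscustomobject]@{ Healthy = ($findings.Count -eq 0); Findings = $findings }
}

# On a device, in the signed-in user's session: Get-PrtHealth -StatusLines (dsregcmd /status)
$asOf = [datetime]::new(2023, 7, 19, 17, 0, 0, [System.DateTimeKind]::Utc)
Get-PrtHealth -StatusLines $sample -Now $asOf | Format-List
```

The SSO State section reflects the user running the command, so run it as the affected user rather than from an elevated or SYSTEM context.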
