SSO is not working on Windows Hello for Business

HK G 516 Reputation points
2023-07-13T23:57:11.93+00:00

We configured Windows Hello for Business in our tenant using Intune policy and the cloud trust model (Kerberos). The PIN/biometric login is working fine; however, SSO to Microsoft 365 resources is not working as expected. After logging into the device using WHfB, I am still prompted for authentication (credentials and MFA) when accessing office.com in the Edge browser. My understanding is that Azure AD will issue a PRT (primary refresh token) once you log in successfully and can then perform SSO for Microsoft applications. But that didn't seem to happen. We use ADFS for on-premises/cloud applications, and the device registration service is not enabled on the ADFS servers. I don't think this is related, but I could be wrong. I would like some insight on this if possible.

Thanks

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Intune | Other

2 answers

  1. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-07-14T07:56:24.67+00:00

    @HK G Thank you for reaching out to us. To troubleshoot the SSO issue after configuring WHfB via Intune (cloud trust model), I would start investigating by capturing the dsregcmd /status output; detailed information on how to debug the output is provided here: https://learn.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-device-dsregcmd

    Do check the following -

    Run dsregcmd.exe /status and verify that OnPremTgt and CloudTgt are both YES.

    In Kerberos authentication, a Ticket Granting Ticket (TGT) is a user authentication token issued by the Key Distribution Center (KDC) that is used to request access tokens from the Ticket Granting Service (TGS) for specific resources/systems joined to the domain.

    Let me know if you have any further questions; feel free to post back. If you want to connect offline, send us an email at azcommunity [at] microsoft [dot] com referencing this issue, with the subject line "ATTN:Givary" and a link to this post.


  2. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2023-07-17T01:10:41.2466667+00:00

    @HK G

    You are right. To start with, check that dsregcmd /status shows a PRT. If it is a first-time user, make sure Edge is set to auto sign-in with your work account, or sign in manually once; after that it will start working from the PRT. If you still need help, feel free to reach out to Microsoft support.

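Both answers above come down to reading dsregcmd /status by eye. The PowerShell below is an added example, not code from this thread or from Microsoft: it parses that output and reports the SSO-related fields in one table. The OnPremTgt and CloudTgt checks come from the answers; the other field names (AzureAdJoined, AzureAdPrt, NgcSet) are assumed from the standard dsregcmd output, and the embedded sample block is constructed to resemble the poster's symptom.

```powershell
# Added example: turn "dsregcmd /status" into a pass/fail table for WHfB cloud Kerberos trust SSO.
function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        # Data lines look like "   AzureAdPrt : YES"; box borders and headers have no "Name : Value".
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    return $state
}

function Test-WhfbSsoState {
    param([Parameter(Mandatory)][hashtable]$State)
    # Expected values; a mismatch is a likely cause of the re-prompt in the question.
    # Field names other than OnPremTgt/CloudTgt are assumed from the documented dsregcmd output.
    $expected = [ordered]@{
        AzureAdJoined = 'YES'   # device is Azure AD joined or hybrid joined
        AzureAdPrt    = 'YES'   # the PRT that Edge/WAM uses for SSO
        NgcSet        = 'YES'   # WHfB key is provisioned for this user
        OnPremTgt     = 'YES'   # cloud Kerberos trust: on-prem TGT obtained
        CloudTgt      = 'YES'   # cloud Kerberos trust: cloud TGT obtained
    }
    foreach ($key in $expected.Keys) {
        $actual = if ($State.ContainsKey($key)) { $State[$key] } else { '<missing>' }
        [pscustomobject]@{
            Field    = $key
            Expected = $expected[$key]
            Actual   = $actual
            Ok       = ($actual -eq $expected[$key])
        }
    }
}

# Constructed sample: WHfB key is set, but no PRT and no TGTs, so SSO cannot work.
$sample = @'
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
                AzureAdPrt : NO
                 OnPremTgt : NO
                  CloudTgt : NO
                    NgcSet : YES
'@ -split "`r?`n"

# On a real device replace $sample with: (dsregcmd /status)
$report = Test-WhfbSsoState -State (ConvertFrom-DsregStatus -Lines $sample)
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Ok }) { Write-Warning 'SSO prerequisites missing; see rows with Ok = False.' }
```

Run it in the signed-in user's session, not an elevated one, because dsregcmd reports the PRT state of the calling user.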
