Issue with FIDO2 Security Key Sign-in on Hybrid AD Joined Machine

Deepu K 0 Reputation points
2024-03-25T18:23:28.19+00:00

Hello Team,

I am encountering an issue with a Hybrid AD joined machine where I am unable to log in using FIDO2 security keys for Windows Hello for Business. Below are the details of the setup:

System Details:

__A. Hybrid AD Joined PC__:

-   Operating System: Windows 11 version 23H2 (OS build 22631.3296)

__B. On-premises AD and AD Connect Server__:

-   Operating System: Windows Server 2016 version 1607 (OS build 14393.6796)

__Status of Hybrid Joined Client PC:__

1. AzureAdJoined: Yes

2. DomainJoined: Yes

3. Successfully registered in the Microsoft Entra ID portal with join type "Microsoft Entra hybrid joined"

__Error Message Received on Hybrid Joined Client PC:__

- Error: "Your credentials couldn't be verified" Code: 0xc000005f, 0x0

Please help me fix the above-mentioned error.  
Please find attached screenshots for your reference.  
[Hybrid-cl-status-ok-01.jpg](/api/attachments/c0b34fac-1501-4f92-812a-52281cc22bb2?platform=QnA)

[Hybrid-01.jpg](/api/attachments/809db5fa-b313-43d9-9c8d-b34703d8f04e?platform=QnA)  
[HybridJoinedClientPC-Error.jpeg](/api/attachments/1eca72f3-b5e1-45e9-bd95-768cd6e09da4?platform=QnA)

2 answers
  1. (Deleted answer)

  2. Sandeep G-MSFT 14,486 Reputation points Microsoft Employee
    2024-04-12T03:32:06.1866667+00:00

    @Deepu K

    Worked offline; while investigating the issue, I noticed that the users who were unable to authenticate using FIDO had sync errors during the sync cycle on the Entra Connect server.

    Below is a summary of the troubleshooting we performed:

    Issue: Getting a "duplicate attribute" error in AD Connect.

    Solution:

    We found that you were getting error messages in AD Connect regarding a "duplicate attribute" for proxy address.

    This means the on-premises object that is trying to sync to Azure with a specific proxy address value is colliding with that value, which is already stamped on another object in Azure AD.

    To fix this issue, we had to match the on-premises object with the Azure AD object.

    Follow the steps below to fix the issue:

    • Open Windows PowerShell as administrator on any machine.
    • Run "Connect-MsolService" (enter Global Administrator credentials).
    • Run "Set-MsolDirSyncEnabled -EnableDirSync $false".
    • Run "Set-MsolUser -UserPrincipalName <UPN of user in Azure AD> -ImmutableId "$null"".
    • You can use the script below to set a null value for users in bulk.

    Remove the Immutable ID of all the bulk users that need to become cloud-only:

    ```powershell
    # Requires the MSOnline module and an existing Connect-MsolService session.
    # file.csv needs a "UserPrincipalName" column header.
    $Filepath = "$env:USERPROFILE\Desktop\file.csv"
    $csv = Import-Csv -Path $Filepath

    $immutableID = $null

    foreach ($user in $csv) {
        # Clearing ImmutableId breaks the hard match and leaves a cloud-only object
        Set-MsolUser -UserPrincipalName $user.UserPrincipalName -ImmutableId $immutableID
    }
    ```

    NOTE: Try the above script in a lab environment before running it in your production environment.

    • Once you have set the Immutable ID value to null, on the on-premises DC move the user accounts to a non-sync OU (an OU that is not synced to Azure AD by AD Connect).
    • This will delete the user entry from AD Connect.
    • Once this is done, sign in to the Azure AD portal and make sure you remove any roles assigned to the users in Azure AD. As per the document below, AD Connect will not link the on-premises account with the Azure AD account if an admin role is assigned to the user account in Azure AD. https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/tshoot-connect-sync-errors#existing-admin-role-conflict
    • Enable sync in the Azure AD tenant with "Set-MsolDirSyncEnabled -EnableDirSync $true".
    • Move the user account back to a sync-scoped OU on the on-premises DC.
    • Initiate a delta sync on the AD Connect server by running: Start-ADSyncSyncCycle -PolicyType Delta
    • This will link your on-premises accounts with the Azure AD accounts and you will not see the error anymore.

    Please remember to "Accept Answer" if the answer helped, so that others in the community facing similar issues can easily find the solution.
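As an added example (not part of the original thread or of Microsoft's own tooling), the PowerShell below does the two checks a practitioner would want around the procedure in the answer above, and runs offline on constructed data: it finds proxyAddress values claimed by more than one on-premises object (the "duplicate attribute" export error), and it computes and compares the ImmutableId so the hard match can be confirmed after the delta sync rather than assumed. The function names, the contoso.com users and their GUIDs are my own; it assumes the default Entra Connect source anchor (objectGUID, or ms-DS-ConsistencyGuid seeded from it), where the cloud ImmutableId is the Base64 encoding of the on-premises GUID's 16 raw bytes.

```powershell
# Added example, not code from the original thread. Offline pre-checks for the
# two things the answer above revolves around: proxyAddress values claimed by
# more than one object (the "duplicate attribute" export error) and whether a
# cloud object's ImmutableId still hard-matches the on-premises objectGUID.
# Assumes the default Entra Connect source anchor (objectGUID, or
# ms-DS-ConsistencyGuid seeded from it). Sample users below are constructed;
# in a real run feed in "Get-ADUser -Filter * -Properties proxyAddresses" output.

function ConvertTo-ImmutableId {
    # ImmutableId / sourceAnchor = Base64 of the GUID's 16 raw bytes
    param([Parameter(Mandatory)][guid] $ObjectGuid)
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    # Reverse mapping: which on-premises objectGUID a cloud object points at
    param([Parameter(Mandatory)][string] $ImmutableId)
    [guid]::new([Convert]::FromBase64String($ImmutableId))
}

function Find-DuplicateProxyAddress {
    # Emits one row per address that is claimed by more than one object
    param([Parameter(Mandatory)][object[]] $Users)
    $owners = @{}
    foreach ($u in $Users) {
        # Drop the "SMTP:"/"smtp:" type prefix and normalise case: the prefix only
        # marks primary vs. secondary, and the same address on two objects still collides.
        $addrs = @($u.proxyAddresses) |
            ForEach-Object { ($_ -replace '^[^:]+:', '').ToLowerInvariant() } |
            Select-Object -Unique
        foreach ($a in $addrs) {
            if (-not $owners.ContainsKey($a)) {
                $owners[$a] = [System.Collections.Generic.List[string]]::new()
            }
            $owners[$a].Add($u.UserPrincipalName)
        }
    }
    foreach ($entry in $owners.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{ ProxyAddress = $entry.Key; ClaimedBy = ($entry.Value -join ', ') }
        }
    }
}

function Test-HardMatch {
    # Matched   : cloud object is linked to this on-premises object
    # CloudOnly : ImmutableId is empty (what the answer's Set-MsolUser step produces)
    # Mismatch  : linked to a different on-premises object; a soft match on UPN or
    #             proxyAddress will not repair this, the anchor has to be cleared first
    param(
        [Parameter(Mandatory)][guid] $OnPremObjectGuid,
        [Parameter(Mandatory)][AllowEmptyString()][string] $CloudImmutableId
    )
    if ([string]::IsNullOrEmpty($CloudImmutableId)) { return 'CloudOnly' }
    # Base64 is case-sensitive, so compare with -ceq rather than the default -eq
    if ((ConvertTo-ImmutableId $OnPremObjectGuid) -ceq $CloudImmutableId) { return 'Matched' }
    return 'Mismatch'
}

# --- constructed sample data for a hypothetical contoso.com tenant ---
$onPrem = @(
    [pscustomobject]@{
        UserPrincipalName = 'alice@contoso.com'
        ObjectGUID        = [guid]'5d2b1a3c-7e4f-4b8a-9c1d-0e2f3a4b5c6d'
        proxyAddresses    = @('SMTP:alice@contoso.com', 'smtp:alice.k@contoso.com')
    },
    [pscustomobject]@{
        UserPrincipalName = 'bob@contoso.com'
        ObjectGUID        = [guid]'a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d'
        # Bob also carries alice.k@ -> this is the "duplicate attribute" case
        proxyAddresses    = @('SMTP:bob@contoso.com', 'smtp:alice.k@contoso.com')
    }
)

# What the cloud side currently holds (constructed): Alice linked, Bob already cleared
$cloudImmutableId = @{
    'alice@contoso.com' = ConvertTo-ImmutableId $onPrem[0].ObjectGUID
    'bob@contoso.com'   = ''
}

# 1) Which addresses would fail export with a duplicate-attribute error
Find-DuplicateProxyAddress -Users $onPrem | Format-Table -AutoSize

# 2) Hard-match state per user
foreach ($u in $onPrem) {
    '{0,-20} {1}' -f $u.UserPrincipalName, (Test-HardMatch $u.ObjectGUID $cloudImmutableId[$u.UserPrincipalName])
}

# 3) Round-trip check on the anchor encoding
(ConvertFrom-ImmutableId (ConvertTo-ImmutableId $onPrem[0].ObjectGUID)) -eq $onPrem[0].ObjectGUID
```

Run the duplicate check against the full on-premises user set before re-enabling DirSync: every collision it reports has to be resolved in AD (remove the stray smtp: entry from one object) or the next export will fail the same way regardless of what was done to the ImmutableId. After the delta sync, replace the constructed `$cloudImmutableId` table with the ImmutableId values read back from the tenant and expect `Matched` for every account that was moved back into the sync scope; `CloudOnly` at that point means the object was never re-linked.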