Intune 802.1x error 0x90090304

LEFEBVRE Francois 5 Reputation points
2024-04-08T14:12:54.8833333+00:00

Hello,

We deploy SCEP device certificates from Intune.

On my test computer (Win11 23H2), all is OK.

But on prod computers (Win11 23H2): wired authentication failed... see picture attached.

Error code: 0x90090304

Reason: 0x50005

In our RADIUS: only 7 bytes are sent for the certificate.

The config seems OK, same check, fields....

Thank you for your help


3 answers

  1. LEFEBVRE Francois 5 Reputation points
    2024-04-09T11:56:35.8033333+00:00

    Hello,

    You are right, it's not an Intune problem.

    I found what's wrong: I had to remove things in regedit:

    Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003

    Delete the following values:

    RSAE-PSS/SHA256 RSAE-PSS/SHA384 RSAE-PSS/SHA512

    Now it's working, so I had to understand why is the problem :)


  2. Crystal-MSFT 48,766 Reputation points Microsoft Vendor
    2024-04-09T01:59:41.1666667+00:00

    @LEFEBVRE Francois, Thanks for posting in Q&A. From your description, I know the SCEP certificate deployed to the test computer is working, but on prod computers with the same Windows version it is not working. It seems the certificates can be deployed to the devices successfully. So the issue is not on the Intune side, I think.

    After researching, I found someone saying that some Windows 11 updates may break authentication with RADIUS. You can check the updates installed on the working and non-working devices to confirm.

    For the error code, after researching, I didn't find the reason for it. I suggest you contact RADIUS support to look into the reason for this error code.

    https://support.microsoft.com/en-us/topic/global-customer-service-phone-numbers-c0389ade-5640-e588-8b0e-28de8afeb3f2

    Hope the above information can give you some help.



  3. Crystal-MSFT 48,766 Reputation points Microsoft Vendor
    2024-04-10T02:01:37.67+00:00

    @LEFEBVRE Francois, Thanks for the update. I am glad the issue is resolved. For the registry key you modified, based on my research, I found that the value of the registry key affects TLS 1.2. The data in the Functions value refers to the signature/hash combinations that are supported on TLS 1.2 certificate chains (excluding the root) as well as the signature/hash combinations that can be used when signing TLS 1.2 messages such as the ServerKeyExchange message and the CertificateVerify message.

    https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/more-speaking-in-ciphers-and-other-enigmatic-tongues-with-a/ba-p/4047491

    Based on my understanding, it can be that the above signature/hash combinations are not supported in your RADIUS authentication with TLS. So when you remove them it works. This is one aspect I am not familiar with. If you want to know this in depth, I think you may contact Windows or RADIUS support to get more information.

    Meanwhile, to help others who have the same issue to find the solution quickly, please let me write a summary for this issue.

    Issue:

    Prod computers (Win11 23H2): wired authentication failed with RADIUS server using SCEP certificate deployed via Intune.

    Error code: 0x90090304

    Reason: 0x50005

    Resolution:

    User's image

    Thanks for your time and have a nice day!


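An added example, not part of the thread or of any Microsoft tooling: a PowerShell sketch that audits the `Functions` value under the key named in the first answer, and removes the three RSAE-PSS entries only after exporting a backup. The function names and the backup location are assumptions made for illustration; the key path, the value name and the three entries come from the answers above.

```powershell
# Added example. Run in an elevated session; the change is machine-wide.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010003'
$Target  = 'RSAE-PSS/SHA256', 'RSAE-PSS/SHA384', 'RSAE-PSS/SHA512'

function Get-SchannelSignatureList {   # hypothetical helper name
    # Returns the entries of the Functions multi-string value, in stored order.
    param([string]$Path = $KeyPath)
    [string[]](Get-ItemProperty -Path $Path -Name Functions -ErrorAction Stop).Functions
}

function Remove-RsaePssEntries {       # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Path = $KeyPath,
        # Assumed backup location; point it somewhere you retain.
        [string]$BackupFile = "$env:TEMP\ssl-00010003-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
    )
    $current = Get-SchannelSignatureList -Path $Path
    $present = @($current | Where-Object { $_ -in $Target })
    if ($present.Count -eq 0) {
        Write-Output 'No RSAE-PSS entries present; nothing to change.'
        return
    }
    $kept = [string[]]@($current | Where-Object { $_ -notin $Target })
    if ($PSCmdlet.ShouldProcess($Path, "Remove $($present -join ', ')")) {
        # reg.exe expects the native key name, not the PowerShell drive form.
        $native = $Path -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
        & reg.exe export $native $BackupFile /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup failed; registry left unchanged.' }
        Set-ItemProperty -Path $Path -Name Functions -Value $kept -Type MultiString
        Write-Output "Removed: $($present -join ', '). Backup: $BackupFile"
    }
}

# Audit: list every entry and flag the ones named in the thread.
$list = Get-SchannelSignatureList
for ($i = 0; $i -lt $list.Count; $i++) {
    [pscustomobject]@{
        Index         = $i
        Algorithm     = $list[$i]
        NamedInThread = $list[$i] -in $Target
    }
}

# Preview the change without writing anything; drop -WhatIf to apply it.
Remove-RsaePssEntries -WhatIf
```

Running the audit loop on a working and a failing machine and comparing the two lists shows whether the `Functions` value is what differs between them before anything is changed.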
