Issue with FIDO2 Security Key Sign-in on Hybrid AD Joined Machine

Mallesh Prabhu 20 Reputation points

Hello Team,

I am encountering an issue with a Hybrid AD joined machine where I am unable to log in using FIDO2 security keys for Windows Hello for Business. Below are the details of the setup:

System Details:

  • Hybrid AD Joined PC: Operating System: Windows 11 Pro
  • On-premises AD and AD Connect server: Operating System: Windows Server 2019

Status of Hybrid Joined Client PC:

  • AzureAdJoined: Yes
  • DomainJoined: Yes
  • Successfully registered in Microsoft Entra ID portal with join type as "Microsoft Entra hybrid joined"

Error Message Received:

  • Error: "Your credentials couldn't be verified" Code: 0xc000005f, 0x0

Please help me fix the above-mentioned error.


Accepted answer
Raja Pothuraju 1,605 Reputation points Microsoft Vendor

Hello @Mallesh Prabhu,

Thank you for posting your query on Microsoft Q&A.

Based on your description, I understand that the user is encountering difficulty when attempting to log on to a Windows device using FIDO2 security key passwordless authentication. An error message is displayed, stating: “Your credentials couldn't be verified. (code: 0xc000005f, 0x0).”

This issue can occur when the user falls under unsupported scenarios mentioned in the following documentation:

Unsupported Scenarios for FIDO2 Security Keys

I would like to highlight one unsupported scenario that I have encountered before in a similar case. Please refer to the screenshot below.

User's image

Please ensure that the FIDO2 security key does not have multiple credentials stored. If it does, try configuring it with only one credential and then check the behavior while logging into the Windows device.

If the issue persists, try running dsregcmd /status on the client machine and check if OnPremTgt and CloudTgt show YES in the SSO state.

Additionally, check the event viewer logs under Applications and Services >> Microsoft >> Windows >> WebAuthN >> Operational and share the information shown in the event viewer log.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

Please Accept the answer if the information helped you. This will help us and others in the community as well.

Raja Pothuraju.
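The accepted answer asks for two pieces of evidence: the join and SSO state from dsregcmd /status, and the WebAuthN Operational event log. The PowerShell below gathers both in one pass. It is an added example, not code from the thread or from Microsoft: the field names AzureAdJoined, DomainJoined, OnPremTgt and CloudTgt and the log name Microsoft-Windows-WebAuthN/Operational are the real ones, while the sample dsregcmd output is constructed so the parser can be exercised on a machine without dsregcmd.

```powershell
# Added example (not from the Q&A thread). Collects the hybrid-join and TGT state
# the accepted answer asks for, then pulls the WebAuthN Operational events.
# Field names and the log name are real; the sample output below is constructed.

function ConvertFrom-DsregcmdStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    # dsregcmd /status prints "Name : Value" rows under section banners like "| SSO State |";
    # banners have no colon and are skipped, everything else lands in an ordered table.
    $status = [ordered]@{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-Fido2SignInPrereqs {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Status)
    # Hybrid join plus both an on-premises and a cloud TGT is the state the answer says to look for.
    $required = 'AzureAdJoined', 'DomainJoined', 'OnPremTgt', 'CloudTgt'
    $result = foreach ($name in $required) {
        [pscustomobject]@{
            Check = $name
            Value = $Status[$name]          # $null when the row is missing entirely
            Ok    = ($Status[$name] -eq 'YES')
        }
    }
    return $result
}

function Get-WebAuthnOperationalEvents {
    param([int]$Newest = 20)
    # Same log the answer points at: Applications and Services > Microsoft > Windows > WebAuthN > Operational.
    Get-WinEvent -LogName 'Microsoft-Windows-WebAuthN/Operational' -MaxEvents $Newest -ErrorAction Stop |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Use live output when dsregcmd is available; otherwise fall back to a constructed sample
# that reproduces the shape of the real output (with OnPremTgt deliberately NO).
if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    $lines = dsregcmd /status
} else {
    $lines = @(
        '| Device State |',
        '             AzureAdJoined : YES',
        '          EnterpriseJoined : NO',
        '              DomainJoined : YES',
        '| SSO State |',
        '                AzureAdPrt : YES',
        '             EnterprisePrt : NO',
        '                 OnPremTgt : NO',
        '                  CloudTgt : YES'
    )
}

$status = ConvertFrom-DsregcmdStatus -Lines $lines
Test-Fido2SignInPrereqs -Status $status | Format-Table -AutoSize

# Any row that is not "YES" is where troubleshooting starts; the WebAuthN events from the
# failed sign-in attempt are what the answer asks to be shared.
try {
    Get-WebAuthnOperationalEvents | Format-List
} catch {
    Write-Warning "Could not read the WebAuthN Operational log: $($_.Exception.Message)"
}
```

Run it in an elevated PowerShell session on the affected client right after a failed FIDO2 sign-in so the event log still holds the relevant entries. With the constructed sample the table flags OnPremTgt as not OK, which is the pattern to look for on a hybrid-joined device that cannot obtain a Kerberos ticket from the on-premises domain controller.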

1 additional answer

Xenia-MSFT 950 Reputation points Microsoft Vendor

@Mallesh Prabhu Thanks for posting in our Q&A.

For this error message, based on my research, this issue may occur because the issuing Certificate Authority (CA) certificate is missing in the NTAuth store of the domain controller and client machine. Please try the steps in the following article:

Hope it will help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
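The second answer points at the NTAuth store. The PowerShell below lists what the enterprise NTAuth store currently contains and checks whether the CA that issued the domain controller's Kerberos Authentication certificate is among the entries; it is meant to be run on both the domain controller and the client, as the answer mentions both. This is an added example, not code from the thread or from Microsoft: the store name and the certutil -enterprise -store NTAuth command are real, while the expected CA name and the sample certutil output are constructed placeholders.

```powershell
# Added example (not from the Q&A thread). Parses "certutil -enterprise -store NTAuth"
# and checks that the issuing CA of the DC's Kerberos Authentication certificate is
# present. The expected CA subject and the sample certutil output are constructed.

function ConvertFrom-CertutilStore {
    param([Parameter(Mandatory)][string[]]$Lines)
    # certutil -store prints one "================ Certificate N ================" block per
    # entry, each with Issuer:, Subject: and Cert Hash(sha1): rows (hash with or without spaces).
    $certs = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^=+\s*Certificate\s+\d+\s*=+$') {
            if ($current) { $certs += $current }
            $current = [ordered]@{ Subject = $null; Issuer = $null; Sha1 = $null }
        } elseif ($current -and $line -match '^\s*Subject:\s*(.+?)\s*$') {
            $current.Subject = $Matches[1]
        } elseif ($current -and $line -match '^\s*Issuer:\s*(.+?)\s*$') {
            $current.Issuer = $Matches[1]
        } elseif ($current -and $line -match '^\s*Cert Hash\(sha1\):\s*([0-9a-fA-F ]+?)\s*$') {
            $current.Sha1 = ($Matches[1] -replace '\s', '').ToUpperInvariant()
        }
    }
    if ($current) { $certs += $current }
    return $certs | ForEach-Object { [pscustomobject]$_ }
}

function Test-NtAuthContainsIssuer {
    param(
        [object[]]$NtAuthCerts = @(),
        [Parameter(Mandatory)][string]$IssuerSubject
    )
    # The issuer of the DC's Kerberos Authentication certificate must appear as a Subject
    # in NTAuth, otherwise the KDC certificate is not trusted for logon.
    return [bool]($NtAuthCerts | Where-Object { $_.Subject -eq $IssuerSubject })
}

# Placeholder: replace with the Issuer of the domain controller's Kerberos Authentication certificate.
$expectedIssuer = 'CN=Contoso Issuing CA, DC=contoso, DC=com'

# Live store on a domain-joined Windows machine; constructed sample elsewhere.
if (Get-Command certutil.exe -ErrorAction SilentlyContinue) {
    $lines = certutil -enterprise -store NTAuth
} else {
    $lines = @(
        'NTAuth',
        '================ Certificate 0 ================',
        'Serial Number: 1a2b3c4d',
        'Issuer: CN=Contoso Root CA, DC=contoso, DC=com',
        ' NotBefore: 1/1/2023 12:00 AM',
        ' NotAfter: 1/1/2033 12:00 AM',
        'Subject: CN=Contoso Root CA, DC=contoso, DC=com',
        'Cert Hash(sha1): 01 23 45 67 89 ab cd ef 01 23 45 67 89 ab cd ef 01 23 45 67',
        'CertUtil: -store command completed successfully.'
    )
}

$ntauth = @(ConvertFrom-CertutilStore -Lines $lines)
$ntauth | Format-Table Subject, Sha1 -AutoSize

if (Test-NtAuthContainsIssuer -NtAuthCerts $ntauth -IssuerSubject $expectedIssuer) {
    "NTAuth contains '$expectedIssuer'."
} else {
    Write-Warning "NTAuth does not contain '$expectedIssuer'. Publish the issuing CA certificate to NTAuth as the referenced article describes, then re-check on both the DC and the client."
}
```

With the constructed sample only the root CA is published, so the check warns that the issuing CA is absent; that mismatch between the DC certificate's issuer and the NTAuth contents is exactly the condition the answer describes. Comparing the client's output with the domain controller's shows whether the client simply has a stale cached copy of the store.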