Hello!
Deployed the Windows Hello Hybrid Azure AD infrastructure joined with Key Trust.
Any user in the on-premises enterprise AD environment sets a PIN code, generates a key that is recorded in Azure AD, after 30 minutes, Azure AD Connect synchronizes the data and adds a new key to the attribute msDS-KeyCredentialLink user account. As it turned out, the msDS-KeyCredentialLink attribute is an array ... In the course of normal work, for unknown reasons, the user when trying to unlock the computer can not log in (about a month has passed), because the message on the screen "That option is temporarily unavailable". It turns out that the client program generated a new key (the user did not change the PIN code), passed it to Azure AD, and only after the next synchronization of Azure AD Connect, the user will be able to log in! And synchronization can be at least 30 minutes! I.e. the work is paralyzed for up to 30 minutes! And the msDS-KeyCredentialLink attribute in the local AD does not replace the key with a new one, but adds a new one to the array!
Question: why does automatic key generation occur (without the user's knowledge)? why store old keys in the msDS-KeyCredentialLink attribute? How can I avoid downtime if the minimum threshold for Azure AD Connect synchronization can only be set to 30 minutes? When using the Certificate Trust model, the key will not be stored in the msDS-KeyCredentialLink attribute, and this problem can be avoided?
Some details:
PIN-code was established relatively long ago (about a month ago), the computer is running Outlook and Teams, in the morning as usual the user entered PIN-code in the process (today 22.12.2020) it was noticed that Outlook asks to enter an additional password (usually this is not normally a problem with authentication), an attempt was made to lock the computer at 12:15 and discovered this feature described in the question.
but! After 3 hours, history repeats itself! There is no suspicious activity in the Windows security log! Where can I track activity? Is there a problem on the Azure AD Connect side?
More additional information
17:07 the entrance!
The msDS-KeyCredentialLink attribute of the user in local AD contains 4 keys - successful login!
The msDS-KeyCredentialLink attribute contains 3 keys. Access to network resources is not possible, login to the computer is not possible by pin-code.
17:24 appeared 4 the certificate! synchronization took place at 17: 22: 39!
Access to network resources works! I can enter by pin-code.
The msDS-KeyCredentialLink attribute again contains 3 keys ... no one except MSOL_4d60xxx has accessed the attribute! Replica not working correctly between the local domains?!
using-whfbtools-powershell-module-for-cleaning-up-orphaned-windows-hel Got a list of keys from Azure AD, they were all created in November ... it is strange that something started to fail ...
UPDATE
It was the second day of analysis ...
23.12.2020 the second user had a similar problem! look carefully at it!
The user in November created 2 keys (20-11-26 and 20-11-19), in AAD his profile has 2 keys. In AD, the msDS-KeyCredentialLink attribute has an array of 2 keys.
In a domain, for example, 10 domain controllers, the user "LOGONSERVER" is set to #1.
Today, the connector only made the following changes with the user:
When What
23.12.2020 15:41 User 'ivanov.ivan' was modified by 'mydomain\MSOL_xxx' Modified Properties : msDS-KeyCredentialLink, Values : B:854:<Binary>
23.12.2020 15:11 User 'ivanov.ivan' was modified by 'mydomain\MSOL_xxx' Modified Properties : msDS-KeyCredentialLink, Values : B:854:<Binary>
23.12.2020 14:03 User 'ivanov.ivan' was modified by 'mydomain\MSOL_xxx' Modified Properties : msDS-KeyCredentialLink, Values : B:854:<Binary>
23.12.2020 13:33 User 'ivanov.ivan' was modified by 'mydomain\MSOL_xxx' Modified Properties : msDS-KeyCredentialLink, Values : B:854:<Binary>
23.12.2020 10:32 User 'ivanov.ivan' was modified by 'mydomain\MSOL_xxx' Modified Properties : msDS-KeyCredentialLink, Values : B:854:<Binary>,B:856:<Binary>
23.12.2020 10:02 User 'ivanov.ivan' was modified by 'mydomain\MSOL_xxx' Modified Properties : msExchSafeSendersHash
Next, an interesting story turns out!
General state:
AAD, AD: msDS-KeyCredentialLink 2 keys installed (AD on all controllers the same value)
Computer: turned on, logged in, locked
Azure AD Connect: syncing was successful 10 minutes ago
Actions:
1_ The User successfully login using the Windows Hello for Business PIN-code
2_ Instantly, on domain controller #1 "LOGONSERVER" the msDS-KeyCredentialLink attribute becomes a value with 1 key (why???)!
$arrDC = Get-ADDomainController -Filter * -Server mydomain
$arrDC | ForEach-Object -parallel {$value = Get-ADUser -Server $_ -Identity ivanov.ivan -Properties msDS-KeyCredentialLink; write-output "$($value.'msDS-KeyCredentialLink'.count) $($_.HostName) $($value.'msDS-KeyCredentialLink')"}
3_ On local AD controllers, the replica starts and the value is set to 1 key (i.e. there is no correct key) on all controllers. The user begins to have errors with authentication in Outlook and with access to network drives.
4_ If we wait 20 minutes, Azure AD Connect brings msDS-KeyCredentialLink to the correct state (AD replicas update this), but if the user login again, the value will be corrupted again.
My thoughts: as if AD controller #1 "LOGONSERVER" after successful Kerberos authentication (client allows login) decides to delete this key from the user profile!
New Question: why is this happening (something is wrong with the key)? who does this (local controller)? how to predict it or how to get rid of it?
p.s. for the first user, the problem 23.12.2020 itself was eliminated, the attribute is no longer overwritten, the pin-code entry Windows Hello for Business works normally