25,080 questions
Access to local resources from Entra Joined devices
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(214.4, 77%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERD%3C/text%3E%3C/svg%3E)
Raul D
0
Reputation points
A few months ago we started using Intune and I Entra Joined some devices. We have two DC onsite, one of them is the CA.
The problem that I'm finding is that if a user logs on using a PIN from Entra Joined device they're not able to access shared folder on the domain. "The System cannot contact a domain controller to service the authentication request".
I followed the Cloud Kerberos trust deployment guide
I also created new certificate template as per https://dirteam.com/sander/2022/09/14/todo-upgrade-the-certificates-for-your-windows-server-2016-based-domain-controllers-and-up-to-enable-windows-hello-for-business-hybrid-scenarios/
Errors I'm seeing include 0x14 KDC_ERR_TGT_REVOKED and "Trust Validation of the certificate for the Kerberos Distribution Center (KDC) CA.contoso.com failed"
I've also reviewed this guide to no avail:
I've spent tens of hours at this to no avail. Any input would be appreciated.
Microsoft Security | Microsoft Entra | Microsoft Entra ID
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 30%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator2024-11-04T09:39:58.56+00:00 Hello @Raul D ,
Thank you for reaching out Microsoft Q&A.
We are currently working on this and will update you shortly.
Regards,
Goutam Pratti. -
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-11-05T07:54:23.74+00:00 Hello @Raul D ;
Thank you for reaching Microsoft Q&A.
I understand you're encountering an issue where users logging in with a PIN from an Entra-joined device cannot access a shared folder on the domain.
Please verify that the OnPremTgt status is set to YES, as this enables connection to on-premises resources. To check this, open Command Prompt and enter the following command:
- dsregcmd /status
- Under the SSO State section, confirm that OnPremTgt is set to YES.
Hope this helps. Do let us know if you any further queries.
Regards,
Goutam Pratti -
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-11-06T05:18:16.18+00:00 Hi @Raul D ,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Goutam Pratti 6,170 Reputation points Microsoft External Staff Moderator
2024-11-07T01:24:47.7866667+00:00 Hi @Raul D ,
We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
-
Raul D 0 Reputation points
2024-11-25T18:21:06.85+00:00 @Goutam Pratti Sorry for the slow response.
OnPremTgt is Yes
Also "CloudTgt" is yes
Under "KerbTopLEvelNames" I see several domains like "Windows.net, azure.net" but not our domain.
Sign in to comment
Sign in to answer