We resolved it with the help of the Microsoft techs. According to the techs, at the moment ECDSA is not supported for SSO via smart-card certificates. After we migrated back to an RSA key pair on the Yubikeys, the SSO started working.
Unknown HTTP error while retrieving PRT token with smart-card logon
We are currently migrating our proprietary smart-card logon system to Entra ID in combination with Entra CBA. Our machines are (successfully) Hybrid Joined. We have the single sign-on system working for password-based logons on the PC. The user gets a PRT and dsregcmd /status shows a working configuration.
This is not the case when a user signs in with his smart-card. The user gets access to the machine, but for some reason the retrieval of the PRT fails with an error that I cannot find anywhere online:
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
AcquirePrtDiagnostics : PRESENT
Previous Prt Attempt : 2024-11-21 10:41:42.574 UTC
Attempt Status : 0xc0090027
User Identity : ******@my-domain.tld
Credential Type : Certificate
Correlation ID : <GUID>
Endpoint URI : https://login.microsoftonline.com/<GUID>/oauth2/token
HTTP Method :
HTTP Error : 0x80090027
HTTP status : 0
Server Error Code :
Server Error Description :
EnterprisePrt : NO
EnterprisePrtAuthority :
I cannot find anything related to either the attempt status or the HTTP error code. They are also not mentioned in the Troubleshooting page at https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#step-3-troubleshoot-further-based-on-the-found-error-code
The user identity correctly shows the UPN of my account (which is the same in Entra ID). I've removed the Correlation ID, but it shows a GUID. When I compare the output of the status command between a password-login and a smart-card login, the only difference is in this block. All other blocks are exactly the same.
When I try an interactive login via the browser and supply my certificate as the first factor, I can successfully log in to the Entra account with my smart-card certificate, so the CBA system seems to work correctly.
I've been digging in the AAD logs in Event Viewer, both the Operational and Analytic logs, but I can't find anything verbose enough to determine the issue.
How can I debug this issue, as this is the only thing holding back a successful deployment?
Exchange | Hybrid management
Microsoft Security | Microsoft Entra | Microsoft Entra ID
2 answers
Stefan Lemanski 5 Reputation points
2024-12-13T18:02:31.08+00:00
Hi and sorry for barging in.
Good luck finding a solution for this. Our dsregcmd /status output looks exactly as yours.
+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+
AzureAdPrt : NO
AzureAdPrtAuthority :
AcquirePrtDiagnostics : PRESENT
Previous Prt Attempt : 2024-12-13 17:09:54.629 UTC
Attempt Status : 0xc0090027
User Identity : ******@domain.tld
Credential Type : Certificate
Correlation ID : ...
Endpoint URI : https://login.microsoftonline.com/.../oauth2/token
HTTP Method :
HTTP Error : 0x80090027
HTTP status : 0
Server Error Code :
Server Error Description :
EnterprisePrt : NO
EnterprisePrtAuthority :
We already opened a ticket, but were passed from one authentication engineer to another, always requiring a new log capture and upload. After 10 engineers I gave up :)
Browser login works with CBA, Windows login works with the smart card, but no PRT so far; only a successful username/password login yields one. It seems like something is missing between the smart-card login on the device and Entra ID, which issues the PRT.
We're using ECDSA certs from our CA with Yubikeys, also in a hybrid environment.
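As an added diagnostic for the situation described in the question and in Stefan's reply (this is not code posted by anyone in the thread), the PowerShell below lists every certificate in the user's store that carries the Smart Card Logon EKU, resolves its key algorithm from the SubjectPublicKeyInfo OID, parses the "SSO State" block of dsregcmd /status, and warns when the resolved combination appears: no PRT after a certificate logon while an ECDSA-keyed smart-card logon certificate is present. It assumes the Yubikey certificates are propagated into Cert:\CurrentUser\My at logon (the Windows smart card minidriver does this) and that dsregcmd.exe is on the PATH. For what it's worth, 0x80090027 is NTE_INVALID_PARAMETER in winerror.h, a CNG/CryptoAPI status rather than an HTTP one; together with "HTTP status : 0" that suggests the failure is local, in the key operation with the smart-card certificate, before any request reaches the token endpoint.

```powershell
# Added diagnostic, not code from the thread. Assumes the Yubikey certificates are
# visible in Cert:\CurrentUser\My and that dsregcmd.exe is available.

$SmartCardLogonEku = '1.3.6.1.4.1.311.20.2.2'   # Microsoft "Smart Card Logon" EKU
$SubjectAltNameOid = '2.5.29.17'
$KeyAlgorithmByOid = @{
    '1.2.840.113549.1.1.1' = 'RSA'     # rsaEncryption
    '1.2.840.10045.2.1'    = 'ECDSA'   # id-ecPublicKey
}

function Get-SmartCardLogonCertificate {
    # Every certificate in the user store with the Smart Card Logon EKU, plus its
    # key algorithm resolved from the public key OID (unknown OIDs are shown raw).
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $_.EnhancedKeyUsageList.ObjectId -contains $SmartCardLogonEku
    } | ForEach-Object {
        $keyOid = $_.PublicKey.Oid.Value
        $san = $_.Extensions | Where-Object { $_.Oid.Value -eq $SubjectAltNameOid }
        [pscustomobject]@{
            Subject        = $_.Subject
            SubjectAltName = if ($san) { $san.Format($false) } else { '' }
            KeyAlgorithm   = if ($KeyAlgorithmByOid.ContainsKey($keyOid)) { $KeyAlgorithmByOid[$keyOid] } else { $keyOid }
            HasPrivateKey  = $_.HasPrivateKey
            NotAfter       = $_.NotAfter
            Thumbprint     = $_.Thumbprint
        }
    }
}

function Get-SsoState {
    # Parse the "SSO State" block of dsregcmd /status into a hashtable keyed by field name.
    $state = @{}
    $inBlock = $false
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\|\s*SSO State\s*\|$') { $inBlock = $true; continue }
        if (-not $inBlock) { continue }
        if ($line -match '^\|\s*\S') { break }                 # header of the next block
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

$certs = @(Get-SmartCardLogonCertificate)
$certs | Format-Table Subject, KeyAlgorithm, HasPrivateKey, NotAfter -AutoSize

$sso = Get-SsoState
'AzureAdPrt      : {0}' -f $sso['AzureAdPrt']
'Credential Type : {0}' -f $sso['Credential Type']
'Attempt Status  : {0}' -f $sso['Attempt Status']
'HTTP Error      : {0}' -f $sso['HTTP Error']

$ecdsa = @($certs | Where-Object KeyAlgorithm -eq 'ECDSA')
if ($sso['AzureAdPrt'] -eq 'NO' -and $sso['Credential Type'] -eq 'Certificate' -and $ecdsa.Count -gt 0) {
    $msg = 'No PRT after certificate logon and {0} ECDSA smart-card logon cert(s) present; ' +
           'this is the combination the thread resolved by re-enrolling the Yubikeys with RSA keys.'
    Write-Warning ($msg -f $ecdsa.Count)
}
```

Run it in the session of the user who signed in with the smart card, since both the certificate store and the SSO State block are per-user. A certificate that shows KeyAlgorithm "RSA" with HasPrivateKey True and a PRT still missing points somewhere other than the key type, so the script is a first filter rather than a full diagnosis.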