The Implementation is not capable of performing the request

William 0 Reputation points
2024-11-21T15:57:23.07+00:00

My current issue is to have Hybrid Microsoft Entra ID Join enabled in the environment. I have .NET 4.8 and the latest version of Entra Connect Sync. Federation is being leveraged by Okta. AD Schema is 2016. The account has Hybrid Identity Administrator roles in Entra. When I go to configure Hybrid Microsoft Entra ID join - we are using Windows 10 or later domain-joined devices and these are included in domain and OU filtering for synchronization. SCP configuration shows the correct forest and is using the domain as the authentication service. I input creds for an enterprise admin level account. The containers in AD for Device Registration have the correct permissions for full control for that account. But I get the following:

[09:30:20.449] [ 7] [INFO ] Authenticate-MSAL: successfully acquired an access token. TenantID=#^&@^&$@-$&^#$@&&$@-$^%^#$&&#-$%&^%&#$*, ExpiresUTC=11/21/2024 4:33:07 PM +00:00, UserInfo=williamt@blah.com, IdentityProvider=login.windows.net.
[09:30:20.449] [ 7] [INFO ] Successfully aquired graph token.
[09:30:20.532] [ 7] [INFO ] DeviceHybridScpPage: Azure AD has 1 federated domains.
[09:30:20.534] [ 7] [INFO ] MsolDomainExtensions: Getting federation name for domain blah.com
[09:30:20.621] [ 7] [INFO ] MsolDomainExtensions: Federation name is blah.okta.com
[09:30:20.623] [ 7] [INFO ] DeviceHybridScpPage: GetConfiguredForests()
[09:30:20.623] [ 7] [INFO ] DeviceHybridScpPage: Checking device configuration for forest - blah.blahblah.com
[09:30:20.626] [ 7] [INFO ] ADDeviceConfigurationProvider: Checking device configuration for forest - blah.blahblah.com
[09:30:20.747] [ 7] [INFO ] ADDeviceConfigurationProvider: Getting configurationNamingContext from DC - SIADPC02.blah.blahblah.com
[09:30:20.757] [ 7] [INFO ] ADDeviceConfigurationProvider: Checking servicesContainerPath - LDAP://SIADPC02.blah.blahblah.com/CN=Services,CN=Configuration,DC=scc,DC=aaic,DC=com
[09:30:20.757] [ 7] [INFO ] ADDeviceConfigurationProvider: Checking drsContainerPath - LDAP://SIADPC02.blah.blahblah.com/CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=scc,DC=aaic,DC=com
[09:30:20.765] [ 7] [INFO ] ADDeviceConfigurationProvider: Checking scpObjectPath - LDAP://SIADPC02.blah.blahblah.com/CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=scc,DC=aaic,DC=com
[09:30:20.773] [ 7] [INFO ] ADDeviceConfigurationProvider: Checking scpObject keywords attribute
[09:30:20.837] [ 7] [INFO ] ADDeviceConfigurationProvider: Returning keywords with property values
[09:30:20.837] [ 7] [INFO ] DeviceHybridScpPage: Forest has device configuration with 2 keywords
[09:30:20.837] [ 7] [INFO ] DeviceHybridScpPage: Checking keyword = azureADId:
[09:30:20.837] [ 7] [INFO ] DeviceHybridScpPage: Checking keyword = azureADName:blah.onmicrosoft.com
[09:30:20.837] [ 7] [INFO ] DeviceHybridScpPage: Forest does not have valid configuration - blah.blahblah.com
[09:30:20.838] [ 7] [INFO ] DeviceHybridScpPage: CreateScpScript()
[09:30:20.839] [ 7] [INFO ] DeviceHybridScpPage: Creating script at - C:\ProgramData\AADConnect\ConfigureSCP.ps1
[09:37:59.386] [ 1] [INFO ] DeviceHybridScpPage: PromptForCredentials()
[09:37:59.386] [ 1] [INFO ] DeviceHybridScpPage: Get credentials for selected forest: blah.blahblah.com
[09:38:25.724] [ 1] [ERROR] A terminating unhandled exception occurred.
Exception Data (Raw): System.ComponentModel.Win32Exception (0x80004005): The implementation is not capable of performing the request
   at Microsoft.Online.Deployment.Framework.UI.Dialogs.CredentialsDialog.ShowDialog(IWin32Window owner)
   at Microsoft.Online.Deployment.Framework.UI.Dialogs.CredentialsDialog.Show()
   at Microsoft.Online.Deployment.OneADWizard.UI.WizardPages.DeviceHybridScpPageViewModel.PromptForCredentials(Object obj)
   at MS.Internal.Commands.CommandHelpers.CriticalExecuteCommandSource(ICommandSource commandSource, Boolean userInitiated)
   at System.Windows.Controls.Primitives.ButtonBase.OnClick()
   at System.Windows.Controls.Button.OnClick()
   at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
   at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
   at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
   at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
   at System.Windows.UIElement.ReRaiseEventAs(DependencyObject sender, RoutedEventArgs args, RoutedEvent newEvent)
   at System.Windows.UIElement.OnMouseUpThunk(Object sender, MouseButtonEventArgs e)
   at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
   at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
   at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
   at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args)
   at System.Windows.UIElement.RaiseTrustedEvent(RoutedEventArgs args)
   at System.Windows.Input.InputManager.ProcessStagingArea()
   at System.Windows.Input.InputManager.ProcessInput(InputEventArgs input)
   at System.Windows.Input.InputProviderSite.ReportInput(InputReport inputReport)
   at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr hwnd, InputMode mode, Int32 timestamp, RawMouseActions actions, Int32 x, Int32 y, Int32 wheel)
   at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr hwnd, WindowMessage msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
   at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
   at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
   at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
[09:38:25.746] [ 1] [INFO ] Page transition from "SCP" [DeviceHybridScpPageViewModel] to "Error" [ErrorPageViewModel]
[09:38:25.748] [ 1] [INFO ] DeviceHybridScpPage.OnUnload: Selected forest - blah.blahblah.com
[09:38:25.748] [ 1] [INFO ] DeviceHybridScpPage.OnUnload: Selected provider - aaic.okta.com
[09:38:25.748] [ 1] [INFO ] DeviceHybridScpPage.OnUnload: AzureADName - blah.com
[09:38:25.748] [ 1] [INFO ] DeviceHybridScpPage.OnUnload: AzureADId - 913fbd77-c6ce-445c-ac55-0256bc3a3e1e
[09:38:25.748] [ 1] [INFO ] DeviceHybridScpPage.OnUnload: IsDeviceAuthFederated - True
[09:41:45.277] [ 1] [INFO ] Opened log file at path C:\ProgramData\AADConnect\trace-20241121-092815.log

Any ideas to resolve this would be greatly appreciated. I have run through every troubleshooting step I can find.
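Before rerunning the wizard, an administrator can read the same Device Registration SCP the trace above inspects and confirm that both keywords are populated and match the tenant. This PowerShell is an added example, not code from the post or from Entra Connect; it assumes a domain-joined host with read access to the Configuration partition, and the expected tenant id and name are placeholders to fill in.

```powershell
# Added example (not from the post or from Microsoft Entra Connect): read the
# Device Registration SCP the wizard checks and report whether the azureADId /
# azureADName keywords are present and populated. Assumes a domain-joined host
# with read access to the Configuration partition; tenant values are placeholders.
param(
    [string]$ExpectedTenantId   = '<tenant-id-placeholder>',
    [string]$ExpectedTenantName = '<tenant>.onmicrosoft.com'
)
# Well-known object name of the Device Registration SCP (seen in the trace above)
$scpGuid  = '62a0ff2e-97b9-4513-943f-0d221bd30080'
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$scpPath  = "LDAP://CN=$scpGuid,CN=Device Registration Configuration,CN=Services,$configNc"

if (-not [ADSI]::Exists($scpPath)) {
    Write-Warning "Device Registration SCP not found: $scpPath"
    return
}

# keywords is multi-valued; each entry has the form "name:value"
$scp      = [ADSI]$scpPath
$keywords = @($scp.Properties['keywords'].Value)
$found    = @{}
foreach ($kw in $keywords) {
    $name, $value = ([string]$kw) -split ':', 2
    $found[$name] = $value
}

$problems = @()
foreach ($required in 'azureADId', 'azureADName') {
    if (-not $found.ContainsKey($required)) {
        $problems += "keyword '$required' is missing"
    } elseif ([string]::IsNullOrWhiteSpace($found[$required])) {
        $problems += "keyword '$required' is present but empty"
    }
}
if ($found['azureADId'] -and $found['azureADId'] -ne $ExpectedTenantId) {
    $problems += "azureADId '$($found['azureADId'])' does not match the expected tenant id"
}
if ($found['azureADName'] -and $found['azureADName'] -ne $ExpectedTenantName) {
    $problems += "azureADName '$($found['azureADName'])' does not match the expected tenant name"
}

if ($problems.Count -eq 0) {
    Write-Output "SCP keywords are complete: $($keywords -join '; ')"
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

In the posted trace the azureADId keyword is present but empty, which is why the wizard reports the forest configuration as invalid and generates ConfigureSCP.ps1 before prompting for credentials.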


1 answer

Raja Pothuraju 9,460 Reputation points Microsoft Vendor
2024-11-25T02:59:44.17+00:00

Hello @William,

Thank you for posting your query on Microsoft Q&A.

From your description, it seems you are trying to join a domain-joined device to Microsoft Entra ID with the join type set to "Microsoft Entra Hybrid Join." However, the process is failing with error code '0x80004005.' This error indicates that the device could not retrieve the required authentication token from your federation service (OKTA).

During the device registration process for federated domains, the WS-Trust protocol is used to authenticate Microsoft Entra hybrid-joined devices with Microsoft Entra ID. In a federated Microsoft Entra configuration, devices depend on OKTA (or another Microsoft partner federation service) to authenticate and obtain an access token for registering with the Microsoft Entra Device Registration Service (Azure DRS).

Please ensure that your OKTA federation service supports the WS-Trust protocol and is configured to issue the necessary claims as outlined in the following documentation: Set up issuance of claims.

I hope this information is helpful. Please feel free to reach out if you have any further questions.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Thanks,
Raja Pothuraju.
