Azure AD Domain Services and Azure VPN Client from a Joined Desktop

Question

Azure AD Domain Services and Azure VPN Client from a Joined Desktop

Mike DiMartino 0

After joining a remote device to Azure AD Domain Services and signing in as a domain user or global admin, & attempts to connect with Azure VPN Client fails with: ‘Failure while accessing vault. Cannot open vault. Please check whether credential manager service is running... Error code 0x80090345. The computer must be trusted for delegation...’ Credential Manager cannot be opened and throws the same error. How is this resolved.

I opened ticket with my paid Azure support account ($100 p/m) but as with all my Azure support tickets they go unanswered.

Doaa Ali Hamdan AL-Jarwani 340 Reputation points

2025-06-15T19:23:58.01+00:00
The error 0x80090345 happens because the device is not trusted for delegation, which is not supported in Azure AD Domain Services.

🔹 Credential Manager and Azure VPN Client rely on delegation to access certificates.

🔹 Azure AD DS doesn’t allow setting devices as “trusted for delegation”.

Fix:

Use Azure AD authentication (username/password) for VPN instead of certificates.

Or use a Hybrid or classic AD-joined device.

Avoid relying on Credential Manager in Azure AD DS-only environments.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-06-17T11:42:48.58+00:00

Hello Mike DiMartino

I have initiated a private message to you. Please share the required details for further investigation in private chat.
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-06-19T05:03:51.4233333+00:00
@Mike DiMartino

This error is most commonly caused by Credential Manager failing due to delegation restrictions, especially on Azure AD Domain Services–joined devices. The error code 0x80090345 indicates that the system isn't trusted for delegation.

Try to Set the ProtectionPolicy registry value correctly by navigating Registry Editor (regedit). HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System> Look for ProtectionPolicy > set the Value data as 1 > Click the OK button > then close all windows and restart your PC.

If still same issue, you can follow the below approach.

Open Local Group Policy Editor

Navigate to: Computer Configuration > Administrative Templates > System > Credentials Delegation

Enable the following policies:

Allow delegating saved credentials Allow delegating saved credentials with NTLM-only server authentication In both policies, add the value: TERMSRV/*

Run gpupdate /force in a command prompt

Reboot the machine

After the reboot, try connecting with the Azure VPN Client again — the issue should be resolved.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

1 answer

Your answer

Doaa Ali Hamdan AL-Jarwani 340 Reputation points

2025-06-15T19:23:58.01+00:00

The error 0x80090345 happens because the device is not trusted for delegation, which is not supported in Azure AD Domain Services.

🔹 Credential Manager and Azure VPN Client rely on delegation to access certificates.

🔹 Azure AD DS doesn’t allow setting devices as “trusted for delegation”.

Fix:

Use Azure AD authentication (username/password) for VPN instead of certificates.

Or use a Hybrid or classic AD-joined device.

Avoid relying on Credential Manager in Azure AD DS-only environments.
Ganesh Patapati 6,915 Reputation points Microsoft External Staff Moderator

2025-06-17T11:42:48.58+00:00

Hello Mike DiMartino

I have initiated a private message to you. Please share the required details for further investigation in private chat.
Venkat V 2,545 Reputation points Microsoft External Staff Moderator

2025-06-19T05:03:51.4233333+00:00

@Mike DiMartino

This error is most commonly caused by Credential Manager failing due to delegation restrictions, especially on Azure AD Domain Services–joined devices. The error code 0x80090345 indicates that the system isn't trusted for delegation.

Try to Set the ProtectionPolicy registry value correctly by navigating Registry Editor (regedit). HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System> Look for ProtectionPolicy > set the Value data as 1 > Click the OK button > then close all windows and restart your PC.

If still same issue, you can follow the below approach.

Open Local Group Policy Editor

Navigate to: Computer Configuration > Administrative Templates > System > Credentials Delegation

Enable the following policies:

Allow delegating saved credentials Allow delegating saved credentials with NTLM-only server authentication In both policies, add the value: TERMSRV/*

Run gpupdate /force in a command prompt

Reboot the machine

After the reboot, try connecting with the Azure VPN Client again — the issue should be resolved.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

Answer 1

Mike hi, firstly thx thanks for posting this at Q&A,

lets make sure the device is properly trusting azure ad domain services. the error screams delegation issues, right? go to group policy management on ur domain controller and check 'computer configuration > policies > windows settings > security settings > local policies > user rights assignment'. look for 'trust this computer for delegation to any service' and add the computer object there. microsoft explains this delegation stuff pretty clear here https://learn.microsoft.com/en-us/windows-server/security/kerberos/kerberos-constrained-delegation-overview. also, restart the credential manager service after making these changes. sometimes it just needs a kick to behave ))

credential manager acting up? classic moment lol try running 'services.msc' and make sure 'credential manager' service is running. if its stuck, set it to automatic and give it a fresh start. this might help in other tools too when u see vault errors. worth looking into whether ur windows is fully updated - some older builds get cranky with modern auth stuff. the basic credential manager troubleshooting applies to most windows auth issues...

and about that azure support ticket... yep, been there. while waiting, u could also check if ur device's time sync is perfect. time drift messes with kerberos tickets like crazy. quick 'w32tm /resync' in cmd as admin might save u hours of pain )) microsoft's vpn gateway docs mention network level auth requirements here https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant. give that a peek too.

if u get it working, come back and tell us what clicked, thx..

rgds,

Alex

Share via

Azure AD Domain Services and Azure VPN Client from a Joined Desktop

1 answer

Your answer