VDI Hybrid AD PRT token refresh request failing periodically 0xCAA90056 Renew token by the primary refresh token failed and 0xCAA5001C Token broker operation failed!

Dave Baker 1 Reputation point
2021-05-13T12:53:33.72+00:00

We are running an instant clone Win 10 1909 environment with hybrid AD joined devices and have begun to see periodic instances where a given device fails to authenticate with AAD/AD FS, but when the user signs into a different VM, it works fine. The O365 components of the desktop fail to activate (unable to acquire a license and activate). The event log shows that hybrid AD join is successful and the user PRT is issued; the problem seems to lie when the application requests an access or refresh token from the PRT. The logs in AAD > Operational show:

Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895025142 (0xcaa7000a), Description: The Internet connection has timed out.
Logged at webaccountprocessor.cpp, line: 593, method: AAD::Core::WebAccountProcessor::ReportOperationError.

Error: 0xCAA7000A The Internet connection has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 171, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa90051 Sending OAuth request failed.
Logged at oauthtokenrequestbase.cpp, line: 237, method: OAuthTokenRequestBase::SendRequest.

Error: 0xCAA7000A The Internet connection has timed out.
Code: authentication_failed
Description: The Internet connection has timed out.
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at oauthtokenrequestbase.cpp, line: 237, method: OAuthTokenRequestBase::SendRequest.

The internet connection appears to be fine - we use Zscaler with AD FS to authenticate and a .pac file on the desktop. Note: during startup we perform dsregcmd /join, so the internet connection is required there, and when the user logs in the second /join takes place and this is successful, so something is causing the OAuth mechanism for the 365 apps to fail. Any ideas how we troubleshoot this or what else to try to make this work?

Again, this only happens on some VMs - it's not consistent on the device name either; it can be any random VM and any random user.

Dave

Microsoft Security | Active Directory Federation Services
Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. JimmySalian-2011 42,511 Reputation points
    2022-08-17T07:42:50.667+00:00

    Hi,

    The error code and symptoms seem to me like some sort of network connectivity issue. Do you have a proxy server, a packet shaper device that throttles bandwidth, or a firewall that inspects each packet and filters out?

    I would suggest you carry out the checks following this link, as it points at each setting for troubleshooting the O365 activation.

    There was a change in the authentication package recently, and here is the detailed information; please check the version: connection-issue-when-sign-in-office-2016

    I would also check that all the relevant ports are open, just to double check. It is known that the issue is sporadic, but it is worth checking with the network team. Link for ports: urls-and-ip-address-ranges

    0xcaa70007-and-0xcaa80000

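Added example, not part of the original question or answer: a PowerShell check that walks the same token path that timed out in the poster's log (TokenEndpoint on login.microsoftonline.com plus the hybrid-join endpoints), resolving each URL through the session's own PAC/WinINet proxy configuration rather than assuming the proxy. Running it on a failing VM and a working one in the affected user's session lets you compare proxy selection and latency per endpoint, which is what the answer's proxy and ports advice asks for. Assumptions: Windows PowerShell 5.1 on the hybrid-joined VM, AD FS 2016 or later (for the .well-known path), and a placeholder AD FS host name that must be replaced.

```powershell
# Added troubleshooting example (not from the original post or answer).
# Assumes Windows PowerShell 5.1, run in the affected user's session on the VM.
function Test-AadTokenPath {
    param(
        [string]$AdfsHost   = 'adfs.example.com',   # placeholder: your federation service host
        [int]   $TimeoutSec = 30
    )

    # 1. Does this user have a PRT, and when was it last refreshed? (subset of dsregcmd /status)
    dsregcmd /status |
        Select-String 'AzureAdJoined|AzureAdPrt |AzureAdPrtUpdateTime|AzureAdPrtAuthority' |
        ForEach-Object { Write-Host $_.Line.Trim() }

    # 2. Which PAC file is this session configured with? (per-user WinINet settings)
    $inet = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    Write-Host "AutoConfigURL: $($inet.AutoConfigURL)"

    # .NET Framework's system proxy evaluates the WinINet settings, PAC script included,
    # so GetProxy() reports which proxy (or DIRECT) a given URL would be sent through.
    $sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()

    # 3. Endpoints on the token path. The first is the metadata document behind the
    #    TokenEndpoint named in the log and answers an unauthenticated GET with HTTP 200.
    #    Any HTTP status (even 4xx) shows the path is open; no response within the timeout
    #    is the same failure mode as 0xCAA7000A "The Internet connection has timed out".
    $urls = @(
        'https://login.microsoftonline.com/common/.well-known/openid-configuration'
        'https://enterpriseregistration.windows.net/'
        'https://device.login.microsoftonline.com/'
        "https://$AdfsHost/adfs/.well-known/openid-configuration"
    )

    foreach ($u in $urls) {
        $uri       = [uri]$u
        $via       = $sysProxy.GetProxy($uri)            # returns $uri itself when the PAC says DIRECT
        $direct    = ($via.AbsoluteUri -eq $uri.AbsoluteUri)
        $proxyText = if ($direct) { 'DIRECT' } else { $via.AbsoluteUri }

        $splat = @{ Uri = $u; UseBasicParsing = $true; TimeoutSec = $TimeoutSec; ErrorAction = 'Stop' }
        if (-not $direct) {
            $splat.Proxy = $via.AbsoluteUri
            $splat.ProxyUseDefaultCredentials = $true     # in case the proxy wants Windows auth
        }

        $sw = [Diagnostics.Stopwatch]::StartNew()
        try {
            $status = (Invoke-WebRequest @splat).StatusCode
            $err    = $null
        } catch {
            # An HTTP error still carries a Response; a connect failure or timeout does not.
            $status = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
            $err    = $_.Exception.Message
        }
        $sw.Stop()

        [pscustomobject]@{
            Url    = $u
            Proxy  = $proxyText
            Status = $status
            Ms     = $sw.ElapsedMilliseconds
            Error  = $err
        }
    }
}

# Run on a failing VM and on a working one, then compare the two tables:
# Test-AadTokenPath -AdfsHost 'adfs.contoso.com' | Format-Table -AutoSize
```

If the failing VM shows a different Proxy column for login.microsoftonline.com than the working one, or a null Status with a timeout message only there, the PAC evaluation or the proxy path for that VM is the place to look, not the PRT itself; the dsregcmd lines at the top confirm whether the PRT the poster saw issued is present and recent on that VM.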
