Windows Hello for Business with ADFS - Certificate - Hybrid Joined - Device Provisioning is failing

Brian Moebius 1 Reputation point
2021-10-15T12:18:42.447+00:00

User Device Registration

Event ID 360

Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Machine is governed by enrollment authority policy.
Cloud trust for on premise auth policy is enabled: No
User account has Cloud TGT: Not Tested
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Event ID 362

Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: Yes
Enterprise user logon certificate template is : Yes
User has successfully authenticated to the enterprise STS: No
Certificate enrollment method: enrollment authority
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

AAD Errors

*Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895418359 (0xcaa10009), Description: The value specified for 'clientId' must be non-empty.
Logged at WebAccountProcessor.cpp, line: 652, method: AAD::Core::WebAccountProcessor::ReportOperationError.

Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 12D0E4F1-7F17-4087-B7D4-026E58338C8E

OAuth response error: invalid_grant
Error description: MSIS9682: Received invalid OAuth JWT Bearer request. The certificate used to sign JWT Bearer request is not from a registered device with a Transport key.
CorrelationID:

Http request status: 400. Method: POST Endpoint Uri: https://fs.xxxx.xxx/adfs/oauth2/token/ Correlation ID: 12D0E4F1-7F17-4087-B7D4-026E58338C8E*

dsregcmd

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

         AzureAdJoined : YES
      EnterpriseJoined : NO
          DomainJoined : YES
            DomainName : xxxxx
           Device Name : MyPC.xxxx.com

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

      DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                NgcSet : NO
       WorkplaceJoined : NO
         WamDefaultSet : YES
   WamDefaultAuthority : organizations
          WamDefaultId : https://login.microsoft.com
        WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

            AzureAdPrt : YES
  AzureAdPrtUpdateTime : 2021-10-15 11:54:04.000 UTC
  AzureAdPrtExpiryTime : 2021-10-29 11:54:03.000 UTC
   AzureAdPrtAuthority : https://login.microsoftonline.com/baaf30d9-bdd3-4de1-815f-59e774096377
         EnterprisePrt : NO
EnterprisePrtAuthority : https://fs.xxxx.xxx:443/adfs

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

    AadRecoveryEnabled : NO
Executing Account Name : ***\*******
           KeySignTest : PASSED

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

        IsDeviceJoined : YES
         IsUserAzureAD : YES
         PolicyEnabled : YES
      PostLogonEnabled : YES
        DeviceEligible : YES
    SessionIsNotRemote : YES
        CertEnrollment : enrollment authority
      AdfsRefreshToken : NO
         AdfsRaIsReady : YES
LogonCertTemplateReady : YES ( StateReady )
          PreReqResult : WillNotProvision

It have run through every article I can think of and I am stuck at this point.

My device is writing back to AD and is in Azure AD. I have re-registered, confirmed the 'ugs' entry in ADFS and so on. I just don't know where to go from here. I have run back and forth so many times I am starting to lose track of my changes. Any help would be great.

I have read that I may need an NDES Server to allow for SSO but I am not sure I need to go this route at the moment. I would like to get this working first.

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
954 questions
No comments
{count} votes