BrianMoebius-6698 asked

Windows Hello for Business with ADFS - Certificate - Hybrid Joined - Device Provisioning is failing

User Device Registration

Event ID 360

Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Machine is governed by enrollment authority policy.
Cloud trust for on premise auth policy is enabled: No
User account has Cloud TGT: Not Tested
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Event ID 362

Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: Yes
Enterprise user logon certificate template is : Yes
User has successfully authenticated to the enterprise STS: No
Certificate enrollment method: enrollment authority
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.


AAD Errors

Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895418359 (0xcaa10009), Description: The value specified for 'clientId' must be non-empty.
Logged at WebAccountProcessor.cpp, line: 652, method: AAD::Core::WebAccountProcessor::ReportOperationError.

Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 12D0E4F1-7F17-4087-B7D4-026E58338C8E

OAuth response error: invalid_grant
Error description: MSIS9682: Received invalid OAuth JWT Bearer request. The certificate used to sign JWT Bearer request is not from a registered device with a Transport key.
CorrelationID:

Http request status: 400. Method: POST Endpoint Uri: https://fs.xxxx.xxx/adfs/oauth2/token/ Correlation ID: 12D0E4F1-7F17-4087-B7D4-026E58338C8E


dsregcmd


+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

          AzureAdJoined : YES
       EnterpriseJoined : NO
           DomainJoined : YES
             DomainName : xxxxx
            Device Name : MyPC.xxxx.com

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

       DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                 NgcSet : NO
        WorkplaceJoined : NO
          WamDefaultSet : YES
    WamDefaultAuthority : organizations
           WamDefaultId : https://login.microsoft.com
         WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

             AzureAdPrt : YES
   AzureAdPrtUpdateTime : 2021-10-15 11:54:04.000 UTC
   AzureAdPrtExpiryTime : 2021-10-29 11:54:03.000 UTC
    AzureAdPrtAuthority : https://login.microsoftonline.com/baaf30d9-bdd3-4de1-815f-59e774096377
          EnterprisePrt : NO
 EnterprisePrtAuthority : https://fs.xxxx.xxx:443/adfs

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

     AadRecoveryEnabled : NO
 Executing Account Name : ***\*******
            KeySignTest : PASSED

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

         IsDeviceJoined : YES
          IsUserAzureAD : YES
          PolicyEnabled : YES
       PostLogonEnabled : YES
         DeviceEligible : YES
     SessionIsNotRemote : YES
         CertEnrollment : enrollment authority
       AdfsRefreshToken : NO
          AdfsRaIsReady : YES
 LogonCertTemplateReady : YES ( StateReady )
           PreReqResult : WillNotProvision


I have run through every article I can think of and I am stuck at this point.

My device is writing back to AD and is in Azure AD. I have re-registered, confirmed the 'ugs' entry in ADFS and so on. I just don't know where to go from here. I have run back and forth so many times I am starting to lose track of my changes. Any help would be great.

I have read that I may need an NDES Server to allow for SSO but I am not sure I need to go this route at the moment. I would like to get this working first.


adfs
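A small triage helper for the dsregcmd /status layout shown in the question, added here as an example and not part of the original post or of any Microsoft tooling. It parses the section/key layout and maps the answers that matter for certificate trust provisioning (Enterprise PRT, AD FS refresh token, registration authority, template state) to a plain-language blocker; the embedded capture is a constructed, abridged copy of the values from the question, with its placeholder hostname kept.

```python
import re

# Constructed sample: abridged dsregcmd /status output in the same layout as the
# capture in the question (values copied from it; hostname is the question's placeholder).
SAMPLE = """\
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

          AzureAdJoined : YES
           DomainJoined : YES
            Device Name : MyPC.xxxx.com

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

             AzureAdPrt : YES
          EnterprisePrt : NO
 EnterprisePrtAuthority : https://fs.xxxx.xxx:443/adfs

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

         CertEnrollment : enrollment authority
       AdfsRefreshToken : NO
          AdfsRaIsReady : YES
 LogonCertTemplateReady : YES ( StateReady )
           PreReqResult : WillNotProvision
"""

SECTION_RE = re.compile(r"^\|\s*(.+?)\s*\|$")            # "| SSO State |"
KV_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")  # "   Key : value"

def parse_dsregcmd(text):
    """Return {section: {key: value}} from dsregcmd /status text; '+---' rules and blanks are skipped."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = {}
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            sections[current][m.group(1)] = m.group(2)
    return sections

def whfb_cert_trust_blockers(status):
    """List the answers that stop certificate-trust provisioning, in the order the client checks them."""
    sso = status.get("SSO State", {})
    ngc = status.get("Ngc Prerequisite Check", {})
    blockers = []
    if sso.get("AzureAdPrt") == "YES" and sso.get("EnterprisePrt") == "NO":
        blockers.append("no Enterprise PRT: Azure AD PRT was issued, but the device never "
                        "authenticated to the on-premises STS at " + sso.get("EnterprisePrtAuthority", "?"))
    if ngc.get("CertEnrollment") == "enrollment authority" and ngc.get("AdfsRaIsReady") != "YES":
        blockers.append("AD FS registration authority not ready")
    if ngc.get("AdfsRefreshToken") == "NO":
        blockers.append("no AD FS refresh token: enrollment through the enrollment authority cannot start")
    if not ngc.get("LogonCertTemplateReady", "").startswith("YES"):
        blockers.append("logon certificate template not ready")
    return blockers

if __name__ == "__main__":
    for b in whfb_cert_trust_blockers(parse_dsregcmd(SAMPLE)):
        print("BLOCKER:", b)
```

With the question's values this reports only the two STS-side blockers (no Enterprise PRT, no AD FS refresh token), which is the same story as the Event 362 line "User has successfully authenticated to the enterprise STS: No".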

0 Answers