This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
ADFS has been setup on Windows Server 2019 and Automatic Device Registration has been setup in our ADFS server.
The goal is to get 100% on-prem Windows Hello For Business working using Certificate Authentication to satisfy the MFA requirement.
Clients appear to be receiving certificates from the ADFS server:
Being issued from 'MS-Organization-Access'.
Note the order of OU,CN,DC,DC,DC appears to be incorrect. Our domain is OU CN AD REDACTED REDACTED not OU CN REDACTED REDACTED AD
Nonetheless clients do not appear to trust these certificates nor does WHFB provisioning allow us to set a pin:
MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked. Error Code: 0x490
Looking further into this, AD FS Event Logs show two back to back errors when the clients experience this issue:
Event ID 1021:
Encountered error during OAuth token request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInteractionRequiredException: MSIS9452: Interaction is required by the token broker to resolve the issue. The request requires fresh authentication.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.HandleJWTBearerAccessTokenRequest(OAuthJWTBearerRequestContext jwtBearerContext, SessionSecurityToken ssoSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)
Followed by Event ID 364:
Encountered error during federation passive request.
Additional Data
Protocol Name:
OAuthAuthorizationProtocolRelying Party:
urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515AException details:
Microsoft.IdentityServer.NoValidCertificateException: MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked.
Error Code: 0x490at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ThrowCertificateErrorException(Int32 errorCode)
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)
dsregcmd /status:
+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+AzureAdJoined : NO EnterpriseJoined : YES DomainJoined : YES DomainName : REDACTED Device Name : STATION-6.AD.REDACTED.REDACTED+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+DeviceId : 0af67b26-f33d-4e8d-922c-e8eae002251b Thumbprint : REDACTED_86DD9DeviceCertificateValidity : [ 2022-02-03 20:20:08.000 UTC -- 2032-02-01 20:30:08.000 UTC ]
KeyContainerId : 91e9a8c3-2e20-4165-a05c-9d67627597d5
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : FAILED. Error:80070047+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+TenantName : TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e Idp : login.windows.net AuthCodeUrl : https://fs.ad.REDACTED.REDACTED/adfs/oauth2/authorize AccessTokenUrl : https://fs.ad.REDACTED.REDACTED/adfs/oauth2/token MdmUrl : MdmTouUrl : MdmComplianceUrl : SettingsUrl : JoinSrvVersion : 1.0 JoinSrvUrl : https://fs.ad.REDACTED.REDACTED/EnrollmentServer/device/ JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A KeySrvVersion : 1.0 KeySrvUrl : https://fs.ad.REDACTED.REDACTED/EnrollmentServer/key/ KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A WebAuthNSrvVersion : 1.0 WebAuthNSrvUrl : https://fs.ad.REDACTED.REDACTED/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/ WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A DeviceManagementSrvVer : 1.0 DeviceManagementSrvUrl : https://fs.ad.REDACTED.REDACTED/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/ DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+NgcSet : NO WorkplaceJoined : NO WamDefaultSet : YES WamDefaultAuthority : organizations WamDefaultId : https://login.microsoft.com WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+AzureAdPrt : NO AzureAdPrtAuthority : EnterprisePrt : YESEnterprisePrtUpdateTime : 2022-02-04 14:44:32.000 UTC
EnterprisePrtExpiryTime : 2022-02-18 14:44:32.000 UTC
EnterprisePrtAuthority : https://fs.ad.REDACTED.REDACTED:443/adfs+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+AadRecoveryEnabled : NO Executing Account Name : REDACTED\REDACTED, REDACTED@AD.REDACTED.REDACTED KeySignTest : PASSED+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+Auto Detect Settings : YES Auto-Configuration URL : Proxy Server List : Proxy Bypass List :+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+Access Type : DIRECT+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+IsDeviceJoined : YES IsUserAzureAD : YES PolicyEnabled : YES PostLogonEnabled : YES DeviceEligible : YES SessionIsNotRemote : YES CertEnrollment : enrollment authority AdfsRefreshToken : YES AdfsRaIsReady : YES LogonCertTemplateReady : YES ( StateReady ) PreReqResult : WillProvision
I am not sure why this is happening, any help would be greatly appreciated, it's been quite the ordeal getting things setup to this point..
https://community.spiceworks.com/topic/2347157-whfb-adfs-user-device-registration-event-errors?from_forum=210
https://community.spiceworks.com/topic/2346957-2019-whfb-on-prem-certificate-trust-set-adfscertificateauthority-fails?from_forum=210
Interesting, why client certificate is installed in Local Machine store, not in Current User?
Hey @KKlouzal , did you enroll your user for a client authentication cert? WH4B requires the user to complete MFA before it will issue the user with a WHFB sign on cert.
Yes, this is where it's getting tripped up.
Primary method 'Windows Authentication'
Additional method 'Certificate Authentication'
These two are supposed to fulfill the MFA requirement. In my original post, the client passes 'Windows Authentication' and then appears to fail during 'Certificate Authentication' with error:
MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked. Error Code: 0x490
I don't know what certificate it's looking for during this step, whether it's looking for the WHFB client certificate that ADFS is supposed to provide the user or some other certificate. I will spend the day tomorrow hammering at this again, looking though event logs, and trying to piece together the steps and find where/why it's failing.
I will take a look at this: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-authentication-policies but I'm not sure thats leading me down the right path either.
Any insight otherwise would be appreciated.
It's looking for some other certificate - your user will need either a client auth cert or a smart card logon cert so that they can get through that 2nd factor. Alternatively you could use a third party auth provider such as Okta or Ping.
That was EXACTLY the issue. I'm able to get through WHFB provisioning now. There are a few little hiccups, a window briefly appears trying to display a webpage giving 404 error but goes away after a moment and then prompts the user to setup a pin-code.
Next step is figure out how to place this certificate on a Yubikey and not autoenroll clients.
And here it is: YubiKey Smart Card Deployment Guide !
Mr. Tom Houston,
I seem to be experiencing the same user as KKlouzal but I do have a smart card logon with the authorization, email, and ID certs.
I have ensured I have all the needed install root 5.5 certs from normal updates. Can't seem to get the certification selection and pin input to be prompt for the user.
Any other possible solutions for this kind of problem? Thanks.
I checked Current User and there are no personal certificates. I attempted to manually enroll the user with WHFB Authentication template but it failed:
I also went back through the ADFS WHFB Deployment Guide to make sure the Certificate Templates were setup properly, and they are..
I believe the certificate that showed up inside the Local Machine store is the AD FS Device Registration certificate which would make sense that it gets placed in Local Machine.
Wanted to bump this, have some spare time, and looking to get this set up.
Have made no further progress.
Can anyone else chime in?
Anyone else solve this? We get similar results in Chrome and Edge in iOS but surprisingly Safari on iOS works. Doing debugging we can see that ADFS complains about getting a device certificate but wants a user certificate. We don't issue device certificates so it appears that ADFS is thinking the cert is a device for some reason.
Sign in to comment