WHFB ADFS 2019 Certificate Authentication Fails MSIS7121 No Valid Certificate

KKlouzal 26 Reputation points
2022-02-03T00:13:32.827+00:00

ADFS has been setup on Windows Server 2019 and Automatic Device Registration has been setup in our ADFS server.
The goal is to get 100% on-prem Windows Hello For Business working using Certificate Authentication to satisfy the MFA requirement.

Clients appear to be receiving certificates from the ADFS server:
170697-image.png
170698-image.png
Being issued from 'MS-Organization-Access'.
Note the order of OU,CN,DC,DC,DC appears to be incorrect. Our domain is OU CN AD REDACTED REDACTED not OU CN REDACTED REDACTED AD

Nonetheless clients do not appear to trust these certificates nor does WHFB provisioning allow us to set a pin:
170736-image.png

MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked. Error Code: 0x490

Looking further into this, AD FS Event Logs show two back to back errors when the clients experience this issue:

Event ID 1021:

Encountered error during OAuth token request.

Additional Data

Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthInteractionRequiredException: MSIS9452: Interaction is required by the token broker to resolve the issue. The request requires fresh authentication.
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.HandleJWTBearerAccessTokenRequest(OAuthJWTBearerRequestContext jwtBearerContext, SessionSecurityToken ssoSecurityToken)
at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthTokenProtocolHandler.ProcessJWTBearerRequest(OAuthJWTBearerRequestContext jwtBearerContext)

Followed by Event ID 364:

Encountered error during federation passive request.

Additional Data

Protocol Name:
OAuthAuthorizationProtocol

Relying Party:
urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A

Exception details:
Microsoft.IdentityServer.NoValidCertificateException: MSIS7121: The request did not contain a valid client certificate that can be used for authentication. This occurs when there are no valid certificates on the client computer, for example if all certificates have expired or been revoked.
Error Code: 0x490

at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ThrowCertificateErrorException(Int32 errorCode)
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.ProcessIntranetRequest(ProtocolContext context, WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.Authentication.TlsClientAuthenticationHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
at Microsoft.IdentityServer.Web.PassiveProtocolTlsClientListener.OnGetContext(WrappedHttpListenerContext context)

dsregcmd /status:

+----------------------------------------------------------------------+
| Device State |
+----------------------------------------------------------------------+

         AzureAdJoined : NO  
      EnterpriseJoined : YES  
          DomainJoined : YES  
            DomainName : REDACTED  
           Device Name : STATION-6.AD.REDACTED.REDACTED  

+----------------------------------------------------------------------+
| Device Details |
+----------------------------------------------------------------------+

              DeviceId : 0af67b26-f33d-4e8d-922c-e8eae002251b  
            Thumbprint : REDACTED_86DD9  

DeviceCertificateValidity : [ 2022-02-03 20:20:08.000 UTC -- 2032-02-01 20:30:08.000 UTC ]
KeyContainerId : 91e9a8c3-2e20-4165-a05c-9d67627597d5
KeyProvider : Microsoft Software Key Storage Provider
TpmProtected : NO
DeviceAuthStatus : FAILED. Error:80070047

+----------------------------------------------------------------------+
| Tenant Details |
+----------------------------------------------------------------------+

            TenantName :  
              TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e  
                   Idp : login.windows.net  
           AuthCodeUrl : https://fs.ad.REDACTED.REDACTED/adfs/oauth2/authorize  
        AccessTokenUrl : https://fs.ad.REDACTED.REDACTED/adfs/oauth2/token  
                MdmUrl :  
             MdmTouUrl :  
      MdmComplianceUrl :  
           SettingsUrl :  
        JoinSrvVersion : 1.0  
            JoinSrvUrl : https://fs.ad.REDACTED.REDACTED/EnrollmentServer/device/  
             JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A  
         KeySrvVersion : 1.0  
             KeySrvUrl : https://fs.ad.REDACTED.REDACTED/EnrollmentServer/key/  
              KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A  
    WebAuthNSrvVersion : 1.0  
        WebAuthNSrvUrl : https://fs.ad.REDACTED.REDACTED/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/  
         WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A  
DeviceManagementSrvVer : 1.0  
DeviceManagementSrvUrl : https://fs.ad.REDACTED.REDACTED/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/  
 DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A  

+----------------------------------------------------------------------+
| User State |
+----------------------------------------------------------------------+

                NgcSet : NO  
       WorkplaceJoined : NO  
         WamDefaultSet : YES  
   WamDefaultAuthority : organizations  
          WamDefaultId : https://login.microsoft.com  
        WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)  

+----------------------------------------------------------------------+
| SSO State |
+----------------------------------------------------------------------+

            AzureAdPrt : NO  
   AzureAdPrtAuthority :  
         EnterprisePrt : YES  

EnterprisePrtUpdateTime : 2022-02-04 14:44:32.000 UTC
EnterprisePrtExpiryTime : 2022-02-18 14:44:32.000 UTC
EnterprisePrtAuthority : https://fs.ad.REDACTED.REDACTED:443/adfs

+----------------------------------------------------------------------+
| Diagnostic Data |
+----------------------------------------------------------------------+

    AadRecoveryEnabled : NO  
Executing Account Name : REDACTED\REDACTED, REDACTED@AD.REDACTED.REDACTED  
           KeySignTest : PASSED  

+----------------------------------------------------------------------+
| IE Proxy Config for Current User |
+----------------------------------------------------------------------+

  Auto Detect Settings : YES  
Auto-Configuration URL :  
     Proxy Server List :  
     Proxy Bypass List :  

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config |
+----------------------------------------------------------------------+

           Access Type : DIRECT  

+----------------------------------------------------------------------+
| Ngc Prerequisite Check |
+----------------------------------------------------------------------+

        IsDeviceJoined : YES  
         IsUserAzureAD : YES  
         PolicyEnabled : YES  
      PostLogonEnabled : YES  
        DeviceEligible : YES  
    SessionIsNotRemote : YES  
        CertEnrollment : enrollment authority  
      AdfsRefreshToken : YES  
         AdfsRaIsReady : YES  
LogonCertTemplateReady : YES ( StateReady )  
          PreReqResult : WillProvision  

I am not sure why this is happening, any help would be greatly appreciated, it's been quite the ordeal getting things setup to this point..
https://community.spiceworks.com/topic/2347157-whfb-adfs-user-device-registration-event-errors?from_forum=210
https://community.spiceworks.com/topic/2346957-2019-whfb-on-prem-certificate-trust-set-adfscertificateauthority-fails?from_forum=210

Active Directory Federation Services
Active Directory Federation Services
An Active Directory technology that provides single-sign-on functionality by securely sharing digital identity and entitlement rights across security and enterprise boundaries.
1,299 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,902 questions
{count} votes

Accepted answer
  1. Tom Houston 176 Reputation points
    2022-12-21T22:23:44.45+00:00

    Hey @KKlouzal , did you enroll your user for a client authentication cert? WH4B requires the user to complete MFA before it will issue the user with a WHFB sign on cert.

    3 people found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.