passwordless security key sign-in

Abdelilah Ait Bendra 11 Reputation points
2022-03-06T12:56:11.433+00:00

Hi,
I have enabled passwordless security key sign-in to on-premises resources by using Azure AD, following the instructions in this article:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises

My device is a hybrid Azure AD-joined Windows 10 device.

My problem:

I am working from home and I get access to enterprise local resources through a VPN connection, but each time my computer is not connected to the VPN I get this error message when trying to log in to my session using the security key: Sorry, try that again. there was an issue with the server

6 answers

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2022-03-07T22:12:52.957+00:00

    Hi @Abdelilah Ait Bendra ,

    Problem summary

    Unable to log on remotely with security key and receiving the error, "Sorry, try that again. There was an issue with the server."

    Cause

    There is a known issue where FIDO2 cached credentials will fail after a period of time, and since you mention that this happens when you're not connected to the VPN, it sounds like this is the problem.

    Troubleshooting

    If you connect to the VPN (line of sight to a DC), then lock/unlock with FIDO2, does it work again?

    For users without "line of sight" to a domain controller, there is an issue related to the cached credential such that sign-in will work for a while (12-48 hours or so) then fail with the error message "Sorry Try that Again. There was an issue with the server".

    If you are connected to the VPN and have "line of sight" to a domain controller and FIDO2 still does not work, you can capture the authlogs data and analyze kerberos.etl to determine why that failure is occurring.

    The issue is present in the latest Windows 11 builds and some Windows 10 builds.

    The bug has been reported and the product team is actively working on a fix, but it is still pending. https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/how-to-password-less-fido2-security-key-sign-in-to-windows-10/ba-p/1434583/page/2#comments

    If this answer helps resolve your question, please consider marking as answer so that others in the community with similar questions can more easily find a solution.


  2. Abdelilah Ait Bendra 11 Reputation points
    2022-03-08T07:10:55.223+00:00

    Hi @Marilee Turscak-MSFT
    I confirm that the authentication with the key works immediately once connected to the VPN (line of sight to a DC).


  3. Nick Davidson 1 Reputation point
    2022-04-27T14:43:35.537+00:00

    @Marilee Turscak-MSFT Any updates on this issue?

  4. Klein, N (Niels) 1 Reputation point
    2022-05-04T10:06:08.007+00:00

    @Marilee Turscak-MSFT Another small bump. Also surprised around the slow progress, or does it simply mean that the population using this solution is that minimal?


  5. Akos Horvath 1 Reputation point
    2022-09-19T11:33:35.027+00:00

    Any update on this?
