Guest Masayuki.Ozawa
Posted December 12, 2019

Hi.

We are verifying Windows Hello for Business in a Windows Server 2016 (Windows Update executed) + Windows 10 1703 Enterprise Edition (Windows Update already executed) environment. (Windows Server 2016: AD + AD FS + AD CS)

We are implementing the procedure of the Windows Hello for Business Deployment Guide.

Windows Hello for Business Deployment Guide - Microsoft 365 Security

Even if you execute the procedure in one step and execute the job of Automatic-Device-Join in Windows 10 1703, device registration via AD FS will result in an error.

The result of executing dsregcmd /debug with LOCAL SYSTEM is as follows.

dsregcmd::wmain logging initialized.
DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:domain.local forest:domain.local domainController:\\WHfB-AD.domain.local isDcAvailable:true }
PreJoinChecks Complete.
preCheckResult: Join
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x0
Automatic device join pre-check tasks completed.
TenantInfo::Discover: Join Info { TenantType = Federated; AutoJoinEnabled = 1; TenandID = 383a3889-5bc9-47a3-846c-2b70f0b7fe0e; TenantName = whfb-ad.domain.local }
DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
GetComputerTokenForADRS: Get token for enterprise DRS
GetComputerTokenForADRS: Token request authority: "https://login.microsoftonline.com/common"
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuthEnterprise ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalMessage: ADALUseWindowsAuthenticationNonHybrid failed, unable to preform integrated auth
AdalError: authentication_failed
AdalErrorCode: 0xcaa9002c
AdalCorrelationId: {C3F5EF0B-7922-4383-8FF3-057F2567EC9F}
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuthEnterprise ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: HRESULT: 0xcaa1000e
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
AzureAdJoined : NO
EnterpriseJoined : NO

If this is the case, what kind of countermeasures should be taken?

Regards,