Device registration can not be performed on Windows Hello for Business with on-premises only


Guest Masayuki.Ozawa
Posted

Hi.

We are verifying Windows Hello for Business in a Windows Server 2016 (Windows Update executed) + Windows 10 1703 Enterprise Edition (Windows Update already executed) environment.

(Windows Server 2016 : AD + AD FS + AD CS)

We are implementing the procedure of the Windows Hello for Business Deployment Guide.

Windows Hello for Business Deployment Guide - Microsoft 365 Security

Even if you execute the procedure in one step and execute the job of Automatic-Device-Join in Windows 10 1703, device registration via AD FS will result in an error.

The result of executing dsregcmd /debug as LOCAL SYSTEM is as follows.

dsregcmd::wmain logging initialized.
DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:domain.local forest:domain.local domainController:\\WHfB-AD.domain.local isDcAvailable:true }
PreJoinChecks Complete.
preCheckResult: Join
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 0
resultCode: 0x0
Automatic device join pre-check tasks completed.
TenantInfo::Discover: Join Info { TenantType = Federated; AutoJoinEnabled = 1; TenandID = 383a3889-5bc9-47a3-846c-2b70f0b7fe0e; TenantName = whfb-ad.domain.local }
DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
GetComputerTokenForADRS: Get token for enterprise DRS
GetComputerTokenForADRS: Token request authority: "https://login.microsoftonline.com/common"
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuthEnterprise ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalMessage: ADALUseWindowsAuthenticationNonHybrid failed, unable to preform integrated auth
AdalError: authentication_failed
AdalErrorCode: 0xcaa9002c
AdalCorrelationId: {C3F5EF0B-7922-4383-8FF3-057F2567EC9F}
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0x4aa90010
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuthEnterprise ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: HRESULT: 0xcaa1000e
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
AzureAdJoined : NO
EnterpriseJoined : NO

If this is the case, what kind of countermeasures should be taken?

Regards,
