Hi,
Sorry for the double posting, the original thread had a kind of different question to start with. So, I'm trying to deploy Windows Hello for Business Certificate Trust on-premises in my workplace. I've followed the guide for deploying the Key trust authentication, but later changed it to Certificate trust (I'm not sure I've cleaned all of the Key trust settings, since most of them are the same for both Key and Certificate). However, it seems I have a problem with the AD FS device registration. It seems the devices don't get registered, and I can't think of what I've done wrong for this to happen. I've managed to get to the point where I get "This sign-in option is only available when connected to your organization's network". And here's what "dsregcmd /status" and "dsregcmd /debug" give me as results:
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : YES
              DomainJoined : YES
                DomainName : <domain name>
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : f7c113b3-18d2-4da8-baa7-45fd45431096
                Thumbprint : 756CDDBC67B7FA994A05F766F81E3A5429DACDC7
 DeviceCertificateValidity : [ 2019-12-17 10:50:34.000 UTC -- 2029-12-14 11:00:34.000 UTC ]
            KeyContainerId : 5303e1fb-1d9b-4993-a58e-b15720fdc4be
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName :
                  TenantId : 383a3889-5bc9-47a3-846c-2b70f0b7fe0e
                       Idp : login.windows.net
               AuthCodeUrl : https://fs.<domain name>.org/adfs/oauth2/authorize
            AccessTokenUrl : https://fs.<domain name>.org/adfs/oauth2/token
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://fs.<domain name>.org/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
             KeySrvVersion : 1.0
                 KeySrvUrl : https://fs.<domain name>.org/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://fs.<domain name>.org/webauthn/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
             WebAuthNSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://fs.<domain name>.org/manage/383a3889-5bc9-47a3-846c-2b70f0b7fe0e/
     DeviceManagementSrvId : urn:ms-drs:434DF4A9-3CF2-4C1D-917E-2CD2B72F515A
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : NO
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : NO
       AzureAdPrtAuthority :
             EnterprisePrt : NO
    EnterprisePrtAuthority :
+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+
        AadRecoveryEnabled : NO
               KeySignTest : PASSED
+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+
            IsDeviceJoined : YES
             IsUserAzureAD : NO
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : enrollment authority
          AdfsRefreshToken : NO
             AdfsRaIsReady : NO
    LogonCertTemplateReady : UNKNOWN
             PreReqResult : WillNotProvision

dsregcmd::wmain logging initialized.
DsrCmdJoinHelper::Join: ClientRequestId: f3eb70f9-aed9-441e-8607-eb22a2dae9f8
PreJoinChecks Complete.
    preCheckResult: DoNotJoin
    deviceKeysHealthy: undefined
    isJoined: undefined
    isDcAvailable: undefined
    isSystem: NO
    keyProvider: undefined
    keyContainer: undefined
    dsrInstance: undefined
    elapsedSeconds: 0
    resultCode: 0x1
The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.
If you have any suggestions on what I should do, please share, because the Docs are good, but at a certain point they get a bit "for more information, check ******" again and again, and suddenly I'm at 20 tabs and can't follow where I was or where I'm going.
Thanks in advance.
//Edit
When I restart the device that is supposed to be registered, I get the following error in the "AD FS -> Admin" event log on the AD FS server:
Encountered error during OAuth token request.
Additional Data
Exception details:
Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'.
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId)
   at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore()
On the machine, in "Applications and Services Logs -> Microsoft -> Windows -> AAD -> Operational", 4 log entries appear after rebooting the PC:
Http request status: 400. Method: POST Endpoint Uri: https://fs.<domain name>.org/adfs/oauth2/token Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2
OAuth response error: unauthorized_client Error description: MSIS9605: The client is not allowed to access the requested resource. CorrelationID:
Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2
Logon failure. Status: 0xC000006D Correlation ID: 7A2A19EB-8888-4DC8-9957-408092271DC2

Any help will be appreciated. Thanks in advance.
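The MSIS9368 event above names the OAuth client, the resource and the scope ('ugs') that AD FS refused. As an added example (not part of the original post, and not a cmdlet from the poster's environment), this script runs on the AD FS server and checks whether that client/resource pair has an application permission carrying the 'ugs' scope, granting or extending it only if it is missing; it assumes the AD FS PowerShell module is present and that the identifiers in the event are the ones to check.

```powershell
# Added example: verify (and if needed grant) the application permission that the
# MSIS9368 event says is missing. Identifiers are copied from the event text in the post.
#Requires -RunAsAdministrator
Import-Module ADFS

$clientId = '38aa3b87-a06d-4817-b275-7a316988d93b'                                # client from the event
$resource = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope'     # resource from the event
$scope    = 'ugs'                                                                  # scope from the event

# The scope must be known to AD FS before it can be granted; warn if it is not defined.
if (-not (Get-AdfsScopeDescription -Name $scope -ErrorAction SilentlyContinue)) {
    Write-Warning "Scope description '$scope' is not defined on this AD FS farm."
}

# Look up the existing permission object for this client/resource pair (empty if none).
$perm = Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId -ServerRoleIdentifiers $resource

if ($null -eq $perm) {
    Write-Host "No permission for client $clientId on $resource; granting scope '$scope'."
    Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientId -ServerRoleIdentifier $resource -ScopeNames $scope
}
elseif ($perm.ScopeNames -notcontains $scope) {
    Write-Host "Permission exists with scopes [$($perm.ScopeNames -join ', ')] but lacks '$scope'; adding it."
    Set-AdfsApplicationPermission -TargetClientRoleIdentifier $clientId -TargetServerRoleIdentifier $resource -AddScope $scope
}
else {
    # Scope already granted: the token failure has another cause, so do not change anything.
    Write-Host "Client $clientId already holds scope '$scope' on $resource; no change made."
}

# Show the resulting permission so the state can be recorded with the change ticket.
Get-AdfsApplicationPermission -ClientRoleIdentifiers $clientId -ServerRoleIdentifiers $resource |
    Format-List ClientRoleIdentifier, ServerRoleIdentifier, ScopeNames
```

After the permission is in place, repeat the client-side check from an elevated SYSTEM context, since the quoted dsregcmd /debug output itself reports that the join check only runs as NT AUTHORITY\SYSTEM.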