Channel: Directory Services forum

Windows hello for business not working on 2019 DC


Hello,

We have a hybrid environment with AAD and on-premises Active Directory.

We also have a working setup of Windows Hello for Business, where users can log on to their PCs using PIN, fingerprint, etc.

A few days ago we replaced one 2008 domain controller with a new 2019 DC.

Windows Hello for Business stopped working on the workstations of the sites where the new DC is installed.

When users try to log on with Hello they receive the error: "that option is temporarily unavailable. For now please use a different method to sign in."

The issue only concerns PCs authenticating on the new 2019 DC. PCs at other sites, which authenticate on 2016 DCs, are working correctly.

In the event viewer of both the client PC and the DC we can see the following error:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Kerberos" Guid="{98E6CFCB-EE0A-41E0-A57B-622D4E1B30B1}" EventSourceName="Kerberos" />
    <EventID Qualifiers="32768">3</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-01-09T18:20:17.615079500Z" />
    <EventRecordID>2610</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>DESKTOP-U38MM2P.mycompany.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="LogonSession">mycompany\myuser</Data>
    <Data Name="ClientTime" />
    <Data Name="ServerTime">18:20:17.0000 1/9/2020 Z</Data>
    <Data Name="ErrorCode">0x4b</Data>
    <Data Name="ErrorMessage">Unknown Error</Data>
    <Data Name="ExtendedError" />
    <Data Name="ClientRealm" />
    <Data Name="ClientName" />
    <Data Name="ServerRealm">mycompany</Data>
    <Data Name="ServerName">krbtgt/mycompany</Data>
    <Data Name="TargetName">krbtgt/mycompany@mycompany</Data>
    <Data Name="ErrorText" />
    <Data Name="File">onecore\ds\security\protocols\kerberos\client2\logonapi.cxx</Data>
    <Data Name="Line">e35</Data>
    <Binary />
  </EventData>
</Event>

We checked on the DC and an appropriate certificate for Kerberos authentication is present, issued from the same template as on the other DCs, and on the client a smart card authentication certificate is present.

Additionally, on the DC we occasionally see this error:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Kerberos-Key-Distribution-Center" Guid="{3FD9DA1A-5A54-46C5-9A26-9BD7C0685056}" EventSourceName="KDC" />
    <EventID Qualifiers="32768">21</EventID>
    <Version>0</Version>
    <Level>3</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2020-01-09T14:50:06.483775300Z" />
    <EventRecordID>2639</EventRecordID>
    <Correlation />
    <Execution ProcessID="0" ThreadID="0" />
    <Channel>System</Channel>
    <Computer>srv-dc02.mydomain.local</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="Domain">mydomain</Data>
    <Data Name="Username">myuser</Data>
    <Data Name="Status">The operation completed successfully.</Data>
    <Binary>00000000000000000000000000000000</Binary>
  </EventData>
</Event>

Does anyone have Hello working on a 2019 server? Are we missing some configuration?

Thanks

Lorenzo

P.S. dsregcmd /status shows the device as correctly hybrid joined:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : mydomain

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
               KeySignTest : PASSED
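
Added example, not part of the original post: a Python parser for exported Kerberos event XML like the Event ID 3 above, which decodes the hexadecimal ErrorCode field against the PKINIT error codes defined in RFC 4556. The function name and the trimmed sample are constructed for illustration; the field values in the sample are those shown in the post.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# PKINIT (certificate/key-based Kerberos pre-auth) error codes from RFC 4556.
PKINIT_ERRORS = {
    62: "KDC_ERR_CLIENT_NOT_TRUSTED",
    64: "KDC_ERR_INVALID_SIG",
    65: "KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED",
    70: "KDC_ERR_CANT_VERIFY_CERTIFICATE",
    71: "KDC_ERR_INVALID_CERTIFICATE",
    72: "KDC_ERR_REVOKED_CERTIFICATE",
    73: "KDC_ERR_REVOCATION_STATUS_UNKNOWN",
    75: "KDC_ERR_CLIENT_NAME_MISMATCH",
    77: "KDC_ERR_INCONSISTENT_KEY_PURPOSE",
    78: "KDC_ERR_DIGEST_IN_CERT_NOT_ACCEPTED",
    79: "KDC_ERR_PA_CHECKSUM_MUST_BE_INCLUDED",
    80: "KDC_ERR_DIGEST_IN_SIGNED_DATA_NOT_ACCEPTED",
    81: "KDC_ERR_PUBLIC_KEY_ENCRYPTION_NOT_SUPPORTED",
}

def parse_kerberos_event(xml_text):
    """Extract the triage fields of one Security-Kerberos event (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "")
            for d in root.findall("e:EventData/e:Data", NS)}
    code = int(data.get("ErrorCode") or "0", 16)  # logged as hex, e.g. 0x4b
    return {
        "provider": system.find("e:Provider", NS).get("Name"),
        "event_id": int(system.find("e:EventID", NS).text),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "session": data.get("LogonSession"),
        "target": data.get("TargetName"),
        "error_code": code,
        "error_name": PKINIT_ERRORS.get(code, "not a PKINIT code"),
        "pkinit_failure": code in PKINIT_ERRORS,
    }

# Trimmed copy of the Event ID 3 shown in the post (constructed sample input).
SAMPLE = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-Security-Kerberos" />
<EventID Qualifiers="32768">3</EventID>
<Computer>DESKTOP-U38MM2P.mycompany.local</Computer></System>
<EventData><Data Name="LogonSession">mycompany\myuser</Data>
<Data Name="ErrorCode">0x4b</Data><Data Name="ErrorMessage">Unknown Error</Data>
<Data Name="TargetName">krbtgt/mycompany@mycompany</Data></EventData></Event>"""

if __name__ == "__main__":
    print(parse_kerberos_event(SAMPLE))
```

The event viewer prints "Unknown Error" for 0x4b, but the value is decimal 75, which RFC 4556 names KDC_ERR_CLIENT_NAME_MISMATCH.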



