

Windows Hello - msDS-KeyCredentialLink - Problems with synchronization - This option is temporarily unavailable

Question

Thursday, December 12, 2019 3:51 PM

Hi,

I have a problem: Windows Hello stopped working about 2 months ago. I thought this might have something to do with the schema and msDS-KeyCredentialLink.

What I have:

  • 4 sites, all but one running 1 RWDC; in HQ we have 2 RWDCs

HQDC1  - Windows Server 2019 Standard (HQ)
HQDC2  - Windows Server 2019 Standard (HQ)
L2DC1  - Windows Server 2019 Datacenter (IaaS in Azure)
L3DC1  - Windows Server 2016 Datacenter (IaaS in Azure)
L4DC1  - Windows Server 2019 Datacenter (IaaS in Azure)

  • Azure AD Connect synchronizes to HQDC1 (HQ DC)
  • Schema is 88 (Windows Server 2019)
  • Forest and domain level is 2012 R2
  • Azure AD Connect replicates first to HQDC1, then HQDC2 and L2DC1
  • The Azure AD Connect service account is a member of Key Admins
  • msDS-KeyCredentialLink exists and is being populated from Azure AD Connect, but disappears after 10-15 min (probably due to replication)

What I did:

  • Previously I had two 2012 R2 DCs in HQ; I introduced new ones and removed the old ones
  • I have checked the permissions of the service account
  • I have updated and moved Azure AD Connect to a new server
  • I have a test machine and user in a test OU with inheritance blocked and just one GPO that enrolls the device into Azure AD (hybrid join) and Intune and enables WHfB
  • I have tried to reconfigure WHfB a number of times (certutil -deletehellocontainer) on the test machine
  • I wrote a script to monitor the existence of msDS-KeyCredentialLink, and it shows that after a delta sync the attribute is populated on HQDC1 and replicated to HQDC2, but after some time everything disappears
  • There are no replication problems that I can see, and this disappearing-attribute issue only applies to msDS-KeyCredentialLink; e.g. the other Azure AD attribute mS-DS-ConsistencyGuid replicates just fine
  • I have redeployed Windows Hello

What I think

  • I guess this is a problem with the disappearing msDS-KeyCredentialLink, but I don't understand why this is happening
  • Also, what is strange is that even when this attribute is populated on both servers in the site the test machine is in, it still gets "that option is temporarily unavailable"

This is something I have been unable to solve for 2 months. I would appreciate any tips.

Thanks for any help.
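The post above mentions a home-grown script that watches for the attribute and sees it vanish after replication. The following is an added PowerShell example, not the poster's script and not part of the original thread, that does the same across every DC in the domain and additionally reads the per-value replication metadata for msDS-KeyCredentialLink, so a deletion can be traced to the DC it originated on instead of being assumed to come from replication. The account name whfb.testuser, the device name WHFB-TEST01 and the CSV path are assumptions; it needs the RSAT ActiveDirectory module and read access to each DC.

```powershell
# Added example, not from the original post: poll every DC for a user's (and a
# hybrid-joined device's) msDS-KeyCredentialLink and show, per linked value,
# which DC originated the last change or deletion. Names below are assumptions.
Import-Module ActiveDirectory

$UserSam      = 'whfb.testuser'   # assumed test user sAMAccountName
$DeviceName   = 'WHFB-TEST01'     # assumed test device (displayName of its msDS-Device object)
$IntervalSecs = 60
$LogPath      = "$env:TEMP\keylink-monitor.csv"

$dcs = (Get-ADDomainController -Filter *).HostName

# Resolve the DNs once, against the PDC emulator, so every DC is queried for the same objects.
$pdc      = (Get-ADDomain).PDCEmulator
$userDn   = (Get-ADUser -Identity $UserSam -Server $pdc).DistinguishedName
$deviceDn = (Get-ADObject -Server $pdc -LDAPFilter "(&(objectClass=msDS-Device)(displayName=$DeviceName))").DistinguishedName

function Get-KeyLinkState {
    param([string]$Dn, [string]$Server)
    $current = Get-ADObject -Identity $Dn -Server $Server -Properties 'msDS-KeyCredentialLink' -ErrorAction Stop
    $values  = @($current.'msDS-KeyCredentialLink')

    # msDS-KeyCredentialLink is a linked attribute, so its replication metadata is
    # kept per value and only shows up with -ShowAllLinkedValues. A deleted link
    # value keeps its metadata (LastOriginatingDeleteTime), which is what exposes a purge.
    $meta = Get-ADReplicationAttributeMetadata -Object $Dn -Server $Server -ShowAllLinkedValues |
            Where-Object { $_.AttributeName -eq 'msDS-KeyCredentialLink' }

    if (-not $meta) {
        # Never written on this replica: no value and no link metadata at all.
        return [pscustomobject]@{ DC=$Server; Object=$Dn; ValuesNow=$values.Count; Value=$null
                                  OriginDC=$null; OriginTime=$null; DeletedAt=$null; Version=$null }
    }
    foreach ($m in $meta) {
        $v = "$($m.AttributeValue)"
        if ($v.Length -gt 40) { $v = $v.Substring(0, 40) + '...' }
        [pscustomobject]@{
            DC         = $Server
            Object     = $Dn
            ValuesNow  = $values.Count                                   # values present right now on this DC
            Value      = $v
            OriginDC   = $m.LastOriginatingChangeDirectoryServerIdentity # DC that accepted the last write
            OriginTime = $m.LastOriginatingChangeTime
            DeletedAt  = $m.LastOriginatingDeleteTime                    # set once the link value was removed
            Version    = $m.Version
        }
    }
}

while ($true) {
    $now  = Get-Date
    $rows = foreach ($dc in $dcs) {
        foreach ($dn in (@($userDn, $deviceDn) | Where-Object { $_ })) {
            try   { Get-KeyLinkState -Dn $dn -Server $dc }
            catch { [pscustomobject]@{ DC=$dc; Object=$dn; ValuesNow=$null; Value="query failed: $($_.Exception.Message)"
                                       OriginDC=$null; OriginTime=$null; DeletedAt=$null; Version=$null } }
        }
    }
    Write-Host ("=== {0:u} ===" -f $now)
    $rows | Format-Table DC, Object, ValuesNow, OriginDC, OriginTime, DeletedAt, Version -AutoSize | Out-String | Write-Host
    $rows | Select-Object @{n='Timestamp'; e={ $now }}, * | Export-Csv -Path $LogPath -Append -NoTypeInformation
    Start-Sleep -Seconds $IntervalSecs
}
```

Run it from a workstation that can reach every DC over LDAP and RPC. A row with DeletedAt set tells you when the link value was removed, and OriginDC tells you which DC accepted that write; if that is consistently the DC Azure AD Connect talks to, the removal is an LDAP write arriving at that DC, not a replication quirk, and that DC's Security log is the next place to look.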

All replies (5)

Wednesday, December 18, 2019 11:29 AM ✅Answered

DRAGON is SLAIN - in general the issue was that some other production system that I was not aware of was using the same AD sync service account to connect to other AD tenants and removing msDS-KeyCredentialLink. So this issue was just misconfiguration / miscommunication.


Friday, December 13, 2019 2:44 AM

Hi,

You can open up the Azure AD Connect admin tool, select "Refresh directory schema" and go through the wizard. Let it sync and verify that device writeback works and that the msDS-KeyCredentialLink attribute is populated on the relevant msDS-Device in the RegisteredDevices folder. See: Hello for Business - How to with key based setup?

Hope this can help you. Have a nice day~

Best Regards,

Kiki

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Friday, December 13, 2019 9:27 AM

Hi Kiki,

Thanks for the reply. I have refreshed the schema so many times I can't count :) And the attribute is being populated, but for some reason it is being pushed out of AD.

Yet there is something I'm confused about in your answer. I was checking the attribute on the user AD object, not on the device. Should it be on the device? If it should, my AD Connect does not even try to do so, and I have device writeback enabled.

Also, regarding the link you provided (I have seen it), that is not my case: local AD is aware of the attribute and the schema was updated.

 

So my thoughts:

  • As my devices are hybrid AD joined, I added a check for msDS-KeyCredentialLink on the device, and it is not there.
  • And for some reason msDS-KeyCredentialLink, although it is being pushed to the user object, is pushed out after AD replication kicks in.
  • But e.g. I have checked other devices in the RegisteredDevices container, and on those devices msDS-KeyCredentialLink is populated.

So this is how it looks on my side.

  1. Before the sync, I'm missing msDS-KeyCredentialLink on both the test user and the device. [screenshot]
  2. Then after the delta sync it looks like this. [screenshot]
  3. And all of a sudden it is back to this, and a few minutes later it will be cleared. [screenshot]

Now my two issues:

  1. Why msDS-KeyCredentialLink is pushed out.
  2. And why my hybrid-joined device does not have this attribute populated.

Monday, December 16, 2019 1:54 AM

Hi,

I'm so sorry, but since resources in the forum are limited, we recommend that you contact MS support about your question.

https://support.microsoft.com/en-gb/hub/4343728/support-for-business

Hope this can help you. Have a nice day!

Best regards,

Kiki



Tuesday, December 17, 2019 8:45 PM

[STATUS UPDATE]

I'm starting to cry :) So at this point I am sure of:

1. WHfB works as long as msDS-KeyCredentialLink is filled.

2. Something is removing this attribute from my AD within a 5 min time span after the AAD delta sync. Does anyone know a good way to audit who/what is purging this attribute? At this point it does not look like AAD Sync. And again, this is only true for this one attribute; everything else is replicating normally, at least to my knowledge.

I DO NOT WANT TO SOUND DESPERATE BUT PLEASE HELP :)
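The question in this last update, how to audit who or what is removing the attribute, is the one the accepted answer eventually settled by hand: a second system sharing the sync service account. The following is an added PowerShell example, not from the thread, showing the audit trail that would have pointed there: enable Directory Service Changes auditing on the DCs, put a SACL on the test user for writes to msDS-KeyCredentialLink, then collect Security event 5136 (directory service object modified) from every DC and, because 5136 carries no source address, join the logon ID of each "Value Deleted" entry to its 4624 logon event to get the client IP. The account name whfb.testuser is an assumption; you need rights to modify the object's SACL (Manage auditing and security log) and to read each DC's Security log.

```powershell
# Added example, not from the original thread: attribute the removal of
# msDS-KeyCredentialLink to an account and a source address via DC audit logs.
Import-Module ActiveDirectory

$UserSam = 'whfb.testuser'   # assumed test account
$user    = Get-ADUser -Identity $UserSam
$dcs     = (Get-ADDomainController -Filter *).HostName

# --- 1. Audit policy (run once, as a DC admin). The GUID is the "Directory Service
#        Changes" subcategory; a GPO on the Domain Controllers OU is the supported
#        way to set it, auditpol is fine for a lab:
# auditpol.exe /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030} /success:enable /failure:enable

# --- 2. SACL on the user object: log successful Write Property on this one attribute,
#        by anyone. The attribute GUID is read from the schema rather than hard-coded.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=msDS-KeyCredentialLink)' -Properties schemaIDGUID
$attrGuid = [guid]$attrObj.schemaIDGUID
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
                $everyone,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AuditFlags]::Success,
                $attrGuid)
$acl = Get-Acl -Path "AD:\$($user.DistinguishedName)" -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$($user.DistinguishedName)" -AclObject $acl

# --- 3. Once the attribute has vanished again, pull matching 5136 events from every DC.
#        Raw OperationType values: %%14674 = Value Added, %%14675 = Value Deleted.
$xpath = "*[System[(EventID=5136)] and EventData[Data[@Name='AttributeLDAPDisplayName']='msDS-KeyCredentialLink']]"
$hits = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
      ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $op = switch ($d['OperationType']) { '%%14674' { 'Value Added' } '%%14675' { 'Value Deleted' } default { $d['OperationType'] } }
        [pscustomobject]@{
            DC        = $dc
            Time      = $_.TimeCreated
            Subject   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"   # who made the change
            LogonId   = $d['SubjectLogonId']                                      # key for step 4
            Operation = $op
            Object    = $d['ObjectDN']
        }
      }
}
$hits | Sort-Object Time | Format-Table Time, DC, Subject, Operation, Object -AutoSize

# --- 4. 5136 has no client address; the 4624 logon with the same TargetLogonId on the
#        same DC does. That is what exposes a second server using the sync account.
foreach ($h in ($hits | Where-Object Operation -eq 'Value Deleted')) {
    $logonXPath = "*[System[(EventID=4624)] and EventData[Data[@Name='TargetLogonId']='$($h.LogonId)']]"
    $logon = Get-WinEvent -ComputerName $h.DC -LogName Security -FilterXPath $logonXPath -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($logon) {
        $lx = [xml]$logon.ToXml()
        $ip = ($lx.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
        "{0:u}  {1} deleted the value on {2} from {3}" -f $h.Time, $h.Subject, $h.DC, $ip
    }
}
```

If every "Value Deleted" row names the sync service account but the IP address is not the Azure AD Connect server, some other host is using that identity, which is exactly the misconfiguration the accepted answer describes; the fix is a dedicated account per consumer so the audit trail stays attributable.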