

Windows Hello For Business Hybrid Key Trust Deployment Issue

Question

Wednesday, December 11, 2019 7:21 AM

Hi all

I am currently in the process of deploying Windows Hello For Business for our company's Windows 10 users, but I am currently stuck.

I've been using the following deployment guide for my setup (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust)

I have done the following steps:

1. Domain Controllers are Windows Server 2019 with a DFL of 2016

2. Updated Azure AD Connect to the latest version and performed a directory schema refresh

3. Configured device synchronization to Azure AD

4. Issued a new Domain Controller certificate based off the Kerberos Authentication template as pointed out in the deployment guide and removed old domain certificates. (CA is deployed on a Windows Server 2012 machine)

5. Created a group policy that enables Windows Hello For Business for select users

I've deployed Win10 on a new device, synced the device to AAD, then configured a PIN code for the user upon login, and everything looks good in the User Device Registration log.

But when I try to log in using the newly created PIN code I get an error in the style of "your credentials could not be verified", and if I look into the event log on the Domain Controller I get a 4768 Audit Failure event.

On subsequent logins after the first one I get another error in the style of "An error occurred and your PIN is not available (status: 0xc00000bb)", and in the event log on the Domain Controller I get a 4771 Audit Failure event (Kerberos pre-authentication failed).

Looking at the CAPI2 log to catch any certificate problems I get the following event:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
    <EventID>11</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>11</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000003</Keywords>
    <TimeCreated SystemTime="2019-12-06T07:54:17.476176000Z" />
    <EventRecordID>585</EventRecordID>
    <Correlation />
    <Execution ProcessID="624" ThreadID="3156" />
    <Channel>Microsoft-Windows-CAPI2/Operational</Channel>
    <Computer>xxxxx</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <UserData>
    <CertGetCertificateChain>
      <Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
      <AdditionalStore>
        <Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
      </AdditionalStore>
      <ExtendedKeyUsage />
      <Flags value="40000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" />
      <ChainEngineInfo context="machine" />
      <CertificateChain chainRef="{93D155EE-CFAD-410C-87B2-E7F3E83FC34F}">
        <TrustStatus>
          <ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
          <InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
        </TrustStatus>
        <ChainElement>
          <Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
          <SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
          <PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
          <TrustStatus>
            <ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
            <InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
          </TrustStatus>
          <ApplicationUsage>
            <Usage oid="1.3.6.1.4.1.311.20.2.2" name="Smart Card Logon" />
          </ApplicationUsage>
          <IssuanceUsage any="true" />
        </ChainElement>
      </CertificateChain>
      <EventAuxInfo ProcessName="lsass.exe" />
      <CorrelationAuxInfo TaskId="{CDA0C2CE-6DC3-440E-983C-DEA9A3FFA0C9}" SeqNumber="3" />
      <Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>
    </CertGetCertificateChain>
  </UserData>
</Event>

My suspicion was that there was something wrong with my domain certificate, but the serial number on the certificate in the log file does not correspond with any certificate on the DC. Looking at the information from the CAPI2 log it looks like it is a certificate problem with the Microsoft single sign-on site. 278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05 in the log above seems to be part of the URL I normally use to sign on, e.g. https://login.microsoftonline.com/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/login

I don't know why I'm receiving this certificate error and can't find any information about it. Does anyone know what I need to change to make this work?

Best Regards
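Reading CertGetCertificateChain events by hand, as the poster did above, gets tedious once there are more than a couple. The following PowerShell is an added example, not from the original post or from Microsoft: run on the Windows 10 client with the CAPI2 Operational log enabled, it lists each event ID 11 whose chain build did not succeed, with the subject, the process that asked for the chain, the revocation flags requested, the CERT_TRUST_* error flags set, the EKU on the leaf, and the result code and text. The function name and its parameters are this example's own.

```powershell
# Added example, not from the original post. Summarises CertGetCertificateChain (event ID 11)
# entries from the client's CAPI2 Operational log so the result code, the CERT_TRUST_* error
# flags and the revocation flags of each failed chain build appear in one table instead of
# being read out of the raw XML in Event Viewer. Run on the client with the CAPI2 log enabled.

function Get-Capi2ChainFailure {
    param(
        [int]$MaxEvents = 200,
        [switch]$IncludeSuccess   # by default only non-zero results (failed chain builds) are returned
    )

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11 } `
                           -MaxEvents $MaxEvents -ErrorAction Stop

    # CAPI2 renders each set flag as an attribute named after the flag with the value "true".
    $flagNames = {
        param($node)
        if ($null -eq $node) { return @() }
        $node.Attributes |
            Where-Object { $_.Name -like 'CERT_*' -and $_.Value -eq 'true' } |
            ForEach-Object Name
    }

    foreach ($e in $events) {
        $xml   = [xml]$e.ToXml()
        $chain = $xml.Event.UserData.CertGetCertificateChain
        if (-not $chain) { continue }

        $result = $chain.Result.value
        if (-not $IncludeSuccess -and $result -eq '0') { continue }

        [pscustomobject]@{
            Time       = $e.TimeCreated
            Process    = $chain.EventAuxInfo.ProcessName
            Subject    = $chain.Certificate.subjectName
            FileRef    = $chain.Certificate.fileRef
            ChainFlags = ((& $flagNames $chain.Flags) -join ', ')
            ErrorFlags = ((& $flagNames $chain.CertificateChain.TrustStatus.ErrorStatus) -join ', ')
            LeafEku    = (@($chain.CertificateChain.ChainElement.ApplicationUsage.Usage.name) -join ', ')
            ResultCode = $result
            ResultText = $chain.Result.'#text'
        }
    }
}

# Usage: show every failed chain build in the most recent 200 events.
Get-Capi2ChainFailure | Format-Table -AutoSize -Wrap
```

For the event quoted in the post this would report ChainFlags `CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT`, ErrorFlags `CERT_TRUST_IS_UNTRUSTED_ROOT`, LeafEku `Smart Card Logon` and ResultCode `800B0109` for process `lsass.exe`, which is what the later accepted answer about the PKI revocation URL has to be checked against.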

All replies (3)

Thursday, March 19, 2020 6:12 AM ✅Answered

Hi all

We managed to get it fixed. It turned out that the fault was our internal PKI: there was an issue with the revocation URL not functioning properly, as I understood it. We got help from our IT partner to solve it.

Thanks for all your suggestions

Best Regards


Thursday, December 12, 2019 7:25 AM

Hi,

The cause of the error message seems to be:

If the client tries to use a Windows 2019 domain controller (rather than Windows 2016) then WHfB authentication fails.

Found this feature request too, which is what led me to force it to the 2016 server.

https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/37200370-whfb-is-not-working-with-server-2019-domaincontrol

Also see this similar case

Windows Hello for business login fail

https://social.technet.microsoft.com/Forums/office/en-US/3eefdffd-8430-462d-9aba-3ba148a7d240/windows-hello-for-business-login-fail?forum=win10itprogeneral

I suggest opening a consult ticket with Microsoft for deep research:

https://support.microsoft.com/en-gb/hub/4343728/support-for-business

Regards



Friday, March 6, 2020 12:38 AM

Check that your Server 2019 DC has the latest patches. There was a patch in 2019 that fixed issues.

https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044
Addresses an issue that causes the Windows Hello for Business Hybrid Key Trust deployment sign-in to fail if Windows 2019 Server domain controllers (DC) are used for authentication. The error is, "That option is temporarily unavailable. For now, please use a different method to sign in". If Active Directory (AD) activity tracing is enabled, a Local Security Authority Subsystem Service (LSASS) exception may occur in the Windows 2019 DC when processing a user's sign in.
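The two fixes this thread ends on, a working revocation URL in the internal PKI (the accepted answer) and a patched Server 2019 DC (the reply above), can both be checked from the DC itself. The following PowerShell is an added example, not from the original thread or from Microsoft. Run elevated on the Server 2019 domain controller, it finds the certificate issued from the Kerberos Authentication template (assumed here by its KDC Authentication EKU, OID 1.3.6.1.5.2.3.5, which the template carries), fetches every HTTP CRL and AIA URL in that certificate, builds the chain with online revocation checking and the exclude-root setting seen in the CAPI2 event flags, reports whether KB4487044 or a newer cumulative update is installed, and counts the 4768/4771 Audit Failure events from the last day so a fix can be confirmed. All function names are this example's own.

```powershell
# Added example, not from the original thread. Run elevated on the Server 2019 DC.
# Checks (1) reachability of the CRL/AIA URLs in the DC's Kerberos Authentication certificate,
# (2) a revocation-checked chain build of that certificate, (3) patch state, and
# (4) recent 4768/4771 Audit Failure counts from the Security log.

$kdcAuthEku = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU carried by the Kerberos Authentication template

function Get-DcKerberosCertificate {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthEku)
    }
}

function Test-CertificateUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CDP (2.5.29.31) and AIA (1.3.6.1.5.5.7.1.1) extensions; Format() renders them with "URL=" entries.
    $urls = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '2.5.29.31', '1.3.6.1.5.5.7.1.1' } |
        ForEach-Object { $_.Format($true) } |
        Select-String -Pattern 'URL=(\S+)' -AllMatches |
        ForEach-Object { foreach ($m in $_.Matches) { $m.Groups[1].Value } } |
        Sort-Object -Unique

    foreach ($u in $urls) {
        if ($u -notmatch '^https?://') { "  SKIP $u (not HTTP)"; continue }
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 10
            "  OK   $u (HTTP $($r.StatusCode), $($r.RawContentLength) bytes)"
        } catch {
            "  FAIL $u : $($_.Exception.Message)"
        }
    }
}

function Test-DcCertificateChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Online revocation checking, root excluded: the same setting the CAPI2 event flags show.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
    $built = $chain.Build($Cert)
    [pscustomobject]@{
        Subject    = $Cert.Subject
        Serial     = $Cert.SerialNumber
        NotAfter   = $Cert.NotAfter
        ChainBuilt = $built
        Status     = (($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; ')
    }
}

function Get-WhfbPatchState {
    [pscustomobject]@{
        KB4487044Installed = [bool](Get-HotFix -Id KB4487044 -ErrorAction SilentlyContinue)
        # Later cumulative updates supersede KB4487044, so also show the newest update present.
        NewestUpdate       = (Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending |
                              Select-Object -First 1 -ExpandProperty HotFixID)
        OSBuild            = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    }
}

function Get-KerberosAuditFailures {
    param([int]$Hours = 24)
    # 4768 = TGT requested, 4771 = pre-authentication failed; keyword 0x10000000000000 is Audit Failure.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4768, 4771; Keywords = 0x10000000000000
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Group-Object Id |
        Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count
}

# Usage
$certs = @(Get-DcKerberosCertificate)
if (-not $certs) { Write-Warning 'No certificate with the KDC Authentication EKU in the machine store.' }
foreach ($c in $certs) {
    "Certificate $($c.Thumbprint):"
    Test-CertificateUrls -Cert $c
    Test-DcCertificateChain -Cert $c | Format-List
}
Get-WhfbPatchState | Format-List
Get-KerberosAuditFailures | Format-Table -AutoSize
```

A FAIL line from Test-CertificateUrls or a RevocationStatusUnknown / OfflineRevocation entry in the chain status is the DC-side counterpart of the client's 800B0109 chain error in the original post; if the URLs are fine and the chain builds, the patch state is the next thing to look at, and a falling 4771 count after the change confirms the PIN sign-ins are completing.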