Windows Hello for Business - Failed to locate a certificate registration authority

Question

Wednesday, September 19, 2018 6:15 PM

Hello,

I have a problem with Windows Hello for business in the Hybrid Azure AD joined Certificate Trust Deployment scenario.

I've configured the product following this guide step by step: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust

Environment:

- Windows 10 1803

- All Domain controllers in Windows Server 2016

- ADFS 2016

- AD CS in Windows Server 2012 R2

When I try to register WHFB on a user, nothing happens after the sign-in process.

Here are the errors in the Event Viewer:

- In the event log "User Device Registration"

- In the event log "Hello for Business"

Here is the result of the "dsregcmd /status" command:

dsregcmd /status

++
| Device State                                                         |
++

             AzureAdJoined : YES
          EnterpriseJoined : NO
                  DeviceId : c9d2b3d6-a8f2-426d-9e4f-87e2a9f4f877
                Thumbprint : 3605684CA60FF5391A1E9C1AD30235A98ECF4D50
            KeyContainerId : 5cab4849-6513-4d23-a4da-5080c6488cfc
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
             KeySignTest: : MUST Run elevated to test.
                       Idp : login.windows.net
                  TenantId : bd6aafaf-3263-40f5-a795-6f94d617839e
                TenantName : CompanyName
               AuthCodeUrl : https://login.microsoftonline.com/bd6aafaf-3263-40f5-a795-6f94d617839e/oauth4/authorize
            AccessTokenUrl : https://login.microsoftonline.com/bd6aafaf-3263-40f5-a795-6f94d617839e/oauth4/token
                    MdmUrl :
                 MdmTouUrl :
          MdmComplianceUrl :
               SettingsUrl :
            JoinSrvVersion : 1.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/bd6aafaf-3263-40f5-a795-6f94d617839e/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
DeviceManagementSrvVersion : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/bd6aafaf-3263-40f5-a795-6f94d617839e/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net
              DomainJoined : YES
                DomainName : RES

++
| User State                                                           |
++

                    NgcSet : NO
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)
                AzureAdPrt : YES
       AzureAdPrtAuthority : https://login.microsoftonline.com/bd6aafaf-3263-40f5-a795-6f94d617839e
             EnterprisePrt : YES
    EnterprisePrtAuthority : https://sts.companyname.eu:443/adfs

++
| Ngc Prerequisite Check                                               |
++

             IsUserAzureAD : YES
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : YES
        SessionIsNotRemote : YES
            CertEnrollment : enrollment authority
          AdfsRefreshToken : YES
             AdfsRaIsReady : NO
    LogonCertTemplateReady : UNKNOWN ( StateReady )
         AadRecoveryNeeded : NO
              PreReqResult : WillNotProvision

The auto-enrolled certificate on the user is not automatically deployed. When I try to do it manually, I get the following error.

"Certificate enrollment for user failed to enroll for a WHFBAuthentication certificate with request ID N/A from N/A (Failed to enroll for an NGC cert because there is NO Enterprise SSO. 0x801c03f6 (DSREG: 1014 DSREG_E_NGC_CERT_NO_ENTSSO))."

It seems related to the ADFS Registration Authority, but this part has been configured as recommended by MS, and I didn't notice any errors during the configuration.

Do you have any clues or feedback about these errors?

Thanks a lot,

Kevin JAGIELLA

All replies (6)

Friday, October 5, 2018 7:25 AM ✅Answered

Hi

FYI, I've opened a Microsoft case and they found a solution. You will find their answer below:

Resolution:

Executing the command DSREGCMD /STATUS we can see that “AdfsRaIsReady: NO”.

That means the ADFS server is not advertising as a Registration Authority.

To verify this, access the openID endpoint “.well-known/openid-configuration” using the browser, for example https://STS.contoso.com/adfs/.well-known/openid-configuration

Look for "capabilities": ["winhello_cert", "winhello_cert_kr"]. If these are missing, then the AD FS server is not advertising as a Registration Authority.

To fix this, perform the following steps (this is a workaround for now; it will be fixed later, no ETA):

Launch ADFS management console

Browse to “Services > Authentication Methods”

Under Multi-Factor Authentication Methods click Edit

Select One of the MFA providers (Any)

Save the settings.

Note: The above steps will not trigger MFA for any user unless MFA is enabled on the relying party. Enabling MFA on the relying party “Microsoft Office 365 Identity Platform” will break device registration and Windows Hello for Business.


Thursday, September 20, 2018 10:33 AM

Hi,
As mentioned in Microsoft documentation, the AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of KB4088889 (14393.2155). Please check this.
Also, you can try the following steps to see if it helps:
Open the AAD Connect tool, choose "Refresh Schema" - pop in the various credentials it requests and then let it run a full sync.
Wait for a while to replicate, then see if the problem is solved.

Hope it could be helpful.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, September 20, 2018 12:13 PM

Hi,

Thanks for your reply.

I forgot to mention, the KB4088889 is already installed on the ADFS farm.

I've also refreshed the schema several times but the problem is still present.


Tuesday, September 25, 2018 5:02 PM

Hi,

Any other suggestions?

Thanks


Thursday, October 25, 2018 5:19 AM

I'm currently facing the same problem and unfortunately this solution didn't work for me. I opened a ticket with Microsoft and they confirmed this is the workaround they are currently applying for this issue, but for some reason, after enabling one of the MFA options and restarting the ADFS service, the "capabilities":[] still shows up empty.

Microsoft is currently trying to figure out what's wrong on my environment but so far, they have no clue.

Olivier


Thursday, November 1, 2018 6:26 PM

Even though I'm still having problems with Windows Hello, I was able to solve this specific issue.

After checking the output of Get-AdfsCertificateAuthority I noticed that the parameter WindowsHelloCertificateProxyEnabled was set to False.

I ran the command Set-AdfsCertificateAuthority once again, this time specifying the parameter -WindowsHelloCertificateProxyEnabled $true, and now I can see the winhello_cert and winhello_cert_kr capabilities in the openid-configuration page.

This means that apparently, ADFS was indeed advertising as a registration authority, but it was only doing it internally and not through the proxy servers.

Olivier
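The two checks the thread converges on, the accepted answer's "capabilities" lookup in the openid-configuration document and Olivier's WindowsHelloCertificateProxyEnabled finding, combined into one script. This is an added example, not code from the thread or from Microsoft; it assumes the ADFS PowerShell module is present when run on a farm node, and the federation service name is a placeholder to replace with your own.

```powershell
# Added example (not from the thread): verify whether an AD FS farm advertises
# the Windows Hello for Business registration-authority capabilities that
# dsregcmd summarises as "AdfsRaIsReady". Assumptions: ADFS module available on
# a farm node; the federation service name below is a placeholder.
param(
    [string]$FederationServiceName = "sts.contoso.com"   # placeholder
)

$RequiredCapabilities = @("winhello_cert", "winhello_cert_kr")

function Test-WhfbCapabilities {
    # Fetch the OpenID discovery document and report which WHfB capabilities
    # are missing. Run it once from inside the network and once from a client
    # behind the Web Application Proxy: if only the internal run is ready, the
    # farm advertises the RA internally but not through the proxy.
    param([string]$Uri, [string[]]$Required)
    $config     = Invoke-RestMethod -Uri $Uri -Method Get
    $advertised = @($config.capabilities)
    $missing    = @($Required | Where-Object { $advertised -notcontains $_ })
    [pscustomobject]@{
        Endpoint   = $Uri
        Advertised = $advertised
        Missing    = $missing
        IsReady    = ($missing.Count -eq 0)
    }
}

$uri = "https://$FederationServiceName/adfs/.well-known/openid-configuration"
Test-WhfbCapabilities -Uri $uri -Required $RequiredCapabilities | Format-List

# Client side: the same readiness as the workstation's dsregcmd sees it.
if (Get-Command dsregcmd -ErrorAction SilentlyContinue) {
    dsregcmd /status | Select-String -Pattern 'AdfsRaIsReady|CertEnrollment|PreReqResult'
}

# Server side (farm node only): the setting the last reply found set to False,
# which hides the capabilities from clients reaching AD FS via the proxy.
if (Get-Command Get-AdfsCertificateAuthority -ErrorAction SilentlyContinue) {
    $ca = Get-AdfsCertificateAuthority
    if (-not $ca.WindowsHelloCertificateProxyEnabled) {
        Write-Warning ("WindowsHelloCertificateProxyEnabled is False; re-run your " +
            "Set-AdfsCertificateAuthority command with -WindowsHelloCertificateProxyEnabled `$true")
    }
}
```

Compare the Advertised list from an internal run with one from a proxy-facing client before changing anything: matching lists that both lack the two capabilities point at the MFA-provider workaround, while an internal-only match points at the proxy setting.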