Hey everyone! I'm in the process of setting up devices with Azure AD Join (AADJ) and I'm trying to enable access to on-premises resources like SMB shares. I've encountered a problem:
When a user logs into an AADJ PC using their email and password, everything works perfectly, and the desktop loads with the mapped drives. However, if they log in with a PIN, the mapped drives appear disconnected, and clicking on them prompts an authentication error stating, "The system cannot contact a domain controller to service the authentication request."
Domain-joined PCs work fine whether logging in with a PIN or a password, which indicates that basic authentication is functional. It seems like there's an issue with the interaction between Windows Hello for Business (WHfB) and Active Directory.
I've followed Microsoft's guides on setting up cloud trust, but I'm still stuck. One workaround I found is making the user log in with their email/password to cache credentials for the mapped drive, but this is not ideal as we'd need to repeat this for each drive. I've also seen mentions of importing a domain certificate, but I'm unsure if that's a long-term solution. Has anyone successfully set this up? Any special configurations or steps I might be missing? Thanks in advance!
3 Answers
If the user had WHfB enrolled before you set up everything, try using the command `certutil /deletehellocontainer` to reenroll them. Also, ensure you’re using a normal test user, as domain/enterprise admins are exempt from cloud Kerberos. Remember, a hybrid identity is a must—you can’t use a cloud-only account for this.
I had a similar experience setting this up. Make sure you’ve enabled the group policy or Intune configuration for "Use Cloud Trust For On Prem Auth" and that "Use Windows Hello For Business" is set to true. We missed the Intune config at first and fixing it was crucial. Also, if you enabled the policy after the user set up Windows Hello, you might need to reset the Windows Hello containers to get things working again.
I followed their steps and still had issues unfortunately.
Don’t forget about the Kerberos cloud trust setup! It's essential for WHfB to work with on-prem resources. Check Microsoft's documentation on hybrid cloud Kerberos trust if you haven’t already. Make sure you have that policy configured to retrieve a Kerberos ticket at logon.
I've already set that policy up, but still no luck. It's frustrating!
I'm using my regular user account for testing, which was created on-prem and synced to 365.
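A quick state check for the items the answers above keep coming back to (the WHfB and cloud trust policy, the device's Azure AD registration and cloud TGT state, and whether an on-prem Kerberos ticket was actually issued at PIN logon). This is an added diagnostic, not code from anyone in the thread; the PassportForWork registry path and the dsregcmd field names are assumptions based on the PassportForWork CSP and should be checked against your own tenant.

```powershell
# Added troubleshooting helper (not from any poster in this thread). Run it in the
# affected user's session after a PIN logon on an Azure AD joined device.
# Assumption: WHfB policy values live under the PassportForWork policy key below,
# and dsregcmd /status reports the AzureAdJoined / CloudTgt / OnPremTgt fields.

function Get-WhfbCloudTrustState {
    $result = [ordered]@{}

    # 1. Policy: "Use Windows Hello for Business" (UsePassportForWork) and
    #    "Use cloud trust for on-prem auth" (UseCloudTrustForOnPremAuth), per tenant GUID.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
    $tenantKeys = Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9a-fA-F-]{36}\}?$' }
    foreach ($key in $tenantKeys) {
        $p = Get-ItemProperty -Path (Join-Path $key.PSPath 'Policies') -ErrorAction SilentlyContinue
        $result["Policy[$($key.PSChildName)].UsePassportForWork"]        = $p.UsePassportForWork
        $result["Policy[$($key.PSChildName)].UseCloudTrustForOnPremAuth"] = $p.UseCloudTrustForOnPremAuth
    }
    if (-not $tenantKeys) { $result['Policy'] = 'no PassportForWork tenant policy key found' }

    # 2. Device state from dsregcmd: the device should be AzureAdJoined, and with a
    #    working cloud Kerberos trust the SSO State section should show OnPremTgt : YES.
    $dsreg = & dsregcmd /status
    foreach ($field in 'AzureAdJoined', 'DomainJoined', 'CloudTgt', 'OnPremTgt') {
        $line = $dsreg | Where-Object { $_ -match "^\s*$field\s*:" } | Select-Object -First 1
        $result["dsregcmd.$field"] =
            if ($line -and $line -match ':\s*(\S+)') { $Matches[1] } else { 'not reported' }
    }

    # 3. Ticket cache: a krbtgt/<ONPREM.DOMAIN> entry means the partial TGT from the
    #    cloud was exchanged with a domain controller for a full on-prem TGT.
    $tickets = & klist
    $result['Kerberos.OnPremTgtPresent'] = [bool]($tickets -match 'krbtgt/')

    [pscustomobject]$result
}

Get-WhfbCloudTrustState | Format-List
```

If the policy values show 1 but OnPremTgt is NO and no krbtgt entry exists, the container was most likely created before the policy applied, which is the case where the answers above suggest deleting the Hello container and re-enrolling.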