Hey fellow sysadmins! I'm currently running a test deployment of Windows Hello for Business (WHfB) for several users. The deployment was executed through Account Protection in Entra, and the users' accounts are synced from Active Directory (AD) to Entra with cloud authentication. Most users can log in just fine, but there's one user who can log in but can't map their on-prem network drives. When they try to access the server, they receive an error about not reaching a Domain Controller and are asked for their Hello credentials, which fail. If I log in using their password, they can access the shares routinely. Although the devices are cloud joined, the DNS allows insecure updates, and there's a DNS suffix set up. I can't figure out why this one user is having issues when everyone else is fine. Their account is similar to the others, but they used to be the IT Manager and have had their admin permissions removed. Any insights on this?
1 Answer
It sounds like you might need to set up the Kerberos Cloud Trust. It's pretty straightforward and will deploy an object in your on-prem AD domain controllers' OU. There are a few additional settings to check, but it shouldn't take more than five minutes to get it all sorted out. You can find more details in the Microsoft documentation.
Thanks for the tip! This was indeed the issue - originally, it was just one user, but the problem spread to my other test users as well. We had a cloud auth object in AD, but something wasn't quite right. I removed it and set it up again, and everything seems to be working now. Cheers!