I've been dealing with an issue related to Windows Hello for Business (WHfB) authentication in our setup. We've had it running for about six months now, integrated with Cloud Kerberos Trust. Users still have accounts in our on-prem Active Directory (AD), and we set their passwords to never expire and made them very complex, letting them log in using PINs instead. However, these users don't have computer objects in the domain and are joined via Entra.
We've previously had problems with users using cached credentials on their phones to access WiFi, resulting in AD account lockouts. When they tried to access on-prem resources like our domain-joined file server, they received errors about not being able to contact a Domain Controller (DC). We resolved that by unlocking their accounts and clearing cached credentials.
This morning, one user faced a similar issue, although their account was unlocked and they could log in with their PIN. Yet, whenever they attempted to access on-prem resources, they got the "can't connect to DC" error. I ended up resetting their on-prem AD password and configuring Credential Manager for them to keep working.
I checked using klist and found no entries. Logging in with their password allowed access, but logging in with the PIN failed. The CloudTGT and OnPremTGT both show as YES when I run dsregcmd. What could be going wrong?
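The checks described in the question (dsregcmd trust flags, the Kerberos ticket cache, DC reachability) can be gathered in one pass so the "can't connect to DC" symptom can be separated into its likely causes: DC locator/DNS failure, KDC port blocked, or a TGT request that is refused for the WHfB logon. The script below is an added example written for this thread, not code from the original poster; the domain name and file-server UNC path are placeholders supplied as parameters, and it is meant to be run inside the affected user's PIN-logon session.

```powershell
# Added diagnostic for the WHfB / Cloud Kerberos Trust symptom in the question:
# PIN logon works, but on-prem resources fail with "cannot contact a DC".
# Assumptions (not from the post): the on-prem DNS domain is passed as -Domain and
# a file-server UNC path as -TestPath; run in the affected user's own session.
param(
    [Parameter(Mandatory)][string]$Domain,   # placeholder, e.g. corp.example.com
    [string]$TestPath                        # placeholder, e.g. \\fileserver\share
)

# Pull a "Name : Value" field out of dsregcmd /status output.
function Get-DsRegField {
    param([string[]]$Lines, [string]$Name)
    $pattern = "^\s*$([regex]::Escape($Name))\s*:\s*(.+)$"
    $line = $Lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
    if ($line -and $line -match $pattern) { return $Matches[1].Trim() }
    return $null
}

$dsreg  = dsregcmd /status
$result = [ordered]@{
    AzureAdJoined     = Get-DsRegField $dsreg 'AzureAdJoined'
    DomainJoined      = Get-DsRegField $dsreg 'DomainJoined'
    CloudTgt          = Get-DsRegField $dsreg 'CloudTgt'
    OnPremTgt         = Get-DsRegField $dsreg 'OnPremTgt'
    KerbTopLevelNames = Get-DsRegField $dsreg 'KerbTopLevelNames'
}

# 1. DC locator: if this fails, the error is DNS/network, not the Hello container.
$nltest = nltest /dsgetdc:$Domain 2>&1
$result.DcLocatorOk = ($LASTEXITCODE -eq 0)
$dc = $null
foreach ($l in $nltest) { if ($l -match 'DC:\s*\\\\(\S+)') { $dc = $Matches[1]; break } }
$result.DC = $dc
if ($dc) {
    # Kerberos KDC port; a blocked 88/tcp produces the same "cannot contact a DC" error.
    $result.Kdc88Open = (Test-NetConnection -ComputerName $dc -Port 88 `
                         -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 2. Ticket cache: with Cloud Kerberos Trust a PIN logon should already hold a
#    krbtgt entry for the on-prem realm. Zero entries matches the poster's klist result.
$result.TgtEntriesBefore = @(klist | Where-Object { $_ -match '^\s*Server:\s*krbtgt/' }).Count

# 3. Force a TGT request so a refusal surfaces with its error code instead of a
#    generic file-server error.
$get = klist get "krbtgt/$Domain" 2>&1
$result.TgtRequestOk     = -not (($get -join "`n") -match 'failed|error 0x')
$result.TgtRequestDetail = ($get | Where-Object { $_ -match 'krbtgt|error|failed' }) -join '; '

# 4. Optional: does the share named in the post resolve now?
if ($TestPath) { $result.SharePathReachable = Test-Path -Path $TestPath }

[pscustomobject]$result | Format-List
```

Reading the output: DcLocatorOk false or Kdc88Open false points at name resolution or firewall rather than WHfB; DcLocatorOk true with TgtRequestOk false and TgtEntriesBefore 0 means the client can reach a DC but the Hello logon is not being exchanged for an on-prem TGT, which is the case where re-enrolling the Hello container or checking the on-prem account state is the next step.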
4 Answers
Have you tried running `certutil -deletehellocontainer` and then logging back in? This can help with re-enrollment into Hello for Business, especially if they don't have usable passwords.
It sounds like there might be an issue with the connection to your on-prem resources through Entra. Make sure your Entra Connect is up to date and check the sync logs for any issues. You might be running into some sync problems that are causing these authentication errors.
I've run into a kind of similar situation, but only when I'm plugged into the on-prem network. It seems to affect just a few users though. In our case, it might be related to on-prem password issues, but I'm not entirely sure.
Honestly, I wonder why more people don't look into using DirectAccess or Always-On VPN for situations like this. It could simplify a lot of these connectivity problems, but I get that cost can be a concern.