Hey everyone! We've been using Windows Hello for Business (WHfB) for about six months with Cloud Kerberos Trust. Our users still exist in the on-premises Active Directory (AD), but we've set their passwords to never expire and made them complex. They're signing in using PINs, and their computer accounts are only Azure AD joined, not on-prem.
In the past, we had issues where users with cached credentials on their phones for WiFi were causing their AD accounts to lock out. When trying to access on-prem resources, like our file server, they would get an error indicating they couldn't contact a domain controller (DC) for login, which required unlocking their accounts and removing those cached credentials.
But today, one user faced the same "can't connect to DC" error despite their account being fine—unlocked and able to log in with a PIN. When they tried accessing on-prem resources, it failed. I ended up resetting their on-prem AD password and configuring the resources in Credential Manager to get them back to work.
When I ran `klist`, there were no entries. Logging in with their password worked fine, but after logging out and back in with the PIN, it failed again, necessitating stored credentials. Both CloudTGT and OnPremTGT check out as YES when I ran `dsregcmd`.
Any ideas on what's going wrong?
1 Answer
It sounds like your user is connected to the right VLAN and can ping the DC, so that’s a good sign. I’d suggest trying to run `certutil -deletehellocontainer` and then have them log back in. This should allow for re-enrollment into Hello. Just keep in mind they might need a TAP if their passwords aren’t usable.
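As an added diagnostic (example code, not part of the original question or answer), the PowerShell function below gathers the same two things the poster checked by hand, the SSO fields from `dsregcmd /status` and the ticket cache from `klist`, and flags the exact mismatch described above: OnPremTgt reported YES while `klist` holds no krbtgt ticket. The realm name CORP.EXAMPLE.COM and the issue wording are assumptions; run it in the affected user's PIN-signed-in session.

```powershell
# Added diagnostic helper (not from the original post). Assumes dsregcmd.exe and
# klist.exe are on PATH; the on-prem realm is a placeholder you supply.
function Get-CloudKerberosTrustState {
    param(
        [Parameter(Mandatory)][string]$OnPremRealm   # e.g. CORP.EXAMPLE.COM (placeholder)
    )
    # dsregcmd /status prints "Name : Value" lines; keep only the fields relevant here.
    $wanted = 'AzureAdJoined','DomainJoined','AzureAdPrt','OnPremTgt','CloudTgt','NgcSet'
    $state  = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $wanted -contains $Matches[1]) {
            $state[$Matches[1]] = $Matches[2]
        }
    }

    # klist lists the logon session's cached tickets, one "#n>" entry each; a healthy
    # Cloud Kerberos Trust sign-in holds "Server: krbtgt/<REALM> @ <REALM>".
    $tickets      = klist.exe
    $hasAnyTicket = [bool]($tickets | Where-Object { $_ -match '^\s*#\d+>' })
    $hasOnPremTgt = [bool]($tickets | Where-Object { $_ -match "krbtgt/$([regex]::Escape($OnPremRealm))" })

    # Turn the raw fields into a short list of findings (assumed wording).
    $issues = @()
    if ($state['AzureAdJoined'] -ne 'YES') { $issues += 'Device is not Azure AD joined' }
    if ($state['AzureAdPrt']    -ne 'YES') { $issues += 'No Azure AD PRT; cloud sign-in did not complete' }
    if ($state['NgcSet']        -ne 'YES') { $issues += 'No Hello container; user not enrolled or container deleted' }
    if ($state['CloudTgt']      -ne 'YES') { $issues += 'CloudTgt missing; Azure AD did not issue the partial TGT' }
    if ($state['OnPremTgt']     -ne 'YES') { $issues += 'OnPremTgt missing; no on-prem TGT from Azure AD Kerberos' }
    if ($state['OnPremTgt'] -eq 'YES' -and -not $hasOnPremTgt) {
        # This is the state described in the question: dsregcmd says YES, klist is empty.
        $issues += 'OnPremTgt is YES but klist has no krbtgt ticket; TGT exchange with a DC did not happen'
    }

    [pscustomobject]@{
        SsoState          = $state
        KlistHasTicket    = $hasAnyTicket
        KlistHasOnPremTgt = $hasOnPremTgt
        Issues            = $issues
        Healthy           = ($issues.Count -eq 0)
    }
}

Get-CloudKerberosTrustState -OnPremRealm 'CORP.EXAMPLE.COM' | Format-List
```

Run it once after the PIN sign-in and once after a password sign-in; comparing the two `Issues` lists separates a device-registration problem (fields missing in both) from a Hello-container problem (only the PIN session is affected).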
