AttaBoyLuther DanTheManSWE ilsensa7 Davidz_
0xC000006D (The attempted logon is invalid) is legit, and it means that the user account you are using is a member of one of the groups specified in the ms-DS-Never-Reveal-Group/Denial group defined in the RODC AzureADKerberos object, so the credential will be rejected.
If you collect a network trace, you will also see a TGS-REQ with sname-string krbtgt and a response from your Domain Controller with error-code eRR-TGT-REVOKED, confirming this behavior.
ms-DS-Reveal-OnDemand-Group attribute
Used with RODCs to define which users, computers, and groups are allowed to have their passwords cached on an RODC.
ms-DS-Never-Reveal-Group/Denial group
Used with RODCs to define which users, computers, and groups are not allowed to have their passwords cached on an RODC.
By default: Domain Admins, Account Operators, Enterprise Admins.
Try with a standard Domain User and you will get this working, obtaining a TGT.
A quick way to test this is to lock/unlock the client with the FIDO2 and then, in cmd, run klist get host/%computername%.
Then, with klist tgt, you will see the TGT.
Michele Ferrari
Sr. Premier Field Engineer - Azure
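The check described in the reply above, worked as an added PowerShell example (not code from the original post or from Microsoft): it reads msDS-NeverRevealGroup and msDS-RevealOnDemandGroup from the AzureADKerberos RODC object, resolves the user's nested group membership, and reports whether a FIDO2 sign-in should be expected to get a TGT, then wraps the klist get / klist tgt test from the post. It assumes the RSAT ActiveDirectory module, a domain-joined client, an RODC computer object named AzureADKerberos, and that klist prints the NTSTATUS code in hex on failure (that last string match is an assumption, not documented behavior).

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory
# module (RSAT) and an Azure AD Kerberos RODC object named "AzureADKerberos".
Import-Module ActiveDirectory

function Test-AzureADKerberosReveal {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [string]$RodcName = 'AzureADKerberos'   # assumed default object name
    )

    # Denial list (msDS-NeverRevealGroup) and allow list (msDS-RevealOnDemandGroup)
    # on the RODC object; both hold DNs of users, computers or groups.
    $rodc  = Get-ADComputer -Identity $RodcName -Properties 'msDS-NeverRevealGroup', 'msDS-RevealOnDemandGroup'
    $deny  = @($rodc.'msDS-NeverRevealGroup')
    $allow = @($rodc.'msDS-RevealOnDemandGroup')

    $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID
    $dn   = $user.DistinguishedName

    # Nested group membership via LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941).
    # The member attribute never lists the primary group (Domain Users by default),
    # so add it separately by building its SID from the domain SID and the RID.
    $groups = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                Select-Object -ExpandProperty DistinguishedName)
    $domainSid = (Get-ADDomain).DomainSID.Value
    $primary   = Get-ADGroup -Identity "$domainSid-$($user.primaryGroupID)"
    $groups   += $primary.DistinguishedName

    $principals = @($dn) + $groups
    $denied  = @($principals | Where-Object { $deny  -contains $_ })
    $allowed = @($principals | Where-Object { $allow -contains $_ })

    [pscustomobject]@{
        User             = $SamAccountName
        DeniedBy         = $denied
        AllowedBy        = $allowed
        # A denial entry wins over any allow entry; with no allow entry the
        # RODC cannot issue a TGT for the user either.
        ExpectTgtViaFido = ($denied.Count -eq 0) -and ($allowed.Count -gt 0)
    }
}

function Get-FidoTgtStatus {
    # Run this in the session of the user who just locked/unlocked with FIDO2.
    $get = & klist.exe get "host/$env:COMPUTERNAME" 2>&1 | Out-String
    $tgt = & klist.exe tgt 2>&1 | Out-String
    [pscustomobject]@{
        # Assumption: klist echoes 0xc000006d on the failure the post describes
        # (-match is case-insensitive in PowerShell).
        DeniedByRodc = [bool]($get -match '0xc000006d')
        # Assumption: a cached TGT shows krbtgt as the service name in klist tgt output.
        HasTgt       = [bool]($tgt -match 'krbtgt')
        RawGet       = $get
        RawTgt       = $tgt
    }
}

# Usage (hypothetical account name):
#   Test-AzureADKerberosReveal -SamAccountName 'jdoe'
#   Get-FidoTgtStatus
```

If DeniedBy is non-empty for an account, the 0xC000006D on FIDO2 unlock is expected and the fix is to test with an account outside the denial groups, not to remove Domain Admins from them.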