Passwordless sign on to hybrid AAD joined computer not working
I've been trying to set up passwordless authentication to log into hybrid AADJ computers using a security key. I've followed the documentation on how to set it up, but can't seem to get it working.
I have a security key set up successfully as an authentication type in AzureAD, and can sign into Azure AD joined devices without issue. I just can't seem to get it to work for logging in to Hybrid AADJ computers. When I try to log on with a security key, I get an error:
Your credentials couldn't be verified (code: 0xc000006d,0x0)
Looking up that error code, it means "The cause is either a bad username or authentication information"
I've also looked in the event logs under webauthn logs, and I see the failed Ctap GetAssertion steps, with the error "0x52E The username or password is incorrect." which seems roughly equivalent to the error above. I don't know where to go from here, though; I haven't found any particularly in-depth troubleshooting on the process. Any suggestions would be welcome.
Thanks!
- Steve Whitcher (Bronze Contributor): Circling back to share the solution - the account I was testing with was indirectly a member of a protected AD group. Members of protected groups are, by default, not allowed to use security key sign-on. After removing that membership, the security key sign-on works as expected.
- MassiveLoops (Copper Contributor): I was going down a hole trying to figure this out too! There was nothing in the event logs either. Thank you, I can confirm this is what was causing my issue with this error under my account. I was being lazy and not using a test account/general user and made more work for myself in the end :-).
- QuentinDL (Copper Contributor): You saved my day!
Thanks!
- Thijs Lecomte (Bronze Contributor): Have you set up a Windows Hello for Business hybrid setup?
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide#hybrid
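
A read-only check for the cause identified in this thread, added here as an example and not part of any poster's message: it lists the protected groups an account belongs to, directly or through nesting. It assumes "protected group" means a group stamped with `adminCount=1` by AdminSDHolder; the function names and the `testuser` account name are placeholders.

```powershell
# Added example, not from the thread. Requires the RSAT ActiveDirectory module
# and read access to the on-premises domain.
Import-Module ActiveDirectory

# Hypothetical helper: escape a value for use inside an LDAP filter (RFC 4515).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string] $Value)
    # Backslash is replaced first so the later escapes are not escaped again.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace([string][char]0, '\00')
}

# Hypothetical helper: list adminCount=1 groups that contain the account.
function Get-ProtectedGroupMembership {
    param([Parameter(Mandatory)][string] $Identity)

    $user = Get-ADUser -Identity $Identity -Properties MemberOf, adminCount
    $dn   = ConvertTo-LdapFilterValue -Value $user.DistinguishedName

    # 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN: it matches groups
    # that contain the user directly or through any depth of group nesting.
    # Assumption: "protected" is approximated by adminCount=1 on the group.
    $filter = "(&(objectCategory=group)(adminCount=1)(member:1.2.840.113556.1.4.1941:=$dn))"

    Get-ADGroup -LDAPFilter $filter | ForEach-Object {
        [pscustomobject]@{
            User           = $user.SamAccountName
            UserAdminCount = $user.adminCount
            ProtectedGroup = $_.Name
            # MemberOf holds only direct memberships, so anything else is nested.
            Membership     = if ($user.MemberOf -contains $_.DistinguishedName) { 'Direct' } else { 'Indirect (nested)' }
            GroupDN        = $_.DistinguishedName
        }
    }
}

# 'testuser' is a placeholder sAMAccountName for the account that fails sign-in.
Get-ProtectedGroupMembership -Identity 'testuser' | Format-Table -AutoSize
```

An empty result means no `adminCount=1` group contains the account through the `member` attribute; the account's primary group is not covered by this query.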