Forum Discussion
Angelo Lelieveld
Jan 04, 2019
Copper Contributor
Azure AD Joined device and authenticate on-premise AD.
Hi, I'm working on a new Workplace configuration based on Windows 10, Azure AD and Intune. Users should be able to Join their Windows 10 device to Azure AD and auto-enrolled to Intune. So far so ...
Jan 04, 2019
If I had to guess, it's due to the delay in the msDS-KeyCredentialLink attribute getting written back to your on-prem AD.
I do have a question for you as well: are you using PIN login and still able to get access to resources? I know I cannot get the PIN to work, and have to force users to use passwords for the on-prem ticket to match up. Also wondering if, the first time they log in, they set up a PIN in your instance, but the 2nd time log in with a password? That might be the same issue here.
Angelo Lelieveld
Jan 04, 2019
Copper Contributor
Hi Chris,
PIN didn't work at all. I also forced the users to use a password. I think you should configure Hybrid Windows Hello before you can use a PIN to authenticate with your local AD. This only works with a Windows 2016 DC.
Jan 04, 2019
Yeah, I found an article that is supposed to get it working, but I couldn't get it right in my test domain; it's throwing a different error than my prod, so I'm not sure if it's related. But I'm determined to support PIN, because passwordless etc. coming in the future is going to depend on that Windows Hello coming across.
I guess the first-login issue could be related to that attribute not getting written to your AD originally. Not sure when that takes place, or if it happens right away, etc. But just a hunch, because I know that attribute only exists when the device is Azure AD joined with Intune, and that's what it checks the token against.
Angelo Lelieveld
Jan 04, 2019
Copper Contributor
Thanks. I'll check the msDS-KeyCredentialLink attribute.
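An added example, not posted by anyone in this thread: a quick way to do the check Angelo mentions, i.e. see whether the Windows Hello for Business public key has been written into msDS-KeyCredentialLink on the on-prem user, and whether the domain has a Windows Server 2016 or later DC (required for key trust, as noted above). It assumes the RSAT ActiveDirectory module on a domain-joined admin box; the function names and the sample account name are my own choices.

```powershell
# Added example (not from the thread): inspect the on-prem state that Hybrid
# Windows Hello for Business key trust depends on.
# Assumes the RSAT ActiveDirectory module and a domain-joined admin session.

Import-Module ActiveDirectory

function Get-HelloKeyStatus {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'

    # The attribute is multi-valued DN-with-binary, one value per registered key,
    # in the form "B:<hexlen>:<hex>:<DN>". An empty list means Azure AD Connect has
    # not (yet) written the user's Hello key back to on-prem AD.
    $links = @($user.'msDS-KeyCredentialLink')

    [pscustomobject]@{
        User     = $user.SamAccountName
        KeyCount = $links.Count
        # The DN at the end of each value is the object the key is bound to.
        KeyDNs   = @($links | ForEach-Object { ($_ -split ':', 4)[3] })
        Ready    = $links.Count -gt 0
    }
}

function Test-DcKeyTrustReady {
    # Key trust needs at least one Windows Server 2016 or later DC.
    # Get-ADDomainController reports OperatingSystemVersion like "10.0 (14393)";
    # Server 2016 and later have major version 10, Server 2012 R2 reports 6.3.
    Get-ADDomainController -Filter * | ForEach-Object {
        $major = [int](($_.OperatingSystemVersion -split ' ')[0].Split('.')[0])
        [pscustomobject]@{
            DC      = $_.HostName
            OS      = $_.OperatingSystem
            Version = $_.OperatingSystemVersion
            Ok      = $major -ge 10
        }
    }
}

# Usage (the account name is a placeholder):
Get-HelloKeyStatus -SamAccountName 'alelieveld' | Format-List
Test-DcKeyTrustReady | Format-Table -AutoSize
```

If KeyCount is 0 for a user who has already enrolled Hello on their Azure AD joined device, the key has not been synchronized yet: Azure AD Connect writes it on its normal sync cycle (every 30 minutes by default), or you can run `Start-ADSyncSyncCycle -PolicyType Delta` on the Connect server to force one before retrying the PIN sign-in.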
Jan 04, 2019
This article. I never could get it working yet, ran out of time, but plan to get it going at some point: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base
JonasBack
Mar 06, 2019
Iron Contributor
ChrisWebbTech, we also had to spend some time to get it to work, but we have it working now. There were some caveats that are not clearly mentioned in the articles. Are you trying to get it to work using key-based or certificate-based trust?