Windows Hello for Business: Internet Requirement for On-Premises Login Using Cloud Kerberos Trust
Hello everyone,
I've recently begun testing Windows Hello for Business in our environment, where we utilise Microsoft Entra hybrid join authentication with cloud Kerberos trust. I suspect that our on-premises physical firewall may be contributing to several issues we're experiencing, and I would like to clarify my understanding of hybrid join authentication using cloud Kerberos trust.
To access the internet, we use SSO with our firewall, meaning that after validating local AD credentials, the user gains access to the public network. My question is: Is internet access required for on-premises logins when using Windows Hello for Business?
From my research on Microsoft's https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/how-it-works-authentication#microsoft-entra-hybrid-join-authentication-using-cloud-kerberos-trust, it appears that if you're using cloud Kerberos trust and the PC is blocked from the internet, the Windows Hello for Business sign-in will fail. Essentially, the on-premises Domain Controller can only issue the final Ticket Granting Ticket (TGT) after receiving a valid Partial TGT from Microsoft Entra ID. This would imply that if the machine cannot reach Microsoft Entra ID due to firewall restrictions, the user will be unable to log in.
In our case, the user successfully enrolled the device on-premises, but the next morning they encountered the error "PIN isn't available: 0xc000005e 0x0."
Could anyone confirm whether my understanding is correct?
Thank you for your assistance!
Hi, using cloud Kerberos trust with hybrid join requires internet connectivity for on-premises logins. Essentially, the on-premises Domain Controller can issue the final TGT only after receiving a valid Partial TGT from Microsoft Entra ID. If the device is blocked from reaching the internet (for instance, by a firewall), the Windows Hello for Business sign-in will fail, as evidenced by the "PIN isn't available: 0xc000005e 0x0" error.
2 Replies
- RyanSteele-CoVSteel (Contributor):
Just to clarify, it is not sufficient to have "internet connectivity". The device requires line of sight to a Domain Controller. This is hinted at in the "Unsupported Scenarios" section at Windows Hello for Business cloud Kerberos trust deployment guide | Microsoft Learn, but the language used is unclear.
There is a more direct explanation buried in Windows Hello for Business Frequently Asked Questions (FAQ) | Microsoft Learn under the heading "Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?"
But of course, none of the documentation explains what will happen if a user attempts to sign in to their workstation using WHfB for the first time without LoS to a DC, or how they can get around the issue, so I will include that below. Hopefully this shows up in a Bing search for the next poor soul who gets stuck supporting their users after having had this done to them.
The error messages they will see are:
Windows could not sign you in
Your credentials could not be verified
Something went wrong and your PIN isn't available (status: 0xc000005e, substatus: 0x0). Click to set up your PIN again.
To get around the issue, have the user click on the link that says Sign-in options, then click on the icon that looks like a key. At that point, they should be able to sign in using their password.
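A pre-flight check a helpdesk could run on the workstation before a user's first PIN sign-in, covering both prerequisites discussed in this thread (hybrid join state, reachability of Microsoft Entra ID for the partial TGT, and line of sight to a domain controller). This is an added example, not code from the thread or from Microsoft's documentation; the domain name and the endpoint list are assumptions you should replace with your own.

```powershell
# Added example: pre-flight check for WHfB cloud Kerberos trust prerequisites.
# Run in an elevated PowerShell session on the hybrid-joined workstation.
# $Domain and $Endpoints are assumptions (placeholders), not values from the thread.
$Domain    = 'corp.example.com'
$Endpoints = @('login.microsoftonline.com', 'device.login.microsoftonline.com')

function Test-HybridJoinState {
    # dsregcmd reports join state and whether a Primary Refresh Token (PRT) was obtained
    $status = dsregcmd /status
    $joined = [bool]($status -match 'AzureAdJoined\s*:\s*YES') -and
              [bool]($status -match 'DomainJoined\s*:\s*YES')
    $prt    = [bool]($status -match 'AzureAdPrt\s*:\s*YES')
    [pscustomobject]@{ Check = 'Entra hybrid joined'; Ok = $joined; Detail = '' }
    [pscustomobject]@{ Check = 'PRT present';         Ok = $prt;    Detail = '' }
}

function Test-DcLineOfSight {
    param([string]$DomainName)
    # The DC locator must find a reachable DC; a non-zero exit code means no line of sight
    $out = & nltest "/dsgetdc:$DomainName" /force 2>&1
    [pscustomobject]@{ Check = 'DC line of sight'; Ok = ($LASTEXITCODE -eq 0); Detail = ($out -join ' ') }
}

function Test-EntraReachability {
    param([string[]]$Hosts)
    foreach ($h in $Hosts) {
        # The device must reach Entra ID over TCP 443 before the DC will issue the full TGT;
        # a firewall that only opens egress after an interactive SSO logon breaks this step
        $r = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "Entra ID ${h}:443"; Ok = $r.TcpTestSucceeded; Detail = $r.RemoteAddress }
    }
}

$results  = @()
$results += Test-HybridJoinState
$results += Test-DcLineOfSight -DomainName $Domain
$results += Test-EntraReachability -Hosts $Endpoints
$results | Format-Table Check, Ok, Detail -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning 'A prerequisite failed: expect "PIN isn''t available (0xc000005e)" at the next WHfB sign-in.'
}
```

Any row with Ok = False points at the layer to fix (join/PRT, firewall egress, or DC reachability) before retrying the PIN sign-in.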