EricBBB
Copper Contributor
Mar 13, 2025
Solved

Windows Hello for Business: Internet Requirement for On-Premises Login Using Cloud Kerberos Trust

Hello everyone, I've recently begun testing Windows Hello for Business in our environment, where we utilise Microsoft Entra hybrid join authentication with cloud Kerberos trust. I suspect that our o...
  • micheleariis
    Mar 20, 2025

    Hi, using cloud Kerberos trust with hybrid join requires internet connectivity for on-premises logins. Essentially, the on-premises Domain Controller can issue the final TGT only after receiving a valid Partial TGT from Microsoft Entra ID. If the device is blocked from reaching the internet (for instance, by a firewall), the Windows Hello for Business sign-in will fail, as evidenced by the "PIN isn't available: 0xc000005e 0x0" error.
