Forum Discussion
Windows Hello for Business: Internet Requirement for On-Premises Login Using Cloud Kerberos Trust
- Mar 20, 2025
Hi, using cloud Kerberos trust with hybrid join requires internet connectivity for on-premises logins. Essentially, the on-premises Domain Controller can issue the final TGT only after receiving a valid Partial TGT from Microsoft Entra ID. If the device is blocked from reaching the internet (for instance, by a firewall), the Windows Hello for Business sign-in will fail, as evidenced by the "PIN isn't available: 0xc000005e 0x0" error.
- RyanSteele-CoV, Feb 27, 2026, Steel Contributor
Just to clarify, it is not sufficient to have "internet connectivity". The device requires line of sight to a Domain Controller. This is hinted at in the "Unsupported Scenarios" section at Windows Hello for Business cloud Kerberos trust deployment guide | Microsoft Learn, but the language used is unclear.
There is a more direct explanation buried in Windows Hello for Business Frequently Asked Questions (FAQ) | Microsoft Learn under the heading "Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?"
But of course, none of the documentation explains what will happen if a user attempts to sign in to their workstation using WHfB for the first time without LoS to a DC, or how they can get around the issue, so I will include that below. Hopefully this shows up in a Bing search for the next poor soul who gets stuck supporting their users after having had this done to them.
The error messages they will see are:
Windows could not sign you in
Your credentials could not be verified
Something went wrong and your PIN isn't available (status: 0xc000005e, substatus: 0x0). Click to set up your PIN again.
To get around the issue, have the user click on the link that says Sign-in options, then click on the icon that looks like a key. At that point, they should be able to sign in using their password.
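A diagnostic for the two dependencies discussed in this thread (Entra ID reachability and line of sight to a Domain Controller), as an added example that is not part of either post. The function name, the use of `login.microsoftonline.com` as the reachability probe, and testing only TCP 88 on the DC are assumptions of this sketch; run it on the hybrid-joined client from a session opened with a password.

```powershell
# Added example (not from the thread): checks the prerequisites for a
# Windows Hello for Business cloud Kerberos trust sign-in on this client.
function Test-WhfbCloudTrustPrereqs {
    [CmdletBinding()]
    param(
        # Assumption: the AD DNS domain is read from the machine's own membership.
        [string]$DomainName = (Get-CimInstance Win32_ComputerSystem).Domain,
        # Assumption: this host is used only as an Entra ID reachability probe.
        [string]$EntraHost = 'login.microsoftonline.com'
    )

    $result = [ordered]@{
        Domain = $DomainName; DcLocated = $false; DcName = $null
        KerberosPort88 = $false; EntraReachable = $false
        AzureAdPrt = $null; CloudTgt = $null; OnPremTgt = $null
    }

    # 1. Line of sight to a DC: run the DC locator, then try Kerberos (TCP 88).
    $dcLine = nltest "/dsgetdc:$DomainName" 2>$null |
        Select-String '^\s*DC:\s*\\\\(\S+)' | Select-Object -First 1
    if ($dcLine) {
        $result.DcLocated = $true
        $result.DcName = $dcLine.Matches[0].Groups[1].Value
        $result.KerberosPort88 = (Test-NetConnection -ComputerName $result.DcName `
            -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    # 2. Reachability of Entra ID, which issues the partial TGT.
    $result.EntraReachable = (Test-NetConnection -ComputerName $EntraHost `
        -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Ticket state as reported in the "SSO State" section of dsregcmd.
    $status = dsregcmd /status
    foreach ($field in 'AzureAdPrt', 'CloudTgt', 'OnPremTgt') {
        $m = $status | Select-String "^\s*$field\s*:\s*(\S+)" | Select-Object -First 1
        if ($m) { $result[$field] = $m.Matches[0].Groups[1].Value }
    }
    [pscustomobject]$result
}

$r = Test-WhfbCloudTrustPrereqs
$r | Format-List
if (-not ($r.DcLocated -and $r.KerberosPort88)) {
    Write-Warning 'No line of sight to a Domain Controller: a first WHfB sign-in will fail; use password sign-in via Sign-in options.'
}
if (-not $r.EntraReachable) {
    Write-Warning 'Entra ID is not reachable: the partial TGT cannot be obtained.'
}
```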