Forum Discussion

StephanGee's avatar
StephanGee
Steel Contributor
Jun 16, 2026

Windows 11 24H2 Sec Baseline → Broken SSO to on‑prem (Root cause: PKINIT SHA‑1 baseline)

Hi all,

I ran into an issue with Entra-joined devices using Windows Hello for Business (Cloud Kerberos Trust) that might help others working with Windows 11 24H2 security baselines.

Scenario

  • Windows 11 25H2 devices
  • Entra-joined (not hybrid)
  • Intune-managed
  • Windows Hello for Business (WHfB) enabled
  • Cloud Kerberos Trust configured
  • On-prem AD (Windows Server 2019/2022 DCs)
  • Access to SMB shares / on-prem applications

Symptoms

  • SSO to on-prem resources fails
  • Users get credential/PIN prompt instead of SSO
  • Error message:
    “The system cannot contact a domain controller to service the authentication request”

Client-side observations:

klist → no tickets (initially)

After enabling Cloud Kerberos Trust:

klist get krbtgt → works klist get cifs/server.domain → fails

Error:

0xc000a100 / 0x3bc4 Hash generation for the specified version and hash type is not enabled on server

Root Cause

The issue was caused by a Windows 11 24H2 security baseline setting related to Kerberos/PKINIT.

The 24H2 baseline introduces a policy for configuring hash algorithms for certificate-based Kerberos authentication (PKINIT). This setting allows environments to disable SHA-1 and require SHA-2 algorithms. [applepie.se]

Important detail:

This configuration only works if the domain controllers fully support PKINIT with SHA-2, which effectively requires Windows Server 2025 domain controllers across the environment.

If SHA-1 is disabled while running:

  • Windows Server 2019 or 2022 DCs
  • Mixed environments

then PKINIT authentication fails, which directly impacts:

  • Windows Hello for Business
  • Cloud Kerberos Trust
  • Any passwordless Kerberos-based authentication

Why this is difficult to troubleshoot

  • Cloud Kerberos Trust appears correctly configured
  • AzureADKerberos object exists
  • PRT is valid
  • Network connectivity is fine

However:

  • Kerberos tickets are not issued correctly
  • Service tickets (CIFS, HTTP, etc.) fail
  • Errors are misleading and point to KDC/hash issues
  • No explicit warning is provided in baseline guidance that mixed environments will break

Resolution

Revert the baseline change and allow SHA-1 for PKINIT again.

Policy location:

Computer Configuration → System → Kerberos / KDC → Configure hash algorithms for certificate logon

Ensure:

  • SHA-1 is set to Allowed/Default

After reverting:

  • Kerberos ticket issuance works
  • SSO to on-prem resources is restored

Recommendation

Do not disable SHA-1 for PKINIT unless:

  • All domain controllers are Windows Server 2025, and
  • PKINIT SHA-2 support has been fully validated

Treat this setting as future hardening, not production-safe for mixed environments today.

Takeaway

If you experience:

  • WHfB + Cloud Kerberos Trust SSO failures
  • klist get errors with hash generation issues
  • Missing or failing Kerberos service tickets

check the PKINIT hash configuration from the 24H2 security baseline first.

security
security baseline
windows
No RepliesBe the first to reply