Windows Office Hours: March 20, 2025
I have Kerberos Cloud Trust deployed to AADJ devices, but my test environment is still getting prompts to sign in with a password instead of Windows Hello. I've followed the deployment guides for passwordless single sign-on, a prerequisite, and for Kerberos Cloud Trust. I've confirmed the user and computer objects exist in my on-prem Active Directory. I have a case open with Microsoft Support, but I thought I would ask here as well.
- Jason_Sandys (Microsoft), Mar 20, 2025
Hi shin0933, when you say you are getting prompts, when are you getting them? What are you doing and/or trying to access when you get them? Is Entra Connect properly set up, and is the Entra ID account that you are logged in with properly synced to the on-prem AD domain?
- shin0933 (Brass Contributor), Mar 20, 2025
The prompts are something to the effect of "Windows requires the user to lock the PC and sign in with their password instead of Windows Hello" when the user tries to access an on-prem resource like a network share. This only happens when an AADJ device is connected to a network that has DNS managed by a domain controller. We do have AzureADConnect 2.3.6.0 set up correctly, and it is syncing the AD-sourced user account to Entra. We are in the process of planning the upgrade to the latest version of Entra Connect as well.
- Jason_Sandys (Microsoft), Mar 20, 2025
"This only happens when an AADJ device is connected to a network that has DNS managed by a domain controller."
So, if you configure an alternate DNS server, the prompt does not appear?
Does the device have connectivity to an on-prem domain controller?
Do the on-prem domain controllers have a proper certificate as described in the documentation?
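The questions above (DC reachability, DNS, whether the Hello sign-in actually produced an on-prem Kerberos ticket) can be checked from the affected device. The script below is an added example for this thread, not code from the original posts or from Microsoft; it assumes it is run elevated on the AADJ test device while on the on-prem network, and `$Domain` is a placeholder for your AD DNS domain.

```powershell
# Added client-side checks for a cloud Kerberos trust deployment (not from the thread).
# Assumes: run elevated on the Entra-joined device, on the on-prem network,
# signed in with Windows Hello. $Domain is a placeholder for your AD DNS domain.
param([string]$Domain = "corp.example.com")

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail = "") {
    $tag = if ($Ok) { "PASS" } else { "FAIL" }
    if ($Detail) { "[$tag] $Name - $Detail" } else { "[$tag] $Name" }
}

# 1. Device state: must be Entra joined and hold a PRT, or no cloud TGT can be issued.
$ds     = dsregcmd /status
$joined = [bool]($ds | Select-String '^\s*AzureAdJoined\s*:\s*YES')
$prt    = [bool]($ds | Select-String '^\s*AzureAdPrt\s*:\s*YES')
Write-Check "Entra joined (dsregcmd)" $joined
Write-Check "Primary Refresh Token present" $prt

# 2. Cloud Kerberos trust policy, written by the WHfB "Use cloud trust for
#    on-premises authentication" GPO/CSP setting (verify the path against your policy).
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$pol    = (Get-ItemProperty -Path $polKey -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth
Write-Check "UseCloudTrustForOnPremAuth = 1" ($pol -eq 1) "current value: $pol"

# 3. DNS: the device must resolve a DC through the domain's SRV records.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction SilentlyContinue
Write-Check "DC SRV record resolves" ($null -ne $srv) (($srv | ForEach-Object NameTarget) -join ', ')

# 4. DC locator and Kerberos port reachability.
$nl  = nltest "/dsgetdc:$Domain" 2>&1 | ForEach-Object { "$_" }
$m   = $nl | Select-String 'DC:\s*\\\\(\S+)' | Select-Object -First 1
Write-Check "DC locator (nltest)" ($null -ne $m)
if ($m) {
    $dc = $m.Matches[0].Groups[1].Value
    $ok = (Test-NetConnection -ComputerName $dc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
    Write-Check "Kerberos TCP/88 reachable on $dc" $ok
}

# 5. A working cloud Kerberos trust sign-in yields an on-prem TGT; request one if absent.
$tgt = klist | Select-String "krbtgt/$Domain"
if (-not $tgt) {
    klist get "krbtgt/$Domain" | Out-Null
    $tgt = klist | Select-String "krbtgt/$Domain"
}
Write-Check "On-prem TGT cached (krbtgt/$Domain)" ($null -ne $tgt)
```

A FAIL on checks 3 or 4 points at the DNS/connectivity questions in the reply above; a FAIL on check 5 with the first four passing suggests the ticket request itself is failing and the DC-side configuration should be reviewed.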