Azure federated users unable to login to Windows 10

Bjorn Mereboer
New Contributor

We have set up our on-premise AD with ADFS to enable login for Active Directory users to Azure AD. This configuration is done like this article: http://www.ruudborst.nl/multi-tenant-azure-federation-without-dirsync-aadsync-aadconnect-fim/

This setup works for Passive and Active logons; the only problem is that users are not able to log on to a Windows 10 computer with this configuration. If they type their username and password, their password always seems to be wrong (checked multiple times).
Trying to join the Windows 10 computer will fail for these users with the following message: "...This isn't a school or work account...."
Is there something in Azure AD that we need to activate to get this working?

6 Replies

Re: Azure federated users unable to login to Windows 10

Hi Bjorn,

Have you set up Azure AD Join? Here is how: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azureadjoin-setup

Re: Azure federated users unable to login to Windows 10

Nuno,

Azure AD join is set up; in fact, when the domain is set to managed instead of federated, users are able to join their device and log on. But for business requirements it's necessary to put the domain in federated.

Re: Azure federated users unable to login to Windows 10

Ok, if it is a business requirement I cannot see the solution; maybe in future that will be possible.

After you set up Azure AD Join for your users, they can connect to Azure AD through their corporate or personal devices.

Following are the three scenarios you can use to enable your users to set up Azure AD Join:

  • Users join a company-owned device directly to Azure AD.
  • Users domain-join a company-owned device to the on-premises Active Directory and then extend the device to Azure AD.
  • Users add work or school accounts to Windows on a personal device.

Re: Azure federated users unable to login to Windows 10

Both managed and federated configurations should be able to authenticate to both cloud and on-prem upon signing in to Windows, on both domain-joined (registered with Azure AD) and Azure AD joined devices.

Signing in to Windows 10 devices requires one of the WS-Trust username/mixed (13 or 2005) end-points in AD FS to be enabled. Can you check whether one of these end-points is enabled?

Re: Azure federated users unable to login to Windows 10

@Jairo Cadena,

Both the endpoints are enabled, even on the ADFS proxies.

I did some network sniffing during Azure AD Join, and this is what's happening.

1 - http://login.microsoftonline.com:443
2 - https://login.microsoftonline.com/webapp/UnifiedEnrollment/3
3 - http://secure.aadcdn.microsoftonline-p.com:443
4 - https://login.microsoftonline.com/WebApp/CloudDomainJoin/8
5 - https://login.microsoftonline.com/common/.well-known/openid-configuration
6 - https://login.microsoftonline.com/common/oauth2/authorize?client_id=1b89ed98-a469-4536-ade2-f981bc1d605e&instance_aware=true&msafed=0&nonce=e3e9a3fb-f9ee-426c-b1ce-b6902302d21e&prompt=login&redirect_uri=ms-aadj-redir%3A%2F%2Fauth%2Fdrs&resource=01cb2876-7ebd-4aa4-9cc9-d28bd4d359a9&response_type=code%20id_token&scope=openid%20sid&windows_api_version=2.1
7 - http://secure.aadcdn.microsoftonline-p.com:443
8 - https://login.microsoftonline.com/common/GetCredentialType

After these steps the following error is displayed.
[screenshot: 2017-07-13_16-05-24.png]

Re: Azure federated users unable to login to Windows 10

Have you enabled in your ADFS on-prem a service endpoint?

adfs/services/trust/13/windowstransport

Is your Windows 10 computer integrated as Azure AD join or in your domain on-prem?

Do you use a proxy in your enterprise for going out to Microsoft?
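
The endpoint check Jairo asks for, together with the windowstransport endpoint and proxy question in the last reply, as an added example that is not part of the thread: a PowerShell script for an AD FS server that reports whether the WS-Trust usernamemixed and windowstransport endpoints are enabled and published through the proxy, and can turn them on. It uses the existing Get-AdfsEndpoint, Enable-AdfsEndpoint and Set-AdfsEndpoint cmdlets; the 2005/windowstransport path (the standard AD FS address for that endpoint), the $wanted list and the -Enable and -PublishToProxy switches are this script's own additions, and it assumes the ADFS PowerShell module is available on the host.

```powershell
# Added example (not from the thread): audit, and optionally enable, the AD FS
# WS-Trust endpoints that federated Windows 10 sign-in and Azure AD Join rely on.
# Assumes it runs on an AD FS server with the ADFS PowerShell module loaded.
# -Enable and -PublishToProxy are switches defined by this script; the cmdlets
# it calls (Get-/Enable-/Set-AdfsEndpoint) are the standard ADFS module cmdlets.
[CmdletBinding()]
param(
    [switch]$Enable,         # turn on endpoints that are currently disabled
    [switch]$PublishToProxy  # also publish them through the Web Application Proxy
)

# 13/windowstransport is the path named in the thread; the usernamemixed paths are
# the "username/mixed (13 or 2005)" endpoints Jairo refers to. 2005/windowstransport
# is the matching standard AD FS path, included here as an assumption for completeness.
$wanted = @(
    '/adfs/services/trust/13/usernamemixed',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/windowstransport'
)

$all = Get-AdfsEndpoint

$report = foreach ($path in $wanted) {
    $ep = $all | Where-Object { $_.AddressPath -eq $path }
    if (-not $ep) {
        # Path not known to this farm at all: report it rather than fail the whole run.
        [pscustomobject]@{ AddressPath = $path; Enabled = 'missing'; Proxy = 'missing' }
        continue
    }
    if ($Enable -and -not $ep.Enabled) {
        Enable-AdfsEndpoint -TargetAddressPath $path
    }
    if ($PublishToProxy -and -not $ep.Proxy) {
        Set-AdfsEndpoint -TargetAddressPath $path -Proxy $true
    }
    # Re-read so the report reflects any change just made.
    $ep = Get-AdfsEndpoint | Where-Object { $_.AddressPath -eq $path }
    [pscustomobject]@{ AddressPath = $path; Enabled = $ep.Enabled; Proxy = $ep.Proxy }
}

$report | Format-Table -AutoSize

# Windows 10 sign-in needs at least one usernamemixed endpoint (13 or 2005) enabled.
$userNameMixedOn = $report | Where-Object {
    $_.AddressPath -like '*/usernamemixed' -and $_.Enabled -eq $true
}
if (-not $userNameMixedOn) {
    Write-Warning 'No WS-Trust usernamemixed endpoint is enabled; federated Windows 10 sign-in will fail.'
}
```

Run it without switches first to get a read-only report; with -Enable (and -PublishToProxy if clients reach AD FS from outside the corporate network) it makes the change, which takes effect after the AD FS service is restarted (Restart-Service adfssrv) on each farm node. Publishing a usernamemixed endpoint through the proxy exposes a password-accepting endpoint to the internet, so pair it with AD FS extranet lockout and monitoring of failed token requests in the AD FS Admin log.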
