SOLVED

Passwordless sign on to hybrid AAD joined computer not working

Regular Contributor

I've been trying to set up passwordless authentication to log into hybrid AADJ computers using a security key.  I've followed the documentation on how to set it up, but can't seem to get it working.  

I have a security key set up successfully as an authentication type in AzureAD, and can sign into Azure AD joined devices without issue.  I just can't seem to get it to work for logging in to Hybrid AADJ computers.  When I try to log on with a security key, I get an error:
Your credentials couldn't be verified (code: 0xc000006d,0x0)

Looking up that error code, it means "The cause is either a bad username or authentication information" 

I've also looked in the event logs under webauthn logs, and I see the failed Ctap GetAssertion steps, with the error "0x52E The username or password is incorrect." which seems roughly equivalent to the error above. I don't know where to go from here though; I haven't found any particularly in-depth troubleshooting on the process. Any suggestions would be welcome.

Thanks!

2 Replies
best response confirmed by Steve Whitcher (Regular Contributor)
Solution
Circling back to share the solution - the account I was testing with was indirectly a member of a protected AD group. Members of protected groups are, by default, not allowed to use security key sign-on. After removing that membership, the security key sign-on works as expected.
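A way to check for the cause described in that answer, added here as an example and not code from the thread: it reports whether an account carries the adminCount marker that SDProp leaves on AdminSDHolder-protected accounts, and resolves nested membership so an indirect membership in a protected group shows up too. It assumes the RSAT ActiveDirectory module, a domain-joined session, and uses the placeholder account name 'jdoe'.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
# 'jdoe' is a placeholder sAMAccountName.
param([string]$SamAccountName = 'jdoe')

Import-Module ActiveDirectory

# Groups whose members AdminSDHolder protects by default (adminCount=1).
$ProtectedGroups = @(
    'Account Operators', 'Administrators', 'Backup Operators',
    'Domain Admins', 'Domain Controllers', 'Enterprise Admins',
    'Print Operators', 'Read-only Domain Controllers', 'Replicator',
    'Schema Admins', 'Server Operators', 'Key Admins', 'Enterprise Key Admins'
)

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, memberOf

# adminCount=1 is the mark SDProp leaves on protected accounts. It is not
# cleared automatically when the membership is removed, so check both.
$flag = if ($user.adminCount -eq 1) { 'set' } else { 'not set' }
Write-Host "adminCount on $($user.SamAccountName): $flag"

# Escape DN characters that are special in an LDAP filter (backslash first).
$escapedDn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'

# LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership,
# so groups the user belongs to only through another group are included.
$allGroups = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$escapedDn)"

$hits = $allGroups | Where-Object { $ProtectedGroups -contains $_.Name }
if ($hits) {
    Write-Host "Effective member of protected group(s):"
    foreach ($g in $hits) {
        # Anything not listed in memberOf was reached through a nested group.
        $how = if ($user.memberOf -contains $g.DistinguishedName) { 'direct' } else { 'nested' }
        Write-Host "  $($g.Name) ($how)"
    }
} else {
    Write-Host "Not an effective member of any default protected group."
}
```

If adminCount is still set after the membership has been removed, clearing it and restoring ACL inheritance on the object is a separate cleanup step; the script only reports, it does not change anything.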