SOLVED

Windows Hello for business PIN and Kerberos

%3CLINGO-SUB%20id%3D%22lingo-sub-3129301%22%20slang%3D%22en-US%22%3EWindows%20Hello%20for%20business%20PIN%20and%20Kerberos%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3129301%22%20slang%3D%22en-US%22%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20get%20some%20help%20to%20troubleshoot%20WHfB%20PIN%20authentication%20and%20Kerberos.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20deployed%20WHfB%20with%20Key%20trust%20model%20in%20our%20environment.%26nbsp%3B%20It%20is%20working%20as%20supposed%20and%20I%20have%20configured%20two%20Windows%2010%20machines%20with%20WHfb%20PIN%3A%3C%2FP%3E%3CP%3Emachine%201%3A%26nbsp%3B%20Windows%2010%20enterprise%20(2004)%20laptop%20%2C%20Hybrid%20joined.%3C%2FP%3E%3CP%3Emachine%202%3A%20a%20virtual%20machine%20running%20on%20machine1%2C%20Windows%2010%20enterprise%20(20H2)%20with%20bridged%20network%2C%20AAD%20joined.%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20can%20login%20into%20both%20machine%20with%20PIN%2C%20in%20office%20and%20in%20home.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EProblem%3A%20when%20I%20am%20in%20office%20and%20connected%20to%20on-premises%20network%20with%20wire%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Emachine%201%3A%20I%20can%20login%20with%20my%20AD%20credential%20or%20the%20PIN%2C%20after%20login%2C%20I%20can%20see%20shared%20disks.%26nbsp%3B%3C%2FP%3E%3CP%3Eklist%20shows%20Kerberos%20tickets.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMachine%202%3A%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20login%20with%20AD%20credential%20(%20UPN%20and%20password)%2C%20klist%20shows%20one%20ticket%20after%20login%2C%20and%20I%20can%20access%20shares.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20login%20with%20PIN%2C%20klist%20show%200%20ticket%2C%20and%20I%20can't%20access%20share%20(%20when%20I%20tried%2C%20it%20popup%20login%20window%20and%20ask%20to%20login%20with%20pin%2C%20then%20it%20failed%20again%20and%20claim%20I%20don't%20have%20permission%20).%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Enltest%20%2Fsc_query%3Amycompany.local%3CBR%20%2F%3EI_NetLogonControl%20failed%3A%20Status%20%3D%201722%200x6ba%20RPC_S_SERVER_UNAVAILABLE%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20think%20PIN%20should%20also%20grant%20me%20access%20to%20Kerberos%20for%20AAD%20joined%20machines%2C%20not%20sure%20where%20to%20start%20look%20at.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eour%20DC%20environment%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2%20old%20Windows%202012R2%20DC.%3C%2FP%3E%3CP%3E2%20new%20Windows%202019%20DC.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eklist%3C%2FP%3E%3CP%3ECurrent%20LogonId%20is%200%3A0x1ceb8a%3C%2FP%3E%3CP%3ECached%20Tickets%3A%20(0)%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Enltest%20%2Fsc_query%3Amycompany.local%3CBR%20%2F%3EI_NetLogonControl%20failed%3A%20Status%20%3D%201722%200x6ba%20RPC_S_SERVER_UNAVAILABLE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3129301%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EPasswordless%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESSO%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3130082%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%20Hello%20for%20business%20PIN%20and%20Kerberos%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3130082%22%20slang%3D%22en-US%22%3Efollowed%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fidentity-protection%2Fhello-for-business%2Fhello-deployment-issues%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fidentity-protection%2Fhello-for-business%2Fhello-deployment-issues%3C%2FA%3E%20and%20enabled%3CBR%20%2F%3E%3CBR%20%2F%3EApplication%20and%20Services%2FMicrosoft%2FWindows%2FSecurity-Kerberos%2FOperational.%3CBR%20%2F%3E%3CBR%20%2F%3Esaw%20event%20102%20in%20log%3A%3CBR%20%2F%3ETrust%20validation%20of%20the%20certificate%20for%20the%20Kerberos%20Key%20Distribution%20Center%20(KDC)%20SEN-DC01.mycompany.local%20failed%3A%200x800B010A.%20Use%20the%20CAPI2%20diagnostic%20traces%20to%20identify%20the%20reason%20for%20the%20validation%20failure.%3CBR%20%2F%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

 

I would like to get some help to troubleshoot WHfB PIN authentication and Kerberos.

 

I have deployed WHfB with Key trust model in our environment.  It is working as supposed and I have configured two Windows 10 machines with WHfb PIN:

machine 1:  Windows 10 enterprise (2004) laptop , Hybrid joined.

machine 2: a virtual machine running on machine1, Windows 10 enterprise (20H2) with bridged network, AAD joined. 

 

I can login into both machine with PIN, in office and in home.

 

Problem: when I am in office and connected to on-premises network with wire,

 

machine 1: I can login with my AD credential or the PIN, after login, I can see shared disks. 

klist shows Kerberos tickets.

 

Machine 2: 

If I login with AD credential ( UPN and password), klist shows one ticket after login, and I can access shares.

 

If I login with PIN, klist show 0 ticket, and I can't access share ( when I tried, it popup login window and ask to login with pin, then it failed again and claim I don't have permission ).

 

nltest /sc_query:mycompany.local
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

 

I think PIN should also grant me access to Kerberos for AAD joined machines, not sure where to start look at.

 

our DC environment:

 

2 old Windows 2012R2 DC.

2 new Windows 2019 DC.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

klist

Current LogonId is 0:0x1ceb8a

Cached Tickets: (0)

 

 

nltest /sc_query:mycompany.local
I_NetLogonControl failed: Status = 1722 0x6ba RPC_S_SERVER_UNAVAILABLE

3 Replies

followed https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deplo... and enabled

Application and Services/Microsoft/Windows/Security-Kerberos/Operational.

saw event 102 in log:
Trust validation of the certificate for the Kerberos Key Distribution Center (KDC) DC01.mycompany.local failed: 0x800B010A. Use the CAPI2 diagnostic traces to identify the reason for the validation failure.

Looks like the issue is related with our DC's certificate. We got 0x800B010A 80092013 error and they are related with Certificate chain. I tuned on CAPI2 and found

Jack_Chen1780_0-1644335393478.png

 

So we have a offline root CA and a issuing CA, the issuing CA 's CRL setting is configured properly and it passed pkiview test for CRL list.   The issue seems to be the Issuing CA's certificate, it is signed by the offline Root CA and it doesn't have valid http CRL. Not sure if I can regenerate the issuing CA's certificate without breaking all the certificate it signed. Maybe it can be done by renew issuing CA's certificate with existing keypair ?

 

 

 

best response confirmed by Jack_Chen1780 (Occasional Contributor)
Solution
OK fixed it. first fix AIA and CDL from the offline Root CA, then issue a new sub CA to the issuing CA server with existing key ( so all existing certificates don't need to be regenerated ). Setup a new Intune profile to deploy the new intermediate sub CA to Windows devices, then it worked!