Microsoft Tech Community
SOLVED

Passwordless sign on to hybrid AAD joined computer not working


I've been trying to set up passwordless authentication to log into hybrid AADJ computers using a security key. I've followed the documentation on how to set it up, but can't seem to get it working.

I have a security key set up successfully as an authentication type in AzureAD, and can sign into Azure AD joined devices without issue.  I just can't seem to get it to work for logging in to Hybrid AADJ computers.  When I try to log on with a security key, I get an error:
Your credentials couldn't be verified (code: 0xc000006d,0x0)


Looking up that error code, it means "The cause is either a bad username or authentication information".


I've also looked in the event logs under the WebAuthn logs, and I see the failed CTAP GetAssertion steps with the error "0x52E The username or password is incorrect.", which seems roughly equivalent to the error above. I don't know where to go from here, though; I haven't found any particularly in-depth troubleshooting on the process. Any suggestions would be welcome.


Thanks!

best response confirmed by Steve Whitcher (Bronze Contributor)
Solution
Circling back to share the solution - the account I was testing with was indirectly a member of a protected AD group. Members of protected groups are, by default, not allowed to use security key sign-on. After removing that membership, the security key sign-on works as expected.
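A check for the cause described in the accepted answer, as an added example that is not part of the thread: it reports whether an account is covered by AdminSDHolder protection, either through the adminCount attribute that SDProp stamps on protected accounts or through direct or nested membership of one of the groups a default domain protects. It assumes the RSAT ActiveDirectory PowerShell module is installed, that the caller can read the domain, and that the account name is passed in as the hypothetical $SamAccountName parameter.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and read access to the domain. $SamAccountName is a
# placeholder parameter supplied by the caller.
param(
    [Parameter(Mandatory)]
    [string]$SamAccountName
)

Import-Module ActiveDirectory

# Groups whose members AdminSDHolder protects in a default domain
# (Windows Server 2008 and later). Nested membership counts, which is why
# an account can be "indirectly" protected without appearing in any of
# these directly.
$protectedGroups = @(
    'Administrators', 'Account Operators', 'Server Operators', 'Print Operators',
    'Backup Operators', 'Replicator', 'Domain Admins', 'Domain Controllers',
    'Enterprise Admins', 'Schema Admins', 'Read-only Domain Controllers'
)

$user = Get-ADUser -Identity $SamAccountName -Properties adminCount, DistinguishedName

# adminCount=1 is the quickest tell, but it is sticky: SDProp sets it and
# never clears it, so an account removed from a protected group keeps the
# value until someone resets it by hand. The live membership chain below
# is therefore the authoritative answer.
$adminCount = if ($null -eq $user.adminCount) { 0 } else { [int]$user.adminCount }

$hits = foreach ($name in $protectedGroups) {
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) { continue }

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the DC
    # walk nested group membership server-side. Searching with the user's own
    # DN as base and scope Base returns the user only if the chain matches.
    $filter = "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))"
    $match  = Get-ADUser -LDAPFilter $filter -SearchBase $user.DistinguishedName -SearchScope Base
    if ($match) { $group.Name }
}

[pscustomobject]@{
    User            = $user.SamAccountName
    AdminCount      = $adminCount
    ProtectedVia    = @($hits)
    IsProtected     = ($adminCount -eq 1) -or (@($hits).Count -gt 0)
}
```

Run it against the account that fails security key sign-on; a non-empty ProtectedVia list names the group (possibly several levels up) that is blocking the sign-in. As the follow-up reply in this thread points out, the cleaner fix is to test with an ordinary, unprivileged user account rather than stripping group membership from an administrative one.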
I was going down a hole trying to figure this out too! There was nothing in the event logs either. Thank you, I can confirm this is what was causing my issue with this error under my account. I was being lazy and not using a test account/general user and made more work for myself in the end :-).
You saved my day!
Thanks!