Forum Discussion
PIN authentication error after hybrid join
I have just rolled out hybrid join to several older devices in my company, which worked pretty well at first and those devices also joined Intune right away.
However, for some reason only today, the WHFB policy set in and required every user to set up a PIN. But authentication with the PIN does not work after the users reboot. We either get the errors 0xc00000BB or 0xc000005E.
After several hours of googling, a pattern is starting to form that points to certificate errors. We currently don't have any Kerberos-KDC, SCPA, PKCS or PKI set up in our environment and I'm honestly a little overwhelmed by the sheer documentation size revolving around this issue.
Does hybrid Azure AD join only work with a sophisticated certificate authentication in place? If so, is there an easy way to implement this?
https://social.technet.microsoft.com/Forums/sharepoint/en-US/19759374-c928-450a-96a0-39a7a6003e74/kdc-event-id-29-the-kdc-cannot-find-a-suitable-certificate-to-use-for-smart-card-logons#:~:text=The%20Key%20Distribution%20Center%20%28KDC%29%20cannot%20find%20a,certutil.exe%20or%20enroll%20for%20a%20new%20KDC%20certificate.hannessyZv
Thank you for your efforts in working closely with us.
We were able to repro this event ourselves by taking a CA offline. We noticed that when starting the KDC service, an attempt to validate the DC cert is made and that attempt fails with KDC_ERR_KDC_NOT_TRUSTED since the revocation server was offline along with the CA.This is likely what is happening with you as well. To confirm the same, please create the following registry value on your Windows Server 2008 servers and restart the KDC to see if the warning event goes away.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\kdc]
"UseCachedCRLOnlyAndIgnoreRevocationUnknownErrors"=dword:00000001
After you set this DWORD value to 1, the Kerberos clients will ignore "Revocation unknown" errors that are caused by an expired CRL.
After you perform the test, please revert the registry value back and let us know the result:
1. Does the warning go away after you configure the above registry value?
2. Where do you put the CRL to?
Please feel free to let us know if anything is unclear.
