Can't do Azure AD Hybrid Join - help needed


I am simply trying to get Azure AD Hybrid join to work so I can manage our laptops via Azure Intune.
We have an on-prem AD and we use Okta for our authentication of users to Azure/O365.
The lack of details and support from both vendors is astounding and the only thing holding us back from giving people our money.

I ran the configuration in Azure AD Connect client to do device joining and the SCP page gave me 2 options: ourdomain.okta.com or Azure AD. I chose the Okta one. Nothing else stood out as odd in the wizard.

Thereafter I'm still not sure what to do. I check my computer's event logs and it gives me this error under Applications and Service Logs > Microsoft > Windows > User Device Registration > Admin:

> Automatic registration failed at authentication phase. Unable to acquire access token.
> Exit code: Unknown HResult Error code: 0x801c0515
> Tenant Name: ourdomain.com.com
> Tenant Type: Federated
> Server error:
> AdalMessage: ADALUseWindowsAuthenticationTenant failed, unable to preform integrated auth
> AdalErrorCode: 0x2ee6
> AdalCorrelationId: undefined
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: HRESULT: 0x2ee6
> AdalLog: AggregatedTokenRequest::GetAppliesTo: using resource ID "urn:federation:MicrosoftOnline" for authority "https://login.microsoftonline.com/common". ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
> AdalLog: HRESULT: 0x4aa90010
> AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
> AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
> AdalLog: Authority validation is completed ; HRESULT: 0x0
> AdalLog: Authority validation is enabled ; HRESULT: 0x0
> AdalLog: Token is not available in the cache ; HRESULT: 0x0

5 Replies
Hi John,

Do you have AD Connect configured in your environment? You need to sync your users/ PCs from AD Connect so you can have them Hybrid Joined.

I don't use Okta; is there a limitation that you can't use AD Connect with Okta at the same time?

Hope this helps!
Moe

Hi @Moe_Kinani ,

Yes, I've got the AD Connect in the environment.

Problem is there's no direction from MS or Okta on what to choose for the SCP.

I believe that is why I see the error log in my original post.

It gives me two options:

  • ourdomain.okta.com
  • Azure Active Directory

I wonder if I should choose "Azure Active Directory" instead of ourdomain.okta.com?


Check my response to your thread in the Azure AD community -

Let me know if you have any questions!
Moe

https://techcommunity.microsoft.com/t5/azure-active-directory/hybrid-ad-join-with-okta-scp-possible-...
Just want to reply to this as the information provided below isn't accurate.

If Azure AD is federated into Okta you need to select Okta as the authentication service rather than AAD when doing the SCP in AAD Connect.

If there is no federation you need to select AAD.

I have a similar issue to you, did you manage to solve it in the end?

Any update on this? Did you manage to join them to Hybrid AAD? I am facing exactly the same issue.
Thanks.
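Since the thread turns on which authentication service the SCP points at, and on reading the User Device Registration log by hand, here is an added diagnostic script (not from any poster, Microsoft or Okta) that reads the Hybrid Join SCP from the domain's Configuration partition and summarises "Automatic registration failed" events such as the 0x801c0515 one quoted above. It assumes the script runs on a domain-joined Windows 10 machine with read access to AD; the SCP object name and the `azureADName:`/`azureADId:` keywords are the documented well-known values, and the regexes are tuned to the exact event text shown in the original post.

```powershell
# Added example, not code from the thread. Read the Hybrid Azure AD Join
# Service Connection Point (SCP) and report which tenant/IdP it names.
function Get-HybridJoinScp {
    # Well-known SCP GUID under CN=Device Registration Configuration.
    $cnc = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $dn  = "CN=62a0ff2e-97b9-4ad1-a7cd-e7ce8d1c0ead,CN=Device Registration Configuration,CN=Services,$cnc"
    $scp = [ADSI]"LDAP://$dn"
    $result = @{ TenantName = $null; TenantId = $null }
    # keywords is multi-valued: "azureADName:<domain>" and "azureADId:<guid>".
    foreach ($kw in @($scp.keywords)) {
        if ($kw -like 'azureADName:*') { $result.TenantName = $kw.Substring('azureADName:'.Length) }
        if ($kw -like 'azureADId:*')   { $result.TenantId   = $kw.Substring('azureADId:'.Length) }
    }
    [pscustomobject]$result
}

# Pull recent automatic-registration failures out of the same log the
# original post quotes and extract the fields a troubleshooter needs.
function Get-RegistrationFailures {
    param([int]$MaxEvents = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Automatic registration failed' } |
        ForEach-Object {
            $m = $_.Message
            [pscustomobject]@{
                Time       = $_.TimeCreated
                HResult    = if ($m -match 'Error code:\s*(0x[0-9A-Fa-f]+)') { $Matches[1] } else { 'unknown' }
                TenantType = if ($m -match 'Tenant Type:\s*(\w+)')            { $Matches[1] } else { 'unknown' }
                Adal       = if ($m -match 'AdalMessage:\s*([^\r\n]+)')       { $Matches[1].Trim() } else { '' }
            }
        }
}

$scp = Get-HybridJoinScp
"SCP tenant name : $($scp.TenantName)"
"SCP tenant id   : $($scp.TenantId)"
$failures = Get-RegistrationFailures
$failures | Format-Table -AutoSize
# 0x801c0515 with 'Tenant Type: Federated' means the device could not get a
# token through integrated auth from the federation endpoint; the thread's
# advice is that a tenant federated to Okta must have the SCP set to Okta.
if ($failures | Where-Object { $_.HResult -eq '0x801c0515' -and $_.TenantType -eq 'Federated' }) {
    "Federated-tenant authentication failure seen: verify the SCP targets the IdP the tenant is federated to."
}
```

Run it in an elevated PowerShell session; if the SCP has not been created by Azure AD Connect, the first function fails at the property read, which is itself the answer to "was the SCP configuration step applied?".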