Windows Hello for Business CAA90063
Posted by emike9fcmc@reddit | sysadmin | 19 comments
Hi all,
I'm testing out setting up Windows Hello for Business in our on-prem domain. Server 2019 domain with 2016 functional level. I've set up the necessary group policies and certificate authority (think I got that one right). On my test machine, I was able to set up a pin, and register a fingerprint. Then within a few hours, I noticed Hello logins weren't working anymore, and discovered the PIN was gone, like it was never set up, but Hello showed a fingerprint registered still.
When attempting to set up a pin again, I get the usual MFA auth, then an error that something went wrong, with an error code of CAA90063, message: "The server response is encryted, but the key in pipline." Yes, that's exactly how the server message is spelled and written. Google searches reveal nothing at all.
Any ideas here?
emike9fcmc@reddit (OP)
Alright guys, I finally figured it all out. There was one primary component missing all along - the Azure AD Kerberos domain controller computer object.
I simply followed this guide: How to set up Windows Authentication for Microsoft Entra ID with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn
All of my WHfB issues went away after following it step-by-step. The problem with the msDS-KeyCredentialLink synced right up and works properly.
Some other things you might want to check are the following:
- Make sure 'Use cloud trust for on-premise authentication' is enabled. Make sure the 'Use certificate for on-premise' is disabled or Not configured.
- Make sure WHfB is enabled for both the Computer and User GPOs.
- Run dsregcmd /status. You're looking for CloudTGT. This should be either True, Yes, or Enabled. If it's No or False, there's a problem with the Azure AD Kerberos domain controller object. Refer to the guide above.
Refer to the following guide for any permission issues: Azure AD Mailbag: Windows Hello for business - Microsoft Community Hub and also here: Permission-issue error 8344 in Synchronization Service Manager - Azure | Microsoft Learn
Step through the main setup guide here and make sure you didn't miss anything. Plan a Windows Hello for Business Deployment - Windows Security | Microsoft Learn
A good event viewer log for HelloForBusiness would look like this:
Best of luck to everyone! I think I've gotten a decent grasp of WHfB now. Post a question if you're still having issues.
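The checks the OP lists above (the AzureADKerberos computer object, the msDS-KeyCredentialLink write-back, the CloudTgt line in dsregcmd /status, and the HelloForBusiness event log) can be run read-only from one script. This is an added example, not code from the thread or from Microsoft's guides. It assumes the RSAT ActiveDirectory module on a domain-joined admin workstation, that the cloud Kerberos trust object is named AzureADKerberos (the name Microsoft's setup creates), and that the registry values UseCloudTrustForOnPremAuth and UseCertificateForOnPremAuth under HKLM\SOFTWARE\Policies\Microsoft\PassportForWork back the two GPO settings; the user name is a placeholder.

```powershell
# Added example: read-only WHfB cloud Kerberos trust health checks.
# Assumptions: RSAT ActiveDirectory module present, run as a domain user with read rights,
# executed on the workstation whose dsregcmd state you want to inspect.
param(
    [string]$SamAccountName     = 'testuser',          # placeholder: user to inspect
    [string]$KerberosObjectName = 'AzureADKerberos'    # name created by cloud Kerberos trust setup
)

Import-Module ActiveDirectory -ErrorAction Stop

# 1. Azure AD Kerberos "domain controller" computer object (OP's root cause)
$kerbObj = Get-ADComputer -Filter "Name -eq '$KerberosObjectName'" -ErrorAction SilentlyContinue
if ($kerbObj) {
    Write-Host "[OK]   $KerberosObjectName exists at $($kerbObj.DistinguishedName)"
} else {
    Write-Host "[FAIL] No computer object named $KerberosObjectName; cloud TGTs cannot be issued"
}

# 2. Hello key written back to the user's msDS-KeyCredentialLink
$user  = Get-ADUser -Identity $SamAccountName -Properties 'msDS-KeyCredentialLink'
$links = @($user.'msDS-KeyCredentialLink')
if ($links.Count -gt 0) {
    Write-Host "[OK]   $SamAccountName has $($links.Count) key credential link(s)"
} else {
    Write-Host "[WARN] $SamAccountName has no msDS-KeyCredentialLink; check Entra Connect write-back permissions"
}

# 3. Policy values behind the two GPO settings the OP calls out (assumed registry names)
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork'
$policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
$cloudTrust = $policy.UseCloudTrustForOnPremAuth
$certTrust  = $policy.UseCertificateForOnPremAuth
Write-Host ("[{0}] UseCloudTrustForOnPremAuth = {1} (want 1)" -f ($(if ($cloudTrust -eq 1) {'OK'} else {'WARN'})), $cloudTrust)
Write-Host ("[{0}] UseCertificateForOnPremAuth = {1} (want 0 or unset)" -f ($(if ($certTrust -eq 1) {'WARN'} else {'OK'})), $certTrust)

# 4. CloudTgt line from dsregcmd /status on this workstation
$status   = dsregcmd /status
$cloudTgt = $status | Select-String -Pattern '^\s*CloudTgt\s*:\s*(\S+)' | Select-Object -First 1
$value    = if ($cloudTgt) { $cloudTgt.Matches[0].Groups[1].Value } else { 'not reported' }
if ($value -match '^(YES|TRUE|ENABLED)$') {
    Write-Host "[OK]   CloudTgt : $value"
} else {
    Write-Host "[FAIL] CloudTgt : $value (check the $KerberosObjectName object and its sync to Entra ID)"
}

# 5. Recent warnings/errors from the HelloForBusiness operational log
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-HelloForBusiness/Operational'; Level = @(2, 3) } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-Table -AutoSize -Wrap
```

Run it on the affected workstation as a user who can read AD; a FAIL on step 1 or 4 points at the Kerberos object problem the OP hit, while a WARN on step 2 points at the write-back/permission guides linked above.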
emike9fcmc@reddit (OP)
The worst part about all of this is the official WHfB setup guide "Plan a Windows Hello for Business Deployment", barely talks about the AzureADKerberos account and assumes that somehow it's automatically created. Their documentation procedure was very lacking here.
S1m0n321@reddit
I recently moved a client from the certificate based key trust to a cloud key trust that works a lot better if you're in a hybrid Entra ID scenario. No messy certificate authorities to consider and you create a Kerberos AD "Domain Controller" object in your AD to handle the authentication part.
I'd maybe consider that option if you're able to. The errors I had weren't the same unfortunately, as theirs was purely because the CA was gone and deleted so it couldn't authenticate. Their AD objects retained the partial key in their attributes, but nothing to exchange to a full ticket from.
emike9fcmc@reddit (OP)
The Kerberos AD "Domain Controller" object was the issue. I had to create one. You had the answer all along, but I didn't know anything about that and my initial research into it led me astray. I just followed this guide and voila. How to set up Windows Authentication for Microsoft Entra ID with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn
S1m0n321@reddit
Glad to hear I helped at least a little haha
I got thrown in the deep end with WHfB as the customer was being aggressively offboarded by their incumbent, meaning I had to quickly get to grips with the different mechanisms of authentication for WHfB. Thankfully deploying the cloud key model is relatively painless, and it can technically exist alongside a certificate trust model GPO (at least according to documentation from Microsoft). The erroring I received was all related to partial tickets being assigned to the identity, which makes total sense considering it couldn't contact the certificate authority to complete that ticket and therefore authenticate the login. Just having that AD Kerberos DC was enough to get it rolling again, but does rely on there being a synchronised domain present that the computers are members of.
Anyway, good digging and diagnosis by the looks of things and definitely one to document on your chosen documentation platform!
emike9fcmc@reddit (OP)
Well it turns out it's less Windows Hello Based (still possibly related), and more MFA based. I just realized I can't sign into Teams on the test workstation. After authenticating via Duo, I get the same error post above, as well as a Microsoft error.
So it seems to be authentication related.
Spare-Trainer6559@reddit
Did you make any headway on this? I have a user that's experiencing the same issue, if I rename the computer and rejoin the domain it will work for a couple hours, then it will get blocked again.
emike9fcmc@reddit (OP)
Not yet, I just keep wrecking the system lol. But at least I have a test system to play with and I'm not messing up my primary workstation anymore. Same issues. But it's an active work in progress.
pgudg@reddit
Running into this same issue with an AVD deployment, local desktop work fine. If you figure it out, please post an update!
emike9fcmc@reddit (OP)
Update posted!
pgudg@reddit
Disabling Windows Hello via GPO resolved the issue for me.
emike9fcmc@reddit (OP)
Yep, fixed it, see my comment.
TheRufmeisterGeneral@reddit
To make this post easier to find, the exact error is:
The server response is encryted, but not key in pipeline.
Did you find a solution? Did you try with different machines, or different users?
I've found this error specifically in an environment, where there were no changes made to the overall setup, and this error appeared for just one user on one machine (we've not yet tried giving him a new machine, that is next on the list to try, but I hope we don't have to delete, and re-create his user account)
emike9fcmc@reddit (OP)
Finally found a resolution. See my comment.
emike9fcmc@reddit (OP)
Just another update. msds-keycredential attribute is particularly a problem. It should be populated, but is not set. I've been following this article, but still haven't found a resolution. It's a good read and worth going through: Azure AD Mailbag: Windows Hello for business - Microsoft Community Hub
emike9fcmc@reddit (OP)
Well, just wanted to make an update of my latest attempts and progress. I haven't gotten the "Something went wrong" prompts this time around. Still an issue, but it seems better. This time, after my latest failures, I removed the workstation from the domain to a workgroup, deleted my computer object from Entra ID, deleted the computer object from active directory. I removed the user configuration aspect of WHfB. I've seen mixed input on using an internal CA, but I have that set up, even though I'm not using any internal certificate GPOs for WHfB. I also cleared the TPM under Bitlocker, TPM Management, Clear TPM.
So far, I've gone over a day with it working just fine. Windows login, Edge logins, etc. We're hybrid with Entra ID and using Duo for MFA. I'll keep you posted, either when it fails, or within a week if it doesn't fail.
Here are my settings:
BTW, what was the point of changing from Azure AD to Entra ID? I hate MS sometimes a lot of times.
emike9fcmc@reddit (OP)
And I'm back to "That option is temporarily unavailable." when attempting to use a fingerprint.
Spare-Trainer6559@reddit
Did you open a ticket with Microsoft? I'm about to go that route. It looks like an Intune device issue from what I can tell.
emike9fcmc@reddit (OP)