AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 devices

I am trying to set up automatic AAD join for Windows 10 as described here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-conditional-access-automatic-device-registration-setup/

We have two internal ADFS 3.0 servers (Server 2012 R2). They were configured with Azure AD Connect to federate with Office 365 on four UPNs:

  • ad.dom1.com - this is the forest name; we have only one forest
  • dom1.com - most users exist under this domain
  • dom2.com
  • dom3.com

The ADFS servers are published behind a TCP-level load balancer as https://adfs.ad.dom1.dom, using a certificate signed by a public CA. The ADFS servers are not running DRS, because we intend to use Azure AD for that.

Federated authentication to Office 365 succeeds for users created with any of the UPN suffixes, but only after the third rule is changed as described in https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-sso-to-office-365/

All the prerequisite steps in the Azure article have been performed:

  • Set up the service connection point
  • Ran Initialize-ADSyncDomainJoinedComputerSync
  • Ensured the first three federation rules from the article exist (they were created automatically by Azure AD Connect)
  • Ensured the authentication method claim rule exists and ran Set-AdfsRelyingPartyTrust
  • Created the group policy

In addition, the following domain names:

  • enterpriseregistration.dom1.com
  • enterpriseregistration.ad.dom1.com
  • enterpriseregistration.dom2.com
  • enterpriseregistration.dom3.com

are all CNAME records pointing to enterpriseregistration.windows.net.

However, while all other authentication appears to work fine, the automatic AADJ process fails on all existing domain-joined Windows 10 Enterprise client machines. The following errors appear in the Microsoft/Windows/User Device Registration event log:

Event ID 305

Automatic registration failed at authentication phase.  Unable to acquire access token.  Exit code: Unspecified error. Server error: AdalMessage: GetStatus returned failure
AdalError: invalid_request
AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z
AdalErrorCode: 0xcaa90006
AdalCorrelationId: <uuid>
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
. Tenant Type: dom1.com

Event ID 304

Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0xcaa1000e. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: fed
tenantType: fed
tenantId: <uuid>
configLocation: undefined
errorPhase: auth
adalCorrelationId: <uuid>
adalLog: AdalLog:  HRESULT: 0xcaa1000e
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

adalLog: AdalLog:  HRESULT: 0xcaa1000e
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

adalResponseCode: 0xcaa1000e
.

(screenshot: Registry Editor)

If I run C:\windows\system32\dsregcmd.exe /debug from a SYSTEM command prompt, I get a similar error:

dsregcmd::wmain logging initialized.DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:ad.dom1.com forest:ad.dom1.com domainController:\\ldndc01.ad.dom1.com isDcAvailable:true }
PreJoinChecks Complete.
preCheckResult: Join
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 1
resultCode: 0x0
Automatic device join pre-check tasks completed.TenantInfo::Discover: tenant type detection, validating https://adfs.ad.dom1.com/adfs/ls/
TenantInfo::Discover: tenant type detection, checking match against https://login.microsoftonline.com
TenantInfo::Discover: tenant type detection, checking match against https://login.windows-ppe.net
TenantInfo::Discover: Join Info TenantType:Federated  AutoJoinEnabled:1 TenandID:<uuid> TenantName:dom1.com

DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog:  HRESULT: 0xcaa20002
AdalLog:  HRESULT: 0xcaa90006
AdalMessage: GetStatus returned failure
AdalError: invalid_request
AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z
AdalErrorCode: 0xcaa90006
AdalCorrelationId: {39AEBF80-8679-4A5A-86D3-409CB1A8D8EF}
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog:  HRESULT: 0xcaa1000e
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
        AzureAdJoined : NO
     EnterpriseJoined : NO

Answer 1

I understand your frustration with this. I have just spent about 20 hours troubleshooting automatic AAD join. I am running the latest version of AD Connect and an ADFS farm on Server 2016. I did not let AD Connect configure my ADFS servers.

I ran into exactly the same error. The problem was the missing ImmutableID claim. This link turned out to be the best resource for setting up Azure AD Connect: https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

It lists a script that automatically adds the necessary claim rules. Now that I understand the whole process almost completely, I can say that the script does work and adds the correct claim rules.

However, how to configure several of the script's variables is easy to misunderstand. So I want to clarify, based on what I learned, in the hope that it saves everyone some time.

  • $MultipleVerifiedDomainNames: both the description and the name are wrong and misleading. Set this to $TRUE only if you have multiple federated domains in your Office 365 tenant.
  • $immutableIDAlreadyIssuedforUsers: set this to $TRUE if the immutable ID (source anchor) that your AD Connect sync uses is not objectGUID.
  • $oneOfVerifiedDomainNames: if $MultipleVerifiedDomainNames is set to $true, set this to the Office 365 verified domain name you want devices to register under.

Do not change any other component of the script, and make sure you run it only once. If you need to run it again, you have to manually remove the issuance claim rules it added from the RP trust, otherwise they will be duplicated.

Another very useful tool when troubleshooting on Windows 10 is DSREGCMD. It has to run as SYSTEM, so you need something like PSEXEC.

psexec -i -s cmd.exe

dsregcmd /debug

This forces an immediate registration to Azure and reports details about the failure. In my testing, Windows 7 worked fine but Windows 10 could not join AD. If ImmutableID is the problem, you will see the error: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

If you included a verified domain that you should not have, or the wrong one, you will see: AADSTS50107: The requested federation realm object 'your specified domain' does not exist.
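As an added diagnostic (not from either answer or from Microsoft's setup script), this PowerShell checks, from an ADFS server, the two prerequisites the thread turns on: the enterpriseregistration CNAMEs for the question's four UPN suffixes, and whether the Office 365 relying party trust issues the ImmutableID and authnmethodsreferences claims. It assumes the default RP identifier urn:federation:MicrosoftOnline and the standard claim type URIs; substitute your own suffixes.

```powershell
# Added example: run in an elevated PowerShell on an ADFS server.
# Assumption: the suffixes below are the ones listed in the question.
$suffixes = 'ad.dom1.com', 'dom1.com', 'dom2.com', 'dom3.com'

# 1. Each verified suffix needs enterpriseregistration.<suffix> as a CNAME
#    to enterpriseregistration.windows.net; clients use it to find DRS.
foreach ($s in $suffixes) {
    $name = "enterpriseregistration.$s"
    try {
        $rec = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
               Where-Object { $_.Type -eq 'CNAME' }
        $target = ($rec.NameHost).TrimEnd('.')
        if ($target -ieq 'enterpriseregistration.windows.net') {
            Write-Host "OK    $name -> $target"
        } else {
            Write-Warning "$name points to '$target', expected enterpriseregistration.windows.net"
        }
    } catch {
        Write-Warning "$name has no CNAME record: $($_.Exception.Message)"
    }
}

# 2. The Office 365 RP trust must issue ImmutableID (Answer 1's root cause)
#    and pass through the authentication method claim.
#    Assumption: default RP identifier used by Azure AD Connect.
$rp = Get-AdfsRelyingPartyTrust -Identifier 'urn:federation:MicrosoftOnline'
if (-not $rp) { throw 'Office 365 relying party trust not found' }
$rules = [string]$rp.IssuanceTransformRules

$required = @{
    'ImmutableID claim'                   = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'
    'authnmethodsreferences pass-through' = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
}
foreach ($k in $required.Keys) {
    $hits = ([regex]::Matches($rules, [regex]::Escape($required[$k]))).Count
    if ($hits -eq 0) {
        Write-Warning "$k missing from issuance transform rules"
    } else {
        Write-Host "OK    $k present ($hits reference(s) in rule set)"
    }
}

# Running the setup script twice duplicates its rules (Answer 1); a claim type
# referenced far more often than expected is a rough hint of that.
$imm = ([regex]::Matches($rules, 'ImmutableID')).Count
if ($imm -gt 2) { Write-Warning "ImmutableID referenced $imm times; check for duplicated rules" }
```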

Answer 2

First, note that this process is called automatic AAD registration or automatic workplace join, not automatic AAD join. AAD Join is different from AAD Registration; it is a feature only for Win10 (Pro or Enterprise).

I have tested this in my lab and successfully completed automatic registration of Server 2012 R2 and Win10 machines to AAD, both via an MSI package and via GPO. In the first scenario (via the MSI package), the scheduled task is triggered when a user account that has been synced to AAD through AAD Connect signs in. Once the task completes, you will find the device registered in AAD and associated with that user.


In the second scenario, via GPO, the event log shows that automatic registration completed, and I can also see the machine in the Azure AD portal.

For your problem, I think you could try re-adding the claim rules ($rule1~$rule3) on the ADFS servers even though they already exist. Also, make sure the ADFS servers in your environment are configured and running properly.
