After setting up Windows Hello for Business in a hybrid Azure AD joined certificate trust deployment, provisioning fails and I see the following events on the test client machine.
I have checked my setup but I must be missing something. Any help would be greatly appreciated.
##############################
Microsoft-Windows-AAD/Operational
TimeCreated : 13/05/2020 11:57:04
Id : 1082
Message : Key error: DecodingProtectedCredentialKeyFatalFailure
Error description: AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 834deec1-21d8-48c2-bae5-7f795e312f00
Correlation ID: 88bc2dda-ba2a-42dc-a9da-7b9f362f7d7a
Timestamp: 2020-05-13 22:57:04Z
CorrelationID: 88bc2dda-ba2a-42dc-a9da-7b9f362f7d7a
TimeCreated : 13/05/2020 11:57:03
Id : 1118
Message : Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: FE6DBC4F-69BB-426B-933B-0BADB38A1361
TimeCreated : 13/05/2020 11:57:03
Id : 1081
Message : OAuth response error: invalid_grant
Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
CorrelationID:
TimeCreated : 13/05/2020 11:57:03
Id : 1025
Message : Http request status: 400. Method: POST Endpoint Uri: https://adfs.domain.com/adfs/oauth2/token/ Correlation ID: FE6DBC4F-69BB-426B-933B-0BADB38A1361
TimeCreated : 13/05/2020 11:56:01
Id : 1082
Message : Key error: DecodingProtectedCredentialKeyFatalFailure
Error description: AADSTS9002313: Invalid request. Request is malformed or invalid.
Trace ID: 4a2197fa-c85f-4ea0-af79-1a830e1d2d00
Correlation ID: f6141ebb-116c-4701-9118-80124017b6d1
Timestamp: 2020-05-13 22:56:02Z
CorrelationID: f6141ebb-116c-4701-9118-80124017b6d1
TimeCreated : 13/05/2020 11:56:01
Id : 1118
Message : Enterprise STS Logon failure. Status: 0xC000006D Correlation ID: E5C246DD-9FFF-4E07-92A5-61389B08C64A
TimeCreated : 13/05/2020 11:56:01
Id : 1081
Message : OAuth response error: invalid_grant
Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
CorrelationID:
TimeCreated : 13/05/2020 11:56:01
Id : 1025
Message : Http request status: 400. Method: POST Endpoint Uri: https://adfs.domain.com/adfs/oauth2/token/ Correlation ID: E5C246DD-9FFF-4E07-92A5-61389B08C64A
#######################################
Microsoft-Windows-HelloForBusiness/Operational
TimeCreated : 13/05/2020 11:57:00
Id : 5520
Message : Device unlock policy is not configured on this device.
TimeCreated : 13/05/2020 11:56:03
Id : 7054
Message : Windows Hello for Business prerequisites check failed.
Error: 0x1
TimeCreated : 13/05/2020 11:56:03
Id : 8205
Message : Windows Hello for Business successfully located a usable sign-on certificate template.
TimeCreated : 13/05/2020 11:56:03
Id : 8206
Message : Windows Hello for Business successfully located a certificate registration authority.
TimeCreated : 13/05/2020 11:56:03
Id : 7211
Message : The Secondary Account Primary Refresh Token prerequisite check failed.
TimeCreated : 13/05/2020 11:56:03
Id : 8202
Message : The device meets Windows Hello for Business hardware requirements.
TimeCreated : 13/05/2020 11:56:03
Id : 8204
Message : Windows Hello for Business post-logon provisioning is enabled.
TimeCreated : 13/05/2020 11:56:03
Id : 8203
Message : Windows Hello for Business is enabled.
TimeCreated : 13/05/2020 11:56:03
Id : 5204
Message : Windows Hello for Business certificate enrollment configurations:
Certificate Enrollment Method: RA
Certificate Required for On-Premise Auth: true
TimeCreated : 13/05/2020 11:56:03
Id : 8200
Message : The device registration prerequisite check completed successfully.
TimeCreated : 13/05/2020 11:56:03
Id : 8201
Message : The Primary Account Primary Refresh Token prerequisite check completed successfully.
TimeCreated : 13/05/2020 11:56:03
Id : 8210
Message : Windows Hello for Business successfully completed the remote desktop prerequisite check.
TimeCreated : 13/05/2020 11:56:03
Id : 3054
Message : Windows Hello for Business prerequisites check started.
TimeCreated : 13/05/2020 11:56:00
Id : 8025
Message : The Microsoft Passport Container service started successfully.
TimeCreated : 13/05/2020 11:56:00
Id : 8025
Message : The Microsoft Passport service started successfully.
TimeCreated : 13/05/2020 11:55:07
Id : 5520
Message : Device unlock policy is not configured on this device.
#######################################
Microsoft-Windows-User Device Registration/Admin
TimeCreated : 13/05/2020 11:56:59
Id : 331
Message : Automatic device join pre-check tasks completed. Debug output:\r\n preCheckResult: DoNotJoin
deviceKeysHealthy: YES
isJoined: YES
isDcAvailable: YES
isSystem: YES
keyProvider: Microsoft Platform Crypto Provider
keyContainer: c9bc09fb-e9bd-4de7-b06a-f8798e6f377c
dsrInstance: AzureDrs
elapsedSeconds: 0
resultCode: 0x1
TimeCreated : 13/05/2020 11:56:59
Id : 335
Message : Automatic device join pre-check tasks completed. The device is already joined.
TimeCreated : 13/05/2020 11:56:03
Id : 360
Message : Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Machine is governed by enrollment authority policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
TimeCreated : 13/05/2020 11:56:03
Id : 362
Message : Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Yes
Enterprise user logon certificate enrollment endpoint is ready: Yes
Enterprise user logon certificate template is : Yes
User has successfully authenticated to the enterprise STS: No
Certificate enrollment method: enrollment authority
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.
TimeCreated : 13/05/2020 11:55:09
Id : 331
Message : Automatic device join pre-check tasks completed. Debug output:\r\n preCheckResult: DoNotJoin
deviceKeysHealthy: YES
isJoined: YES
isDcAvailable: YES
isSystem: YES
keyProvider: Microsoft Platform Crypto Provider
keyContainer: c9bc09fb-e9bd-4de7-b06a-f8798e6f377c
dsrInstance: AzureDrs
elapsedSeconds: 1
resultCode: 0x1
TimeCreated : 13/05/2020 11:55:09
Id : 335
Message : Automatic device join pre-check tasks completed. The device is already joined.
TimeCreated : 13/05/2020 11:55:05
Id : 369
Message : The Workstation Service logged a device registration message.
Message: AutoJoinSvc/WJComputeWorkplaceJoinTaskState: Machine is already joined to Azure AD.
TimeCreated : 13/05/2020 11:55:05
Id : 369
Message : The Workstation Service logged a device registration message.
Message: AutoJoinSvc/WJSetScheduledTaskState: Running task "\Microsoft\Windows\Workplace Join\Automatic-Device-Join".
TimeCreated : 13/05/2020 11:55:05
Id : 369
Message : The Workstation Service logged a device registration message.
Message: AutoJoinSvc/WJComputeWorkplaceJoinTaskState: Global policy found with value 1.
Answer 1
I ran into a similar situation a few days ago. I could not obtain the enterprise primary refresh token and start provisioning.
I got the same error as you on my ADFS node:
Error description: MSIS9683: Received invalid OAuth JWT Bearer request. Transport key for the device is invalid. It must be a RSA public key blob or TPM storage key blob.
I ran some Wireshark and found that when you log on to the PC that is about to be provisioned, it tries to authenticate against ADFS to obtain an enterprise PRT, and ADFS most likely goes into AD to fetch the transport key mentioned in the error.
This transport key should be stored in the msDS-KeyCredentialLink attribute under CN=RegisteredDevices,DC=contoso,DC=com. This container is populated by Azure AD Connect via device writeback. The problem was that, in my case, the attribute was not populated, so ADFS got an empty value. I checked all permissions on the container and everything seemed fine. What eventually helped was forcing a domain schema refresh through Azure AD Connect. But since all permissions were correct from the start, I think it was the full sync cycle that AAD Connect kicked off afterwards that actually resolved my problem and populated the attribute.
TL;DR: for some reason AAD Connect may not sync the public key blob of Azure AD registered devices back to on-premises AD; force it to do so:
Import-Module ADSync                          # run on the Azure AD Connect server
Start-ADSyncSyncCycle -PolicyType Initial     # Initial = full import and full sync, not a delta run
Hope this helps.
Cheers
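As an added check (example code, not from the answer above): parse the msDS-KeyCredentialLink value of the device object under CN=RegisteredDevices, which Get-ADObject returns as a DN-Binary string 'B:<len>:<hex>:<dn>', and report whether it carries a secure transport key (STK) in the BCRYPT RSA public key blob form that the MSIS9683 error says ADFS requires; an empty attribute is the "writeback has not populated it" case described in the answer. The blob layout follows MS-ADTS 2.2.20; the sample value below is constructed, the device DN is a placeholder, and the TPM storage key blob variant is assumed out of scope.

```python
import struct
# KEYCREDENTIALLINK_BLOB layout and constants per MS-ADTS 2.2.20; BCRYPT magic per bcrypt.h.
ENTRY_NAMES = {1: "KeyID", 2: "KeyHash", 3: "KeyMaterial", 4: "KeyUsage", 5: "KeySource", 6: "DeviceId",
               7: "CustomKeyInformation", 8: "KeyApproximateLastLogonTimeStamp", 9: "KeyCreationTime"}
KEY_USAGE_STK = 0x02        # secure transport key: the key ADFS resolves for the device
KEY_SOURCE_AZURE_AD = 0x01  # key written to AD by Azure AD Connect device writeback
RSA_PUBLIC_MAGIC = b"RSA1"  # BCRYPT_RSAPUBLIC_MAGIC, first field of a BCRYPT_RSAKEY_BLOB

def parse_key_credential_link(dn_binary):
    """Parse one DN-Binary value 'B:<hexlen>:<hex>:<dn>' into {entry name: bytes} plus 'DN'."""
    _, _hexlen, hexdata, dn = dn_binary.split(":", 3)
    blob = bytes.fromhex(hexdata)
    (version,) = struct.unpack_from("<I", blob, 0)
    if version != 0x200:
        raise ValueError("unexpected KEYCREDENTIALLINK_BLOB version 0x%x" % version)
    entries, pos = {"DN": dn}, 4
    while pos < len(blob):
        length, ident = struct.unpack_from("<HB", blob, pos)  # entry header: Length, Identifier
        pos += 3
        entries[ENTRY_NAMES.get(ident, "Unknown0x%02x" % ident)] = blob[pos:pos + length]
        pos += length
    return entries

def transport_key_problems(values):
    """List why the msDS-KeyCredentialLink values hold no usable RSA transport key ([] = OK)."""
    if not values:
        return ["msDS-KeyCredentialLink is empty: device writeback has not populated it"]
    stks = [e for e in map(parse_key_credential_link, values) if e.get("KeyUsage") == bytes([KEY_USAGE_STK])]
    if not stks:
        return ["no entry with KeyUsage STK; %d other key(s) present" % len(values)]
    problems = []
    for e in stks:  # only the BCRYPT RSA public blob form is checked, not a TPM storage key blob
        material = e.get("KeyMaterial", b"")
        if len(material) < 24 or not material.startswith(RSA_PUBLIC_MAGIC):
            problems.append("STK KeyMaterial is not a BCRYPT RSA public key blob")
            continue
        bits, cb_exp, cb_mod = struct.unpack_from("<III", material, 4)
        if len(material) != 24 + cb_exp + cb_mod or cb_mod * 8 != bits:
            problems.append("STK RSA blob header does not match its length")
    return problems

def build_dn_binary(entries, dn):  # (identifier, value) pairs -> DN-Binary string; sample data only
    blob = struct.pack("<I", 0x200) + b"".join(struct.pack("<HB", len(v), i) + v for i, v in entries)
    return "B:%d:%s:%s" % (len(blob) * 2, blob.hex().upper(), dn)
# Constructed sample: dummy 2048-bit RSA public blob as an Azure AD-sourced STK, and as NGC-only.
DUMMY_MODULUS = bytes((i * 7 + 3) % 256 for i in range(256))
SAMPLE_RSA_BLOB = struct.pack("<4sIIIII", RSA_PUBLIC_MAGIC, 2048, 3, 256, 0, 0) + b"\x01\x00\x01" + DUMMY_MODULUS
SAMPLE_DN = "CN=<device-id>,CN=RegisteredDevices,DC=contoso,DC=com"
SAMPLE_GOOD = build_dn_binary([(3, SAMPLE_RSA_BLOB), (4, b"\x02"), (5, b"\x01")], SAMPLE_DN)
SAMPLE_NGC_ONLY = build_dn_binary([(3, SAMPLE_RSA_BLOB), (4, b"\x01"), (5, b"\x01")], SAMPLE_DN)
```

Feed `transport_key_problems` the attribute values exported from the RegisteredDevices object before and after the forced sync cycle; a non-empty result names what ADFS will still reject.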