Question

SamaraSoucy-MSFT asked:

[MSDN Redirect] Azure Hybrid Join

Hybrid join is configured and devices sync to Azure, but they show as pending.

Seeing an error in the event log; has anyone seen this before?

The get join response operation callback failed with exit code: Unknown HResult Error code: 0x801c03f2.
Activity Id: 9efcbaec-15da-4f36-a9d5-13d36bdc8543
The server returned HTTP status: 400
Server response was: {"ErrorType":"DirectoryError","Message":"The public key user certificate is not found on the device object with id: (1c069c7b-d5f2-48f2-9bea-e60c15c39c92).","TraceId":"9efcbaec-15da-4f36-a9d5-13d36bdc8543","Time":"02-25-2020 12:41:11Z"}

Automatic registration failed at join phase.
Exit code: Unknown HResult Error code: 0x801c03f2
Server error: The public key user certificate is not found on the device object with id: (1c069c7b-d5f2-48f2-9bea-e60c15c39c92).
Tenant type: Federated
Registration type: fallback_sync
Debug Output:
joinMode: Join
drsInstance: azure
registrationType: fallback_sync
tenantType: Federated
tenantId: b5da5f35-6442-4f5a-9622-92ec6a535127
configLocation: undefined
errorPhase: join
adalCorrelationId: undefined
adalLog:
undefined
adalResponseCode: 0x0

Source: https://social.msdn.microsoft.com/Forums/en-US/59d020db-f7ce-4afe-8b5f-54ed939a09a4/azure-hybrid-join?forum=azureappconfiguration


Tag: azure-active-directory

1 Answer

KAREDD-MSFT answered:

It looks like the federated Hybrid join flow is failing ("registrationType: fallback_sync").

So, if you have Windows 10 clients on 1803 and above, then when the federated flow fails, the client will automatically try the managed method. In this method, the computer object needs to be in sync scope.

Based on the error, it looks like the user certificate object populated on the computer object in AD is not yet synced to the cloud.

If you want the federated method to work, I would start with the ADFS claim rules, and also check whether you are getting this error across multiple devices.

For the fallback method to work, let the sync cycles run and then restart your device once. This should trigger another device registration request.

Update: I checked the device and the certificate is populated now. If you restart, or log out and log in again, device registration should complete now.


Thanks. It is showing as registered now. Did you do anything? It was enabled early on 02/23. Devices synced before we enabled hybrid join, and it did not finish until 10 minutes ago.

Also, the portal won't allow sorting; is there any way to get a report of machines in the pending and registered states?


KAREDD-MSFT replied to AkinAjewole-1375:

I didn't. It looks like the sync cycle took some time to run. The time taken for the sync cycle depends on your environment. Also, the certificate gets populated only when a device registration request gets triggered, so all the devices might not get registered at the same time.

For filtering, I would recommend using PowerShell to filter the devices.

Get-AzureADDevice

Ref: https://docs.microsoft.com/en-us/powershell/module/azuread/get-azureaddevice?view=azureadps-2.0

Or

Get-MsolDevice -All | Where-Object {$_.DeviceTrustType -eq "Workplace Joined"} | ft DisplayName,ObjectID,DeviceTrustType

Ref: https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldevice?view=azureadps-1.0

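The reply above explains that a hybrid device cannot finish registration until the self-signed certificate written to the computer object's userCertificate attribute has been synced to its Azure AD device object, and points at Get-AzureADDevice for reporting. The following PowerShell script is an added example, not code from the thread or from Microsoft: it pairs each on-prem computer in the sync scope with its Azure AD device object and records whether that attribute is populated yet, which is the precondition the reply names. It does not reproduce the portal's Pending/Registered column (that state is not exposed by the properties used here). Assumptions not stated on the page: the ActiveDirectory and AzureAD modules are installed, Connect-AzureAD has already been run, the OU path is a placeholder for your own sync-scope OU, and hybrid device objects keep the AD computer name as their DisplayName.

```powershell
<#
  Added example (not part of the thread): per-computer hybrid-join readiness report.
  Assumed: ActiveDirectory + AzureAD modules installed, Connect-AzureAD already run,
  placeholder OU below replaced with your sync-scope OU, and Azure AD DisplayName
  equal to the on-prem computer name for hybrid device objects.
#>
param(
    [string]$SearchBase = "OU=Workstations,DC=contoso,DC=local",   # placeholder OU
    [string]$CsvPath    = ".\hybrid-join-report.csv"
)

Import-Module ActiveDirectory
Import-Module AzureAD

# On-prem side: computer objects in the sync scope, including userCertificate.
# The hybrid join flow writes a self-signed device certificate into that attribute;
# Azure AD Connect then syncs it to the cloud device object. Until the cloud copy
# exists, the join phase fails with "The public key user certificate is not found".
$adComputers = Get-ADComputer -Filter * -SearchBase $SearchBase -Properties userCertificate

# Cloud side: every device object, indexed by DisplayName for lookup.
$cloudDevices = @{}
Get-AzureADDevice -All $true | ForEach-Object { $cloudDevices[$_.DisplayName] = $_ }

$report = foreach ($c in $adComputers) {
    $cloud   = $cloudDevices[$c.Name]
    $hasCert = ($null -ne $c.userCertificate) -and ($c.userCertificate.Count -gt 0)

    # No certificate on-prem: the device has not triggered a registration request yet.
    # Certificate on-prem but no cloud object: still waiting on a sync cycle.
    $state = 'InAzureAD'
    if (-not $hasCert) { $state = 'NoCertYet' } elseif ($null -eq $cloud) { $state = 'WaitingForSync' }

    [pscustomobject]@{
        Name               = $c.Name
        HasUserCertificate = $hasCert
        CloudState         = $state
        CloudTrustType     = if ($cloud) { $cloud.DeviceTrustType } else { $null }
        CloudObjectId      = if ($cloud) { $cloud.ObjectId } else { $null }
    }
}

# Console view sorted so the devices that still need attention come first,
# plus a CSV for the "report of machines" the thread asks about.
$report | Sort-Object CloudState, Name | Format-Table -AutoSize
$report | Export-Csv -Path $CsvPath -NoTypeInformation
```

Run it from a machine that can reach both the domain and Azure AD; the NoCertYet rows are the devices on which a restart or fresh sign-in will trigger a registration request, and the WaitingForSync rows are the ones the reply says simply need the sync cycle to run before they can complete.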

Thanks. The devices that are already Azure AD joined, will they consolidate? I saw documentation that says they should, but I still have two devices showing up.