Windows Hello for Business Entra ID Sync Issue

Mike 25 Reputation points
2024-04-12T22:57:56.0733333+00:00

SOLVED: See my answer below.

Hi all,
Interesting issue we're running into while trying to deploy Windows Hello for Business. I've noticed in our Azure AD Synchronization Service Manager, during export from Entra to on-prem DC, the msDS-KeyCredentialLink attribute is not being updated due to permission issues, error 8344. We also have the same issue with the msDS-ExternalDirectoryObjectID attribute, but this is unrelated to Hello, same permission error, likely the same problem. I see 'adds' with new values that aren't updating the old value.

The attribute reference is present in the user's attribute when viewing under AD Users and Computers. However, when I try to edit the msDS-KeyCredentialLink attribute, I get an ADSIEdit error: There is no editor registered to handle this attribute type.

I've verified permissions via the methods provided in this link:
https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/user-prov-sync/troubleshoot-permission-issue-sync-service-manager

I've also gone through this troubleshooting guide and verified everything is as expected:
https://techcommunity.microsoft.com/t5/microsoft-entra-blog/azure-ad-mailbag-windows-hello-for-business/ba-p/445349

The main guide I've followed is this one:
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/

I've done everything mentioned in those articles, and the error related to permissions persists. We're a Server 2019 domain, Domain functional level 2016, Forest level is 2008 R2 (not sure if that matters or not, we're upgrading soon), Schema version 88 (2019), Hybrid Joined, running the latest Azure AD Connect version (2.3.8.0), using Duo for MFA. I opened up a support ticket with Entra support, but we've been back and forth for a while and not gotten anywhere.

Been working on this for over a month and at a loss.


Accepted answer
  1. Givary-MSFT 28,061 Reputation points Microsoft Employee
    2024-04-26T05:31:49.83+00:00

    @Mike I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: Interesting issue we're running into while trying to deploy Windows Hello for Business. I've noticed in our Azure AD Synchronization Service Manager, during export from Entra to on-prem DC, the msDS-KeyCredentialLink attribute is not being updated due to permission issues, error 8344. We also have the same issue with the msDS-ExternalDirectoryObjectID attribute, but this is unrelated to Hello, same permission error, likely the same problem. I see 'adds' with new values that aren't updating the old value.

    The attribute reference is present in the user's attribute when viewing under AD Users and Computers. However, when I try to edit the msDS-KeyCredentialLink attribute, I get an ADSIEdit error: There is no editor registered to handle this attribute type.

    I've verified permissions via the methods provided in this link: https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/user-prov-sync/troubleshoot-permission-issue-sync-service-manager

    I've also gone through this troubleshooting guide and verified everything is as expected: https://techcommunity.microsoft.com/t5/microsoft-entra-blog/azure-ad-mailbag-windows-hello-for-business/ba-p/445349

    The main guide I've followed is this one: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/

    I've done everything mentioned in those articles, and the error related to permissions persists. We're a Server 2019 domain, Domain functional level 2016, Forest level is 2008 R2 (not sure if that matters or not, we're upgrading soon), Schema version 88 (2019), Hybrid Joined, running the latest Azure AD Connect version (2.3.8.0), using Duo for MFA. I opened up a support ticket with Entra support, but we've been back and forth for a while and not gotten anywhere.

    Solution: Resolved by @Mike

    One month later, I finally figured it out. There was one primary component missing all along - the Azure AD Kerberos domain controller computer object. What's most frustrating is that the "Plan a Windows Hello for Business deployment" article barely touches the AzureADKerberos account and doesn't provide proper procedure. @Givary-MSFT, take note of this.

    This is all that the official deployment guide specifies on the topic:
    [screenshot]

    This is not enough information and misleads the admin following it. An entire unreferenced article exists about how to create the AzureADKerberos account. I wasted around 80 hours of my life over this.

    Anyways...

    I simply followed this guide: How to set up Windows Authentication for Microsoft Entra ID with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn

    All of my WHfB issues went away after following it step-by-step. The problem with the msDS-KeyCredentialLink synced right up and works properly.

    Some other things you might want to check are the following:

    - Make sure 'Use cloud trust for on-premises authentication' is enabled. Make sure 'Use certificate for on-premises' is disabled or Not configured.

    - Make sure WHfB is enabled for both the Computer and User GPOs.

    - Run dsregcmd /status. You're looking for CloudTGT. This should be either True, Yes, or Enabled. If it's No or False, there's a problem with the Azure AD Kerberos domain controller object. Refer to the guide above.

    - Refer to the following guide for any permission issues: Azure AD Mailbag: Windows Hello for Business - Microsoft Community Hub and also here: Permission-issue error 8344 in Synchronization Service Manager - Azure | Microsoft Learn

    - Step through the main setup guide here and make sure you didn't miss anything. Plan a Windows Hello for Business Deployment - Windows Security | Microsoft Learn

    A good event viewer log for HelloForBusiness would look like this:
    [screenshot]

    If you have any other questions or are still running into more issues, please let me know. Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.


2 additional answers

  1. Mike 25 Reputation points
    2024-04-26T05:13:53.08+00:00

    One month later, I finally figured it out. There was one primary component missing all along - the Azure AD Kerberos domain controller computer object. What's most frustrating is that the "Plan a Windows Hello for Business deployment" article barely touches the AzureADKerberos account and doesn't provide proper procedure. @Givary-MSFT, take note of this.

    This is all that the official deployment guide specifies on the topic:
    [screenshot]

    This is not enough information and misleads the admin following it. An entire unreferenced article exists about how to create the AzureADKerberos account. I wasted around 80 hours of my life over this.

    Anyways...

    I simply followed this guide: How to set up Windows Authentication for Microsoft Entra ID with the incoming trust-based flow - Azure SQL Managed Instance | Microsoft Learn

    All of my WHfB issues went away after following it step-by-step. The problem with the msDS-KeyCredentialLink synced right up and works properly.

    Some other things you might want to check are the following:

    - Make sure 'Use cloud trust for on-premises authentication' is enabled. Make sure 'Use certificate for on-premises' is disabled or Not configured.

    - Make sure WHfB is enabled for both the Computer and User GPOs.

    - Run dsregcmd /status. You're looking for CloudTGT. This should be either True, Yes, or Enabled. If it's No or False, there's a problem with the Azure AD Kerberos domain controller object. Refer to the guide above.

    - Refer to the following guide for any permission issues: Azure AD Mailbag: Windows Hello for Business - Microsoft Community Hub and also here: Permission-issue error 8344 in Synchronization Service Manager - Azure | Microsoft Learn

    - Step through the main setup guide here and make sure you didn't miss anything. Plan a Windows Hello for Business Deployment - Windows Security | Microsoft Learn

    A good event viewer log for HelloForBusiness would look like this:
    [screenshot]

    Best of luck to everyone. I think I've gotten a decent grasp of WHfB now. Post a question if you're still having issues!

    1 person found this answer helpful.
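The checks Mike lists (AzureADKerberos object present, msDS-KeyCredentialLink populated, CloudTgt reported by dsregcmd) can be run as one read-only script. This is an added example, not code from the thread or from Microsoft's guides; it assumes the RSAT ActiveDirectory module on a hybrid-joined admin workstation, and `jdoe` is a placeholder user name.

```powershell
#Requires -Modules ActiveDirectory
# Added read-only diagnostic; not from this thread or from Microsoft's guides.
# Assumes RSAT ActiveDirectory on a hybrid-joined client; $UserSamAccountName is a placeholder.
param(
    [string]$UserSamAccountName = 'jdoe'   # placeholder: a WHfB-enrolled user to inspect
)

# 1. Cloud Kerberos trust needs the AzureADKerberos read-only DC object and the
#    krbtgt account it links to. Without them the client cannot get a cloud TGT.
$rodc = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -Properties 'msDS-KrbTgtLink'
if (-not $rodc) {
    Write-Warning 'AzureADKerberos computer object not found; it is created by Set-AzureADKerberosServer (see the guide linked in the answer above).'
} else {
    Write-Output "AzureADKerberos object : $($rodc.DistinguishedName)"
    Write-Output "Linked krbtgt account  : $($rodc.'msDS-KrbTgtLink')"
}

# 2. msDS-KeyCredentialLink is where Entra Connect writes the WHfB public key back.
#    Zero values on an enrolled user matches the 8344 export failure in the question.
$user = Get-ADUser -Identity $UserSamAccountName -Properties 'msDS-KeyCredentialLink'
$keys = @($user.'msDS-KeyCredentialLink')
Write-Output "$UserSamAccountName has $($keys.Count) msDS-KeyCredentialLink value(s)"

# 3. dsregcmd /status reports whether this client actually obtained a cloud TGT.
#    Pull the CloudTgt line out of the dump instead of reading the whole thing.
$line = dsregcmd /status | Select-String -Pattern '^\s*CloudTgt\s*:\s*(\S+)' | Select-Object -First 1
if (-not $line) {
    Write-Warning 'No CloudTgt line in dsregcmd output; the device may not be hybrid joined or the build is too old.'
} elseif ($line.Matches[0].Groups[1].Value -notin 'YES', 'TRUE') {
    Write-Warning "CloudTgt is $($line.Matches[0].Groups[1].Value); check the AzureADKerberos object and the cloud trust GPO."
} else {
    Write-Output 'CloudTgt : YES'
}
```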

  2. Komal Singh 0 Reputation points
    2024-04-15T04:36:48.49+00:00

    It sounds like you've done a thorough job troubleshooting so far. Given the complexity of the issue, have you considered reaching out to Microsoft support directly? They might be able to provide more specialized assistance, especially since you've already exhausted many of the available resources.