Hybrid environment - SSO not working

Andreas 1,301 Reputation points
2024-04-13T23:37:55.65+00:00

Hi,

We have a Hybrid environment, and are trying to auto enroll our Hybrid joined machines to Intune.

I have created a GPO and linked it to the machines


It seems to work for some, but many fail.

When I check dsregcmd I get the following


EntraID object


As I understand it, it fails to acquire the PRT status from Microsoft Entra ID.

I log in with a user that is username@domain.com, since we have added the UPN domain.com to the user; that works fine. I guess if I had logged on with username@domain.local it would have failed, right?

When I check the user in Entra ID it is synchronized correctly


Seamless single sign-on is also working?


What am I missing here?

Some event logs


Thanks for any reply

/R

Andreas


1 answer

Akhilesh 4,775 Reputation points Microsoft Vendor
2024-04-16T13:15:35.71+00:00

    Hi @Andreas

    Regarding your question about the UPN, you are correct that logging in with a UPN that is not synced to Azure AD might cause issues with the device registration process. It is recommended to use a UPN that is synced to Azure AD for logging in to the affected machines.

    The error code 0xCAAA9006 indicates a failure in acquiring a token via the WS-Trust flow. This may point to a problem with the federation server in a Hybrid Azure AD join configuration, or to a network issue preventing the device from reaching the domain controller.
    If you are using Hybrid Azure AD join with a federated environment, you could check the authentication logs on the federation server and share them with us.
    https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-hybrid-join-windows-current#other-errors-1

    Event ID 1097 is an error that indicates Group Policy processing has failed because Windows could not determine the computer account to enforce Group Policy settings. For more details, please refer to Event ID 1097 and Event ID 1098.
    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Akhilesh.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
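As an added example (not part of the question or the answer above), the following PowerShell script pulls the fields from `dsregcmd /status` that decide whether a Hybrid joined device can obtain a PRT, and flags a logged-on UPN whose suffix is not one of the verified Entra ID domains. The domain list, the function names and the field names used here are assumptions based on common `dsregcmd` output; run it as the affected user on the affected device.

```powershell
# Added example: summarise the dsregcmd /status fields relevant to Hybrid join + PRT.
# Assumption: $VerifiedDomains holds the UPN suffixes verified in Entra ID (placeholder).
$VerifiedDomains = @('domain.com')

function Get-DsregStatus {
    # Parse "Key : Value" lines of dsregcmd /status into a hashtable.
    # Lines without a "Key : Value" shape (banners, separators) are skipped.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    return $status
}

function Test-HybridJoinPrt {
    param([hashtable]$Status, [string[]]$Domains)
    $findings = @()
    if ($Status['DomainJoined'] -ne 'YES') {
        $findings += 'Device is not AD domain joined (DomainJoined != YES).'
    }
    if ($Status['AzureAdJoined'] -ne 'YES') {
        $findings += 'Device is not Entra joined (AzureAdJoined != YES); check the registration GPO / SCP.'
    }
    if ($Status['AzureAdPrt'] -ne 'YES') {
        $findings += 'No PRT (AzureAdPrt != YES); check AzureAdPrtUpdateTime and the WS-Trust / federation path.'
    }
    # "Executing Account Name" is typically "DOMAIN\user, user@suffix"; take the UPN suffix.
    $account = $Status['Executing Account Name']
    if ($account -and $account -match '@') {
        $suffix = ($account -split '@')[-1].Trim()
        if ($Domains -notcontains $suffix) {
            $findings += "Logged-on UPN suffix '$suffix' is not a verified Entra ID domain; a PRT will not be issued."
        }
    }
    if ($findings.Count -eq 0) { $findings += 'DomainJoined, AzureAdJoined and AzureAdPrt are all YES and the UPN suffix is verified.' }
    return $findings
}

$status = Get-DsregStatus
Test-HybridJoinPrt -Status $status -Domains $VerifiedDomains | ForEach-Object { Write-Output $_ }
```

If `AzureAdPrt` is `NO` while the suffix check passes, the next thing to look at is the `AzureAdPrtUpdateTime` value and the federation or network path the answer mentions.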