DaveBaker-3347 asked JimmySalian-2011 answered

VDI Hybrid AD PRT token refresh request failing periodically 0xCAA90056 Renew token by the primary refresh token failed and 0xCAA5001C Token broker operation failed!

We are running an instant clone Win 10 1909 environment with hybrid AD joined devices and have begun to see periodic instances where a given device fails to authenticate with AAD/AD FS, but when the user signs into a different VM, it works fine. The O365 components of the desktop fail to activate (unable to acquire a license and activate). The event log shows that hybrid AD join is successful and the user PRT is issued; the problem seems to lie when the application requests an access or refresh token from the PRT. The logs in AAD > Operational show:

Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -895025142 (0xcaa7000a), Description: The Internet connection has timed out.
Logged at webaccountprocessor.cpp, line: 593, method: AAD::Core::WebAccountProcessor::ReportOperationError.

Error: 0xCAA7000A The Internet connection has timed out.
Exception of type 'class HttpException' at xmlhttpwebrequest.cpp, line: 171, method: XMLHTTPWebRequest::ReceiveResponse.
Log: 0xcaa90051 Sending OAuth request failed.
Logged at oauthtokenrequestbase.cpp, line: 237, method: OAuthTokenRequestBase::SendRequest.

Error: 0xCAA7000A The Internet connection has timed out.
Code: authentication_failed
Description: The Internet connection has timed out.
TokenEndpoint: https://login.microsoftonline.com/common/oauth2/token
Logged at oauthtokenrequestbase.cpp, line: 237, method: OAuthTokenRequestBase::SendRequest.

The internet connection appears to be fine - we use Zscaler with ADFS to authenticate and a .pac file on the desktop. Note - during startup we perform dsregcmd /join, so the internet connection is required there, and when the user logs in the second /join takes place and this is successful, so something is causing the OAuth mechanism for the 365 apps to fail - any ideas how we troubleshoot this or what else to try to make this work?

Again, this only happens on some VMs - it's not consistent on the device name either, it can be any random VM and any random user.

Dave


Curious what your resolution was to this? We are seeing something randomly with Windows 10 machines. When the issue occurs the Start button quits working and Office couldn't be activated. If we sign in with a new user on the same machine there are no issues, or if that same user signs into a new PC, no issues.

Can't figure out root cause or a workaround so the only resolution is to give the user a new machine (or to blow away their user profile).

Have a premier ticket opened but been a few weeks and they haven't come up with anything useful yet.


1 Answer

JimmySalian-2011 answered

Hi,

The error code and symptoms seem to me like some sort of network connectivity issue. Do you have a proxy server, a packet shaper device that throttles bandwidth, or a firewall that inspects each packet and filters traffic?

I would suggest you carry out the checks following this link, as it points at each setting for troubleshooting the O365 activation.

There was a change in the authentication package recently and here is the detailed information; please check the version - connection-issue-when-sign-in-office-2016

I would also check that all the relevant ports are open, just to double check. It is known that the issue is sporadic, but it is worth checking with the network team. Link for ports: urls-and-ip-address-ranges

0xcaa70007-and-0xcaa80000
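As an added triage script (not part of this thread and not Microsoft tooling), the PowerShell below collects on one affected VM the things the answer asks about: the 0xCAA error codes recorded in the AAD > Operational log that the question quotes, the dsregcmd join and PRT state, and the system and user proxy settings plus reachability of the token endpoint named in the log. The log name, the 24-hour lookback window and the host are assumptions; run it as the affected user so dsregcmd reports that user's SSO state.

```powershell
# Added triage helper (not from the thread). Assumes a PowerShell session as the
# affected user on the VM; the lookback window and token host are assumptions.
param([int]$Hours = 24, [string]$TokenHost = 'login.microsoftonline.com')

# 1. Which 0xCAA..... codes has the AAD Operational log recorded in the window?
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Level     = 2          # 2 = Error
    StartTime = $since
} -ErrorAction SilentlyContinue

$codes = foreach ($e in $events) {
    foreach ($m in [regex]::Matches($e.Message, '0x[cC][aA]{2}[0-9A-Fa-f]{5}')) {
        $m.Value.ToUpper()
    }
}
"AAD Operational error codes since $since (0xCAA7000A = HTTP timeout, 0xCAA5001C = broker failure):"
$codes | Group-Object | Sort-Object Count -Descending |
    Select-Object @{ n = 'Code'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 2. Join and PRT state: a PRT that is present while refresh fails matches the question.
"dsregcmd /status (join and PRT fields):"
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|DomainJoined|AzureAdPrt'

# 3. Proxy paths and reachability of the token endpoint named in the log.
"System (WinHTTP) proxy, used by device registration:"
netsh winhttp show proxy
"User (WinINet) proxy settings, including any .pac URL:"
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' |
    Select-Object ProxyEnable, ProxyServer, AutoConfigURL | Format-List
$tnc = Test-NetConnection -ComputerName $TokenHost -Port 443 -WarningAction SilentlyContinue
"Direct TCP 443 to {0}: {1}" -f $TokenHost, $(if ($tnc.TcpTestSucceeded) { 'OK' } else { 'FAILED' })
```

Comparing the output from a failing VM against a healthy one narrows the fault to the log codes, the PRT state, or the proxy path.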
