Asked by JohnQ-7759; last comment by fakhruddinvaghela-7765

Can't do Azure AD Hybrid Join - help needed

I am simply trying to get Azure AD Hybrid Join to work so I can manage our laptops via Azure Intune.
We have an on-prem AD and we use Okta for authentication of our users to Azure/O365.
The lack of details and support from both vendors is astounding and is the only thing holding us back from giving people our money.

I ran the configuration in the Azure AD Connect client to do device joining, and the SCP page gave me two options: ourdomain.okta.com or Azure AD. I chose the Okta one. Nothing else stood out as odd in the wizard.


Thereafter I'm still not sure what to do. I checked my computer's event logs and it gives me this error under Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin:

Automatic registration failed at authentication phase. Unable to acquire access token.
Exit code: Unknown HResult Error code: 0x801c0515
Tenant Name: ourdomain.com.com
Tenant Type: Federated
Server error:
AdalMessage: ADALUseWindowsAuthenticationTenant failed, unable to preform integrated auth
AdalErrorCode: 0x2ee6
AdalCorrelationId: undefined
AdalLog: HRESULT: 0x2ee6
AdalLog: HRESULT: 0x2ee6
AdalLog: HRESULT: 0x2ee6
AdalLog: AggregatedTokenRequest::GetAppliesTo: using resource ID "urn:federation:MicrosoftOnline" for authority "https://login.microsoftonline.com/common". ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

azure-ad-privileged-identity-management
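The log in the post fails inside the ADAL integrated-auth path ("unable to perform integrated auth", HRESULT 0x2ee6) against a federated tenant, which is what the first comment below points at: the device tries to authenticate its computer account to the identity provider over WS-Trust with integrated Windows authentication. Microsoft's hybrid join prerequisites for federated domains call for the federation service to publish WS-Trust metadata (MEX) and the windowstransport (integrated-auth) endpoints, and a username/password (usernamemixed) endpoint alone does not satisfy the join. The following triage script is an added example, not code from the original post, from Microsoft or from Okta. It assumes an elevated PowerShell session on an affected domain-joined Windows 10 machine, a UPN of a user in the federated domain (the `$Upn` parameter is an assumption), and, for the SCP lookup only, the RSAT ActiveDirectory module.

```powershell
<#
  Hybrid Azure AD Join triage for a federated tenant (added example, not from the post).
  Run elevated on an affected domain-joined Windows 10 machine.
  Assumptions: $Upn is a user in the federated domain; RSAT ActiveDirectory is
  installed for the SCP lookup (that step is skipped with a message if it is not).
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Upn   # e.g. someone@ourdomain.com (assumed test user, not from the post)
)

# 1. What the device itself believes: domain join, Azure AD join and PRT state.
function Get-DsregSummary {
    $result = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|TenantName|TenantId|AzureAdPrt)\s*:\s*(.+?)\s*$') {
            $result[$Matches[1]] = $Matches[2]
        }
    }
    return $result
}

# 2. The SCP that Azure AD Connect wrote into the forest's Configuration partition.
#    The CN is the well-known Device Registration SCP GUID; the keywords carry the
#    tenant name and tenant ID the client uses for discovery.
function Get-DeviceRegistrationScp {
    Import-Module ActiveDirectory -ErrorAction Stop
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $scpDn = "CN=62a0ff2e-97b9-4ad1-8f9e-ddfa8b19d93b,CN=Device Registration Configuration,CN=Services,$configNc"
    return (Get-ADObject -Identity $scpDn -Properties keywords -ErrorAction Stop).keywords
}

# 3. Home-realm discovery for the user's domain, as the device does before authenticating.
#    For a federated domain this returns the IdP's WS-Trust STS and MEX URLs.
function Get-RealmInfo([string]$Login) {
    $uri = 'https://login.microsoftonline.com/getuserrealm.srf?login=' +
           [uri]::EscapeDataString($Login) + '&xml=1'
    [xml]$xml = (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content
    return [pscustomobject]@{
        NameSpaceType = $xml.RealmInfo.NameSpaceType   # 'Federated' or 'Managed'
        STSAuthURL    = $xml.RealmInfo.STSAuthURL
        MEXURL        = $xml.RealmInfo.MEXURL
    }
}

# 4. Fetch the IdP's WS-Trust metadata and check which endpoint types it advertises.
#    The join authenticates the computer account with integrated Windows auth, so the
#    metadata must include a windowstransport endpoint; usernamemixed alone is not enough.
function Test-WsTrustMetadata([string]$MexUrl) {
    try {
        $mex = (Invoke-WebRequest -Uri $MexUrl -UseBasicParsing -ErrorAction Stop).Content
        return [pscustomobject]@{
            MexReachable        = $true
            HasWindowsTransport = [bool]($mex -match 'windowstransport')
            HasUsernameMixed    = [bool]($mex -match 'usernamemixed')
            Error               = $null
        }
    } catch {
        return [pscustomobject]@{
            MexReachable = $false; HasWindowsTransport = $false
            HasUsernameMixed = $false; Error = $_.Exception.Message
        }
    }
}

# 5. Recent automatic-registration failures from the log quoted in the post.
function Get-RegistrationFailures {
    Get-WinEvent -LogName 'Microsoft-Windows-User Device Registration/Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Automatic registration failed' } |
        Select-Object TimeCreated, Id, @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

'== dsregcmd /status =='
Get-DsregSummary | Format-Table -AutoSize

'== SCP keywords in AD =='
try { Get-DeviceRegistrationScp } catch { "SCP lookup skipped: $($_.Exception.Message)" }

"== Realm info for $Upn =="
$realm = Get-RealmInfo -Login $Upn
$realm | Format-List

if ($realm.NameSpaceType -eq 'Federated' -and $realm.MEXURL) {
    '== WS-Trust metadata check =='
    Test-WsTrustMetadata -MexUrl $realm.MEXURL | Format-List
}

'== Recent registration failures =='
Get-RegistrationFailures | Format-Table -AutoSize
```

Read the output bottom-up: if the SCP keywords carry the expected azureADName/azureADId values and realm discovery says Federated, the interesting line is HasWindowsTransport. A MEX that is reachable but lists only usernamemixed matches the symptom in the post (the device has no password to present and the integrated-auth attempt fails), and the fix then lives on the identity-provider side, not in Azure AD Connect. After changing anything, trigger a fresh attempt with `Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'` and re-run the script rather than waiting for the next logon.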

@JohnQ-7759 From the error it looks like the Identity Provider (IdP) does not have the WS-Trust endpoint enabled or the required claims are not enabled. Which version of Windows are you using? Did you try creating a support ticket with Microsoft or Okta for this issue?


@JohnQ-7759 Please let us know if you are still facing this issue.



Hi Saurabh,
I am also facing the same issue. As per Okta, the WS-Trust endpoint is enabled. Is this endpoint using basic authentication?


0 Answers