locked
Is Windows 8.1 device workplace join supported with Windows Server 2016 on-premise only ? RRS feed

  • Question

  • In Windows Server 2012 R2, Windows 8.1 and Android and iOS device can workplace join to Windows Server 2012 R2 Active Directory Domain using Windows Server 2012 R2 AD DS, AD FS, and Web Application Proxy (WAP).

    I could it on-premise only without Azure AD Integration. I could also use device registration service of Azure AD, and write back device to on-premise Active Directory.

    I built the same environment (on-premise only, without Azure AD) using Windows Server 2016 GA AD DS, AD FS, and WAP. But I encountered several problems and didn't succeed.

    My procedure is as follows. I use Japanese language OS.

    On-premise environment:
    1. Install AD DS
    2. Install AD CS and CRL distribution point
    3. Install AD FS
    4. Enable Device Registration by ADFS admin snap-in.
    (I also tried "Initialize-ADDeviceRegistration -ServcieName..., Enable-AdfsDeviceRegistration, Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true")
    6. Execute "Set-AdfsProperties -enableidpinitiatedsignonpage $true"
    (because windows server 2016 ad fs's default is false)
    7. Register DNS records adfsserver.domainsuffix and enterpriseregistration.domainsuffix for internal clients
    8. Install WAP
    9. Publish CRL distribution point using WAP pass-through http proxy.
    10. Register DNS records adfsserver.domainsuffix and enterpriseregistration.domainsuffix for external clients

    Windows 8.1 device on Internet:
    1. Import enterprise root ca certificate to trusted root ca of local computer.
    2. Add https://*domainsuffix to trusted sites in Internet Option.
    3. Setup Workplace Join
    4. Company Portal show error "No strong authentication method found for the request", and workplace join failed.

    "No strong auth..." error could be resolved by this way.

    I found (Get-AdfsDeviceRegistration).AccessControlPolicyName return "すべてのユーザーを許可し、MFA を要求して、デバイスの自動登録を許可"("Permit everyone and require MFA from unauthenticated devices" in English). I think this default configuration for Windows 10 auto device registration.
    I change this Access Control Policy to "すべてのユーザーを許可 (Permit everyone)".
    PS C:\> Set-AdfsDeviceRegistration -AccessControlPolicyName "すべてのユーザーを許可"

    I tried workplace join again. Company portal form authentication success. But workplace join failed with this error.

    "正しいサインイン情報を使っていて、社内ネットワークでこの機能が使われていることを確認してください。"(Confirm you are using the correct sign-in info, and that your workplace uses this feature.)

    I found 0x80180008 unknown error event (event id 200) in Workplace Join/Admin Log

    Hybrid environment with Azure AD Integration works fine. Windows 8.1 device can workplace join by Azure AD and write back to on-premise. And domain joined Windows 10 auto registration works fine too. But I want to on-premise only environment for Windows 8.1 workplace join like Windows Server 2012 R2 can.



    Saturday, November 5, 2016 1:29 AM

All replies

  • I'm facing exactly the same issue. ADFS replies with 500 HTTP error and following message:

    WindowsEnrollmentServiceInternalError: RequestSecurityToken failed with Exception: Object reference not set to an instance of an object..

    Thursday, January 26, 2017 3:54 AM