Device Authentication Issues -- No certificate prompt on client

  • Question

  • Hi there,

    I have ADFS 3.0 deployed, using Azure DRS for workplace join.  That portion is working as expected, device writeback looks good in the local directory, etc.

    The issue I'm having is that when I enable a test account for MFA utilizing certificate authentication as the secondary source (FBA as the primary), I'm never prompted to select the certificate issued via workplace join.  I've verified that it's present in the computer's personal store, and that the GUID matches that of the device object written back to AD via AADC.  I've enabled debug tracing within ADFS, and I can see the request come in, the policy hit based on the username, and while there's no error, I do see this clearly:

    Event 54, AD FS Tracing

    Request did not contain a device security token

    All the research I've done (and if there's a blog or forum post on the subject, believe me I've read it!) suggests a few possible scenarios, none of which seem to be the culprit:

    1. Port 49443 between client and ADFS servers\WAPs blocked

    -- Have verified this not to be the case.  I can telnet from the client(s) to the servers on that port without issue, and just to verify that the client is attempting to communicate properly, I watched the transaction in Wireshark and Fiddler...connection is good, SSL handshake is good...no issues there.

    2. Presence of non-self-signed root certs on ADFS servers\lack of root certs on WAPs

    -- Verified that everything is good from that perspective, verified that the bindings are as they should be, as well.  The WAPs are actually domain joined, so they have the proper root and intermediate cert by virtue of that.

    I've tried this in multiple browsers in multiple ways, and nothing seems to work.  Aside from this portion, ADFS and SSO are in good shape and FBA\WIA both work swimmingly.

    Any advice?

    Tuesday, June 7, 2016 10:37 PM

Answers

  • Yes, we finally determined that the way client device authentication works changed from Windows 7/8 to Windows 10.  It's not possible to use ADFS in Server 2012\2008 to device authenticate Windows 10 machines.  Microsoft verified this; you need Server 2016 and the new release of ADFS.
    • Marked as answer by jafnelson Thursday, February 16, 2017 6:58 PM
    Thursday, February 16, 2017 6:58 PM

All replies

  • Have you set SupportsMFA to $True via Set-MSOLDomainFederationSettings cmdlet? This should trigger MFA on your AD FS server.

    http://blog.auth360.net

    Saturday, June 11, 2016 7:10 AM
  • Hi,

    Did you ever resolve this one?  I'm having the same issue.  Verified everything you mentioned but nothing is changing this behaviour.

    Any ideas?

    Thanks

    Matt

    Thursday, February 16, 2017 6:56 PM
  • Thanks for the quick reply.

    Actually, I had Windows 10 device authentication working perfectly with ADFS 3.0 (2012).  Now I have a fresh installation of ADFS 4.0 (2016) and this doesn't work.  Confusing to say the least!

    Thursday, February 16, 2017 8:07 PM
  • Thanks for the quick reply.

    Actually, I had Windows 10 device authentication working perfectly with ADFS 3.0 (2012).  Now I have a fresh installation of ADFS 4.0 (2016) and this doesn't work.  Confusing to say the least!

    Hi Matty,

    Most likely, the issue is that your device is "AAD Joined", as opposed to "Workplace Joined"; both are forms of AAD registration. When you have a BYOD that is connected to a Work or School account (so not a device that is on-premise AD joined, and thus auto-AAD Joined via your setup), you will notice that you get the certificate prompt for Device Authentication. Then, your claims of Is Registered User will work.

    Anything Azure AD Joined / Auto Joined will not be Workplace joined. You can use the "DSREGCMD /STATUS" command to verify this:

    -- trimmed output --

    +----------------------------------------------------------+
    | Device State                                             |
    +----------------------------------------------------------+

              AzureAdJoined : NO <----
           EnterpriseJoined : NO

    +----------------------------------------------------------+
    | User State                                               |
    +----------------------------------------------------------+

                     NgcSet : NO
            WorkplaceJoined : YES <--- Will make you get a Certificate prompt for Device Auth, to utilize the "Is Registered User" claim.

    Hope this helps!

    And p.s., 

    While 2012R2 is not the supported way for Windows 10, it does indeed work still.

    Thursday, February 15, 2018 9:34 PM
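A single client-side check that covers the points raised across this thread: the AzureAdJoined / WorkplaceJoined fields of dsregcmd /status from the last reply, TCP 49443 reachability from the original question, the registration certificate in the personal store, and the SupportsMFA federation setting from the first reply. This is an added example, not code posted by anyone in the thread. The AD FS hostname and federated domain are placeholders, and the issuer name MS-Organization-Access used to locate the registration certificate is an assumption about how the certificate is labelled.

```powershell
# Added diagnostic script; not code from the thread. Assumes Windows PowerShell 5.1
# on the Windows 10 client, dsregcmd.exe on the PATH and, for the SupportsMFA check,
# the MSOnline module with an existing Connect-MsolService session.
param(
    [string]$AdfsHost        = 'adfs.example.com',   # placeholder: AD FS / WAP hostname
    [string]$FederatedDomain = 'example.com'         # placeholder: federated domain
)

function Get-DsregState {
    # Turn the "   Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(\S+)') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

# 1. Registration state: the distinction drawn in the last reply above.
$ds = Get-DsregState
$azureAdJoined   = $ds['AzureAdJoined']   -eq 'YES'
$workplaceJoined = $ds['WorkplaceJoined'] -eq 'YES'
Write-Host "AzureAdJoined   : $($ds['AzureAdJoined'])"
Write-Host "WorkplaceJoined : $($ds['WorkplaceJoined'])"
if ($workplaceJoined -and -not $azureAdJoined) {
    Write-Host 'Workplace Joined: a certificate prompt for device authentication is expected.'
} elseif ($azureAdJoined) {
    Write-Host 'Azure AD Joined, not Workplace Joined: no Workplace Join certificate prompt.'
} else {
    Write-Host 'Not registered: AD FS will trace "Request did not contain a device security token".'
}

# 2. Certificate authentication endpoint reachability (TCP 49443).
$tnc = Test-NetConnection -ComputerName $AdfsHost -Port 49443 -WarningAction SilentlyContinue
$portState = if ($tnc.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
Write-Host "TCP 49443 to ${AdfsHost}: $portState"

# 3. Registration certificate. Assumption: it is issued by "MS-Organization-Access";
#    its subject CN is the device ID, which should match the device object in AD.
$certs = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My -ErrorAction SilentlyContinue |
         Where-Object { $_.Issuer -like '*MS-Organization-Access*' }
if ($certs) {
    foreach ($c in $certs) {
        Write-Host ("Registration cert: subject={0} thumbprint={1} expires={2}" -f `
            $c.Subject, $c.Thumbprint, $c.NotAfter)
    }
} else {
    Write-Host 'No registration certificate found in CurrentUser\My or LocalMachine\My.'
}

# 4. Federation setting named in the first reply (needs MSOnline and Connect-MsolService).
if (Get-Command Get-MsolDomainFederationSettings -ErrorAction SilentlyContinue) {
    $fed = Get-MsolDomainFederationSettings -DomainName $FederatedDomain
    Write-Host "SupportsMFA for ${FederatedDomain}: $($fed.SupportsMFA)"
    if (-not $fed.SupportsMFA) {
        Write-Host "Not set; enable with: Set-MsolDomainFederationSettings -DomainName $FederatedDomain -SupportsMFA `$true"
    }
} else {
    Write-Host 'MSOnline module not loaded; skipping SupportsMFA check.'
}
```

Run it on the client that fails to get the prompt: if step 1 reports Azure AD Joined rather than Workplace Joined, the missing prompt matches the explanation in the last reply, and steps 2 to 4 are there to rule out the network, certificate and tenant-setting causes the thread already eliminated.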