I’m experiencing an intermittent issue in our hybrid network setup and would love your insights. We have laptops that are AzureAD-joined but not domain-joined, connecting to an on-premises server environment through Zscaler. We also use Windows Hello for Business for user authentication. Here’s the situation: What happens? After signing in to a laptop (using PIN, password, or biometrics via Windows Hello for Business), Single Sign-On (SSO) to on-premises SMB file shares sometimes fails. If signed in with a password, users might see: "The system cannot contact a domain controller to service the authentication request." If signed in with PIN or biometrics, a credential prompt appears when accessing the file shares. Observations: The issue appears to be related to missing Kerberos tickets. Running klist shows no TGTs are active when the problem occurs. The problem resolves itself after 10-15 minutes without intervention, at which point Kerberos tickets appear, and SSO starts working as expected. Running the command nltest /dsgetdc:<domainname> consistently returns a correct domain controller with accurate details, even when the issue is present. What we’ve checked so far: DNS and connectivity: DNS resolution and network access to the domain controllers seem fine. Time synchronization: Clocks on the laptops and domain controllers are in sync. Credential Guard: Disabled, but no effect. Windows Hello for Business configuration: No clear issues found. Logs: No significant errors or clues in laptop or domain controller logs. Our question: Has anyone experienced similar issues with Windows Hello for Business in a hybrid environment? Are there specific tools, settings, or areas we should focus on to diagnose this further? Any suggestions or advice would be greatly appreciated. Thanks in advance for your help! 😊

Weird on-prem authentication issues on AzureAD-Joined Laptops

Janssen R. (Rick) 0

I’m experiencing an intermittent issue in our hybrid network setup and would love your insights. We have laptops that are AzureAD-joined but not domain-joined, connecting to an on-premises server environment through Zscaler. We also use Windows Hello for Business for user authentication. Here’s the situation:

What happens? After signing in to a laptop (using PIN, password, or biometrics via Windows Hello for Business), Single Sign-On (SSO) to on-premises SMB file shares sometimes fails.

If signed in with a password, users might see: "The system cannot contact a domain controller to service the authentication request."
If signed in with PIN or biometrics, a credential prompt appears when accessing the file shares.

Observations:

The issue appears to be related to missing Kerberos tickets. Running klist shows no TGTs are active when the problem occurs.
The problem resolves itself after 10-15 minutes without intervention, at which point Kerberos tickets appear, and SSO starts working as expected.
Running the command nltest /dsgetdc:<domainname> consistently returns a correct domain controller with accurate details, even when the issue is present.

What we’ve checked so far:

DNS and connectivity: DNS resolution and network access to the domain controllers seem fine.
Time synchronization: Clocks on the laptops and domain controllers are in sync.
Credential Guard: Disabled, but no effect.
Windows Hello for Business configuration: No clear issues found.
Logs: No significant errors or clues in laptop or domain controller logs.

Our question:

Has anyone experienced similar issues with Windows Hello for Business in a hybrid environment?
Are there specific tools, settings, or areas we should focus on to diagnose this further?

Any suggestions or advice would be greatly appreciated. Thanks in advance for your help! 😊

FrankEscarosBuechsel-MSFT 575 Reputation points Microsoft Employee

2024-12-23T15:24:19.2333333+00:00

Hi @Janssen R. (Rick) • Thank you for reaching out.

It seems you are getting intermittent login prompts from Entra joined clients.

On devices that are joined to Microsoft Entra ID or hybrid Microsoft Entra ID, the main component of authentication is the Primary Refresh Token (PRT). You obtain this token by signing in to Windows 10 by using Microsoft Entra credentials on a Microsoft Entra joined device for the first time. The PRT is cached on that device. For subsequent sign-ins, the cached token is used to let you use the desktop.

As part of the process of locking and unlocking the device or signing in again to Windows, a background network authentication attempt is made one time every four hours to refresh the PRT. If problems occur that prevent refreshing the token, the PRT eventually expires. Expiration affects single sign-on (SSO) to Microsoft Entra resources. It also causes sign-in prompts to be shown.

Your issue self-resolving after 15 minutes sounds like the PRT refresh happens within that timeframe. How often can you reproduce the issue, if it happens often enough it would be very helpful if you could work through the checklist described in the following Learn Article: Troubleshoot primary refresh token issues on Windows devices

On a high level the article will walk you through 4 steps, with the first step letting us confirm the suspicion if your problems indeed are related to the PRT or not:

Step 1: Get the status of the primary refresh token Step 2: Get the error code Step 3: Get troubleshooting instructions for certain error codes Step 4: Collect the logs and traces

You can read more about the PRT in general: What is a Primary Refresh Token?

Please let me know if you have any further questions on this and if the above indeed does match to your issue please let us know as well.

Share via

Weird on-prem authentication issues on AzureAD-Joined Laptops

Your answer