2,426 questions
No PRT with Certificate Based Authentication in Entra Hybrid Setup
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(19.2, 79%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EH%3C/text%3E%3C/svg%3E)
Hari
0
Reputation points
I have Entra Hybrid setup where on prem AD is connected to Azure AD using AzureAD Connect.
From a domain joined computer, if user logs in with username/password, PRT is available and user can open office portal without entering credentials.
But if user logs in with passwordless solution(certificate based authentication), PRT is not available and while opening office portal, user is asked to enter credentials.
dsregcmd /status output
- AzureADPrt : NO Server Error Code : invalid_client Server Error Description : AADSTS50017 : Validation of given certificate for certificate based authentication failed.
I have uploaded CA certificate in Azure portal certificate authorities page and enabled CBA.
Event viewer AAD Operational log shows the same error AADSTS50017. Analytic log with event ID 1007 has AadCloudAPPlugin GetToken Stop Status: 0xC000006D
I have tried sample V2 credential provider with username/password and PRT is issued. So, third party CP may not be a problem for issuing PRT.
Thanks for the help.
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 10,040 Reputation points Microsoft Vendor2024-12-26T20:07:45.75+00:00 Hello @Hari,
Thank you for posting your query on Microsoft Q&A.
From your description, it appears that when you attempt to sign in using Windows smart card with Microsoft Entra certificate-based authentication, the device does not receive a valid Primary Refresh Token (PRT). However, when you log in using your username and password, the device successfully receives a valid PRT.
To better understand the situation, please check if Entra CBA works in the browser. If you're unsure, I recommend starting there to ensure that the browser sign-in functions correctly first, as this will make troubleshooting easier. Once that is confirmed, please check if the windows version of your device lies under Supported Windows platforms as per below document.
Thanks,
Raja Pothuraju.
Sign in to comment
Sign in to answer