Muokkaa

Jaa


Troubleshoot primary refresh token issues on Windows devices

This article discusses how to troubleshoot issues that involve the primary refresh token (PRT) when you authenticate on a Microsoft Entra joined Windows device by using your Microsoft Entra credentials.

On devices that are joined to Microsoft Entra ID or hybrid Microsoft Entra ID, the main component of authentication is the PRT. You obtain this token by signing in to Windows 10 by using Microsoft Entra credentials on a Microsoft Entra joined device for the first time. The PRT is cached on that device. For subsequent sign-ins, the cached token is used to let you use the desktop.

As part of the process of locking and unlocking the device or signing in again to Windows, a background network authentication attempt is made one time every four hours to refresh the PRT. If problems occur that prevent refreshing the token, the PRT eventually expires. Expiration affects single sign-on (SSO) to Microsoft Entra resources. It also causes sign-in prompts to be shown.

If you suspect that a PRT problem exists, we recommend that you first collect Microsoft Entra logs, and follow the steps that are outlined in the troubleshooting checklist. Do this for any Microsoft Entra client issue first, ideally within a repro session. Complete this process before you file a support request.

Troubleshooting checklist

Step 1: Get the status of the primary refresh token

  1. Sign in to Windows under the user account in which you experience PRT issues.

  2. Select Start, and then search for and select Command Prompt.

  3. To run the device registration command (dsregcmd), enter dsregcmd /status.

  4. Locate the SSO state section of the device registration command's output. The following text shows an example of this section:

    +----------------------------------------------------------------------+
    | SSO State                                                            |
    +----------------------------------------------------------------------+
    
                    AzureAdPrt : YES
          AzureAdPrtUpdateTime : 2020-07-12 22:57:53.000 UTC
          AzureAdPrtExpiryTime : 2020-07-26 22:58:35.000 UTC
           AzureAdPrtAuthority : https://login.microsoftonline.com/00001111-aaaa-2222-bbbb-3333cccc4444
                 EnterprisePrt : YES
       EnterprisePrtUpdateTime : 2020-07-12 22:57:54.000 UTC
       EnterprisePrtExpiryTime : 2020-07-26 22:57:54.000 UTC
        EnterprisePrtAuthority : https://msft.sts.microsoft.com:443/adfs
    
    +----------------------------------------------------------------------+
    
  5. Check the value of the AzureAdPrt field. If it's set to NO, an error occurred when you tried to acquire the PRT status from Microsoft Entra ID.

  6. Check the value of the AzureAdPrtUpdateTime field. If the value of the AzureAdPrtUpdateTime field is more than four hours, a problem is likely preventing the PRT from refreshing. Lock and unlock the device to force a PRT refresh, and then check whether the time is updated.

Step 2: Get the error code

The next step is to get the error code that causes the PRT error. The quickest way to get the PRT error code is to examine the device registration command output. However, this method requires the Windows 10 May 2021 update (version 21H1) or a later version. The other method is to find the error code in Microsoft Entra analytic and operational logs.

Method 1: Examine the device registration command output

Note

This method is available only if you're using the Windows 10 May 2021 update (version 21H1) or a later version of Windows.

To get the PRT error code, run the dsregcmd command, and then locate the SSO State section. In the AzureAdPrt field, the Attempt Status field contains the error code. In the following example, the error code is 0xc000006d.

                AzureAdPrt : NO
       AzureAdPrtAuthority : https://login.microsoftonline.com/aaaa0000-bb11-2222-33cc-444444dddddd
     AcquirePrtDiagnostics : PRESENT
      Previous Prt Attempt : 2020-09-18 20:20:09.760 UTC
            Attempt Status : 0xc000006d
             User Identity : user@contoso.com
           Credential Type : Password
            Correlation ID : aaaa0000-bb11-2222-33cc-444444dddddd
              Endpoint URI : https://login.microsoftonline.com/aaaa0000-bb11-2222-33cc-444444dddddd/oauth2/token
               HTTP Method : POST
                HTTP Error : 0x0
               HTTP status : 400
         Server Error Code : invalid_grant
  Server Error Description : AADSTS50126: Error validating credentials due to invalid username or password.

Method 2: Use Event Viewer to examine AAD analytic and operational logs

  1. Select Start, and then search for and select Event Viewer.

  2. If the console tree doesn't appear in the Event Viewer window, select the Show/Hide Console Tree icon to make the console tree visible.

  3. In the console tree, select Event Viewer (Local). If child nodes don't appear underneath this item, double-click your selection to show them.

  4. Select the View menu. If a check mark isn't displayed next to Show Analytic and Debug Logs, select that menu item to enable that feature.

  5. In the console tree, expand Applications and Services Logs > Microsoft > Windows > AAD. The Operational and Analytic child nodes appear.

    Note

    In the Microsoft Entra Cloud Authentication Provider (CloudAP) plug-in, Error events are written to the Operational event logs, and information events are written to the Analytic event logs. You have to examine both the Operational and Analytic event logs to troubleshoot PRT issues.

  6. In the console tree, select the Analytic node to view AAD-related analytic events.

  7. In the list of analytic events, search for Event IDs 1006 and 1007. Event ID 1006 denotes the beginning of the PRT acquisition flow, and Event ID 1007 denotes the end of the PRT acquisition flow. All events in the AAD logs (both Analytic and Operational) that occurred between Event ID 1006 and Event ID 1007 are logged as part of the PRT acquisition flow. The following table shows an example event listing.

    Level Date and Time Source Event ID Task Category
    Information 6/24/2020 3:35:35 AM AAD 1006 AadCloudAPPlugin Operation
    Information 6/24/2020 3:35:35 AM AAD 1018 AadCloudAPPlugin Operation
    Information 6/24/2020 3:35:35 AM AAD 1144 AadCloudAPPlugin Operation
    Information 6/24/2020 3:35:35 AM AAD 1022 AadCloudAPPlugin Operation
    Error 6/24/2020 3:35:35 AM AAD 1084 AadCloudAPPlugin Operation
    Error 6/24/2020 3:35:35 AM AAD 1086 AadCloudAPPlugin Operation
    Error 6/24/2020 3:35:35 AM AAD 1160 AadCloudAPPlugin Operation
    Information 6/24/2020 3:35:35 AM AAD 1007 AadCloudAPPlugin Operation
    Information 6/24/2020 3:35:35 AM AAD 1157 AadCloudAPPlugin Operation
    Information 6/24/2020 3:35:35 AM AAD 1158 AadCloudAPPlugin Operation
  8. Double-click the row that contains Event ID 1007. The Event Properties dialog box for this event appears.

  9. In the description box on the General tab, copy the error code. The error code is a 10-character string that begins with 0x, followed by an 8-digit hexadecimal number.

Step 3: Get troubleshooting instructions for certain error codes

Status codes ("STATUS_" prefix, codes that begin with "0xc000")

STATUS_LOGON_FAILURE (-1073741715 / 0xc000006d),
STATUS_WRONG_PASSWORD (-1073741718 / 0xc000006a)
Cause
  • The device can't connect to the Microsoft Entra authentication service.

  • The device received a 400 Bad Request HTTP error response from one of the following sources:

    • The Microsoft Entra authentication service
    • An endpoint for the WS-Trust protocol (required for federated authentication)
Solution
  • If the on-premises environment requires an outbound proxy, make sure that the computer account of the device can discover and silently authenticate to the outbound proxy.

  • Get the server error code and error description, and then go to the Common server error codes ("AADSTS" prefix) section to find the cause of that server error code and the solution details.

    In the Microsoft Entra operational logs, Event ID 1081 contains the server error code and error description if the error occurs in the Microsoft Entra authentication service. If the error occurs in a WS-Trust endpoint, the server error code and error description are found in Event ID 1088. In the Microsoft Entra analytic logs, the first instance of Event ID 1022 (that precedes operational Event IDs 1081 and 1088) contains the URL that's being accessed.

    To view Event IDs in the Microsoft Entra operational and analytic logs, refer to the Method 2: Use Event Viewer to examine Microsoft Entra analytic and operational logs section.

STATUS_REQUEST_NOT_ACCEPTED (-1073741616 / 0xc00000d0)
Cause

The device received a 400 Bad Request HTTP error response from one of the following sources:

  • The Microsoft Entra authentication service
  • An endpoint for the WS-Trust protocol (required for federated authentication)
Solution

Get the server error code and error description, and then go to the Common server error codes ("AADSTS" prefix) section to find the cause of that server error code and the solution details.

In the Microsoft Entra operational logs, Event ID 1081 contains the server error code and error description if the error occurs in the Microsoft Entra authentication service. If the error occurs in a WS-Trust endpoint, the server error code and error description are found in Event ID 1088. In the Microsoft Entra analytic logs, the first instance of Event ID 1022 (that precedes operational Event IDs 1081 and 1088) contains the URL that's being accessed.

To view Event IDs in the Microsoft Entra operational and analytic logs, refer to the Method 2: Use Event Viewer to examine Microsoft Entra analytic and operational logs section.

STATUS_NETWORK_UNREACHABLE (-1073741252 / 0xc000023c),
STATUS_BAD_NETWORK_PATH (-1073741634 / 0xc00000be),
STATUS_UNEXPECTED_NETWORK_ERROR (-1073741628 / 0xc00000c4)
Cause
  • The device received a 4xx HTTP error response from one of the following sources:

    • The Microsoft Entra authentication service
    • An endpoint for the WS-Trust protocol (required for federated authentication)
  • A network connectivity issue to a required endpoint exists.

Solution
  • Get the server error code and error description, and then go to the Common server error codes ("AADSTS" prefix) section to find the cause of that server error code and the solution details.

    In the Microsoft Entra operational logs, Event ID 1081 contains the server error code and error description if the error occurs in the Microsoft Entra authentication service. If the error occurs in a WS-Trust endpoint, the server error code and error description are found in Event ID 1088.

  • For a network connectivity issue, get the URL that's being accessed and the suberror code from the network stack. Event ID 1022 in the Microsoft Entra analytic logs contains the URL that's being accessed. Event ID 1084 in the Microsoft Entra operational logs contains the suberror code from the network stack.

To view Event IDs in the Microsoft Entra operational and analytic logs, refer to the Method 2: Use Event Viewer to examine Microsoft Entra analytic and operational logs section.

STATUS_NO_SUCH_LOGON_SESSION (-1073741729 / 0xc000005f)
Cause

The user realm discovery failed because the Microsoft Entra authentication service can't find the user's domain.

Solution

Common CloudAP plug-in error codes ("AAD_CLOUDAP_E_" prefix, codes that begin with "0xc004")

AAD_CLOUDAP_E_OAUTH_USERNAME_IS_MALFORMED (-1073445812 / 0xc004844c)
Cause

The UPN for the user isn't in the expected format. The UPN value varies according to the device type, as shown in the following table.

Device join type UPN value
Microsoft Entra joined devices The text that's entered when the user signs in
Microsoft Entra hybrid joined devices The UPN that the domain controller returns during the sign-in process
Solution
AAD_CLOUDAP_E_OAUTH_USER_SID_IS_EMPTY (-1073445822 / 0xc0048442)
Cause

The user security identifier (SID) is missing in the ID token that the Microsoft Entra authentication service returns.

Solution

Make sure that the network proxy doesn't interfere with or modify the server response.

AAD_CLOUDAP_E_WSTRUST_SAML_TOKENS_ARE_EMPTY (-1073445695 / 0xc00484c1 / 0x800484c1)
Cause

You received an error from the WS-Trust protocol endpoint (required for federated authentication).

Solution
AAD_CLOUDAP_E_HTTP_PASSWORD_URI_IS_EMPTY (-1073445749 / 0xc004848b)
Cause

The Metadata Exchange (MEX) endpoint is configured incorrectly. The MEX response doesn't contain any password URLs.

Solution
  • Make sure that the network proxy doesn't interfere with or modify the server response.

  • Fix the MEX configuration to return valid URLs in the response.

AAD_CLOUDAP_E_HTTP_CERTIFICATE_URI_IS_EMPTY (-1073445748 / 0xc004848c)
Cause

The Metadata Exchange (MEX) endpoint is configured incorrectly. The MEX response doesn't contain any certificate endpoint URLs.

Solution
  • Make sure that the network proxy doesn't interfere with or modify the server response.

  • Fix the MEX configuration in the identity provider to return valid certificate URLs in the response.

Common XML error codes (codes that begin with "0xc00c")

WC_E_DTDPROHIBITED (-1072894385 / 0xc00cee4f)
Cause

The XML response from the WS-Trust protocol endpoint (required for federated authentication) included a document type definition (DTD). The DTD isn't expected in the XML response, and response parsing fails if the DTD is included.

Solution

Common server error codes ("AADSTS" prefix)

You can find a full list and description of server error codes in Microsoft Entra authentication and authorization error codes.

AADSTS50155: Device authentication failed
Cause
Solution

Re-register the device based on the device join type. For instructions, see I disabled or deleted my device. But the local state on the device says it's still registered. What should I do?.

AADSTS50034: The user account <Account> does not exist in the <tenant-id> directory
Cause

Microsoft Entra ID can't find the user account in the tenant.

Solution
AADSTS50126: Error validating credentials due to invalid username or password
Cause
  • The user entered an incorrect username or password in the sign-in UI.

  • The password hasn't been synchronized to Microsoft Entra ID because of the following scenario:

    • The tenant has enabled password hash synchronization.
    • The device is a Microsoft Entra hybrid joined device.
    • The user recently changed the password.
Solution

To acquire a fresh PRT that has the new credentials, wait for the Microsoft Entra synchronization to finish.

Common network error codes ("ERROR_WINHTTP_" prefix)

You can find a full list and description of network error codes in Error messages (Winhttp.h).

ERROR_WINHTTP_TIMEOUT (12002),
ERROR_WINHTTP_NAME_NOT_RESOLVED (12007),
ERROR_WINHTTP_CANNOT_CONNECT (12029),
ERROR_WINHTTP_CONNECTION_ERROR (12030)
Cause

Common general network-related issues.

Solution
  • Get the URL that's being accessed. You can find the URL in Event ID 1084 of the Microsoft Entra operational log or Event ID 1022 of the Microsoft Entra analytic log.

    To view Event IDs in the Microsoft Entra operational and analytic logs, refer to the Method 2: Use Event Viewer to examine Microsoft Entra analytic and operational logs section.

  • If the on-premises environment requires an outbound proxy, make sure that the computer account of the device can discover and silently authenticate to the outbound proxy.

  • Collect network traces by following these steps:

    Important

    Don't use Fiddler during this procedure.

    1. Run the following netsh trace start command:

      netsh trace start scenario=InternetClient_dbg capture=yes persistent=yes
      
    2. Lock the device.

    3. If the device is a Microsoft Entra hybrid joined device, wait at least 60 seconds to let the PRT acquisition task finish.

    4. Unlock the device.

    5. Run the following netsh trace stop command:

      netsh trace stop
      

Step 4: Collect the logs and traces

Regular logs

  1. Download the Auth script archive, and extract the scripts into a local directory. If it's necessary, review the usage instructions in KB 4487175.

  2. Open an administrative PowerShell session, and change the current directory to the directory in which you saved the Auth scripts.

  3. To begin the error tracing session, enter the following command:

    .\Start-auth.ps1 -v -acceptEULA
    
  4. Switch the Windows user account to go to your problem user's session.

  5. Lock the device.

  6. If the device is a Microsoft Entra hybrid joined device, wait at least 60 seconds to let the PRT acquisition task finish.

  7. Unlock the device.

  8. Switch the Windows user account back to your administrative session that's running the tracing session.

  9. After you reproduce the issue, run the following command to end the tracing session:

    .\stop-auth.ps1
    
  10. Wait for all tracing to stop completely.

Time travel traces

The following procedure describes how to capture traces by using the Time Travel Debugging (TTD) feature.

Warning

Time travel traces contain personal data. In addition, Local Security Authority Subsystem Service (LSASS or lsass.exe) traces contain extremely sensitive information. When you handle these traces, make sure that you use best practices for the storage and sharing of this type of information.

  1. Select Start, enter cmd, locate and right-click Command Prompt in the search results, and then select Run as administrator.

  2. At the command prompt, create a temporary directory:

    mkdir c:\temp
    
  3. Run the following tasklist command:

    tasklist /m lsasrv.dll
    
  4. In the tasklist command output, find the process identifier (PID) of lsass.exe.

  5. To begin a tracing session of the lsass.exe process, run the following time travel debugging command (TTD.exe):

    TTD.exe -attach <lsass-pid> -out c:\temp
    
  6. Lock the device that's signed in under the domain account.

  7. Unlock the device.

  8. To end the time travel tracing session, run the following TTD command:

    TTD.exe -stop all
    
  9. Get the latest lsass##.run file.