AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 device


I understand your frustration with this. I just spent about 20 hours troubleshooting problems with automatic AAD joining. I am running the latest version of AD Connect, and am running an ADFS farm on Server 2016. I did NOT let AD Connect configure my ADFS servers.

I had the exact same error. The issue was a missing ImmutableID claim. This link proved to be the best resource for setting up Azure AD join: https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

There is a script listed there to automatically add the necessary claim rules. Now that I practically understand this whole process inside and out, I can say that the script actually does work and adds the correct claim rules.

However, what is misleading is how to configure the couple of variables in the script. So, I thought I would clarify based on my learning, hopefully it will save somebody some time.

  • $MultipleVerifiedDomainNames: The description and name are both WRONG and MISLEADING. Set this to $TRUE only if you have MULTIPLE FEDERATED DOMAINS in your Office 365 tenant.
  • $immutableIDAlreadyIssuedforUsers: If the Immutable ID (Source Anchor) for your AD Connect synchronization does NOT use objectGUID then set this to $TRUE.
  • $oneOfVerifiedDomainNames: If you set $MultipleVerifiedDomainNames to $true, then set this to the Office 365 verified domain name that you want your devices to register to.

Do not change any other components of the script, and make sure you only run it once. If you need to run it again, you need to manually remove the added claim issuance rules from the RP trust or they will be duplicated.

Another very helpful thing to know when it comes to troubleshooting on Windows 10: use DSREGCMD. It has to run as SYSTEM, so you'll need something like PSEXEC.

psexec -i -s cmd.exe

dsregcmd /debug

This will force an immediate registration to Azure, and report detailed information about the failure. During my testing, Windows 7 worked fine, but Windows 10 would not AD join. If the ImmutableID is the problem you'll see the error is: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

If you included a verified domain when you shouldn't have, or it's wrong, you'll see: AADSTS50107: Requested federation realm object your specified domain does not exist.
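The two failure modes the answer describes (a missing ImmutableID claim, and a claim-rule set that was appended twice) can both be checked on the ADFS side before touching any client. The following PowerShell is an added example; it is neither the answer's code nor the script from the linked Microsoft article. It reads the Office 365 relying party trust, reports which of the claim types the article's device-registration rules issue are absent from the issue side of every rule, and lists rule names that occur more than once. It assumes the relying party trust still carries the default name Azure AD Connect gives it, and the optional source-anchor helper assumes the ADSync module on the Azure AD Connect server.

```powershell
# Added example, not code from the answer or from the linked Microsoft article.
# Run in an elevated PowerShell session on an ADFS server.
Import-Module ADFS -ErrorAction Stop

# Default name Azure AD Connect gives the Office 365 relying party trust (assumed unchanged).
$RpName = 'Microsoft Office 365 Identity Platform'

# Claim types the device-registration rules in the linked article issue for
# domain-joined computers (accounttype DJ, objectGUID, objectSID, ImmutableID)
# plus the authentication-method pass-through rule.
$RequiredClaims = [ordered]@{
    accounttype            = 'http://schemas.microsoft.com/ws/2012/01/accounttype'
    onpremobjectguid       = 'http://schemas.microsoft.com/identity/claims/onpremobjectguid'
    primarysid             = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid'
    ImmutableID            = 'http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID'
    authnmethodsreferences = 'http://schemas.microsoft.com/claims/authnmethodsreferences'
}

function Split-ClaimRules {
    # IssuanceTransformRules is a single string. Every rule ends with ';' and the
    # next one starts with @RuleTemplate or @RuleName, so split on that boundary.
    param([string]$RuleSet)
    if (-not $RuleSet) { return }
    [regex]::Split($RuleSet, ';\s*(?=@Rule|\z)') |
        Where-Object { $_.Trim() } |
        ForEach-Object {
            $name = if ($_ -match '@RuleName\s*=\s*"([^"]*)"') { $matches[1] } else { '<unnamed>' }
            # Only the part after '=>' issues claims; the conditions before it do not.
            $issued = ($_ -split '=>', 2)[-1]
            [pscustomobject]@{ Name = $name; Issued = $issued; Text = $_ }
        }
}

function Get-O365ClaimRuleReport {
    param([string]$Name = $RpName)
    $rp = Get-AdfsRelyingPartyTrust -Name $Name
    if (-not $rp) { throw "Relying party trust '$Name' not found." }
    $rules = @(Split-ClaimRules -RuleSet $rp.IssuanceTransformRules)

    # A rule name seen twice is the footprint of running the setup script twice.
    $duplicates = $rules | Group-Object Name | Where-Object Count -gt 1 | ForEach-Object Name

    # A required claim type that no rule issues; ImmutableID here is the AADSTS90019 case.
    $missing = foreach ($c in $RequiredClaims.GetEnumerator()) {
        if (-not ($rules | Where-Object { $_.Issued -like "*$($c.Value)*" })) { $c.Key }
    }

    [pscustomobject]@{
        RelyingParty   = $Name
        RuleNames      = @($rules.Name)
        DuplicateRules = @($duplicates)
        MissingClaims  = @($missing)
    }
}

function Get-ADSyncSourceAnchorAttribute {
    # Run this one on the Azure AD Connect server instead. It reports the AD attribute
    # that feeds sourceAnchor (ImmutableID), which the second script variable depends on.
    Import-Module ADSync -ErrorAction Stop
    (Get-ADSyncGlobalSettingsParameter |
        Where-Object Name -eq 'Microsoft.SynchronizationOption.AnchorAttribute').Value
}

Get-O365ClaimRuleReport | Format-List
```

Run the report before and after executing the article's script: a non-empty DuplicateRules list means the rule set must be cleaned up (Set-AdfsRelyingPartyTrust -IssuanceTransformRules with the corrected text) before the script is run again, and ImmutableID in MissingClaims is the condition the AADSTS90019 error above corresponds to.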



Author: Cameron

Full stack programmer (.NET, JavaScript, TypeScript, HTML5). Embedded development. Dev ops.

Updated on September 18, 2022

Comments

  • Cameron, over 1 year

    I am attempting to set up automatic AAD join for Windows 10 as described here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-conditional-access-automatic-device-registration-setup/

    We have two internal ADFS 3.0 servers (Server 2012R2). They are configured using Azure AD Connect for federation with Office 365 on four UPNs:

    • ad.dom1.com - this is the forest name, we only have a single forest
    • dom1.com - most users exist under this domain
    • dom2.com
    • dom3.com

    The ADFS servers are exposed using a TCP-level load balancer on https://adfs.ad.dom1.dom, with a certificate signed by a public CA. The ADFS servers are not running the DRS, as we are intending to do that with Azure AD.

    The federated authentication with Office 365 is successful for users created with any of those UPN suffixes, but only after having altered the third rule as described in https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-sso-to-office-365/

    All of the prerequisite steps on the Azure article have been performed:

    • Set the service connection point
    • Executed Initialize-ADSyncDomainJoinedComputerSync
    • Ensured that first three federation rules in the article exist (they were created automatically by Azure AD Connect)
    • Ensured that Auth Method Claim Rule exists and executed Set-AdfsRelyingPartyTrust
    • Created the Group Policy

    Additionally, the domains:

    • enterpriseregistration.dom1.com
    • enterpriseregistration.ad.dom1.com
    • enterpriseregistration.dom2.com
    • enterpriseregistration.dom3.com

    Are all CNAMEs for enterpriseregistration.windows.net

    However, while all other authentication seems to work fine, the automatic AADJ process fails on all existing Windows 10 Enterprise domain joined client machines. The following errors are present in the Microsoft/Windows/User Device Registration event log:

    Event ID 305

    Automatic registration failed at authentication phase.  Unable to acquire access token.  Exit code: Unspecified error. Server error: AdalMessage: GetStatus returned failure
    AdalError: invalid_request
    AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z
    AdalErrorCode: 0xcaa90006
    AdalCorrelationId: <uuid>
    AdalLog:  HRESULT: 0xcaa90006
    AdalLog:  HRESULT: 0xcaa20002
    AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
    AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":<uuid>"} ; HRESULT: 0x0
    AdalLog: WebRequest Status:400 ; HRESULT: 0x0
    AdalLog: Webrequest has valid state ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: Webrequest opening connection ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
    AdalLog: Authority validation is completed ; HRESULT: 0x0
    AdalLog: Authority validation is enabled ; HRESULT: 0x0
    AdalLog: Token is not available in the cache ; HRESULT: 0x0
    . Tenant Type: dom1.com
    

    Event ID 304

    Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0xcaa1000e. Server error: empty. Debug Output:\r\n joinMode: Join
    drsInstance: azure
    registrationType: fed
    tenantType: fed
    tenantId: <uuid>
    configLocation: undefined
    errorPhase: auth
    adalCorrelationId: <uuid>
    adalLog: AdalLog:  HRESULT: 0xcaa1000e
    AdalLog:  HRESULT: 0xcaa90006
    AdalLog:  HRESULT: 0xcaa20002
    AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
    AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
    AdalLog: WebRequest Status:400 ; HRESULT: 0x0
    AdalLog: Webrequest has valid state ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: Webrequest opening connection ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
    AdalLog: Authority validation is completed ; HRESULT: 0x0
    AdalLog: Authority validation is enabled ; HRESULT: 0x0
    AdalLog: Token is not available in the cache ; HRESULT: 0x0
    
    adalLog: AdalLog:  HRESULT: 0xcaa1000e
    AdalLog:  HRESULT: 0xcaa90006
    AdalLog:  HRESULT: 0xcaa20002
    AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
    AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
    AdalLog: WebRequest Status:400 ; HRESULT: 0x0
    AdalLog: Webrequest has valid state ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: Webrequest opening connection ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
    AdalLog: Authority validation is completed ; HRESULT: 0x0
    AdalLog: Authority validation is enabled ; HRESULT: 0x0
    AdalLog: Token is not available in the cache ; HRESULT: 0x0
    
    adalResponseCode: 0xcaa1000e
    .
    

    dsregcmd.exe

    Similar errors appear if I try to run C:\windows\system32\dsregcmd.exe /debug from a SYSTEM command prompt:

    dsregcmd::wmain logging initialized.DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:ad.dom1.com forest:ad.dom1.com domainController:\\ldndc01.ad.dom1.com isDcAvailable:true }
    PreJoinChecks Complete.
    preCheckResult: Join
    isPrivateKeyFound: undefined
    isJoined: undefined
    isDcAvailable: YES
    isSystem: YES
    keyProvider: undefined
    keyContainer: undefined
    dsrInstance: undefined
    elapsedSeconds: 1
    resultCode: 0x0
    Automatic device join pre-check tasks completed.TenantInfo::Discover: tenant type detection, validating https://adfs.ad.dom1.com/adfs/ls/
    TenantInfo::Discover: tenant type detection, checking match against https://login.microsoftonline.com
    TenantInfo::Discover: tenant type detection, checking match against https://login.windows-ppe.net
    TenantInfo::Discover: Join Info TenantType:Federated  AutoJoinEnabled:1 TenandID:<uuid> TenantName:dom1.com
    
    DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
    AdalLog: Token is not available in the cache ; HRESULT: 0x0
    AdalLog: Authority validation is enabled ; HRESULT: 0x0
    AdalLog: Authority validation is completed ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: Webrequest opening connection ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: Webrequest has valid state ; HRESULT: 0x0
    AdalLog: WebRequest Status:400 ; HRESULT: 0x0
    AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
    credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
    _id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
    AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
    AdalLog:  HRESULT: 0xcaa20002
    AdalLog:  HRESULT: 0xcaa90006
    AdalMessage: GetStatus returned failure
    AdalError: invalid_request
    AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z
    AdalErrorCode: 0xcaa90006
    AdalCorrelationId: {39AEBF80-8679-4A5A-86D3-409CB1A8D8EF}
    AdalLog:  HRESULT: 0xcaa90006
    AdalLog:  HRESULT: 0xcaa20002
    AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
    Trace ID: <uuid>
    Correlation ID: <uuid>
    Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
    AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
    credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
    _id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
    AdalLog: WebRequest Status:400 ; HRESULT: 0x0
    AdalLog: Webrequest has valid state ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: Webrequest opening connection ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
    AdalLog:  HRESULT: 0x4aa90010
    AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
    AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
    AdalLog: Authority validation is completed ; HRESULT: 0x0
    AdalLog: Authority validation is enabled ; HRESULT: 0x0
    AdalLog: Token is not available in the cache ; HRESULT: 0x0
    AdalLog:  HRESULT: 0xcaa1000e
    wmain: Unable to retrieve access token 0x80004005.
    DSREGCMD_END_STATUS
            AzureAdJoined : NO
         EnterpriseJoined : NO
    
    • maweeras, over 7 years
      Don't sanitize correlation id guids. They are necessary to view backend logs.
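The prerequisites the question lists (the Service Connection Point, the enterpriseregistration CNAMEs for every UPN suffix, and the state dsregcmd reports) can be verified from a domain-joined client before chasing the ADAL log. The PowerShell below is an added example written for this page; it is not code from the question, the answer, or Microsoft. It reads the SCP from the Configuration naming context with [ADSI], resolves each enterpriseregistration CNAME, and parses dsregcmd /status, which runs as a normal user (unlike the /debug run in the answer, which needs SYSTEM). The domain names are the question's placeholders and the SCP container GUID is the well-known one Initialize-ADSyncDomainJoinedComputerSync writes.

```powershell
# Added example, not code from the question or the answer.
# Run in PowerShell on a domain-joined Windows 10 client.

function Get-DeviceRegistrationScp {
    # The SCP lives under a well-known GUID container in the Configuration NC; its
    # keywords carry the tenant name and tenant ID the client uses for discovery.
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNc"
    try {
        $keywords = @(([ADSI]$path).keywords)
    } catch {
        return $null    # no SCP: the client cannot discover the tenant at all
    }
    [pscustomobject]@{
        TenantName = @($keywords -like 'azureADName:*')[0] -replace '^azureADName:'
        TenantId   = @($keywords -like 'azureADId:*')[0]   -replace '^azureADId:'
    }
}

function Test-EnterpriseRegistrationCname {
    # Each UPN suffix needs enterpriseregistration.<suffix> -> enterpriseregistration.windows.net
    param([Parameter(Mandatory)][string[]]$UpnSuffixes)
    foreach ($suffix in $UpnSuffixes) {
        $name  = "enterpriseregistration.$suffix"
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'CNAME' } | Select-Object -First 1
        $target = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }
        [pscustomobject]@{
            Name   = $name
            Target = $target
            Ok     = ($target -eq 'enterpriseregistration.windows.net')
        }
    }
}

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines (same keys as DSREGCMD_END_STATUS above).
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([\w-]+)\s*:\s*(.*?)\s*$') { $status[$matches[1]] = $matches[2] }
    }
    $status
}

function Test-AutoJoinPrerequisites {
    # Placeholder suffixes from the question; replace with the tenant's federated suffixes.
    param([string[]]$UpnSuffixes = @('ad.dom1.com', 'dom1.com', 'dom2.com', 'dom3.com'))
    $scp    = Get-DeviceRegistrationScp
    $status = Get-DsregStatus
    [pscustomobject]@{
        ScpTenantName = $scp.TenantName
        ScpTenantId   = $scp.TenantId
        Cnames        = @(Test-EnterpriseRegistrationCname -UpnSuffixes $UpnSuffixes)
        DomainJoined  = $status['DomainJoined']
        AzureAdJoined = $status['AzureAdJoined']
    }
}

Test-AutoJoinPrerequisites | Format-List
```

If ScpTenantName is empty the client never gets as far as token acquisition; if it is present but a CNAME row shows Ok = False, registration for that suffix will fail at discovery rather than at the ADFS claim stage, so the two cases are distinguishable before looking at the AADSTS codes in the event log.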