AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 device
I understand your frustration with this. I just spent about 20 hours troubleshooting problems with automatic AAD joining. I am running the latest version of AD Connect, and am running an ADFS farm on Server 2016. I did NOT let AD Connect configure my ADFS servers.
I had the exact same error. The issue was a missing ImmutableID claim. This link proved to be the best resource for setting up Azure AD join: https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup
There is a script listed there to automatically add the necessary claim rules. Now that I practically understand this whole process inside and out, I can say that the script actually does work and adds the correct claim rules.
However, what is misleading is how to configure the couple of variables in the script. So, I thought I would clarify based on my learning; hopefully it will save somebody some time.
- $MultipleVerifiedDomainNames: The description and name are both WRONG and MISLEADING. Set this to $TRUE only if you have MULTIPLE FEDERATED DOMAINS in your Office 365 tenant.
- $immutableIDAlreadyIssuedforUsers: If the Immutable ID (Source Anchor) for your AD Connect synchronization does NOT use objectGUID then set this to $TRUE.
- $oneOfVerifiedDomainNames: If you set $MultipleVerifiedDomainNames to $true, then set this to the Office 365 verified domain name that you want your devices to register to.
Do not change any other components of the script, and make sure you only run it once. If you need to run it again, you need to manually remove the added claims issuance rules from the RP trust or they will be duplicated.
Another very helpful thing to know when it comes to troubleshooting on Windows 10: use DSREGCMD. It has to run as SYSTEM, so you'll need something like PSEXEC.
psexec -i -s cmd.exe
dsregcmd /debug
This will force an immediate registration to Azure, and report detailed information about the failure. During my testing, Windows 7 worked fine, but Windows 10 would not AD join. If the ImmutableID is the problem you'll see the error is: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
If you included a verified domain when you shouldn't have, or it's wrong, you'll see: AADSTS50107: Requested federation realm object your specified domain does not exist.
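As an added example (not code from the answer above or from Microsoft's claim-rule script), the following PowerShell turns the two AADSTS codes the answer describes into its diagnosis by reading the User Device Registration event log on the client, and then checks on the ADFS server that the Office 365 relying party trust actually issues ImmutableID and that no claim rule was added twice. The event log channel name and the relying party trust name are assumed defaults, not values taken from this post.

```powershell
# Added example, not code from the answer or from Microsoft's claim-rule script.
# Assumptions (not from this post): the event log is the default
# 'Microsoft-Windows-User Device Registration/Admin' channel, and the Office 365
# relying party trust carries the default name Azure AD Connect gives it.

# 1. Client side: read recent 304/305 events and map the AADSTS code to the answer's diagnosis.
$diagnosis = @{
    'AADSTS90019' = 'No tenant-identifying information: the ImmutableID claim is missing (check $immutableIDAlreadyIssuedforUsers and the claim rules).'
    'AADSTS50107' = 'Federation realm object does not exist: $oneOfVerifiedDomainNames was set when it should not be, or is wrong.'
}
$filter = @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 304, 305 }
$events = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $code = [regex]::Match($e.Message, 'AADSTS\d{5}').Value
    if (-not $code) { continue }
    $hint = if ($diagnosis.ContainsKey($code)) { $diagnosis[$code] } else { 'code not covered by the answer above' }
    '{0:u}  Event {1}  {2}: {3}' -f $e.TimeCreated, $e.Id, $code, $hint
}

# 2. ADFS side: confirm the ImmutableID claim is issued on the Office 365 trust and that
#    no rule name appears twice (the answer warns that re-running the script duplicates rules).
$rpName = 'Microsoft Office 365 Identity Platform'   # assumed default trust name
$rp = Get-AdfsRelyingPartyTrust -Name $rpName -ErrorAction SilentlyContinue
if (-not $rp) { "Relying party trust '$rpName' not found; run this part on an ADFS server."; return }
$rules = $rp.IssuanceTransformRules
# Every rule in the rule set ends in '=> issue(...)' or '=> add(...)'; @RuleName is optional.
$issued = [regex]::Matches($rules, '=>\s*(issue|add)\(').Count
$ruleNames = [regex]::Matches($rules, '@RuleName\s*=\s*"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
"Relying party '$rpName': $issued rule(s), $(@($ruleNames).Count) of them named."
if ($rules -notmatch 'ImmutableID') {
    'No rule references ImmutableID: this matches the AADSTS90019 case in the answer.'
}
$dupes = $ruleNames | Group-Object | Where-Object { $_.Count -gt 1 }
if ($dupes) {
    'Duplicate rule names (script run more than once?): ' + ($dupes.Name -join ', ')
}
```

Run the first part on the failing Windows 10 client and the second on an ADFS server with the ADFS module loaded; the rule-name duplicate check only helps if the rules carry @RuleName lines, which the docs script's rules do.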
Cameron
Updated on September 18, 2022
Comments
Cameron over 1 year
I am attempting to set up automatic AAD join for Windows 10 as described here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-conditional-access-automatic-device-registration-setup/
We have two internal ADFS 3.0 servers (Server 2012R2). They are configured using Azure AD Connect for federation with Office 365 on four UPNs:
- ad.dom1.com - this is the forest name, we only have a single forest
- dom1.com - most users exist under this domain
- dom2.com
- dom3.com
The ADFS servers are exposed using a TCP-level load balancer on https://adfs.ad.dom1.com, with a certificate signed by a public CA. The ADFS servers are not running the DRS, as we are intending to do that with Azure AD.
The federated authentication with Office 365 is successful for users created with any of those UPN suffixes, but only after having altered the third rule as described in https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-sso-to-office-365/
All of the prerequisite steps on the Azure article have been performed:
- Set the service connection point
- Executed Initialize-ADSyncDomainJoinedComputerSync
- Ensured that first three federation rules in the article exist (they were created automatically by Azure AD Connect)
- Ensured that Auth Method Claim Rule exists and executed Set-AdfsRelyingPartyTrust
- Created the Group Policy
Additionally, the domains:
- enterpriseregistration.dom1.com
- enterpriseregistration.ad.dom1.com
- enterpriseregistration.dom2.com
- enterpriseregistration.dom3.com
are all CNAMEs for enterpriseregistration.windows.net.
However, while all other authentication seems to work fine, the automatic AADJ process fails on all existing Windows 10 Enterprise domain joined client machines. The following errors are present in the Microsoft/Windows/User Device Registration event log:
Event ID 305
Automatic registration failed at authentication phase. Unable to acquire access token. Exit code: Unspecified error. Server error: AdalMessage: GetStatus returned failure AdalError: invalid_request AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z AdalErrorCode: 0xcaa90006 AdalCorrelationId: <uuid> AdalLog: HRESULT: 0xcaa90006 AdalLog: HRESULT: 0xcaa20002 AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0 AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":<uuid>"} ; HRESULT: 0x0 AdalLog: WebRequest Status:400 ; HRESULT: 0x0 AdalLog: Webrequest has valid state ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: Webrequest opening connection ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0 AdalLog: Authority validation is completed ; HRESULT: 0x0 AdalLog: Authority validation is enabled ; HRESULT: 0x0 AdalLog: Token is not available in the cache ; HRESULT: 0x0 . Tenant Type: dom1.com
Event ID 304
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0xcaa1000e. Server error: empty. Debug Output:\r\n joinMode: Join drsInstance: azure registrationType: fed tenantType: fed tenantId: <uuid> configLocation: undefined errorPhase: auth adalCorrelationId: <uuid> adalLog: AdalLog: HRESULT: 0xcaa1000e AdalLog: HRESULT: 0xcaa90006 AdalLog: HRESULT: 0xcaa20002 AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0 AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0 AdalLog: WebRequest Status:400 ; HRESULT: 0x0 AdalLog: Webrequest has valid state ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: Webrequest opening connection ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0 AdalLog: Authority validation is completed ; HRESULT: 0x0 AdalLog: Authority validation is enabled ; HRESULT: 0x0 AdalLog: Token is not available in the cache ; HRESULT: 0x0 adalLog: AdalLog: HRESULT: 0xcaa1000e AdalLog: HRESULT: 0xcaa90006 AdalLog: HRESULT: 0xcaa20002 AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0 AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0 AdalLog: WebRequest Status:400 ; HRESULT: 0x0 AdalLog: Webrequest has valid state ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: Webrequest opening connection ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0 AdalLog: Authority validation is completed ; HRESULT: 0x0 AdalLog: Authority validation is enabled ; HRESULT: 0x0 AdalLog: Token is not available in the cache ; HRESULT: 0x0 adalResponseCode: 0xcaa1000e .
dsregcmd.exe
Similar errors appear if I try to run C:\windows\system32\dsregcmd.exe /debug from a SYSTEM command prompt:
dsregcmd::wmain logging initialized.DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:ad.dom1.com forest:ad.dom1.com domainController:\\ldndc01.ad.dom1.com isDcAvailable:true } PreJoinChecks Complete. preCheckResult: Join isPrivateKeyFound: undefined isJoined: undefined isDcAvailable: YES isSystem: YES keyProvider: undefined keyContainer: undefined dsrInstance: undefined elapsedSeconds: 1 resultCode: 0x0 Automatic device join pre-check tasks completed.TenantInfo::Discover: tenant type detection, validating https://adfs.ad.dom1.com/adfs/ls/ TenantInfo::Discover: tenant type detection, checking match against https://login.microsoftonline.com TenantInfo::Discover: tenant type detection, checking match against https://login.windows-ppe.net TenantInfo::Discover: Join Info TenantType:Federated AutoJoinEnabled:1 TenandID:<uuid> TenantName:dom1.com DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ AdalLog: Token is not available in the cache ; HRESULT: 0x0 AdalLog: Authority validation is enabled ; HRESULT: 0x0 AdalLog: Authority validation is completed ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: Webrequest opening connection ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: Webrequest has valid state ; HRESULT: 0x0 AdalLog: WebRequest Status:400 ; HRESULT: 0x0 AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace _id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0 AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0 AdalLog: HRESULT: 0xcaa20002 AdalLog: HRESULT: 0xcaa90006 AdalMessage: GetStatus returned failure AdalError: invalid_request AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z AdalErrorCode: 0xcaa90006 AdalCorrelationId: {39AEBF80-8679-4A5A-86D3-409CB1A8D8EF} AdalLog: HRESULT: 0xcaa90006 AdalLog: HRESULT: 0xcaa20002 AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials. Trace ID: <uuid> Correlation ID: <uuid> Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0 AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace _id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0 AdalLog: WebRequest Status:400 ; HRESULT: 0x0 AdalLog: Webrequest has valid state ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: Webrequest opening connection ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0 AdalLog: HRESULT: 0x4aa90010 AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0 AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0 AdalLog: Authority validation is completed ; HRESULT: 0x0 AdalLog: Authority validation is enabled ; HRESULT: 0x0 AdalLog: Token is not available in the cache ; HRESULT: 0x0 AdalLog: HRESULT: 0xcaa1000e wmain: Unable to retrieve access token 0x80004005. DSREGCMD_END_STATUS AzureAdJoined : NO EnterpriseJoined : NO
maweeras over 7 years: Don't sanitize correlation id guids. They are necessary to view backend logs.