Estou tentando configurar a associação automática do AAD para o Windows 10, conforme descrito aqui:
Temos dois servidores internos do ADFS 3.0 (Server 2012R2). Eles são configurados usando o Azure AD Connect para federação com o Office 365 em quatro UPNs:
- ad.dom1.com - este é o nome da floresta, só temos uma floresta
- dom1.com - a maioria dos usuários existe sob este domínio
- dom2.com
- dom3.com
Os servidores do ADFS são expostos usando um balanceador de carga no nível do TCP no link , com um certificado assinado por uma autoridade de certificação pública. Os servidores do ADFS não estão executando o DRS, já que pretendemos fazer isso com o Azure AD.
A autenticação federada com o Office 365 é bem-sucedida para usuários criados com qualquer um desses sufixos UPN, mas somente depois de ter alterado a terceira regra, conforme descrito em link
Todas as etapas de pré-requisito no artigo do Azure foram executadas:
- Defina o ponto de conexão de serviço
- Executado Initialize-ADSyncDomainJoinedComputerSync
- Assegure-se de que as três primeiras regras de federação existentes no artigo existam (elas foram criadas automaticamente pelo Azure AD Connect)
- Assegure-se de que Regra de reivindicação de método de autenticação exista e execute Set-AdfsRelyingPartyTrust
- criou a política de grupo
Além disso, os domínios:
- enterpriseregistration.dom1.com
- enterpriseregistration.ad.dom1.com
- enterpriseregistration.dom2.com
- enterpriseregistration.dom3.com
São todos os CNAMEs para enterpriseregistration.windows.net
No entanto, embora todas as outras autenticações pareçam funcionar bem, o processo automático do AADJ falha em todas as máquinas cliente associadas ao domínio do Windows 10 Enterprise existentes. Os seguintes erros estão presentes no registro de eventos Registro de dispositivos do usuário / Microsoft / Windows :
ID do evento 305
Automatic registration failed at authentication phase. Unable to acquire access token. Exit code: Unspecified error. Server error: AdalMessage: GetStatus returned failure
AdalError: invalid_request
AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z
AdalErrorCode: 0xcaa90006
AdalCorrelationId: <uuid>
AdalLog: HRESULT: 0xcaa90006
AdalLog: HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
. Tenant Type: dom1.com
ID do evento 304
Automatic registration failed at join phase. Exit code: Unknown HResult Error code: 0xcaa1000e. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: fed
tenantType: fed
tenantId: <uuid>
configLocation: undefined
errorPhase: auth
adalCorrelationId: <uuid>
adalLog: AdalLog: HRESULT: 0xcaa1000e
AdalLog: HRESULT: 0xcaa90006
AdalLog: HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
adalLog: AdalLog: HRESULT: 0xcaa1000e
AdalLog: HRESULT: 0xcaa90006
AdalLog: HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
adalResponseCode: 0xcaa1000e
.
dsregcmd.exe
Erros semelhantes aparecem se eu tentar executar C: \ windows \ system32 \ dsregcmd.exe / debug a partir de um prompt de comando SYSTEM:
dsregcmd::wmain logging initialized.DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:ad.dom1.com forest:ad.dom1.com domainController:\ldndc01.ad.dom1.com isDcAvailable:true }
PreJoinChecks Complete.
preCheckResult: Join
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 1
resultCode: 0x0
Automatic device join pre-check tasks completed.TenantInfo::Discover: tenant type detection, validating https://adfs.ad.dom1.com/adfs/ls/
TenantInfo::Discover: tenant type detection, checking match against https://login.microsoftonline.com
TenantInfo::Discover: tenant type detection, checking match against https://login.windows-ppe.net
TenantInfo::Discover: Join Info TenantType:Federated AutoJoinEnabled:1 TenandID:<uuid> TenantName:dom1.com
DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: HRESULT: 0xcaa20002
AdalLog: HRESULT: 0xcaa90006
AdalMessage: GetStatus returned failure
AdalError: invalid_request
AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z
AdalErrorCode: 0xcaa90006
AdalCorrelationId: {39AEBF80-8679-4A5A-86D3-409CB1A8D8EF}
AdalLog: HRESULT: 0xcaa90006
AdalLog: HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: HRESULT: 0xcaa1000e
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
AzureAdJoined : NO
EnterpriseJoined : NO