workplace join (on-premises DRS) fails

  • Last Post 28 November 2015
ZJORZ posted this 26 November 2015

Hi,

I was configuring on-premises DRS in ADFSv3. DRS has been initialized in AD and enabled in ADFS. When workplace joining a win81 client I continuously get:

  • Event logs on the client and the ADFS server do not show any error.
  • Accessing a claims-based site from the win81 client works fine.
  • DNS is working OK.
  • The client trusts the CAs that issued the certs for ADFS.
  • The ADFS SSL certificate has the required Subject and SANs for the ADFS and enterprise registration FQDNs.
  • Tested the ADFS SSL cert with Certutil -url for AIA, CDP and OCSP access. All verified OK.

So, anyone have any ideas why it keeps throwing that error?

Kind regards, Jorge de Almeida Pinto

kevinrjames posted this 27 November 2015

ADFS not finding a 2012 R2 DC perhaps?  /kj 


ZJORZ posted this 27 November 2015

During restart of the ADFS or DRS service, the Debug log for DRS shows the enumeration of all kinds of details, including a DC for the domain the stuff is stored and registered in. It specifically mentions the FQDN of a DC.

Kind regards, Jorge de Almeida Pinto


matheesha posted this 28 November 2015

That is a general message and doesn't point to a specific cause. There are many potential causes.
Are you going via WAP to AD FS or to the AD FS direct? Are the OAuth endpoints listening and accessible on both WAP/AD FS (as applicable)? Is the DRS endpoint forcing MFA or just normal Windows integrated or forms-based auth alone?
Note if you have a farm of AD FS, the enable-adfsdeviceregistration must be done on all farm members.
You should configure Fiddler and see how far you get. You'll need to use the winconfig (enableloopback tool) within fiddler to allow the modern settings app to use Fiddler.
Then with HTTP decryption enabled see how far you get.
When working, enterpriseregistration.<upnsuffix> is accessed and from this the discovery service endpoint is found. Then it uses the OAuth endpoint to get an authorization code and finally get a token.
See how far you get in the process.
Hope that points you at the root cause. I don't hang on activedir.org much these days. Replies might be delayed.
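The flow described above (DNS for enterpriseregistration.<upnsuffix>, the TLS certificate, the discovery document, then the OAuth endpoints) can be pre-flighted from a client with the added script below; it is an example written for this thread, not code from any of the posters or from Microsoft. It assumes $UpnSuffix is the user's UPN suffix, that the client requests the discovery contract at /EnrollmentServer/Contract?api-version=1.2, and that the contract lists its registration and OAuth endpoints as https:// URLs.

```powershell
# Added example: preflight the on-premises DRS (workplace join) flow from a Windows 8.1 client.
# Assumptions: $UpnSuffix is the user's UPN suffix; the discovery path below is what the
# workplace-join client requests; the contract JSON advertises endpoints as https:// URLs.
param([Parameter(Mandatory)][string]$UpnSuffix)
$DrsHost = "enterpriseregistration.$UpnSuffix"

# 1. DNS: the client must resolve enterpriseregistration.<upnsuffix> to AD FS or the WAP.
$dns = Resolve-DnsName -Name $DrsHost -Type A -ErrorAction Stop
"DNS: $DrsHost -> $(@($dns | Where-Object { $_.IPAddress }).IPAddress -join ', ')"

# 2. TLS: the certificate presented on 443 must carry the DRS name in its SANs.
#    The callback only lets us read the certificate; chain trust is still enforced in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($DrsHost, 443)
$readOnly = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $readOnly)
$ssl.AuthenticateAsClient($DrsHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
"TLS: subject=$($cert.Subject) issuer=$($cert.Issuer)"
"SAN contains ${DrsHost}: $($san -match [regex]::Escape($DrsHost))"

# 3. Discovery: fetch the DRS contract (assumed path) and collect every endpoint it advertises.
$contractUrl = "https://$DrsHost/EnrollmentServer/Contract?api-version=1.2"
$contract = Invoke-WebRequest -Uri $contractUrl -UseBasicParsing -ErrorAction Stop
$endpoints = @([regex]::Matches($contract.Content, 'https://[^"\s]+') |
    ForEach-Object { $_.Value } | Sort-Object -Unique)
"Discovery: HTTP $($contract.StatusCode), $($endpoints.Count) endpoint(s) advertised"

# 4. Endpoints: each advertised URL (registration, OAuth authorize/token) should answer.
#    A 4xx on an unauthenticated GET still proves the listener is up behind WAP/AD FS;
#    a 5xx, a TLS failure or no answer at all is the finding to chase.
foreach ($url in $endpoints) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -ErrorAction Stop
        "  $url -> HTTP $($resp.StatusCode)"
    } catch {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        "  $url -> $code ($($_.Exception.Message))"
    }
}
```

Run it once against the WAP-facing name and once pointed directly at an AD FS farm member to tell a publishing problem from a farm-member problem.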

