AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 device

Question

AADSTS90019 when attempting automatic Azure AD registration of domain-joined Windows 10 device

I am attempting to set up automatic AAD join for Windows 10 as described here: https://azure.microsoft.com/en-gb/documentation/articles/active-directory-conditional-access-automatic-device-registration-setup/

We have two internal ADFS 3.0 servers (Server 2012R2). They are configured using Azure AD Connect for federation with Office 365 on four UPNs:

ad.dom1.com - this is the forest name, we only have a single forest
dom1.com - most users exist under this domain
dom2.com
dom3.com

The ADFS servers are exposed using a TCP-level load balancer on https://adfs.ad.dom1.dom, with a certificate signed by a public CA. The ADFS servers are not running the DRS, as we are intending to do that with Azure AD.

The federated authentication with Office 365 is successful for users created with any of those UPN suffixes, but only after having altered the third rule as described in https://blogs.technet.microsoft.com/abizerh/2013/02/05/supportmultipledomain-switch-when-managing-sso-to-office-365/

All of the prerequisite steps on the Azure article have been performed:

Set the service connection point
Executed Initialize-ADSyncDomainJoinedComputerSync
Ensured that first three federation rules in the article exist (they were created automatically by Azure AD Connect)
Ensured that Auth Method Claim Rule exists and executed Set-AdfsRelyingPartyTrust
Created the Group Policy

Additionally, the domains:

enterpriseregistration.dom1.com
enterpriseregistration.ad.dom1.com
enterpriseregistration.dom2.com
enterpriseregistration.dom3.com

Are all CNAMEs for enterpriseregistration.windows.net

However, while all other authentication seems to work fine, the automatic AADJ process fails on all existing Windows 10 Enterprise domain joined client machines. The following errors are present in the Microsoft/Windows/User Device Registration event log:

Event ID 305

Automatic registration failed at authentication phase.  Unable to acquire access token.  Exit code: Unspecified error. Server error: AdalMessage: GetStatus returned failure
AdalError: invalid_request
AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z
AdalErrorCode: 0xcaa90006
AdalCorrelationId: <uuid>
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
. Tenant Type: dom1.com

Event ID 304

Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0xcaa1000e. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: fed
tenantType: fed
tenantId: <uuid>
configLocation: undefined
errorPhase: auth
adalCorrelationId: <uuid>
adalLog: AdalLog:  HRESULT: 0xcaa1000e
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

adalLog: AdalLog:  HRESULT: 0xcaa1000e
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

adalResponseCode: 0xcaa1000e
.

dsregcmd.exe

Similar errors appear if I try to run C:\windows\system32\dsregcmd.exe /debug from a SYSTEM command prompt:

dsregcmd::wmain logging initialized.DsrCmdAccountMgr::IsDomainControllerAvailable DsGetDcName success { domain:ad.dom1.com forest:ad.dom1.com domainController:\\ldndc01.ad.dom1.com isDcAvailable:true }
PreJoinChecks Complete.
preCheckResult: Join
isPrivateKeyFound: undefined
isJoined: undefined
isDcAvailable: YES
isSystem: YES
keyProvider: undefined
keyContainer: undefined
dsrInstance: undefined
elapsedSeconds: 1
resultCode: 0x0
Automatic device join pre-check tasks completed.TenantInfo::Discover: tenant type detection, validating https://adfs.ad.dom1.com/adfs/ls/
TenantInfo::Discover: tenant type detection, checking match against https://login.microsoftonline.com
TenantInfo::Discover: tenant type detection, checking match against https://login.windows-ppe.net
TenantInfo::Discover: Join Info TenantType:Federated  AutoJoinEnabled:1 TenandID:<uuid> TenantName:dom1.com

DsrCmdSettings::GetSetting: The key was not found, so returning FALSE. Key: SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog:  HRESULT: 0xcaa20002
AdalLog:  HRESULT: 0xcaa90006
AdalMessage: GetStatus returned failure
AdalError: invalid_request
AdalErrorDesc: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z
AdalErrorCode: 0xcaa90006
AdalCorrelationId: {39AEBF80-8679-4A5A-86D3-409CB1A8D8EF}
AdalLog:  HRESULT: 0xcaa90006
AdalLog:  HRESULT: 0xcaa20002
AdalLog: Webrequest returns error code:invalid_request and error description:AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.
Trace ID: <uuid>
Correlation ID: <uuid>
Timestamp: 2016-11-14 12:30:28Z ; HRESULT: 0x0
AdalLog: Token response is not successfull. Status:400 ResponseText:{"error":"invalid_request","error_description":"AADSTS90019: No tenant-identifying information found in either the request or implied by any provided
credentials.\r\nTrace ID: <uuid>\r\nCorrelation ID: <uuid>\r\nTimestamp: 2016-11-14 12:30:28Z","error_codes":[90019],"timestamp":"2016-11-14 12:30:28Z","trace
_id":"<uuid>","correlation_id":"<uuid>"} ; HRESULT: 0x0
AdalLog: WebRequest Status:400 ; HRESULT: 0x0
AdalLog: Webrequest has valid state ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: Webrequest opening connection ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
AdalLog:  HRESULT: 0xcaa1000e
wmain: Unable to retrieve access token 0x80004005.
DSREGCMD_END_STATUS
        AzureAdJoined : NO
     EnterpriseJoined : NO

windows-server-2012-r2

microsoft-office-365

adfs

azure-active-directory

asked on Server Fault Nov 14, 2016 by

Cameron

2 Answers

I understand your frustration with this. I just spent about 20 hours troubleshooting problems with automatic AAD joining. I am running the latest version of AD Connect, and am running an ADFS farm on Server 2016. I did NOT let AD Connect configure my ADFS servers.

I had the exact same error. The issue was a missing ImmutableID claim. This link proved to be the best resource for setting up azure AD join: https://docs.microsoft.com/en-gb/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup

There is a script listed there to automatically add the necessary claim rules. Now that i practically understand this whole process inside and out, I can say that the script actually does work and adds the correct claims rules.

However, what is misleading is how to configure the couple of variables in the script. So, I thought I would clarify based on my learning, hopefully it will save somebody some time.

$MultipleVerifiedDomainNames: The description and name is both WRONG and MISLEADING. Set this to $TRUE only if you have MULTIPLE FEDERATED DOMAINS in your Office 365 tenant.
$immutableIDAlreadyIssuedforUsers: If the Immutable ID (Source Anchor) for your AD Connect synchronization does NOT use objectGUID then set this to $TRUE.
$oneOfVerifiedDomainNames: If you set $MultipleVerifiedDomainNames to $true, then set this to the Office 365 verified domain name that you want your devices to register to.

Do not change any other components of the script, and make sure you only run it once. If you need to run it again, you need to manually remove the added claims issuance rules from the RP trust or they will be duplicated.

Another very helpful thing to know when it comes to troubleshooting on Windows 10, use DSREGCMD. It has to run as SYSTEM so you'll need something like PSEXEC.

psexec -i -s cmd.exe

dsregcmd /debug

This will force an immediate registration to Azure, and report detailed information about the failure. During my testing, Windows 7 worked fine, but Windows 10 would not AD join. If the ImmutableID is the problem you'll see the error is: AADSTS90019: No tenant-identifying information found in either the request or implied by any provided credentials.

If, you included a verified domain when you shouldn't have or it's wrong you'll see: AADSTS50107: Requested federation realm object your specified domain does not exist.

answered on Server Fault Jul 18, 2017 by

Appleoddity

Firstly, please note that this process is called Automatic AAD registration or Automatic workplace join, not Automatic AAD join. AAD Join are different with AAD registration, that's a feature only for Win10 (professional or enterprise editions).

I have test this in my lab and successfully completed the automatic registration for my Server2012 R2 and Win10 machines to AAD via the MSI package & GPO. In the first scenario(via MSI package), the schedule task will be triggered when login through the user account which has been synced to AAD via AAD connect. After the task completed, you will find the devices have been registered to AAD and associated with that user.

In the second scenario via GPO, the event log showed that the Automatic Registration is completed and also I can see the machines in Azure AD portal.

For your issue, I think you can try to re-add claim rules($rule1~$rule3) on your ADFS server ahthough they are already existed. Also please ensure that the ADFS server in your environment is configured and worked correctly.

answered on Server Fault Nov 17, 2016 by

Jimmy Sun • edited Nov 17, 2016 by

Jimmy Sun

User contributions licensed under CC BY-SA 3.0