Windows-Hello-for-Business

Unable to reset Windows Hello for Business PIN

Recently I have been troubleshooting a nasty Windows Hello for Business problem which prevented all users in a tenant from resetting their Windows Hello for Business PINs on Azure AD joined devices, while getting the error CAA20004.

Issue

When clicking on “I forgot my PIN”, after completing the account sign-in and MFA challenge, the error CAA20004 came up.

Troubleshooting

The Azure AD portal shows us “Failure reason: other”. Recording all the HTTPS traffic to Microsoft’s OAuth2 endpoint with Fiddler finally unveils usable information:

AADSTS65001: The user or administrator has not consented to use the application with ID '9115dd05-fad5-4f9c-acc7-305d08b1b04e' named 'Microsoft Pin Reset Client Production'. Send an interactive authorization request for this user and resource.

The error indicates that an application registration is missing in the tenant for the application “Microsoft Pin Reset Client Production”.

Solution

After a short search I found a matching Microsoft docs article. Instead of reading through the whole article, the only thing I needed to do was consenting to the Microsoft PIN Reset Service production application and also to the Microsoft PIN Reset Client production
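An added check, not from the original post, that uses the Microsoft Graph PowerShell SDK to see whether the tenant already holds service principals for the two PIN Reset applications; a missing service principal is what produces the AADSTS65001 consent error above. The Client app ID is the one captured in the Fiddler trace; the Service app ID is not given in the post and is left as a placeholder to be taken from the Microsoft docs article.

```powershell
# Added example (not code from the original post). Requires the Microsoft.Graph
# PowerShell SDK. Reads only; remediation is the tenant-wide admin consent the
# post describes.
$pinResetApps = @{
    'Microsoft PIN Reset Client Production'  = '9115dd05-fad5-4f9c-acc7-305d08b1b04e'   # from the trace above
    'Microsoft PIN Reset Service Production' = '<SERVICE-APP-ID-FROM-MICROSOFT-DOCS>'   # placeholder, not in the post
}

# Application.Read.All is enough to enumerate service principals.
Connect-MgGraph -Scopes 'Application.Read.All'

foreach ($entry in $pinResetApps.GetEnumerator()) {
    $name  = $entry.Key
    $appId = $entry.Value

    if ($appId -like '<*') {
        Write-Warning "$name : replace the placeholder app ID before running this check"
        continue
    }

    # A service principal for a first-party app only exists once consent was granted.
    $sp = Get-MgServicePrincipal -Filter "appId eq '$appId'" -ErrorAction SilentlyContinue

    if ($sp) {
        Write-Host "[OK]      $name ($appId) - service principal present, consent granted"
    } else {
        Write-Host "[MISSING] $name ($appId) - no service principal; grant tenant-wide admin consent"
    }
}
```

Run it before and after granting consent to confirm that both entries change from MISSING to OK.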

Mastering Windows Hello for Business with your hybrid Identity

I had the honor to deploy Windows Hello for Business several times for customers transitioning to a modern workplace using Azure AD and Microsoft Intune to manage their Windows 10 devices, combined with hybrid user identities. Now I want to share the most common hurdles and my experiences with you. Just to make sure that you have the modern mindset, here’s a little quote to reconsider your hybrid strategy (if not already done):

You don’t need a Hybrid Azure AD join for your Windows 10 devices. Be brave, don’t be afraid, and switch to an Azure AD join. It will simplify your device management and significantly reduce the complexity.

Why additional configuration is required

To access on-premises resources that rely on Active Directory (file shares, applications), Kerberos is used as the authentication protocol. If you have Azure AD Connect in place and a user signs in with his hybrid identity using a password on an Azure AD joined Windows 10 device, he automatically receives the required Kerberos tickets when he wants to access resources. But if the sign-in happens with Windows Hello for Business credentials (PIN, biometrics), the authentication flow gets interrupted, because neither the domain controller (if it’s not a Windows Server 2016 DC) nor the client can verify the integrity of the other.