{"id":633,"date":"2023-07-12T14:29:57","date_gmt":"2023-07-12T06:29:57","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=633"},"modified":"2023-12-18T11:26:26","modified_gmt":"2023-12-18T03:26:26","slug":"whfb-cloud-trust-sign-in-failure-0xc000006d","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/","title":{"rendered":"WHFB Cloud Trust Sign-in Failure | 0xc000006d"},"content":{"rendered":"\n

The symptom is receiving the error message “This sign-in option is temporarily unavailable” when trying to log in to the account. This error is actually a false error because the WHFB PIN Sign-in logic first attempts Cloud Trust. However, if Cloud Trust fails, it falls back to Key Trust. If we have not configured Key Trust, then it is not possible to authenticate using KDC certificates.<\/p>\n\n\n\n

\n\n\n\n

To examine the entire authentication process, check the kerberos.etl<\/strong> file in the Authlog package<\/a>:
Initially, if Cloud Trust is enabled, you will see that NGC Cloud Trust is enabled.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

According to the flow, we need to contact the AAD Kerberos Provider to obtain a Partial TGT. You can search for the keyword “mcticket.<\/strong>” If you find the field “using the McTicket to get TGT,<\/strong>” it means that the cloud-side TGT has been obtained, and you need to contact the local Kerberos provider to exchange it for TGT.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

However, the actual problem we encountered is as follows:<\/strong>
We found that we could locate the DC, and calling the KDC was successful. However, the redeeming of the AS_REP ticket was not successful.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

[KerbGetTicketGrantingTicketFromAsRepCallback_New] Failed to redeem AS_REP ticket (McTicket) for Hub TGT: 0xc000006d (STATUS_LOGON_FAILURE).<\/p>\n\n\n\n

Let’s start with the actual reason:<\/strong>
The KDC always performs a check to see if the RODC (AzureADKerberos)<\/strong> has the capability to cache the principal’s credentials, which determines if it can issue the TGT.<\/p>\n\n\n\n

Note that RODC does not cache the credentials itself; it only checks the user’s permissions to see if it has the qualifications to issue the TGT.<\/p>\n\n\n\n

\n\n\n\n

The actual problem we encountered is that the user has too many permissions, and the RODC cannot issue this TGT. The solution is actually documented in the FIDO2 Key documentation:
FAQs for hybrid FIDO2 security key deployment – Microsoft Entra | Microsoft Learn<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

So, how do we identify the this issue?<\/strong><\/p>\n\n\n\n

You need to capture the log script on each DC simultaneously and check on the client-side which DC is located. The following error represented the KDC cache ability check by the branch krbtgt.<\/p>\n\n\n\n

[2] 028C.0D10::09\/28\/22-13:47:27.5505718 [dll] gettgs_cxx8727 HandleTGSRequest() – Ruian.Ding
[2] 028C.0D10::09\/28\/22-13:47:27.5505722 [dll] gettgs_cxx8728 HandleTGSRequest() – Realm AD
[2] 028C.0D10::09\/28\/22-13:47:27.5505779 [commoniumsafe] tickets_cxx1254 KerbPackTicketEx() – KerbPackTicket: Using KeyVersion 0x41 and Algorithm 18 to encrypt ticket
[2] 028C.0D10::09\/28\/22-13:47:27.5505968 [commoniumsafe] tickets_cxx1857 I_GetASTicket() – KerbPackKdcReplyBody: KeyVersion 0x0 Algorithm 18 KerbErr 0x0
[2] 028C.0D10::09\/28\/22-13:47:27.5512652 [dll] tktutil_cxx8911 KdcEnforceRodcCachability() – TGT for user Ruian.Ding(0x376F) not cacheable by branch krbtgt_279(0x117)<\/strong>
[2] 028C.0D10::09\/28\/22-13:47:27.5512669 [dll] tktutil_cxx8309 KdcVerifyKdcRequest() – Decrypted ticket failed to verify: 0x14<\/strong>
[2] 028C.0D10::09\/28\/22-13:47:27.5512714 [dll] gettgs_cxx7883 HandleTGSRequest() – HandleTGSRequest KLIN(4041ecb) Failed to verify TGS request: 0x14<\/strong><\/p>\n\n\n\n

In the future, if you encounter errors related to 0x14<\/strong>, always check the roles assigned to the user. The solution is the same as mentioned in the FIDO2 key document:<\/p>\n\n\n\n

Get-ADPrincipalGroupMembership <Username> | select name<\/pre>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Remove the Domain Admins, Enterprise Admins, and Administrators roles. This way, the RODC can issue TGT to high-privileged users.<\/p>\n\n\n\n
\"\"<\/figure>\n","protected":false},"excerpt":{"rendered":"
The symptom is receiving the error message “This sign-in option is temporarily unavailable” when trying to log in to the account. This error is actually a false error because the WHFB PIN Sign-in logic first attempts Cloud Trust. However, if Cloud Trust fails, it falls back to Key Trust. If we have not configured Key […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[43],"tags":[],"class_list":["post-633","post","type-post","status-publish","format-standard","hentry","category-whfb"],"yoast_head":"\nWHFB Cloud Trust Sign-in Failure | 0xc000006d - \u6781\u7b80IT\uff5cSimpleIT<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"WHFB Cloud Trust Sign-in Failure | 0xc000006d - \u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"og:description\" content=\"The symptom is receiving the error message “This sign-in option is temporarily unavailable” when trying to log in to the account. This error is actually a false error because the WHFB PIN Sign-in logic first attempts Cloud Trust. However, if Cloud Trust fails, it falls back to Key Trust. If we have not configured Key […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\" \/>\n<meta property=\"og:site_name\" content=\"\u6781\u7b80IT\uff5cSimpleIT\" \/>\n<meta property=\"article:published_time\" content=\"2023-07-12T06:29:57+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-12-18T03:26:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png\" \/>\n<meta name=\"author\" content=\"Ruian Ding\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Ruian Ding\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\"},\"author\":{\"name\":\"Ruian Ding\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"headline\":\"WHFB Cloud Trust Sign-in Failure | 0xc000006d\",\"datePublished\":\"2023-07-12T06:29:57+00:00\",\"dateModified\":\"2023-12-18T03:26:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\"},\"wordCount\":511,\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png\",\"articleSection\":[\"WHFB\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\",\"name\":\"WHFB Cloud Trust Sign-in Failure | 0xc000006d - \u6781\u7b80IT\uff5cSimpleIT\",\"isPartOf\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png\",\"datePublished\":\"2023-07-12T06:29:57+00:00\",\"dateModified\":\"2023-12-18T03:26:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png\",\"width\":1088,\"height\":324},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.ruianding.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"WHFB Cloud Trust Sign-in Failure | 0xc000006d\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#website\",\"url\":\"https:\/\/www.ruianding.com\/blog\/\",\"name\":\"Ruian's Tech Troubleshooting Toolbox\",\"description\":\"Debug the World.\",\"publisher\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\"},\"alternateName\":\"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":[\"Person\",\"Organization\"],\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b\",\"name\":\"Ruian Ding\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"contentUrl\":\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png\",\"width\":284,\"height\":284,\"caption\":\"Ruian Ding\"},\"logo\":{\"@id\":\"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/\"},\"description\":\"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.\",\"sameAs\":[\"https:\/\/www.ruianding.com\"],\"url\":\"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"WHFB Cloud Trust Sign-in Failure | 0xc000006d - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/","og_locale":"en_US","og_type":"article","og_title":"WHFB Cloud Trust Sign-in Failure | 0xc000006d - \u6781\u7b80IT\uff5cSimpleIT","og_description":"The symptom is receiving the error message “This sign-in option is temporarily unavailable” when trying to log in to the account. This error is actually a false error because the WHFB PIN Sign-in logic first attempts Cloud Trust. However, if Cloud Trust fails, it falls back to Key Trust. If we have not configured Key […]","og_url":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-07-12T06:29:57+00:00","article_modified_time":"2023-12-18T03:26:26+00:00","og_image":[{"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png","type":"","width":"","height":""}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"WHFB Cloud Trust Sign-in Failure | 0xc000006d","datePublished":"2023-07-12T06:29:57+00:00","dateModified":"2023-12-18T03:26:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/"},"wordCount":511,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png","articleSection":["WHFB"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/","url":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/","name":"WHFB Cloud Trust Sign-in Failure | 0xc000006d - \u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png","datePublished":"2023-07-12T06:29:57+00:00","dateModified":"2023-12-18T03:26:26+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-46.png","width":1088,"height":324},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/whfb-cloud-trust-sign-in-failure-0xc000006d\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"WHFB Cloud Trust Sign-in Failure | 0xc000006d"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/633","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=633"}],"version-history":[{"count":10,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/633\/revisions"}],"predecessor-version":[{"id":1446,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/633\/revisions\/1446"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=633"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=633"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=633"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}