{"id":655,"date":"2023-07-12T15:35:00","date_gmt":"2023-07-12T07:35:00","guid":{"rendered":"https:\/\/www.ruianding.com\/blog\/?p=655"},"modified":"2023-08-31T01:49:56","modified_gmt":"2023-08-30T17:49:56","slug":"whfb-key-trust-sign-in-failure-0xc0000320","status":"publish","type":"post","link":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/","title":{"rendered":"WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320"},"content":{"rendered":"\n<p>Here&#8217;s the scenario: devices are enrolled in Intune, are Hybrid Azure AD joined, and have Windows Hello for Business enabled through the Intune endpoint policy. However, users are unable to sign in with their PIN.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-61.png\" alt=\"\" class=\"wp-image-657\" width=\"639\" height=\"311\"\/><\/figure>\n\n\n\n<p>We encountered a common error message: &#8220;This option is temporarily unavailable. For now, please use a different method to sign in.&#8221; This message usually means that the user&#8217;s Windows Hello public key has not yet been written back (by Azure AD Connect) to the on-premises user object&#8217;s msDS-KeyCredentialLink attribute. 
However, even after verifying that this attribute had been populated, the issue persisted.<\/p>\n\n\n\n<p>After analyzing the authentication logs, we found that the cause was a missing KDC certificate on the domain controller. On the client the corresponding status is 0xC0000320 (STATUS_PKINIT_FAILURE): the Kerberos client could not validate a KDC certificate during the PKINIT exchange.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-62.png\" alt=\"\" class=\"wp-image-658\" width=\"691\" height=\"267\"\/><\/figure>\n\n\n\n<p>We confirmed that a KDC certificate had never been issued. Intune only turns on the Windows Hello for Business policy, which is equivalent to enabling it through Group Policy; it does nothing to prepare the on-premises PKI or the domain controllers.<\/p>\n\n\n\n<p>Hybrid key trust still requires our enterprise CA to issue each domain controller a certificate from the Kerberos Authentication template, so that clients can complete Kerberos (PKINIT) authentication against on-premises Active Directory.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-text-color has-cyan-bluish-gray-color has-alpha-channel-opacity has-cyan-bluish-gray-background-color has-background\"\/>\n\n\n\n<p>We can follow the steps in the following document to configure the KDC certificate on our DCs (we use key trust for now): <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-hybrid-key-trust\">Windows Hello for Business hybrid key trust deployment &#8211; Windows Security | Microsoft Learn<\/a><\/p>\n\n\n\n<p><strong>Our sign-in process is stuck at the third step shown in the following diagram:<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-60.png\" alt=\"\" class=\"wp-image-656\" width=\"657\" height=\"566\"\/><\/figure>\n\n\n\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-how-it-works-authentication#hybrid-azure-ad-join-authentication-using-a-key\">How 
Windows Hello for Business authentication works &#8211; Windows Security | Microsoft Learn<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Here&#8217;s the scenario: devices are enrolled in Intune, are Hybrid Azure AD joined, and have Windows Hello for Business enabled through the Intune endpoint policy. However, users are unable to sign in with their PIN. We encountered a common error message: &#8220;This option is temporarily unavailable. For now, please use a different [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_themeisle_gutenberg_block_has_review":false,"footnotes":""},"categories":[43],"tags":[6,28,21],"class_list":["post-655","post","type-post","status-publish","format-standard","hentry","category-whfb","tag-drs","tag-pki","tag-whfb"],"yoast_head_json":{"title":"WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320 - \u6781\u7b80IT\uff5cSimpleIT","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/","og_locale":"en_US","og_type":"article","og_title":"WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320 - \u6781\u7b80IT\uff5cSimpleIT","og_description":"Here&#8217;s the scenario: devices are enrolled in Intune, are Hybrid Azure AD joined, and have Windows Hello for Business enabled through the Intune endpoint policy. However, users are unable to sign in with their PIN. We encountered a common error message: &#8220;This option is temporarily unavailable. 
For now, please use a different [&hellip;]","og_url":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/","og_site_name":"\u6781\u7b80IT\uff5cSimpleIT","article_published_time":"2023-07-12T07:35:00+00:00","article_modified_time":"2023-08-30T17:49:56+00:00","og_image":[{"url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-61.png","type":"","width":"","height":""}],"author":"Ruian Ding","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Ruian Ding","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#article","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/"},"author":{"name":"Ruian Ding","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"headline":"WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320","datePublished":"2023-07-12T07:35:00+00:00","dateModified":"2023-08-30T17:49:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/"},"wordCount":240,"publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-61.png","keywords":["DRS","PKI","WHFB"],"articleSection":["WHFB"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/","url":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/","name":"WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320 - 
\u6781\u7b80IT\uff5cSimpleIT","isPartOf":{"@id":"https:\/\/www.ruianding.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#primaryimage"},"image":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#primaryimage"},"thumbnailUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-61.png","datePublished":"2023-07-12T07:35:00+00:00","dateModified":"2023-08-30T17:49:56+00:00","breadcrumb":{"@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#primaryimage","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-61.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/07\/image-61.png","width":1889,"height":921},{"@type":"BreadcrumbList","@id":"https:\/\/www.ruianding.com\/blog\/whfb-key-trust-sign-in-failure-0xc0000320\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.ruianding.com\/blog\/"},{"@type":"ListItem","position":2,"name":"WHFB Key Trust Sign-in Failure | Missing KDC Certificate 0xc0000320"}]},{"@type":"WebSite","@id":"https:\/\/www.ruianding.com\/blog\/#website","url":"https:\/\/www.ruianding.com\/blog\/","name":"Ruian's Tech Troubleshooting Toolbox","description":"Debug the 
World.","publisher":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b"},"alternateName":"\u4e01\u777f\u5b89\u7684\u6280\u672f\u5206\u4eab\u535a\u5ba2","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.ruianding.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":["Person","Organization"],"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/440d88575b7dc819a4cefc8c4199db3b","name":"Ruian Ding","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","contentUrl":"https:\/\/www.ruianding.com\/blog\/wp-content\/uploads\/2023\/05\/logo.png","width":284,"height":284,"caption":"Ruian Ding"},"logo":{"@id":"https:\/\/www.ruianding.com\/blog\/#\/schema\/person\/image\/"},"description":"I am currently a Support Specialist at NIO, focusing on cloud-related issues for NIO Power. Previously, at Microsoft Entra ID, I specialized in identity and access management (IAM), including device registration, Windows Hello for Business (WHfB), multi-factor authentication (MFA), and single sign-on (SSO). In addition to my core expertise, I have a strong foundation in Active Directory, Servers, Cloud Computing, Network Administration, and Front-end Web Development. 
This diverse technical skill set enables me to effectively handle a wide range of challenges in a fast-paced IT environment.","sameAs":["https:\/\/www.ruianding.com"],"url":"https:\/\/www.ruianding.com\/blog\/author\/ruiand\/"}]}},"_links":{"self":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/655","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/comments?post=655"}],"version-history":[{"count":2,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/655\/revisions"}],"predecessor-version":[{"id":661,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/posts\/655\/revisions\/661"}],"wp:attachment":[{"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/media?parent=655"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/categories?post=655"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ruianding.com\/blog\/wp-json\/wp\/v2\/tags?post=655"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
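As an added example (not code from the original post), the following PowerShell script, run on a domain controller, performs the two checks the post walks through, in the order the post did them: first whether the user's msDS-KeyCredentialLink attribute has been populated, then whether the DC holds a certificate with the KDC Authentication EKU that is time-valid, chains to a trusted root, has its private key and names the DC in its SAN. If no usable certificate is found it pulls the KDC's own events from the System log and, with -RequestIfMissing, enrols one from the enterprise CA. Assumptions not taken from the post: the template's internal name KerberosAuthentication, the KDC event IDs 19 and 29 used for corroboration, that the SAN formats as "DNS Name=..." on an English-locale system, and that the ActiveDirectory and PKI PowerShell modules are present on the DC.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic for the hybrid key trust failure discussed in the post; not the post's own code.
# Run it ON a domain controller. 'KerberosAuthentication' (template name) and event IDs 19/29
# are assumptions, see the lead-in.
param(
    [Parameter(Mandatory)][string]$UserName,   # sAMAccountName of the user whose PIN sign-in fails
    [switch]$RequestIfMissing                  # enrol a KDC certificate from the enterprise CA if none is found
)
Import-Module ActiveDirectory -ErrorAction Stop

$KdcAuthEku = '1.3.6.1.5.2.3.5'   # id-pkinit-KPKdc: the EKU the KDC must present during PKINIT
$ipg    = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$dcFqdn = "$($ipg.HostName).$($ipg.DomainName)"
$domain = $ipg.DomainName

function Get-KdcCertificate {
    # Machine certificates that carry the KDC Authentication EKU (OID 2.5.29.37 is the EKU extension).
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $eku = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $KdcAuthEku })
    }
}

function Test-KdcCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    # The checks a client performs on the KDC certificate during PKINIT: time validity, a chain to
    # a trusted root, and a SAN naming this DC (and the domain). The private key signs the KDC reply.
    $san     = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }   # "DNS Name=dc01.corp.example, DNS Name=corp.example" (assumed English locale)
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        TimeValid     = ($Cert.NotBefore -le (Get-Date)) -and ($Cert.NotAfter -gt (Get-Date))
        ChainValid    = $Cert.Verify()
        HasPrivateKey = $Cert.HasPrivateKey
        SanHasDc      = $sanText -like "*DNS Name=$dcFqdn*"
        SanHasDomain  = $sanText -like "*DNS Name=$domain*"
    }
}

# 1. Is the user's WHfB public key in AD at all? An empty msDS-KeyCredentialLink means the key has
#    not been written back yet, which is the usual cause of the "temporarily unavailable" message.
$user     = Get-ADUser -Identity $UserName -Properties 'msDS-KeyCredentialLink'
$keyCount = @($user.'msDS-KeyCredentialLink').Count
'[{0}] msDS-KeyCredentialLink values for {1}: {2}' -f $(if ($keyCount) { 'OK' } else { 'FAIL' }), $UserName, $keyCount

# 2. Does this DC hold a KDC certificate a client will accept? This is the check the post's
#    environment failed: the key was present but the DC had no certificate at all.
$results = Get-KdcCertificate | ForEach-Object { Test-KdcCertificate $_ }
$usable  = $results | Where-Object { $_.TimeValid -and $_.ChainValid -and $_.HasPrivateKey -and $_.SanHasDc }
if ($usable) {
    "[OK] usable KDC certificate(s) on $dcFqdn"
    $usable | Format-Table Thumbprint, Subject, NotAfter -AutoSize
} else {
    "[FAIL] no usable KDC certificate on $dcFqdn; key trust PIN sign-in will fail with 0xC0000320"
    if ($results) { $results | Format-Table Thumbprint, TimeValid, ChainValid, HasPrivateKey, SanHasDc -AutoSize }

    # 3. Corroborate with the KDC's own System-log complaint (IDs 19 and 29 assumed to be the
    #    "cannot find a suitable certificate for smart card logon" events).
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'; Id = 19, 29 } -MaxEvents 3 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List

    # 4. Fix: enrol from the Kerberos Authentication template (assumed template name; it must be
    #    published on the enterprise CA with Enroll granted to Domain Controllers) and re-test.
    if ($RequestIfMissing) {
        Get-Certificate -Template 'KerberosAuthentication' -CertStoreLocation 'Cert:\LocalMachine\My' -ErrorAction Stop |
            Select-Object -ExpandProperty Certificate | ForEach-Object { Test-KdcCertificate $_ }
    }
}
```

Save it as, for example, Test-KeyTrustPrereqs.ps1 and run `.\Test-KeyTrustPrereqs.ps1 -UserName jdoe` on each DC; add `-RequestIfMissing` once the template is published on the CA. The SAN check matters because a certificate with the right EKU but no DNS name for the DC still fails PKINIT validation on the client, so "has a KDC cert" alone is not a sufficient test.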