

Users aren't able to use FIDO2 security keys immediately after they create a hybrid Azure AD joined machine

After the domain-join and restart process on a clean install of a hybrid Azure AD joined machine, you must sign in with a password and wait for policy to synchronize before you can use a FIDO2 security key to sign in. To check the current status, use the dsregcmd /status command and check that both AzureAdJoined and DomainJoined show YES. This behavior is a known limitation for domain-joined devices, and isn't specific to FIDO2 security keys.

Users are unable to get SSO to my NTLM network resource after signing in with a FIDO2 security key and receiving a credential prompt

Make sure that enough DCs are patched to respond in time to service your resource request. To check if you can see a server that is running the feature, review the output of nltest /dsgetdc:<domain> /keylist /kdc. If you're able to see a DC with this feature, the user's password may have changed since they signed in, or there's another issue.

Users are unable to sign in using FIDO2 security keys as Windows Hello Face is too quick and is the default sign-in mechanism

Windows Hello Face is the intended best experience for a device where a user is enrolled. FIDO2 security keys are intended for use on shared devices or where Windows Hello for Business enrollment is a barrier. If Windows Hello Face prevents users from trying the FIDO2 security key sign-in scenario, they can turn off Hello Face sign-in by removing Face Enrollment in Settings > Sign-In Options.
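As an added example that is not part of the Microsoft documentation above, the following PowerShell script automates the two checks just described: it parses dsregcmd /status for the AzureAdJoined and DomainJoined fields, and queries nltest /dsgetdc:<domain> /keylist /kdc for a DC that advertises the feature. The function names, the -Domain parameter (defaulting to the session's DNS domain) and the text patterns matched against the tool output are assumptions of this example.

```powershell
# Added example, not from the Microsoft documentation: automates the dsregcmd and nltest
# checks from the known-issues list above. Function names, the -Domain parameter and the
# text patterns matched against tool output are assumptions of this example.

function Test-HybridJoinStatus {
    # dsregcmd /status prints lines such as "AzureAdJoined : YES" and "DomainJoined : YES"
    # once the device has completed hybrid Azure AD join and policy has synchronized.
    $result = [ordered]@{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $result[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    [pscustomobject]$result
}

function Test-KeyListDc {
    param(
        # Domain to query; the DNS domain of the current session is used when not supplied.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    # nltest /dsgetdc:<domain> /keylist /kdc asks the DC locator for a KDC that advertises
    # the feature. On success the output contains a "DC: \\<name>" line; on failure nltest
    # returns a non-zero exit code and a status message instead.
    $output = (nltest "/dsgetdc:$Domain" /keylist /kdc 2>&1 | ForEach-Object { "$_" }) -join "`n"
    $found  = ($LASTEXITCODE -eq 0) -and ($output -match 'DC:\s*\\\\(\S+)')
    [pscustomobject]@{
        Domain = $Domain
        Found  = $found
        DcName = if ($found) { $Matches[1] } else { $null }
        Raw    = $output
    }
}

function Get-Fido2SignInReadiness {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $join = Test-HybridJoinStatus
    $dc   = Test-KeyListDc -Domain $Domain
    $findings = @()
    if (-not ($join.AzureAdJoined -and $join.DomainJoined)) {
        # Matches the first known issue: join not finished, password sign-in and policy sync needed.
        $findings += "Device is not fully hybrid Azure AD joined (AzureAdJoined=$($join.AzureAdJoined), DomainJoined=$($join.DomainJoined)). Sign in with a password and wait for policy to synchronize."
    }
    if (-not $dc.Found) {
        # Matches the NTLM SSO issue: no DC running the feature answered the locator query.
        $findings += "No DC advertising /keylist /kdc was located for '$Domain'. Check that enough DCs are patched and reachable."
    } else {
        $findings += "DC with the feature found: $($dc.DcName). If NTLM SSO still prompts, the user's password may have changed since sign-in, or there is another issue."
    }
    [pscustomobject]@{
        AzureAdJoined = $join.AzureAdJoined
        DomainJoined  = $join.DomainJoined
        KeyListDc     = $dc.DcName
        Findings      = $findings
    }
}

# Usage: run on the affected device in the user's session.
Get-Fido2SignInReadiness | Format-List
```

The script only reads state (dsregcmd /status and the nltest locator query) and reports which of the known issues above applies; the Raw field on the nltest result keeps the full tool output so the flags line can be reviewed by hand when the pattern does not match.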

