Windows 10 Hybrid Join Automatic registration failed

MJ 21 Reputation points
2021-02-08T06:52:00.347+00:00

Hello,

I am having trouble getting Windows 10 to Hybrid Join on startup. It is only working right now when the computer object is synchronised. Because the Windows 10 machine is a non-persistent VDI, it needs to join on startup. I am getting the error below. The ADFS server is in a remote domain with an external domain trust. The SCP is in place and the endpoints in ADFS are also enabled. Windows Authentication is enabled on the ADFS intranet. Because it is a multidomain ADFS, I was not able to let AD Connect configure it (https://video2.skills-academy.com/en-us/azure/active-directory/devices/hybrid-azuread-join-federated-domains). I must be missing something.

Automatic registration failed at authentication phase. Unable to acquire access token.
Exit code: Unknown HResult Error code: 0xcaa9002c
Tenant Name: MY valided Domain
Tenant Type: Federated
Server error:
AdalErrorCode: 0xcaa1000e
AdalCorrelationId: a4c3289b-06ba-40ba-9ee6-ddfef7681f5a
AdalLog: HRESULT: 0xcaa1000e
ADALUseWindowsAuthenticationTenant failed, unable to preform integrated auth
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0xcaa9002c
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::GetAppliesTo: using resource ID "urn:federation:MicrosoftOnline" for authority "https://login.microsoftonline.com/common". ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth- received realm info ; HRESULT: 0x0
AdalLog: HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
