Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-05-22) Some Basic Steps For Troubleshooting PRTs

Posted by Jorge on 2019-05-22


In Windows 10 there are currently two PRTs:

  • The Azure AD Primary Refresh Token
  • The Enterprise Primary Refresh Token, a.k.a. the ADFS Primary Refresh Token

For both, the following troubleshooting steps apply when you are experiencing issues:

  • Always check the output of: DSREGCMD.EXE /STATUS
  • Event logs to check on the client:
    • “Applications And Services Logs\Microsoft\Windows\AAD\Operational” Event Log
    • “Applications And Services Logs\Microsoft\Windows\User Device Registration\Admin” Event Log
  • Any correlation ID in an event related to the error experienced on the client can most likely also be found on the server side in the corresponding event log. If the server side is AAD, you need Microsoft; if the server side is ADFS, you can check it yourself
  • Changing or resetting the password invalidates the current PRTs, and fresh ones are retrieved/generated
  • If a PRT is missing, a new attempt to retrieve one can be triggered by either logging off and on again, or locking and unlocking the session
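The steps above are easy to script. The following PowerShell is an added example, not code from the original post: it summarises the PRT state from DSREGCMD /STATUS and pulls recent errors and warnings, with their correlation IDs, out of the two event logs just named. It assumes the field names (AzureAdJoined, AzureAdPrt, EnterprisePrt, and their ExpiryTime counterparts) follow the "Key : Value" layout that dsregcmd prints, and should be run as the affected user so the SSO State section reflects that user.

```powershell
# Added example (not from the original post): summarise PRT state from
# DSREGCMD /STATUS and collect recent client-side errors, with their
# correlation IDs, from the AAD and User Device Registration event logs.
# Assumption: the field names below follow the "Key : Value" layout
# that dsregcmd prints; adjust them if your build prints them differently.

function Get-PrtStatus {
    $fields = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        # Keep only "Key : Value" lines; the first colon separates them.
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }
    [pscustomobject]@{
        AzureAdJoined           = $fields['AzureAdJoined']
        DomainJoined            = $fields['DomainJoined']
        AzureAdPrt              = $fields['AzureAdPrt']
        AzureAdPrtExpiryTime    = $fields['AzureAdPrtExpiryTime']
        EnterprisePrt           = $fields['EnterprisePrt']
        EnterprisePrtExpiryTime = $fields['EnterprisePrtExpiryTime']
    }
}

function Get-PrtErrorEvents {
    param([int]$Hours = 24)
    # Channel names in the form Get-WinEvent expects.
    $logs  = 'Microsoft-Windows-AAD/Operational',
             'Microsoft-Windows-User Device Registration/Admin'
    $since = (Get-Date).AddHours(-$Hours)
    $guid  = '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'
    foreach ($log in $logs) {
        # Level 2 = Error, 3 = Warning; SilentlyContinue hides "no events found".
        $filter = @{ LogName = $log; Level = 2, 3; StartTime = $since }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Correlation IDs are GUIDs embedded in the message text; these are
            # what to quote to Microsoft (AAD) or look up in the ADFS logs.
            $ids = [regex]::Matches([string]$_.Message, $guid) | ForEach-Object Value | Select-Object -Unique
            [pscustomobject]@{
                Time          = $_.TimeCreated
                Log           = $log
                EventId       = $_.Id
                CorrelationId = ($ids -join ',')
                Message       = ([string]$_.Message -split "`r?`n")[0]
            }
        }
    }
}

Get-PrtStatus | Format-List
Get-PrtErrorEvents -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```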

With this information you should have a good start at troubleshooting PRT-related issues, although it is not always easy!

Do not forget to also read Jairo’s blog post about how SSO works in Windows 10.

Enjoy and have fun!,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-

3 Responses to “(2019-05-22) Some Basic Steps For Troubleshooting PRTs”

  1. Fernan said

Hi there, thanks, it’s a very helpful article; there’s not much information about PRT in Microsoft KBs.

    We have a federated environment (devices are hybrid joined) and we’re getting some issues on a couple of users that won’t get a PRT.
    Checking on the device log it shows:

    DSREGCMD Status is showing:

    AzureADJoin: YES
    IsUserAzureAD: NO

    AAD operational Logs Showing the following:

    -Event 1104; AAD Cloud AP plugin call GenericCallPkg returned error: 0xC0048512
    -Event 1025; Http request status: 500. Method: POST Endpoint Uri: https://sts.mycorp.com/adfs/services/trust/13/usernamemixed Correlation ID:
    -Event 1088; WSTrust response error: FailedAuthentication Error description: ID3242: The security token could not be authenticated or authorized.

I’ve tried resetting the AD password, and checked that the ADFS endpoints are reachable; also a browser query to IdpInitiatedSignon is good, and entering username/password authenticates successfully.
    Also clearing the MS-Organization-P2P certificates for the user is not helping.

    Any ideas about this?

    Thank you


    • Jorge said

Hi,

      Things to check:
      * Do all users have issues, or only these users?
      * If those users log on to another Windows 10 machine, does it work then?
      * If other users log on to those Windows machines, does it work then?
      * Are all the required endpoints enabled on ADFS?
      WS-Trust Endpoint: AddressPath = /adfs/services/trust/mex
      WS-Trust Endpoint: AddressPath = /adfs/services/trust/2005/windowstransport
      WS-Trust Endpoint: AddressPath = /adfs/services/trust/13/windowstransport
      WS-Trust Endpoint: AddressPath = /adfs/services/trust/2005/usernamemixed
      WS-Trust Endpoint: AddressPath = /adfs/services/trust/13/usernamemixed

      If you are willing to send me the client logs through mail or some file sharing, then I could have a look at it if you want

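The endpoint check in the reply above can be done on a farm node with the ADFS PowerShell module. This is an added example, not part of Jorge’s reply: it assumes Get-AdfsEndpoint exposes the AddressPath, Enabled and Proxy properties, and reports each required WS-Trust endpoint as present, enabled and published through the Web Application Proxy. Whether Proxy must be True depends on whether the affected clients sit inside or outside the network, so it is reported but not required for the Ok column.

```powershell
# Added example (not from the original reply): on an ADFS server, report
# whether the WS-Trust endpoints a Windows 10 client needs for PRT
# retrieval are present and enabled. Assumes Get-AdfsEndpoint (ADFS
# module) with the AddressPath, Enabled and Proxy properties; run in an
# elevated session on a farm node.

$RequiredPrtEndpoints = @(
    '/adfs/services/trust/mex',
    '/adfs/services/trust/2005/windowstransport',
    '/adfs/services/trust/13/windowstransport',
    '/adfs/services/trust/2005/usernamemixed',
    '/adfs/services/trust/13/usernamemixed'
)

function Test-AdfsPrtEndpoints {
    param([string[]]$Paths = $RequiredPrtEndpoints)
    $all = Get-AdfsEndpoint
    foreach ($path in $Paths) {
        $ep      = $all | Where-Object { $_.AddressPath -eq $path } | Select-Object -First 1
        $present = $null -ne $ep
        [pscustomobject]@{
            AddressPath = $path
            Present     = $present
            Enabled     = $present -and [bool]$ep.Enabled
            # Proxy publication matters only for clients coming in via the WAP.
            Proxy       = $present -and [bool]$ep.Proxy
            Ok          = $present -and [bool]$ep.Enabled
        }
    }
}

# Anything with Ok = False is a missing or disabled endpoint to fix with
# Enable-AdfsEndpoint (and Set-AdfsEndpoint -Proxy $true if external
# clients must reach it).
Test-AdfsPrtEndpoints | Format-Table -AutoSize
```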

  2. fernand said

Hi Jorge, thanks for your support! I tried to contact Jairo C., with no luck.

    Actually there are just a couple of users with this issue, and I’ve seen that we have at least one case per month with this issue. Usually these cases end up in a rewave, but now this is not an option due to the OSS offices being closed per quarantine. I’m on the desktop engineering team, so I have no access to check the ADFS farm, but it’s generally working for all users (more than 100K).

    What we have checked:
    -Reset AD Password
    -Rejoin AD Computer Object
    -Unjoin/ReJoin Hybrid Device (Azure)
    -Delete Device in Azure Portal, and the Run HybridJoin Task again
    -Delete all content under “C:\ProgramData\Microsoft\Crypto\Keys”
-Delete Ms-Organization* Certificates Under User/Personal Store
    -Delete Ms-Organization* Certificates under LocalMachine/Personal Store
    -Browse IdpInitiatedSignon, successful

    What we have not tried:
    -Same User on diff machine (no way to reach that scenario as users are on remote)
    -Diff User on same machine
    -Fiddler to trace the traffic during join process

I can share more logs with you via mail; most of them are showing “WsTrust response error”.

    Any idea you have on this would help me a lot.

    Thanks, I appreciate your interest.
