larunner.blogg.se

Cannot log in to Azure AD joined computer

How do I use a Windows Logon Agent on an Azure AD-joined machine?

Prerequisites:

1. A machine that has been Azure Active Directory joined with your user account.
2. You have configured Office 365 federation with Passly.
3. You have an account in Passly that is connected to the AAD account.
4. The user account in Passly has a 2fa token registered (push or OTP – U2F is not compatible).
5. The user account in Passly has either a username or an alternate principal name of […].

[…] signing in to the machine you will need to enter the […]. […] is the domain Windows automatically maps the account to when setting up AAD join on the machine.

Your Passly account REQUIRES a username or an alternate principal name of […]; otherwise the WLA will not be able to map your account for 2fa. Since it is possible to set the Office 365 mapping to use an email address, the machine login and the Passly login may not match, which is when the alternate principal name would be required. The machine/WLA requires a full username […]; add an alternate principal name to the account in Passly […] log in to the machine using […] with your PASSLY password.

When the user changes their password in Passly, on the next machine login Azure AD reaches out to Passly to renegotiate authentication using the organization policy via the WS-Trust protocol with mixed credentials (the machine/AAD forward the username and password to Passly with the configured federation information). After that is successful, the OS stores the successful login info used. Depending on your organization policy (if it requires 2fa) you can experience double push notifications after you changed your password and are signing into your machine for the first time afterward.

  • I signed into the machine with the new password.
  • It stayed on "validating local credentials." for a while and sent me a push notification since my organization requires 2fa (this is the WS-Trust part).
  • After I accepted the 2fa push, it went onto the WLA part and sent me another push notification.
  • After I accepted the 2fa push I was logged into my machine.
  • Alternatively, I could have entered my new password followed by a comma and the 8-digit OTP in the mobile app.

If your only 2fa device is via U2F you will be unable to log in if your organization requires 2fa after changing your password. This is totally unintuitive but is ultimately all we can do, since federation is limited to the WS-Trust protocol in a machine logon scenario (Windows controls this behavior and we cannot override it unless we change how the WLA handles password validation). If you want to submit an OTP instead of receiving a 2fa push on your first login after changing your password, you must enter the password and the OTP both into the password field, separated by a comma.