
Azure AD Hybrid Join Stopped working


Scott80

Question

Hi,

 

We have several published app servers running Server 2016 with Virtual Apps and Desktops 1912 CU6 VDA installed.

These VMs are provisioned using Citrix MCS, are joined to our on-prem domain and are also hybrid Azure AD joined. Back in November the hybrid Azure AD join stopped working correctly. It now works intermittently.

The VMs are set up to run dsregcmd /join as the SYSTEM user as part of startup. This is set by GPO on the server. However, this sometimes fails, so when the VM reboots it is no longer Azure AD joined, which gives our users problems with MS Office applications.

When the join fails I see 2 errors in the User Device Registration/Admin event log, Event ID 304 and Event ID 305; details of these are below. When I get these failures I am normally able to run dsregcmd /join manually myself (as SYSTEM) and the join succeeds. I do sometimes still get failures, which are resolved by running a /leave, waiting a couple of minutes and then running /join.

I have ensured the gold image VMs are not registered in Azure AD. I have been through the steps in https://desktopsurgery.com/2021/02/13/to-hell-and-back-with-hybrid-ad-join-for-vdi/. We also have Windows 10 VMs which do not have any problem with the /join.

Has anyone else experienced this? Any ideas? The system we have worked successfully for over 1 year, then suddenly the joins started failing.


Event 305
Automatic registration failed at authentication phase.  Unable to acquire access token.  Exit code: Unspecified error. Server error: AdalMessage: ADALUseWindowsAuthenticationTenant failed,  unable to preform integrated auth
AdalError: authentication_failed
AdalErrorDesc: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Service Unavailable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Service Unavailable</h2>
<hr><p>HTTP Error 503. The service is unavailable.</p>
</BODY></HTML>

AdalErrorCode: 0xcaa301f7
AdalCorrelationId: {878C092E-9AAA-486A-8223-C49BCA04F730}
AdalLog: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Service Unavailable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Service Unavailable</h2>
<hr><p>HTTP Error 503. The service is unavailable.</p>
</BODY></HTML>
; HRESULT: 0xcaa301f7
AdalLog:  HRESULT: 0xcaa9002b
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0
. Tenant Type: xxx.xxx.com

 

Event 304
Automatic registration failed at join phase.  Exit code: Unknown HResult Error code: 0xcaa1000e. Server error: empty. Debug Output:\r\n joinMode: Join
drsInstance: azure
registrationType: fed
tenantType: fed
tenantId: xxx
configLocation: undefined
errorPhase: auth
adalCorrelationId: {878C092E-9AAA-486A-8223-C49BCA04F730}
adalLog: AdalLog:  HRESULT: 0xcaa1000e
AdalLog: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Service Unavailable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Service Unavailable</h2>
<hr><p>HTTP Error 503. The service is unavailable.</p>
</BODY></HTML>
; HRESULT: 0xcaa301f7
AdalLog:  HRESULT: 0xcaa9002b
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

adalLog: AdalLog:  HRESULT: 0xcaa1000e
AdalLog: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Service Unavailable</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Service Unavailable</h2>
<hr><p>HTTP Error 503. The service is unavailable.</p>
</BODY></HTML>
; HRESULT: 0xcaa301f7
AdalLog:  HRESULT: 0xcaa9002b
AdalLog:  HRESULT: 0x4aa90010
AdalLog: AggregatedTokenRequest::UseWindowsIntegratedAuth w Tenant ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- returns false ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken- refresh token is not available ; HRESULT: 0x0
AdalLog: AggregatedTokenRequest::AcquireToken get refresh token info ; HRESULT: 0x0
AdalLog: Authority validation is completed ; HRESULT: 0x0
AdalLog: Authority validation is enabled ; HRESULT: 0x0
AdalLog: Token is not available in the cache ; HRESULT: 0x0

adalResponseCode: 0xcaa1000e

Thanks

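The startup-join design the question describes can be checked from the machine itself. The following PowerShell is an added example and not code from the original post: it parses dsregcmd /status, lists any Event ID 304/305 failures from the User Device Registration/Admin log named above, and applies the /leave, wait, /join sequence the poster reports as the working remedy only when the device is actually out of the hybrid-joined state. It assumes it runs as SYSTEM (or elevated); the 24-hour log window and the 120-second delay are arbitrary values chosen for illustration.

```powershell
# Added example (not from the original post): hybrid-join health check for a
# non-persistent VDA. Assumes it runs as SYSTEM or elevated, e.g. from the
# startup task the question describes. Log window and delays are arbitrary.

function Get-DsregStatus {
    # Turn the "  Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Test-HybridJoinHealthy {
    # A hybrid Azure AD joined device reports both flags as YES.
    $s = Get-DsregStatus
    return ($s['DomainJoined'] -eq 'YES' -and $s['AzureAdJoined'] -eq 'YES')
}

function Get-RegistrationFailures {
    param([int]$Hours = 24)
    # 304 = automatic registration failed at join phase,
    # 305 = automatic registration failed at authentication phase.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-User Device Registration/Admin'
        Id        = 304, 305
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

function Repair-HybridJoin {
    param([int]$LeaveJoinDelaySeconds = 120)
    if (Test-HybridJoinHealthy) {
        Write-Output 'Hybrid Azure AD join is healthy; nothing to do.'
        return $true
    }
    foreach ($evt in (Get-RegistrationFailures)) {
        # The first line of the message carries the phase and exit code;
        # the HTML "Service Unavailable" body seen in the question follows it.
        $firstLine = ($evt.Message -split "`r?`n")[0]
        Write-Warning ("{0:u} Event {1}: {2}" -f $evt.TimeCreated, $evt.Id, $firstLine)
    }
    # The remedy the poster reports working: leave, wait, then join again.
    & dsregcmd.exe /leave | Out-Null
    Start-Sleep -Seconds $LeaveJoinDelaySeconds
    & dsregcmd.exe /join | Out-Null
    Start-Sleep -Seconds 30   # registration completes asynchronously
    return (Test-HybridJoinHealthy)
}

Repair-HybridJoin
```

Run it from the same SYSTEM context as the startup task, since dsregcmd /join and /leave must run as SYSTEM on a hybrid-joined machine; the returned boolean is the thing to log or alert on, and the warnings give the 304/305 exit codes without the HTML noise.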

1 answer to this question


Here is my process for Workspace Join. Every environment I have deployed this in has executed without any issues.

1. Add the Tenant ID and Tenant Name in the registry directly, or via GPO.

2. Modify the Workspace Join to add a Startup Trigger along with the existing login triggers.

3. Create a machine sealing script or process to run a dsregcmd /leave command on your master image before deploying it to your non-persistent machines.

4. Make sure you don't use any form of OU sync for machine accounts you are managing via this process.

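Steps 1 to 3 of the process above, as an added PowerShell example that is not the answerer's own script. It assumes the "Workspace Join" task the answer refers to is the built-in Automatic-Device-Join task under \Microsoft\Windows\Workplace Join\, uses the TenantId and TenantName values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD that Microsoft documents for client-side tenant discovery, and treats the tenant values and the 2-minute boot delay as placeholders. Step 4 (no OU sync of these computer accounts) is an Azure AD Connect configuration choice rather than something a script on the image can enforce.

```powershell
# Added example (not the answerer's script): steps 1-3 of the process above,
# run on the master image. Assumptions: the answer's "Workspace Join" task is
# the built-in Workplace Join\Automatic-Device-Join task; tenant values are
# placeholders; the PT2M boot delay is an arbitrary choice.
param(
    [string]$TenantId   = '00000000-0000-0000-0000-000000000000',  # placeholder GUID
    [string]$TenantName = 'contoso.onmicrosoft.com'                 # placeholder name
)

# Step 1: pin tenant discovery in the registry so the client does not depend
# on an SCP lookup at boot.
function Set-TenantRegistration {
    param([string]$Id, [string]$Name)
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\CDJ\AAD'
    New-Item -Path $key -Force | Out-Null
    Set-ItemProperty -Path $key -Name 'TenantId'   -Value $Id   -Type String
    Set-ItemProperty -Path $key -Name 'TenantName' -Value $Name -Type String
}

# Step 2: add a startup trigger to the existing device-join task while
# keeping its logon triggers. Idempotent: skips if a boot trigger exists.
function Add-StartupTriggerToDeviceJoin {
    param([string]$BootDelay = 'PT2M')   # ISO 8601 duration, lets networking settle
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' `
                              -TaskName 'Automatic-Device-Join'
    $hasBoot = $task.Triggers |
        Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskBootTrigger' }
    if ($hasBoot) { return }
    $boot = New-ScheduledTaskTrigger -AtStartup
    $boot.Delay = $BootDelay
    $triggers = @($task.Triggers) + $boot
    Set-ScheduledTask -TaskPath $task.TaskPath -TaskName $task.TaskName `
                      -Trigger $triggers | Out-Null
}

# Step 3: sealing step for the master image, run just before shutdown and
# snapshot, so the gold image never carries an Azure AD device identity into
# the MCS-provisioned clones.
function Invoke-ImageSeal {
    & dsregcmd.exe /leave | Out-Null
    Start-Sleep -Seconds 10
    $status = & dsregcmd.exe /status
    if ($status -match '^\s*AzureAdJoined\s*:\s*YES') {
        throw 'Master image is still Azure AD joined; do not snapshot it.'
    }
}

Set-TenantRegistration -Id $TenantId -Name $TenantName
Add-StartupTriggerToDeviceJoin
# Invoke-ImageSeal   # run only in the sealing pass, immediately before shutdown
```

The sealing function fails loudly rather than silently, which is the behaviour you want in an image pipeline: a snapshot taken while the master is still joined is exactly how duplicate or stale device objects end up in Azure AD and why the question's author checks that the gold image is not registered.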