
Windows Hello for Business + Azure SAML + Windows 10

SOLVED
New Contributor

Windows Hello for Business + Azure SAML + Windows 10

Hi All,

 

We have integrated Pulse Connect Secure with Azure AD as per:

 

https://www-prev.pulsesecure.net/download/techpubs/current/1540/pulse-connect-secure/pcs/9.0rx/ps-pc...

 

However, we seem to be having an issue when a user logs into their Windows 10 device using Windows Hello for Business (WHfB). When authenticating, the user will get the following error message:

 
Sign in

Sorry, but we're having trouble with signing you in.

AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

 

We have added X509 in the Authn Context Classes but the error remains.

 

Comparison Method for Authentication Classes is set to 'Exact'.


Can anyone please advise?

 

 

Accepted Solution
New Contributor

Re: Windows Hello for Business + Azure SAML + Windows 10

Hi Zanyterp,

 

Managed to get this working!

 

We have to select x509 as the only accepted Authentication Class. Windows 10 authentication using either username+password or WHfB would work.


But to answer your question in case anyone else needs future help:

 

1) Yes - Username+Password login to the Windows 10 device would work. This would SSO correctly as per the Pulse documentation guide.

2) Same as above

3) Error/authentication on the PCS log:

 

Info        SML31067           2019-05-13 18:49:39 - ive - [127.0.0.1] Default Network::System()[] - SAML AuthnRequest generation succeeded for SigninUrl:'https://URL', SSO Service URL: 'https://login.microsoftonline.com/xxx/saml2'

 

On the Azure side, barring the error message above, the log would say:

 

Status: Failure

Error code: 75011

Failure Reason:

Authentication method by which the user authenticated with the service doesn't match requested authentication method. Contact the app owner.

 

Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

if you do not use Hello, does it work?
if you provide a password, does it work?
what are the error logs on the PCS?
what are the error logs on Azure?
Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

Thank you for sharing the solution.

From the Azure logs, it seems that the user is authenticating using a non-supported auth method (X509) rather than the supported method like password.

So you have selected X509 on the VPN server settings to fix this (which will cause the authn request class as X509 in the SAML request)?
PCS Expert
Pulse Connect Secure Certified Expert
Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

Thank you for sharing the fix and ideas on how to work on this.
New Member

Re: Windows Hello for Business + Azure SAML + Windows 10

hey guys, having the same issue now. Did we end up resolving this? can someone supply the fix?

 

thanks kindly

Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

Fix shared by the topic admin "We have to select only x509 as the only accepted for Authentication Class. Windows 10 authentication using either username+password or WHfB would work."

PCS Expert
Pulse Connect Secure Certified Expert
New Contributor

Re: Windows Hello for Business + Azure SAML + Windows 10

Does this not disable the use of passwords though? Or does this let people use Windows Hello methods AND passwords? I saw another post that said they followed your instructions, and now their users can't authenticate to Pulse with passwords.

New Contributor

Re: Windows Hello for Business + Azure SAML + Windows 10

Doesn't this disable the use of passwords for authentication though? Another thread said they followed these instructions, and now Windows Hello works, but anyone signing in with a password gets an error.

 

 

New Contributor

Re: Windows Hello for Business + Azure SAML + Windows 10

Exactly what rstephens17 says. 

 

X509 in SAML auth method: Windows Hello users can happily sign on. Users without Windows Hello cannot. 

 

Password in SAML auth method: Users without Windows Hello can happily sign on. Users with Windows Hello cannot. 

 

Adding both X509 and password does not fix the issue.

 

This caused us to fall back to Google TOTP for MFA for multiple customers.
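As an added example (not code from this thread, Pulse Secure or Microsoft), the check below models the mismatch described in the accepted solution and in the last post: it reads the AuthnContextClassRef values an SP's AuthnRequest asks for and the one the IdP's assertion carries, then applies the SAML 2.0 Comparison="exact" rule. The XML samples, request IDs, issuer URLs and the tenant placeholder are constructed, not captured from PCS or Azure AD.

```python
# Diagnose an AuthnContext mismatch (the AADSTS75011 case) by comparing the SP's
# RequestedAuthnContext with the class the IdP actually asserted. Added example;
# all XML below is constructed, not captured from a real PCS/Azure exchange.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"

# Constructed AuthnRequest with Comparison 'exact' and only PasswordProtectedTransport
# requested, i.e. the configuration the thread reports as failing for WHfB users.
AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_req1" Version="2.0" IssueInstant="2019-05-13T18:49:39Z">
  <saml:Issuer>https://vpn.example.com/saml</saml:Issuer>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>{AC}PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# Constructed assertion fragment for a Windows Hello for Business sign-in asserted as X509.
ASSERTION_X509 = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_a1" Version="2.0"
  IssueInstant="2019-05-13T18:49:40Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:AuthnStatement AuthnInstant="2019-05-13T18:49:40Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>{AC}X509</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
</saml:Assertion>"""


def requested_context(authn_request_xml):
    """Return (comparison, [class URNs]) from RequestedAuthnContext; default is 'exact'."""
    rac = ET.fromstring(authn_request_xml).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return ("exact", [])
    classes = [e.text.strip() for e in rac.findall("saml:AuthnContextClassRef", NS)]
    return (rac.get("Comparison", "exact"), classes)


def asserted_context(assertion_xml):
    """Return the AuthnContextClassRef the IdP asserted for this session (or None)."""
    ref = ET.fromstring(assertion_xml).find(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", NS)
    return ref.text.strip() if ref is not None else None


def diagnose(authn_request_xml, assertion_xml):
    """SAML 2.0 'exact' rule: the asserted class must be one of the requested classes."""
    comparison, requested = requested_context(authn_request_xml)
    asserted = asserted_context(assertion_xml)
    if comparison != "exact":
        raise ValueError("only Comparison='exact' is modelled in this example")
    ok = not requested or asserted in requested
    return {"ok": ok, "requested": requested, "asserted": asserted}
```

Under the spec rule a request listing both X509 and PasswordProtectedTransport would accept either session, whereas the thread reports Azure AD still failing in that configuration; use the function to read the two documents side by side, not as a model of Azure AD's behaviour.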