
Windows Hello for Business + Azure SAML + Windows 10

SOLVED
New Contributor


Hi All,

 

We have integrated Pulse Connect Secure with Azure AD as per:

 

https://www-prev.pulsesecure.net/download/techpubs/current/1540/pulse-connect-secure/pcs/9.0rx/ps-pc...

 

However, we seem to be having an issue when a user logs into their Windows 10 device using Windows Hello for Business (WHfB). When authenticating, the user will get the following error message:

 
<*
Sign in

Sorry, but we’re having trouble with signing you in.

 
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

 

*>

 

We have added X509 in the Authn Context Classes but the error remains.

 

Comparison Method for Authentication Classes is set to 'Exact'.


Can anyone please advise?

 

 

Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

If you do not use Hello, does it work?
If you provide a password, does it work?
What are the error logs on the PCS?
What are the error logs on Azure?
New Contributor

Re: Windows Hello for Business + Azure SAML + Windows 10

Hi Zanyterp,

 

Managed to get this working!

 

We have to select x509 as the only accepted Authentication Class. Windows 10 authentication using either username+password or WHfB would work.


But to answer your question in case anyone else needs future help:

 

1) Yes - Username+Password login to Windows 10 device would work. This would SSO correctly as per the Pulse document guide.

2) Same as above

3) Error/authentication on the PCS log:

 

Info        SML31067           2019-05-13 18:49:39 - ive - [127.0.0.1] Default Network::System()[] - SAML AuthnRequest generation succeeded for SigninUrl:'https://URL', SSO Service URL: 'https://login.microsoftonline.com/xxx/saml2'

 

On the Azure side, barring the error message above, the log would say:

 

Status: Failure

Error code: 75011

Failure Reason:

Authentication method by which the user authenticated with the service doesn't match requested authentication method. Contact the app owner.
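
To confirm what the Authn Context Classes setting actually puts on the wire, the `SAMLRequest` value sent to the SSO Service URL can be decoded and its `RequestedAuthnContext` read back. The following is an added example, not part of the posts above or of Pulse/Microsoft code; it assumes the method names in the AADSTS75011 message correspond to the standard SAML class URIs `PasswordProtectedTransport` and `X509`, and `constructed_request` is a hypothetical helper that builds sample input.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AC = "urn:oasis:names:tc:SAML:2.0:ac:classes:"  # standard class URI prefix


def requested_authn_context(saml_request):
    """Return (comparison, [class URIs]) from a captured SAMLRequest value.

    Feed it only requests captured from your own service provider:
    ElementTree is not hardened against hostile XML.
    """
    raw = base64.b64decode(unquote(saml_request))
    if not raw.lstrip().startswith(b"<"):
        raw = zlib.decompress(raw, -15)  # HTTP-Redirect binding: raw DEFLATE
    rac = ET.fromstring(raw).find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []  # SP left the choice of method to the IdP
    refs = [(e.text or "").strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS)]
    # SAML core: Comparison defaults to "exact" when the attribute is absent
    return rac.get("Comparison", "exact"), refs


def constructed_request(class_name, deflate=True):
    """Build a constructed (not captured) AuthnRequest for the demo."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" ID="_constructed" Version="2.0">'
           f'<samlp:RequestedAuthnContext Comparison="exact">'
           f'<saml:AuthnContextClassRef>{AC}{class_name}'
           f'</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>'
           f'</samlp:AuthnRequest>').encode()
    if deflate:
        c = zlib.compressobj(9, zlib.DEFLATED, -15)
        xml = c.compress(xml) + c.flush()
    return base64.b64encode(xml).decode()


if __name__ == "__main__":
    for label, cls in (("before", "PasswordProtectedTransport"), ("after", "X509")):
        print(label, requested_authn_context(constructed_request(cls)))
```

Running it against a request captured before and after the configuration change shows whether the class list and comparison mode changed as intended.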

 

Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

Thank you for sharing the solution.

From the Azure logs, it seems that the user is authenticating using a non-supported auth service as X509 rather than the supported method like password.

So you have selected X509 on the VPN server settings to fix this (which will cause the authn request class as X509 in the SAML request)?
Moderator

Re: Windows Hello for Business + Azure SAML + Windows 10

Thank you for sharing the fix and ideas on how to work on this.