Products
Solutions
Partners
Support
Company
Try Now
Pulse Secure Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Windows Hello for Business + Azure SAML + Windows 10

SOLVED
Go to solution
bally
New Contributor
‎05-16-2019 02:05:AM
‎05-16-2019 02:05:AM

Windows Hello for Business + Azure SAML + Windows 10

Hi All,

 

We have intergrated Pulse Connect Secure with Azure AD as per:

 

https://www-prev.pulsesecure.net/download/techpubs/current/1540/pulse-connect-secure/pcs/9.0rx/ps-pc...

 

However, we seem to be having an issue when a user logins into there Windows 10 device using Windows Hello for Business (WHfB). When authenticating the user will get the following error message:

 
<*
Sign in

Sorry, but we’re having trouble with signing you in.

 
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'.

 

*>

 

We have added X509 in the Authn Context Classes but the error remains.

 

Comparision Method for Authentication Classes is set to 'Exact'.


Can anyone please advise?

 

 

0 Kudos
1 ACCEPTED SOLUTION

Accepted Solutions
bally
New Contributor
‎05-17-2019 05:30:AM
‎05-17-2019 05:30:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

Hi Zanyterp,

 

Managed to get this working!

 

We have to select only x509 as the only accepted for Authentication Class. Windows 10 authentication using either username+password or WHfB would work.


But to answer you question incase anyone else needs future help:

 

1) Yes - Username+Password login to Windows 10 device would work. This would SSO correctly as the per the Pulse document guide.

2) Same as above

3) Error/authentication on the PCS log:

 

Info        SML31067           2019-05-13 18:49:39 - ive - [127.0.0.1] Default Network:Smiley Frustratedystem()[] - SAML AuthnRequest generation succeeded for SigninUrl:'https://URL', SSO Service URL: 'https://login.microsoftonline.com/xxx/saml2'

 

On the Azure side, barring the error message above, the log would say:

 

Status: Failure

Error code: 75011

Failure Reason:

Authentication method by which the user authenticated with the service doesn't match requested authentication method. Contact the app owner.

 

View solution in original post

11 REPLIES 11
zanyterp
Moderator
Moderator
‎05-16-2019 06:17:AM
‎05-16-2019 06:17:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

if you do not use Hello, does it work?
if you provide a password, does it work?
what are the error logs on the PCS?
what are the error logs on Azure?
0 Kudos
bally
New Contributor
‎05-17-2019 05:30:AM
‎05-17-2019 05:30:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

Hi Zanyterp,

 

Managed to get this working!

 

We have to select only x509 as the only accepted for Authentication Class. Windows 10 authentication using either username+password or WHfB would work.


But to answer you question incase anyone else needs future help:

 

1) Yes - Username+Password login to Windows 10 device would work. This would SSO correctly as the per the Pulse document guide.

2) Same as above

3) Error/authentication on the PCS log:

 

Info        SML31067           2019-05-13 18:49:39 - ive - [127.0.0.1] Default Network:Smiley Frustratedystem()[] - SAML AuthnRequest generation succeeded for SigninUrl:'https://URL', SSO Service URL: 'https://login.microsoftonline.com/xxx/saml2'

 

On the Azure side, barring the error message above, the log would say:

 

Status: Failure

Error code: 75011

Failure Reason:

Authentication method by which the user authenticated with the service doesn't match requested authentication method. Contact the app owner.

 

r@yElr3y
Moderator
Moderator
‎05-17-2019 06:06:AM
‎05-17-2019 06:06:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

Thank you for sharing the solution.

From the Azure logs, it seems that the user is authenticating using a non-supported auth service as X509 rather the supported method like password.

So you have selected X509 on the VPN server settings to fix this (which will cause the authn request class as X509 in the SAML request)?
PCS Expert
Pulse Connect Secure Certified Expert
0 Kudos
zanyterp
Moderator
Moderator
‎05-20-2019 03:50:PM
‎05-20-2019 03:50:PM

Re: Windows Hello for Business + Azure SAML + Windows 10

Thank you for sharing the fix and ideas on how to work on this.
0 Kudos
gtzikas
New Member
‎04-22-2020 07:34:PM
‎04-22-2020 07:34:PM

Re: Windows Hello for Business + Azure SAML + Windows 10

hey guys, having the same issue now. Did we end up resolving this? can someone supply the fix?

 

thanks kindly

0 Kudos
r@yElr3y
Moderator
Moderator
‎05-07-2020 07:24:PM
‎05-07-2020 07:24:PM

Re: Windows Hello for Business + Azure SAML + Windows 10

Fix shared by the topic admin "We have to select only x509 as the only accepted for Authentication Class. Windows 10 authentication using either username+password or WHfB would work."

PCS Expert
Pulse Connect Secure Certified Expert
0 Kudos
rstephens17
New Contributor
‎11-19-2020 10:13:AM
‎11-19-2020 10:13:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

Does this not disable use of Passwords though? Or does this let people use Windows Hello methods AND passwords? I saw another post that said followed your instructions, and now their users can't authenticate to Pulse with passwords.

0 Kudos
rstephens17
New Contributor
‎11-19-2020 10:15:AM
‎11-19-2020 10:15:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

Doesn't this disable the use of passwords for authentication though? Another thread said they followed these instructions, and now Windows Hello works, but anyone signing in with a password gets an error.

 

 

0 Kudos
Hermanbrood
New Contributor
‎11-23-2020 05:52:AM
‎11-23-2020 05:52:AM

Re: Windows Hello for Business + Azure SAML + Windows 10

Exactly what rstephens17 says. 

 

X509 in SAML auth method: Windows Hello users can happily sign on. Users without Windows Hello cannot. 

 

Password in SAML auth method: Users without Windows Hello can happily sign on. Users with Windows Hello cannot. 

 

Adding both X509 and password does not fix the issue.

 

This caused us to fall back to Google TOTP for MFA for multiple customers. 

0 Kudos
© 2017 Pulse Secure, LLC. Use of this website assumes acceptance of our Legal Notices and Privacy Policy. Pulse Secure has updated its Privacy Policy effective June 28, 2017.