StefanWe
Posted 20 August 2021

Hello,

we run an ADFS 2016 which handles Device Registration for us. This works so far, too. The devices are registered in Azure, and where we use Hello for Business on a trial basis, it works flawlessly.

However, in the event log of the Device Registration Server I see the following error message with error code 144:

No certificate could be found on the Device Registration Service object that can be used as the issuing certificate.

A Get-AdfsDeviceRegistration gives the following:

PS C:\> Get-AdfsDeviceRegistration

DrsObjectDN                          : CN=DeviceRegistrationService,CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=hen,DC=de
DevicesPerUser                       : 0
MaximumInactiveDays                  : 0
DeviceObjectLocation                 : CN=RegisteredDevices,DC=hen,DC=de
IsAdfsServiceAuthorizationReady      : True
IsDirectoryConfigured                : True
IsDeviceAuthenticationReady          : True
IssuanceAuthorizationRules           :
IssuanceTransformRules               : @RuleName = "Pass through all claims but group SIDs"
                                       c:[Type !~ "^(?i).+(group|primarygroup)+sid$"]
                                        => issue(claim = c);

                                       @RuleName = "Issue Permit Device Registration claim"
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/PermitDeviceRegistration", Value = "true");

                                       @RuleName = "Issue Custom Quota to Administrators"
                                       [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-512$"]
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/deviceregistrationquota", Value = "2147483647");

                                       @RuleName = "Issue Account Store Claim"
                                       c:[Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore"]
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/accountStore", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

                                       @RuleName = "Issue Inside Corp Network Claim"
                                       c:[Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/insidecorporatenetwork"]
                                        => issue(Type = "http://schemas.microsoft.com/authorization/claims/insidecorporatenetwork", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

                                       @RuleName = "MFA for Domain Joined Machines"
                                       c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "515$"]
                                        => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ");

                                       @RuleName = "Object identifier"
                                       c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                        && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                        => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/objectidentifier"), query = ";objectguid;{0}", param = c2.Value);

                                       @RuleName = "On-Prem Object GUID"
                                       c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =~ "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                        && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                        => issue(store = "Active Directory", types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query = ";objectguid;{0}", param = c2.Value);

                                       @RuleName = "Primary SID"
                                       c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =~ "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                        && c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]
                                        => issue(claim = c2);

AllowedAuthenticationClassReferences : {ngcmfa, wiaormultiauthn}
AdditionalAuthenticationRules        :
AccessControlPolicyName              : Permit everyone and require MFA, allow automatic device registration
AccessControlPolicyParameters        :
ResultantPolicy                      : RequireFreshAuthentication:False
                                       IssuanceAuthorizationRules:
                                       {
                                         Permit users
                                           with 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' claim regex matches '-515$' in the request;
                                         Permit users
                                           and when authentication includes MFA
                                           except with 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid' claim regex matches '-515$' in the request;
                                         Permit users
                                           with 'http://schemas.microsoft.com/claims/authnmethodsreferences' claim equals to 'http://schemas.microsoft.com/claims/wiaormultiauthn' in the request
                                       }

PS C:\>

On the internet I find basically nothing about this. Otherwise everything on the ADFS works as well. Has anyone stumbled across this error before, or has any ideas where to start troubleshooting?
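The error text names the Device Registration Service object in AD as the place where no usable issuing certificate was found, so a natural first troubleshooting step is to read the certificate attributes on exactly that object (the DrsObjectDN shown above) and check whether any certificate stored there is currently valid. The following PowerShell is an added diagnostic example, not code from the original post or from Microsoft; it assumes it is run by a domain administrator on a host with the ActiveDirectory RSAT module and the ADFS module available, and it assumes the attribute names msDS-IssuerCertificates and msDS-IssuerPublicCertificates from the DRS schema, which should be verified against the forest schema before relying on the output.

```powershell
# Added diagnostic example (not part of the original forum post).
# Reads the certificate attributes on the Device Registration Service object
# and reports whether any stored certificate is currently valid.
# Assumptions: ActiveDirectory and ADFS PowerShell modules present, run as a
# domain admin. Attribute names are taken from the DRS schema (assumed here;
# verify with Get-ADObject -Properties * against your own DRS object).
Import-Module ActiveDirectory -ErrorAction Stop

function Test-DrsIssuerCertificates {
    [CmdletBinding()]
    param(
        # DN of the DRS object, e.g. the DrsObjectDN value of Get-AdfsDeviceRegistration
        [Parameter(Mandatory)] [string] $DrsObjectDN,
        # Attributes expected to hold the issuer certificates (assumed names)
        [string[]] $CertAttributes = @('msDS-IssuerCertificates', 'msDS-IssuerPublicCertificates'),
        [datetime] $Now = (Get-Date)
    )

    $drs = Get-ADObject -Identity $DrsObjectDN -Properties $CertAttributes -ErrorAction Stop

    $results = foreach ($attr in $CertAttributes) {
        $values = @($drs.$attr)
        if ($values.Count -eq 0) {
            # Empty attribute: the service has nothing it could use as an issuer
            [pscustomobject]@{ Attribute = $attr; Status = 'EMPTY'; Subject = '<none>'
                               Thumbprint = ''; NotBefore = $null; NotAfter = $null }
            continue
        }
        foreach ($raw in $values) {
            try {
                # Each value is expected to be a DER-encoded X.509 certificate
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw)
                $status = if ($Now -lt $cert.NotBefore) { 'NOT YET VALID' }
                          elseif ($Now -gt $cert.NotAfter) { 'EXPIRED' }
                          else { 'VALID' }
                [pscustomobject]@{ Attribute = $attr; Status = $status; Subject = $cert.Subject
                                   Thumbprint = $cert.Thumbprint; NotBefore = $cert.NotBefore; NotAfter = $cert.NotAfter }
            } catch {
                # Value is present but is not a certificate we can decode (e.g. a different blob format)
                [pscustomobject]@{ Attribute = $attr; Status = 'UNPARSEABLE'; Subject = "<$($raw.Length) bytes>"
                                   Thumbprint = ''; NotBefore = $null; NotAfter = $null }
            }
        }
    }
    return $results
}

# Take the DN from ADFS itself so the check targets the object the service actually uses.
$drsDn  = (Get-AdfsDeviceRegistration).DrsObjectDN
$report = Test-DrsIssuerCertificates -DrsObjectDN $drsDn
$report | Format-Table Attribute, Status, Subject, Thumbprint, NotAfter -AutoSize

if (-not ($report | Where-Object Status -eq 'VALID')) {
    Write-Warning "No currently valid issuer certificate found on $drsDn; this is consistent with the DRS event log error text."
}
```

If every row comes back EMPTY or EXPIRED, the AD side of the registration service is missing or has outgrown its issuing certificate, which is worth checking before looking at the ADFS claim rules, all of which in the output above are the stock device registration rules and are not involved in certificate issuance.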