AAD-Only Joined W10 + SSO to local AD file and print RRS feed

  • Question

  • Hello

    Noob question. I am trying to do this https://blogs.technet.microsoft.com/janketil/2016/01/25/single-sign-on-to-on-premises-resources-from-azure-ad-joined-when-onprem/

    My setup


    DC: 2008 R2

    Client: W10 1709 Enterprise with Dec-17 CU. Manually joined to my AAD using a Provisioning Package that contains a bulk token.

    Azure AD Connect: Version as of Mar-2018. I am using password hash sync + SSO

    Client is on internal network that has access to local AD domain controller and AAD through the internet (no firewall rules or proxy)

    My on-prem domain is a .local, so I have a publicly routable UPN added to my local AD and assigned to a user account created in local AD that has synchronized to my AAD.



    I fire up my AAD joined device on my internal network. I login to my AAD joined device with my user@upn.com using a PIN, works fine. Access to O365 via Edge has no prompts. 

    When I try to access any internal share, prompts for my PIN again. I enter it, gives me an error. Unspecified error 0x80004005

    The share has full access to all users. How do I start troubleshooting, I'm a bit lost. 


    Saturday, March 3, 2018 2:23 AM

All replies

  • Retry once with Windows server 2016 DC and device writeback enabled. But the ideal solution is Hybrid Join of on-premise devices. This will provide SSO for on-premise and cloud resources.


    Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.

    • Proposed as answer by Ajay Kadam Monday, March 5, 2018 4:35 PM
    • Unproposed as answer by MohitGarg_MSFT Tuesday, March 6, 2018 10:50 PM
    Monday, March 5, 2018 4:35 PM
  • @legionx - Please try below steps. I hope it helps with your situation.

    1. On your Windows 10 device, go to Start > and search for Credential Manager.
    2. Select Windows Credentials
    3. Click on “Add a Windows credential”
    4. A new window will pop up. In the field for “Internet or Network address”, type your samba share path
    5. In the field for “User name”, provide the user name which has access to the folder
    6. For password, type in your password

    • Proposed as answer by MohitGarg_MSFT Tuesday, March 6, 2018 10:51 PM
    Tuesday, March 6, 2018 10:50 PM
  • Thanks but why do I need that when the link states only "A Onpremise Active Directory running on at least Windows Server 2008 R2"? 
    Thursday, March 8, 2018 7:32 AM
  • Thanks, but I am looking for a seamless scenario as described in the link.
    Thursday, March 8, 2018 7:33 AM