WS-Trust, JWT Token errors with ADFS 2012 R2 / WAP for workplace join/DRS RRS feed

  • Question

  • Hello, I have a fresh Internet accessible lab 2012 R2 ADFS / WAP setup using the best practices (other than HA) as defined on the TechNet pages and such.   I am having some errors and workplace join failures.  This is being setup to emulate a prod deployment with internet workplace join.

    I am using alternative UPN addresses as my local domain is not internet unique/accessible.

    I have a 3rd party UCC cert issued on the ADFS and WAP hosts that include fs.<internetdomain>.com and enterpriseregistration.<internetdomain>.com SANs. And the proper internet DNS entries to direct those domains to my WAP server.  The WAP Server and the ADFS have local HOST file entries pointing to the ADFS servers internal IP.

    Everything seems to be working correctly for ADFS Pass through, And configuration of the DRS services was successful on the WAP. But when I try workplace join with a Windows 8.1 device I end up getting  the following errors:

    On the WAP server (in the ADFS Event Log): (domain name edited)

    The Federation Service encountered an error while processing the WS-Trust request.

    Request type: https://fs.(internetdomain).com/EnrollmentServer/DeviceEnrollmentWebService.svc

    Additional Data

    Exception details:


    On the ADFS Server I see the following two errors in the DRS Admin Event Log: 

    The Device Registration Service could not authenticate the caller.

    Additional information

    Failure Type: AuthenticationError.

    Failure Reason: Invalid JWT token.


    The following exception occured while enrolling a device.

    Additional information

    Error: System.ServiceModel.FaultException`1[Microsoft.DeviceRegistration.WindowsDeviceEnrollmentServiceError]: WindowsEnrollmentServiceError (Fault Detail is equal to Microsoft.DeviceRegistration.WindowsDeviceEnrollmentServiceError)..

    Only Error I see in the ADFS Admin Event Log is below and it happens at boot of the server only:

    The SSL certificate does not contain all UPN suffix values that exist in the enterprise.  Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices.  For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.

    Which is expected because my SSL cert has the UPN for the alternative UPN I issued in the directory, but not my local UPN.

    I am really not sure what to check next... everything else seems to be working right!  Any help would be greatly appreciated! :)

    • Edited by JoeK78 Sunday, June 1, 2014 6:25 PM
    Sunday, June 1, 2014 6:18 PM

All replies

  • I have confirmed if I go to the ADFS server directly for device join the system works. It only fails when using WAP up front.
    Monday, June 2, 2014 2:40 PM
  • Did you get it to work with WAP?


    Monday, June 16, 2014 1:33 PM