Hello,
I have followed the somewhat nebulous instructions here: https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-on-premises-setup/
I have an existing ADFS 3.0 infrastructure, as well as a working synchronization with my on-premises AD and Azure\Office 365 via Azure AD Connect. ADFS SSO works within Office 365, Exchange Online, OneDrive, etc. I've seemingly followed this guide
to the letter, but I can't get workplace join to work whatsoever with an on-premises account -- though it does work with a cloud-based account. Using my iPhone as a test, I go to https://enterpriseregistration.windows.net/enrollmentserver/otaprofile/<mydomain>
and I'm redirected to our STS sign-in. I sign in, and am told that my credentials are invalid (they aren't) or the connection to my workplace is down, which is possible, but I don't see any other symptoms to suggest that this is true.
If I try to join a non-domain-joined machine to Azure AD, it goes to the organization single sign-on landing page... I sign in, it takes my credentials, and eventually returns with
"Something went wrong. There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code 801c0002."
This all seems like a pretty raw technology, so there's very little documentation out there. I'm totally lost on this... can anyone point me in the right direction? I should add that I did all of the federation and SSO tests within Azure AD
Connect and everything passed without issue, so I believe that portion is working properly...