We are trying to get Automatic Hybrid Azure AD Join working without success. We have followed the documentation which includes configuring WS Federation and WS-Trust.
NAM seems to be processing WS-Trust requests properly, as we can see claims for ImmutableID and UPN being added in the log file (catalina.out) and properly constructed SAML tokens in the response. I am not entirely sure what is generating this traffic; it could be OneDrive.
Automatic Hybrid Azure AD configuration requires adding Kerberos to the WS-Trust/STS Configuration/Methods and modifying the web.xml file to add the NetIQSTS12MEX servlet, on the identity servers.
However, we are not getting the PRT token (i.e. when we run dsregcmd /status, AzureADPRT is NO).
I can't help thinking that we are missing something. For example, the claims required by a device seem to differ from those required by a user (according to Microsoft's documentation); devices require objectSid from AD. This is a problem, as our "Name/Password - Form-WebService" method's user store is not AD but eDirectory (our identity vault).
I don't want to elaborate too much in case this makes no sense to anyone. But has anyone got this working?
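A first-pass diagnostic for the state described in this question, added here as example PowerShell and not code from the original post or from NetIQ: it parses `dsregcmd /status` into the join and PRT fields, and when the PRT is missing it probes a placeholder MEX URL (the host and servlet path are assumptions; substitute what your NAM STS actually publishes).

```powershell
# Added example (not from the original post): summarise dsregcmd /status
# and, if no PRT is present, confirm the WS-Trust MEX endpoint answers.
function Get-DsregStatus {
    param([string[]]$Lines = (dsregcmd /status))
    $state = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Key : Value" rows; ignore section banners
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-HybridJoinReadiness {
    param([hashtable]$State)
    # Hybrid join needs both join flags; a PRT only follows when STS auth works
    $checks = [ordered]@{
        'DomainJoined'  = ($State['DomainJoined']  -eq 'YES')
        'AzureAdJoined' = ($State['AzureAdJoined'] -eq 'YES')
        'AzureAdPrt'    = ($State['AzureAdPrt']    -eq 'YES')
    }
    foreach ($k in $checks.Keys) {
        $mark = if ($checks[$k]) { 'OK  ' } else { 'FAIL' }
        Write-Host ("{0} {1} = {2}" -f $mark, $k, $State[$k])
    }
    return -not ($checks.Values -contains $false)
}

$status = Get-DsregStatus
if (-not (Test-HybridJoinReadiness $status)) {
    # Placeholder (assumption): replace with the MEX path of your NAM STS
    $mex = 'https://<idp-host>/<nam-sts-mex-path>'
    try {
        $r = Invoke-WebRequest -Uri $mex -UseBasicParsing -UseDefaultCredentials
        Write-Host "MEX endpoint answered HTTP $($r.StatusCode); review the Kerberos method and device claims next"
    } catch {
        Write-Host "MEX endpoint unreachable: $($_.Exception.Message)"
    }
}
```

Run it on the device that shows AzureAdPrt : NO; a reachable MEX endpoint with a failing PRT points at the STS method or claim set rather than at connectivity.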