This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Automatic Hybrid AzureAD Join


We are trying to get Automatic Hybrid Azure AD Join working without success.  We have followed the documentation which includes configuring WS Federation and WS-Trust. 

NAM seems to be processing WS-Trust requests properly as we can see claims for ImmutableID and UPN being added in the log file (catalina.out) and properly constructed SAML 

tokens in the response.  I am not entirely sure what is generating this traffic - it could be one drive.

Automatic Hybrid Azure AD configuration requires adding Kerberos to the WS-Trust/STS Configuration/Methods and modifying the web.xml file to add the NetIQSTS12MEX servlet, on the identity servers. 

However, we are not getting the PRT token (i.e. when we run dsregcmd /status, AzureADPRT is NO.).  

I can't help thinking that we are missing something.  For example, the claims required by a device seem to differ from those required by a user (according to Microsoft's documentation).  e.g. devices require objectSid from AD.  This is a problem as our "Name/Password - Form-WebService" method's user store is not AD but an eDirectory (our identity vault).

I don't want to elaborate too much in case this makes no sense to anyone.  But has anyone got this working?


Steve Tennant

  • Hi!

    Maybe problem lies around this sentence:

    This is a problem as our "Name/Password - Form-WebService" method's user store is not AD but an eDirectory (our identity vault).

    In order for AM to authenticate device, AM need to have access to devices (computers) in backend directory. This is also the reason for step 1b in

    For device to be authenticated using kerberos token you need to:

    • Have configured Kerberos method and link it to directory with device information (for information extracted from device's kerberos token to be validated there)
    • Set this method as WS-Trust authentication method (Devices > Identity Servers > Edit > WS-Trust > STS Configuration)

    Do you have Kerberos method configured and attached to Active Directory user store where computer OU is added to search context?

    Kind regards,


  • Suggested Answer

    Hi Sebastijan,

    Thanks for taking the time to reply.  The Kerberos method is configured and assigned.

    There has been a significant development with the help of Microfocus and we now have got this working.  One issue was we were sending a SAML2 token - we changed this to SAML1.  The other issue was relating to the domain of the user being identified which did not match.  We have populated another attribute with the variant domain (for each user) and added it to the query in the WebService form.  It all works now.

    Thanks for the feedback.