Event 1098: "Error: 0xCAA5001C Token broker operation failed" in Windows 10

Symptoms
After you log on to a Windows 10-based computer, you try to access Windows Store for Business. However, Azure Active Directory authentication fails, and the following events are logged in the Microsoft-Windows-AAD/Operational log: 

Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Event ID: 1098
Task Category: AadTokenBrokerPlugin Operation
Level: Error
User: S-1-5-21-299502267-1950408961-849522115-1818
Computer: computer.contoso.com
Description:
Error: 0xCAA5001C Token broker operation failed.
Operation name: GetTokenSilently, Error: -2147024891 (0x80070005), Description: Access is denied


Log Name: Microsoft-Windows-AAD/Operational
Source: Microsoft-Windows-AAD
Event ID: 1104
Task Category: AadCloudAPPlugin Operation
Level: Error
User: SYSTEM
Computer: computer.contoso.com
Description:
AAD Cloud AP plugin call Get token returned error: 0xC000005F


In addition to Windows Store for Business, this issue may affect Enterprise State Roaming.
Cause
This issue occurs if there are missing permissions or ownership attributes on one or both of the following registry keys:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

HKEY_USERS\S-1-5-21-299502267-1950408961-849522115-1818\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

Note: Match the SID reported for the user in event ID 1098 to the path under HKEY_USERS. In this example, it is S-1-5-21-299502267-1950408961-849522115-1818.
Resolution
To resolve this issue, follow these steps:
  1. Take ownership of the key if necessary (Owner = SYSTEM).
  2. Fix the permissions on these registry keys by enabling inheritance (fixing one should fix both, unless multiple users log on to the same device):
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

    HKEY_USERS\S-1-5-21-299502267-1950408961-849522115-1818\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

    | Type | Principal | Access | Inherited from | Applies to |
    |---|---|---|---|---|
    | Allow | S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272 | Query Value | None | This key only |
    | Allow | SYSTEM | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData | This key and subkeys |
    | Allow | Domain User Account (user@contoso.com) | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData | This key and subkeys |
    | Allow | Administrators (COMPUTER\Administrators) | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData | This key and subkeys |
    | Allow | CREATOR OWNER | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData | Subkeys only |

    Note: If you view the permissions of the ~\PSR registry key under HKEY_USERS\{SID}, the Inherited from field shows inheritance from the HKEY_USERS\{SID} path.

    If this does not resolve the issue, consider running Process Monitor while performing the authentication method to look for ACCESS DENIED in other areas of the registry or file system that could be causing the authentication failure. If you discover any, add them to this article.
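
The check behind these steps can be scripted as a read-only audit. The following PowerShell is an added example, not part of the original article: it reads the SID from each event 1098 that carries 0xCAA5001C and reports the owner, inheritance state and access entries of that user's PSR key. It assumes an elevated session and that the affected user is logged on, so that the hive is loaded under HKEY_USERS.

```powershell
# Added example: read-only audit, changes nothing. Run from an elevated session.
$logName = 'Microsoft-Windows-AAD/Operational'
$subKey  = 'Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion' +
           '\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR'

# Distinct user SIDs from event 1098 entries whose description contains 0xCAA5001C.
$sids = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 1098 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '0xCAA5001C' -and $_.UserId } |
    ForEach-Object { $_.UserId.Value } |
    Sort-Object -Unique

foreach ($sid in $sids) {
    $path = "Registry::HKEY_USERS\$sid\$subKey"

    if (-not (Test-Path -Path $path)) {
        # A user hive is only mounted under HKEY_USERS while that user is logged on.
        Write-Warning "$sid : PSR key not reachable (hive not loaded or key missing)"
        continue
    }

    try {
        $acl = Get-Acl -Path $path -ErrorAction Stop
    } catch {
        # An access-denied error here is itself a sign of the broken ACL or owner.
        Write-Warning "$sid : cannot read the ACL: $($_.Exception.Message)"
        continue
    }

    # Compare the owner by SID (S-1-5-18 = Local System) so the check is locale-independent.
    $ownerSid = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    [pscustomobject]@{
        UserSid            = $sid
        Owner              = $acl.Owner
        OwnerIsSystem      = ($ownerSid -eq 'S-1-5-18')
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        InheritedRuleCount = @($acl.Access | Where-Object { $_.IsInherited }).Count
    } | Format-List

    # List the access entries for comparison with the expected permissions above.
    $acl.Access |
        Select-Object AccessControlType, IdentityReference, RegistryRights,
                      IsInherited, InheritanceFlags, PropagationFlags |
        Format-Table -AutoSize
}
```

A key that needs the fix described above shows `OwnerIsSystem` or `InheritanceEnabled` as `False`, or an `InheritedRuleCount` of 0.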
Properties

Article ID: 3196528 – Last Review: 10/14/2016 23:39:00 – Revision: 2.0

Windows 10, Windows 10 Version 1511, Windows 10 Version 1607

  • KB3196528