Event 1098: "Error: 0xCAA5001C Token broker operation failed" in Windows 10

Symptoms

After you log on to a Windows 10-based computer, you try to access Windows Store for Business. However, Azure Active Directory authentication fails, and the following events are logged in the Microsoft-Windows-AAD/Operational log:

In addition to Windows Store for Business, this issue may affect Enterprise State Roaming.

Cause

This issue occurs if there are missing permissions or ownership attributes on one or both of the following registry keys:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR
HKEY_USERS\S-1-5-21-299502267-1950408961-849522115-1818\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

Note: Match the SID reported for the user in event ID 1098 to the path under HKEY_USERS. In this example, it is S-1-5-21-299502267-1950408961-849522115-1818.

Resolution

To resolve this issue, follow these steps:
  1. Take ownership of the key if necessary (Owner = SYSTEM).
  2. Fix the permissions on these registry keys by enabling inheritance (fixing one should fix both, unless multiple users log on to the same device):
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR
    HKEY_USERS\S-1-5-21-299502267-1950408961-849522115-1818\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

    The resulting permissions on the PSR key should be:

    Type  | Principal                                                                              | Access       | Inherited from                                                                                                  | Applies to
    ------|----------------------------------------------------------------------------------------|--------------|-----------------------------------------------------------------------------------------------------------------|---------------------
    Allow | S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272 | Query Value  | None                                                                                                            | This key only
    Allow | SYSTEM                                                                                 | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData   | This key and subkeys
    Allow | Domain User Account (user@contoso.com)                                                 | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData   | This key and subkeys
    Allow | Administrators (COMPUTER\Administrators)                                               | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData   | This key and subkeys
    Allow | CREATOR OWNER                                                                          | Full Control | CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData   | Subkeys only

    Note: If you view the permissions of the ~\PSR registry key under HKEY_USERS\{SID}, the Inherited from field shows inheritance from the HKEY_USERS\{SID} path.

    If this does not resolve the issue, consider running Process Monitor while performing the authentication to look for ACCESS DENIED in other areas of the registry or file system that could be causing the authentication failure. If you discover any, add them to this article.
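The following script is an added example, not part of this article and not Microsoft code. It audits the per-user PSR key against the owner, inheritance and ACEs listed above and, with -Fix, re-enables inheritance (step 2); it assumes an elevated PowerShell session, that the affected user's hive is loaded, and that you pass the SID taken from event 1098 (it defaults to the current user's SID). The script file name Test-BrokerPsrAcl.ps1 is assumed; ownership changes (step 1) are left to regedit because they need SeRestorePrivilege.

```powershell
# Test-BrokerPsrAcl.ps1 (added example, not from the KB article). Audits the
# AAD broker plug-in PSR key for one user; -Fix re-enables inheritance only.
param(
    [string]$Sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value,
    [switch]$Fix
)

# HKCU\...\PSR is the same key as HKEY_USERS\<SID>\...\PSR for the logged-on user.
$psrKey = "Registry::HKEY_USERS\$Sid\Software\Classes\Local Settings\Software\Microsoft" +
          "\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR"
if (-not (Test-Path -LiteralPath $psrKey)) { throw "PSR key not found under HKEY_USERS\$Sid (hive loaded?)" }

$sidType = [System.Security.Principal.SecurityIdentifier]
function Get-AceSid($ace) {
    # Compare by SID so localized names for SYSTEM / Administrators do not matter.
    try { $ace.IdentityReference.Translate($sidType).Value } catch { $ace.IdentityReference.Value }
}

$acl = Get-Acl -LiteralPath $psrKey
$problems = @()

# Step 1: the owner must be SYSTEM (S-1-5-18).
if ($acl.GetOwner($sidType).Value -ne 'S-1-5-18') { $problems += "Owner is '$($acl.Owner)', expected SYSTEM" }

# Step 2: inheritance must be on so Full Control for SYSTEM, Administrators and the
# user flows down from ...\AppModel\SystemAppData, as in the table above.
if ($acl.AreAccessRulesProtected) { $problems += 'Inheritance is disabled on the PSR key' }
$full = [System.Security.AccessControl.RegistryRights]::FullControl
foreach ($who in (@{ SYSTEM = 'S-1-5-18'; Administrators = 'S-1-5-32-544'; User = $Sid }).GetEnumerator()) {
    $hit = $acl.Access | Where-Object {
        (Get-AceSid $_) -eq $who.Value -and $_.AccessControlType -eq 'Allow' -and
        $_.IsInherited -and (($_.RegistryRights -band $full) -eq $full)
    }
    if (-not $hit) { $problems += "No inherited Full Control ACE for $($who.Key) ($($who.Value))" }
}

# The package SID from the table needs its own (non-inherited) Query Value ACE on this key.
$pkgSid = 'S-1-15-2-1910091885-1573563583-1104941280-2418270861-3411158377-2822700936-2990310272'
$pkgAce = $acl.Access | Where-Object { (Get-AceSid $_) -eq $pkgSid -and -not $_.IsInherited }
if (-not $pkgAce) { $problems += "No direct ACE for package SID $pkgSid" }

if ($Fix -and $acl.AreAccessRulesProtected) {
    # Re-enable inheritance (isProtected = $false); a wrong owner is reported, not changed.
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -LiteralPath $psrKey -AclObject $acl
    $problems += 'Inheritance re-enabled; re-run without -Fix to verify the inherited ACEs'
}

if ($problems) { $problems } else { "PSR key ACL for $Sid matches the expected layout" }
```

Run it once without -Fix to see which of the three conditions (owner, inheritance, expected ACEs) is off before changing anything, and again afterwards to confirm the inherited ACEs arrived.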
Properties

Article ID: 3196528 - Last Review: Oct 14, 2016 - Revision: 1

Windows 10, Windows 10 Version 1511, Windows 10 Version 1607
