"Workplace Join discovery failed" error with exit code 0x80072F19

Symptoms

When a user tries to perform a Workplace Join, he or she receives the following error message:

Confirm you are using the current sign-in info, and that your workplace uses this feature. Also, the connection to your workplace might not be working right now. Please wait and try again.

Additionally, an administrator may see the following event details in Event Viewer:

Event ID: 102
Log Name: Microsoft-Windows-Workplace Join/Admin
Source: Microsoft-Windows-Workplace Join
Level: Error
Description: Workplace Join discovery failed.

Exit Code: 0x80072F19.

It was not possible to connect to the revocation server or a definitive response could not be obtained. Could not connect to 'https://EnterpriseRegistration.domain.com:443/EnrollmentServer/contract?api-version=1.0'.

Cause

This problem occurs for one of the following reasons:
  • Revocation failed while the DRS Service SSL certificate was being checked.
  • The CRL Distribution Path for a certificate in the chain was not reachable.
  • The client is configured to use a proxy that requires NTLM authentication. This operation fails if it's performed in a system security context.

Resolution

To resolve this problem, try the following methods.

Method 1: Update the root certificates

To update the root certificates, run Microsoft Update, and then make sure that the updates for root certificates are all installed.

If this does not fix the problem, try the next method.

Method 2: Verify date and time settings, clear SSL state, and reregister DLL files

Try the methods that are described in the following article in the Microsoft Knowledge Base:

813444 You cannot log in to or connect to secured Web sites in Internet Explorer

If this does not fix the problem, try the next method.

Method 3: Flush the DNS cache

Open a Command Prompt window as an administrator, and then run the following command:

ipconfig /FlushDNS

If this does not fix the problem, try the next method.

Method 4: Force the CRL Cache to expire

Open a Command Prompt window as an administrator, and then run the following command:

certutil -setreg chain\ChainCacheResyncFiletime @now

Note: If there is a proxy server in the environment, make sure that the client is configured to use the proxy server.

If this does not fix the problem, try the next method.

Method 5: Check connectivity to the CRL distribution points

  1. Open the certificate, and then on the Details tab, click CRL Distribution Points.
  2. Make sure that the client can open the URL that is provided on the CRL Distribution Point path.
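
The check in Method 5 can also be scripted. The following PowerShell is an added example, not part of the original article: it reads the certificate presented by the DRS endpoint, rebuilds the chain with online revocation checking, and tries to download the CRL from every HTTP distribution point in the chain. The host name is the placeholder from the event text above, and ldap:// distribution points are not tested.

```powershell
# Added example. The host name is the placeholder from the event text on this page.
param([string]$DrsHost = 'EnterpriseRegistration.domain.com', [int]$Port = 443)

# Fetch the server certificate. The callback accepts any certificate only so it
# can be inspected here; nothing else is sent over this connection.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient($DrsHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($DrsHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally { $tcp.Close() }

# Rebuild the chain with online revocation checking enabled.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
"Chain builds with online revocation: $($chain.Build($cert))"
foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }

# For each certificate in the chain, list the HTTP CDP URLs and try to download each CRL.
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "Certificate: $($c.Subject)"
    $cdp = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }   # CRL Distribution Points
    if (-not $cdp) { '  (no CRL Distribution Points extension)'; continue }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(https?://[^\s,)]+)') |
        ForEach-Object { $_.Groups[1].Value }
    foreach ($u in $urls) {
        try {
            $r = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec 15
            "  OK   $u ($($r.RawContentLength) bytes)"
        } catch {
            "  FAIL $u : $($_.Exception.Message)"
        }
    }
}
```

Run in a user session, this uses the user's proxy settings and credentials. Because the Cause section says the operation fails behind an NTLM-authenticating proxy when it runs in a system security context, a clean result here does not rule out that cause.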


Workaround

To temporarily work around this problem, clear the Check for server certificate revocation check box under Advanced Settings of Internet Options.

References

Learn how to troubleshoot certificate revocation.

For more troubleshooting information, see the following article in the Microsoft Knowledge Base:

3045377 Diagnostic logging for troubleshooting Workplace Join issues

For additional troubleshooting specific to this problem, filter for Capi2 events 50 and 53. Then, review network capture for failures trying to reach the CRL distribution path.

Properties

Article ID: 3045384 – Last review: March 16, 2015 – Revision: 1
