Wednesday, 14 January 2026

WHfB fails with "Windows couldn't sign you in. Your credentials could not be verified."

We've had the error "Windows couldn't sign you in. Your credentials could not be verified." three times, for three different reasons, in our org when users sign in to or unlock their devices with Windows Hello for Business (fingerprint, PIN or face). They can still log in successfully with their normal password.

Each time it only affected users inside our LAN; users off campus without their VPN connected weren't impacted, because they can't reach a domain controller and sign in with cached credentials instead. That rules out a lot of troubleshooting and, for us, points at our internal certificate infrastructure: a WHfB sign-in on the LAN authenticates to a domain controller, and the client has to be able to validate the certificate that DC presents.

The first time, the IIS service on our AD Certificate Authority server had failed to start after overnight patching, so clients could not download the CRL from the distribution point it hosts and the revocation check on the DC's certificate failed. Restarting the IIS service resolved it.

The second time, the Active Directory Certificate Services service had failed to start after overnight patching. Restarting Active Directory Certificate Services resolved it.

The third time took a bit longer. The AD Certificate Authority server wasn't the problem this time; it was expired certificates on some of our domain controllers. Because only some DCs had expired certs, whether a client hit the error depended on which DC it happened to authenticate against, so the issue was intermittent and inconsistent between clients.

You can check this roughly with certutil -dcinfo verify and look for the DCs with expired certs. Or, more explicitly, check the certificate a DC presents for LDAPS (the same machine certificate it uses for the KDC etc.) with some PowerShell:

    $DCName = "domain controller name"

    $TcpClient = New-Object System.Net.Sockets.TcpClient($DCName, 636)

    # Accept whatever certificate the DC presents. Without this callback
    # AuthenticateAsClient throws on an expired certificate and you never
    # get to see its details.
    $Callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $SslStream = New-Object System.Net.Security.SslStream($TcpClient.GetStream(), $false, $Callback)
    $SslStream.AuthenticateAsClient($DCName)

    # Display the certificate details (cast to X509Certificate2 so NotAfter is available)
    $Cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$SslStream.RemoteCertificate
    $Cert | Select-Object Subject, NotAfter, SerialNumber, Thumbprint | fl

    $SslStream.Dispose()
    $TcpClient.Close()
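The snippet above checks one DC by hand. The script below is an added example (not from the original post) that does the same check for every domain controller and also covers the other two failure modes from this post: it reads each DC's LDAPS certificate, reports expiry, checks for the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5, what the Kerberos Authentication template issues), and builds the chain with an online revocation check so an unreachable CRL shows up too. It assumes the ActiveDirectory PowerShell module is installed, that the machine running it can reach each DC on TCP 636, and that it trusts the same root CA the clients do; the function names are my own.

```powershell
# Added example, not part of the original post. Checks every DC in the domain
# for: an expired certificate, a certificate without the KDC Authentication
# EKU, and a chain that fails revocation checking (what you see when the CA's
# CRL web server is down).
# Assumes: ActiveDirectory module installed, TCP 636 reachable to each DC,
# and the local machine trusts the same root CA as the clients.
Import-Module ActiveDirectory

$KdcAuthEku = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU (id-pkinit-KPKdc)

function Get-DcLdapsCertificate {
    param([Parameter(Mandatory)][string]$DCName)

    $TcpClient = New-Object System.Net.Sockets.TcpClient($DCName, 636)
    # Accept any certificate during the handshake so an expired one can still
    # be read; proper validation happens separately in Test-DcCertificate.
    $Callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $SslStream = New-Object System.Net.Security.SslStream($TcpClient.GetStream(), $false, $Callback)
    try {
        $SslStream.AuthenticateAsClient($DCName)
        # Copy the certificate out so it survives the stream being disposed
        $Raw = $SslStream.RemoteCertificate.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Raw)
    }
    finally {
        $SslStream.Dispose()
        $TcpClient.Close()
    }
}

function Test-DcCertificate {
    param([Parameter(Mandatory)][string]$DCName)

    $Cert = Get-DcLdapsCertificate -DCName $DCName
    $Now  = Get-Date

    # Collect the EKU OIDs present on the certificate
    $Ekus = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Build the chain with an online revocation check, as a client would.
    # A CRL that can't be downloaded shows up here as RevocationStatusUnknown
    # or OfflineRevocation even when the certificate itself is fine.
    $Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $ChainOk = $Chain.Build($Cert)
    $Status  = if ($ChainOk) { 'OK' } else { ($Chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

    [pscustomobject]@{
        DC            = $DCName
        Subject       = $Cert.Subject
        NotAfter      = $Cert.NotAfter
        DaysRemaining = [int]($Cert.NotAfter - $Now).TotalDays
        Expired       = ($Cert.NotAfter -lt $Now)
        HasKdcAuthEku = ($Ekus -contains $KdcAuthEku)
        ChainValid    = $ChainOk
        ChainStatus   = $Status
        Thumbprint    = $Cert.Thumbprint
        Error         = $null
    }
}

# Run it against every DC and surface the ones that would break WHfB logon
$Results = foreach ($DC in Get-ADDomainController -Filter *) {
    try   { Test-DcCertificate -DCName $DC.HostName }
    catch { [pscustomobject]@{ DC = $DC.HostName; Error = $_.Exception.Message } }
}

$Results | Format-Table DC, NotAfter, DaysRemaining, Expired, HasKdcAuthEku, ChainValid, ChainStatus, Error -AutoSize

$Bad = $Results | Where-Object { $_.Error -or $_.Expired -or -not $_.HasKdcAuthEku -or -not $_.ChainValid }
if ($Bad) { Write-Warning "DCs needing attention: $(($Bad | ForEach-Object { $_.DC }) -join ', ')" }
```

Run it from a domain-joined admin workstation rather than from the CA itself, so the revocation check exercises the same CRL download path the clients use; a DC that fails the TCP connection entirely is reported in the Error column rather than aborting the loop.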

Once the certificate has already expired you can't simply renew it in place; you need to request a fresh one on the DC. There are lots of suggestions for how to resolve this online, but for DCs running Server Core, the simplest was to run:

    Get-Certificate -Template "Kerberos Authentication" -CertStoreLocation "cert:\LocalMachine\My"

Provided that was successful, restart the KDC service; the DC will pick the most appropriate certificate to use:

    Restart-Service KDC

If all that fails, there's Google or your favourite AI engine.