DaSven / SaschaSeipp,
The Kerberos ticket from Azure AD does contain a PAC and a PAC_REQUESTOR buffer, but not a PAC_ATTRIBUTES buffer. Therefore, authentication will still succeed using FIDO2 security keys, but an event ID 35 will be logged on the DCs.
I tested with a fully patched Server 2019 DC and Windows 10 hybrid AAD joined client.
Regardless of whether the PacRequestorEnforcement registry value is absent or set to 2, I was able to sign on using a security key, get a Kerberos ticket, and access the domain SYSVOL share.
The following event was logged in both cases:
Log Name: System
Source: Microsoft-Windows-Kerberos-Key-Distribution-Center
Date: 10/14/2022 8:48:32 AM
Event ID: 35
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: <DC.domain.ext>
Description:
The Key Distribution Center (KDC) encountered a ticket-granting-ticket (TGT) from another KDC (login.microsoftonline.com) that did not contain a PAC attributes field. See https://go.microsoft.com/fwlink/?linkid=2173051 to learn more.
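As an added example (not part of the original post), the following PowerShell collects these Event ID 35 warnings from your domain controllers and summarizes which foreign KDC issued the TGTs that lacked a PAC attributes field, so you can see how often cloud-issued tickets are hitting the DCs. The domain controller names and the lookback window are assumed parameters.

```powershell
# Added example: summarize KDC Event ID 35 ("TGT from another KDC did not
# contain a PAC attributes field") across domain controllers.
# $DomainControllers holds assumed placeholder names; replace with your own.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02'),   # assumed placeholders
    [int]$Days = 7                                      # lookback window
)

# Filter matches the event shown above: System log, KDC provider, ID 35.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
    Id           = 35
    StartTime    = (Get-Date).AddDays(-$Days)
}

$events = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # The description names the issuing KDC in parentheses, e.g.
                # "... from another KDC (login.microsoftonline.com) that did not contain ..."
                $kdc = if ($_.Message -match 'from another KDC \(([^)]+)\)') {
                    $Matches[1]
                } else {
                    'unknown'
                }
                [pscustomobject]@{
                    DC          = $dc
                    TimeCreated = $_.TimeCreated
                    IssuingKdc  = $kdc
                }
            }
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as zero findings
        if ($_.Exception.Message -notmatch 'No events were found') {
            Write-Warning "$dc : $($_.Exception.Message)"
        }
    }
}

# One row per DC / issuing KDC pair, with the count and the most recent occurrence.
$events | Group-Object DC, IssuingKdc | Sort-Object Count -Descending |
    Select-Object @{n = 'DC'; e = { $_.Group[0].DC } },
                  @{n = 'IssuingKdc'; e = { $_.Group[0].IssuingKdc } },
                  Count,
                  @{n = 'LastSeen'; e = { ($_.Group | Measure-Object TimeCreated -Maximum).Maximum } }
```

Because the post reports that authentication still succeeds when PacRequestorEnforcement is 2, a steady count here is expected for FIDO2 sign-ins from hybrid-joined clients; a sudden change in volume or an unfamiliar issuing KDC name is what merits a closer look.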