Forum Discussion

Stefan Ringler's avatar
Stefan Ringler
Brass Contributor
Apr 04, 2018

On-prem access from an aad joined device with Windows Hello for Business

Recently one of my clients asked me to setup Windows Hello for Business as part of our Modern IT Management PoC. So currently they are using convenience pin and the use case was that on their Modern ...
Azure Active Directory (AAD)
microsoft intune
passwordless
Nima Gharib's avatar
Nima Gharib
Copper Contributor
Aug 30, 2018

Hi Stefan,

 

Can you explain a bit what you did on the hybrid key trust part? 

The documentation follows a Hybrid Azure AD joined deployment, while you (and I) are Azure AD joined only, if I understood your post correctly. 

 

Or is the solution to actually enable Hybrid Azure AD Join? 

Stefan Ringler's avatar
Stefan Ringler
Brass Contributor
Dec 14, 2018

The goal of this solution is to have your AAD joined devices accessing On-prem resources when in corp lan and using WHfB Pin/Biometrics. So I just wanted to outline some of the pitfalls I came across to get that working because at my first attempt I was able to access On-prem resources with username/pw but not with using PIN.

  • ChrisWebbTech's avatar
    ChrisWebbTech
    MVP
    Dec 14, 2018
    Yeah I got everything setup and working, it's the same issue with PIN not working, but I finally found a good explination and how to fix it in the same guide here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base

    Basically with like you said the CRL which I was confused by publishing to internet in your original statement, but it makes sense now that you can't get the default CRL because you cannot query active directory because your not authenticated yet and it requires that CRL so you publish it to internal http endpoint so it can pass that check. At least that's what it looks like, I'm working on setting that up now. Then hopefully PIN will work!
    • ChrisWebbTech's avatar
      ChrisWebbTech
      MVP
      Dec 14, 2018
      Do you happen to know if renewing and rekeying ath Domain controller certificate as one of those steps adding the new CDP etc. will have any effects on current client machines etc?
      • JonasBack's avatar
        JonasBack
        Steel Contributor
        Mar 06, 2019

        Great discussion! One thing to point out that is not clearly mentioned for the Key Trust model is that you need to deploy a new certificate template to your domain controllers: the Kerberos Authentication template instead of the default Domain Controller Authentication template. It's not enough to add KDC Authentication in Intended Purposes on the old default template since this template does not have the FQDN of the domain in the certificate.

Resources