Forum Discussion
Stefan Ringler
Apr 04, 2018, Brass Contributor
On-prem access from an aad joined device with Windows Hello for Business
Recently one of my clients asked me to setup Windows Hello for Business as part of our Modern IT Management PoC. So currently they are using convenience pin and the use case was that on their Modern ...
Nima Gharib
Aug 30, 2018, Copper Contributor
Hi Stefan,
Can you explain a bit what you did on the hybrid key trust part?
The documentation follows a Hybrid Azure AD joined deployment, while you (and I) are Azure AD joined only, if I understood your post correctly.
Or is the solution to actually enable Hybrid Azure AD Join?
Stefan Ringler
Dec 14, 2018, Brass Contributor
The goal of this solution is to have your AAD joined devices accessing On-prem resources when in corp lan and using WHfB Pin/Biometrics. So I just wanted to outline some of the pitfalls I came across to get that working because at my first attempt I was able to access On-prem resources with username/pw but not with using PIN.
- Dec 14, 2018
Yeah I got everything set up and working, it's the same issue with PIN not working, but I finally found a good explanation and how to fix it in the same guide here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base
Basically, like you said, the CRL, which I was confused by publishing to the internet in your original statement, but it makes sense now that you can't get the default CRL because you cannot query Active Directory because you're not authenticated yet and it requires that CRL, so you publish it to an internal HTTP endpoint so it can pass that check. At least that's what it looks like, I'm working on setting that up now. Then hopefully PIN will work!
- Dec 14, 2018
Do you happen to know if renewing and rekeying the Domain Controller certificate as one of those steps, adding the new CDP etc., will have any effects on current client machines etc.?
- JonasBack, Mar 06, 2019, Steel Contributor
Great discussion! One thing to point out that is not clearly mentioned for the Key Trust model is that you need to deploy a new certificate template to your domain controllers: the Kerberos Authentication template instead of the default Domain Controller Authentication template. It's not enough to add KDC Authentication in Intended Purposes on the old default template since this template does not have the FQDN of the domain in the certificate.
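An added audit script, not posted by anyone in this thread, that checks a domain controller's certificate for the two Key Trust prerequisites raised above: a KDC Authentication EKU with the domain FQDN in the Subject Alternative Name (what the Kerberos Authentication template adds), and a CRL distribution point reachable over HTTP. The domain name is a placeholder assumption; run it in an elevated PowerShell on the DC.

```powershell
# Added example: audit the DC certificate for Key Trust prerequisites.
# $DomainFqdn is an assumed placeholder; replace with your AD domain name.
param(
    [string]$DomainFqdn = 'corp.example.com'
)

$kdcAuthOid = '1.3.6.1.5.2.3.5'   # KDC Authentication enhanced key usage

$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthOid }

if (-not $certs) {
    Write-Warning 'No certificate with the KDC Authentication EKU found.'
    return
}

foreach ($cert in $certs) {
    Write-Host "Certificate: $($cert.Subject) (thumbprint $($cert.Thumbprint))"

    # The SAN must carry the domain FQDN; the old Domain Controller
    # Authentication template only includes the DC host name.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $hasDomainDns = $sanText -match [regex]::Escape("DNS Name=$DomainFqdn")
    Write-Host ("  SAN contains domain FQDN '{0}': {1}" -f $DomainFqdn, $hasDomainDns)

    # An AAD-joined client cannot read an LDAP-only CDP before it is
    # authenticated, so at least one HTTP CDP must exist and be reachable.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $cdpText = if ($cdp) { $cdp.Format($false) } else { '' }
    $httpUrls = [regex]::Matches($cdpText, 'https?://[^\s,]+') | ForEach-Object { $_.Value }
    if (-not $httpUrls) {
        Write-Warning '  No HTTP CRL distribution point on this certificate.'
        continue
    }
    foreach ($url in $httpUrls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            Write-Host "  CRL reachable over HTTP: $url ($($resp.RawContentLength) bytes)"
        } catch {
            Write-Warning "  CRL fetch failed: $url ($($_.Exception.Message))"
        }
    }
}
```

Run it from a client on the corporate LAN as well, since the HTTP CDP must be resolvable and reachable from the AAD-joined device, not only from the DC itself.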