Forum Discussion
Jack_Chen1780
Feb 07, 2022 (Brass Contributor)
Windows Hello for Business PIN and Kerberos
I would like to get some help to troubleshoot WHfB PIN authentication and Kerberos. I have deployed WHfB with the Key trust model in our environment. It is working as supposed and I have configur...
Jack_Chen1780
Feb 08, 2022 (Brass Contributor)
Looks like the issue is related to our DC's certificate. We got 0x800B010A 80092013 errors and they are related to the certificate chain. I turned on CAPI2 and found
So we have an offline root CA and an issuing CA. The issuing CA's CRL setting is configured properly and it passed the pkiview test for the CRL list. The issue seems to be the issuing CA's certificate: it is signed by the offline Root CA and it doesn't have a valid http CRL. Not sure if I can regenerate the issuing CA's certificate without breaking all the certificates it signed. Maybe it can be done by renewing the issuing CA's certificate with the existing keypair?
Jack_Chen1780
Feb 09, 2022 (Brass Contributor)
OK, fixed it. First, fix AIA and CDL from the offline Root CA, then issue a new sub CA to the issuing CA server with the existing key (so all existing certificates don't need to be regenerated). Set up a new Intune profile to deploy the new intermediate sub CA to Windows devices, then it worked!
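
The chain problem diagnosed in this thread (an issuing CA certificate that publishes no usable http CRL location) can be checked per certificate with the script below. It is an added example, not part of the original posts; `$CertPath` and the helper name `Get-ExtensionUrls` are hypothetical, and it assumes a Windows host, where .NET renders these extensions as text with `URL=` entries.

```powershell
# Added example: list the CDP and AIA URLs of every certificate in a chain and
# flag certificates below the root that publish no http:// CRL location.
# Assumption: $CertPath is a hypothetical path to an exported DC certificate (.cer).
param(
    [Parameter(Mandatory)]
    [string]$CertPath
)

$OidCdp = '2.5.29.31'           # CRL Distribution Points
$OidAia = '1.3.6.1.5.5.7.1.1'   # Authority Information Access

function Get-ExtensionUrls {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Oid
    )
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # Format($true) gives the multi-line text form; pull out each URL= value.
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

$leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
# Skip revocation checking here so the chain is still listed when a CRL is unreachable.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($leaf)

foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    $cdp  = @(Get-ExtensionUrls -Cert $cert -Oid $OidCdp)
    $aia  = @(Get-ExtensionUrls -Cert $cert -Oid $OidAia)
    $selfSigned = $cert.Subject -eq $cert.Issuer
    [pscustomobject]@{
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        CdpUrls        = $cdp -join '; '
        AiaUrls        = $aia -join '; '
        # A root certificate normally carries no CDP; every certificate below it needs one.
        MissingHttpCdp = (-not $selfSigned) -and -not ($cdp -match '^http://')
    }
}
```

A row for the issuing CA certificate with `MissingHttpCdp` set to `True` matches the condition described in the Feb 08 post. If the intermediate certificate cannot be located, the output lists only the certificates the chain builder could find.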