Public preview of Azure AD support for FIDO2 security keys in hybrid environments
Published Feb 24 2020 09:00 AM

I’m excited to announce the public preview of Azure AD support for FIDO2 security keys in hybrid environments. Users can now use FIDO2 security keys to sign in to their Hybrid Azure AD joined Windows 10 devices and get seamless sign-in to their on-premises and cloud resources. Since the launch of the public preview of FIDO2 support for Azure AD joined devices and browser sign-ins, this has been the most requested feature from our passwordless customers.

We all know that passwords are no longer effective in protecting customers from cybersecurity threats. In fact, compromised passwords are the most frequent cause of enterprise security breaches. By contrast, passwordless authentication using technologies like biometrics and public/private key cryptography provides a convenient, easy-to-use experience and world-class security.

With the expansion of FIDO2 support to hybrid environments, we offer seamless sign-in to Windows devices and virtually unphishable access to on-premises and cloud resources, using a strong hardware-backed public/private-key credential. The private key never leaves the security key, and the key only signs challenges for the relying party it was registered with, which is what makes the credential resistant to phishing.

 


 

Our customers shared that simpler deployments are essential for a successful passwordless journey. We took that feedback seriously: enabling FIDO2 security keys for your hybrid environment requires only three deployment components:

  1. Windows Server patch for domain controllers (Server 2016/Server 2019). The fix is cumulative, so domain controllers that already have the February 2020 or a later cumulative update do not need the stand-alone patch.
  2. Windows Insider Build 18945 or later for PCs.
  3. Version 1.4.32.0 or later of Azure AD Connect.

To get started on your FIDO2 journey, you need to:

  1. Enable security keys as a passwordless authentication method for your tenant and have your users provision their FIDO2 security keys. Users must complete Azure AD MFA before they can register a key.
    For additional information see: Enable passwordless security key sign-in to on-premises resources with Azure AD and User registration and management of FIDO2 security keys
  2. Ensure that Windows devices are enabled to use FIDO2 security keys to sign in.
    For additional information see: Enable passwordless security key sign-in to Windows 10 devices with Azure AD
  3. Configure the components required to sign in to your Hybrid Azure AD joined devices (devices joined to both on-premises AD and Azure AD; domain-joined-only PCs are not supported) as well as for single sign-on (SSO) to on-premises and cloud resources.
    For additional information see: Enable passwordless security key sign-in to on-premises resources with Azure Active Directory (previ...
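The on-premises side of the three steps above, as an added PowerShell example (not code from the original post or from Microsoft's documentation): it publishes the Azure AD Kerberos server object with the Set-AzureADKerberosServer and Get-AzureADKerberosServer cmdlets named in the comment thread, checks for a FIDO-capable domain controller with the nltest invocation quoted there, and turns on the client-side "Turn on security key sign-in" policy. The Azure AD Connect install path, the domain name corp.contoso.com and the registry value the policy writes are assumptions; verify the last against the updated credentialprovider.admx.

```powershell
# Added example, not from the original post. Run steps 1 and 2 on the Azure AD
# Connect server as a Domain Admin; run step 3 on a Windows 10 client
# (Insider build 18945 or later) as a local administrator.

# --- 1. Create the Azure AD Kerberos server object and publish it to Azure AD ---
# The AzureAdKerberos module ships with Azure AD Connect 1.4.32.0 or later.
# Assumption: default install path.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

# Hypothetical domain; replace with your on-premises AD DNS domain.
$domain = 'corp.contoso.com'

# Two separate credentials: a Global Administrator in Azure AD and a member of
# Domain Admins (or Enterprise Admins) in AD. "Failed to read secrets from the
# domain", reported in the comments, is the error you get when the domain
# credential lacks that membership.
$cloudCred  = Get-Credential -Message 'Azure AD Global Administrator'
$domainCred = Get-Credential -Message 'On-premises Domain Admin'

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

# Verify the object exists on both sides. Empty Cloud* fields mean the object
# was created in AD but never published to Azure AD; a KeyVersion mismatch
# means the two copies are out of step. Either way, re-run the Set- cmdlet.
$krb = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
$krb | Format-List Id, DomainDnsName, KeyVersion, CloudId, CloudDomainDnsName, CloudKeyVersion
if (-not $krb.CloudId -or $krb.KeyVersion -ne $krb.CloudKeyVersion) {
    Write-Warning 'Azure AD Kerberos object is not published or key versions differ; re-run Set-AzureADKerberosServer.'
}

# --- 2. Confirm a FIDO-capable domain controller is reachable -------------
# Clients look for a DC that supports the new key-list request. If this returns
# an error instead of a DC, none of the DCs this host can reach has the patch,
# which is the first thing to rule out when a key sign-in fails.
nltest "/dsgetdc:$domain" /keylist /kdc

# --- 3. Enable security key sign-in on the client ---------------------------
# In Group Policy this is Computer Configuration > Administrative Templates >
# System > Logon > "Turn on security key sign-in" (updated credentialprovider.admx).
# Assumption: the policy is backed by this registry value; setting it locally
# is equivalent to enabling the policy with gpedit.msc on one machine.
$fidoKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FIDO'
New-Item -Path $fidoKey -Force | Out-Null
Set-ItemProperty -Path $fidoKey -Name 'EnableFIDODeviceLogon' -Value 1 -Type DWord
```

Step 3 only enables the security key credential provider; it does not remove the password sign-in option, so a user can still pick "Password" under Sign-in options unless you restrict that separately.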

We’re also excited to share additional hardware options for FIDO2 security keys from our Microsoft Intelligent Security Association partners. Ensurity Technologies now offers the Thin-C USB key with storage, eWBM Inc. has a new Goldengate USB-C key, and Thales announced Azure AD passwordless sign-in integrations with its PKI-FIDO smartcard. See the full listing of tested compatible devices.

 

To get started on your passwordless journey, visit Go passwordless.

 

As always, we love to get your feedback and suggestions! Let us know what you think in the comments below.  

 

Best regards,

Alex Simons (@Alex_A_Simons)

Corporate VP of Program Management

Microsoft Identity Division

58 Comments
Copper Contributor
Do all domain controllers in the domain need to be version 2016 or higher, or do we need at least one for schema updates?
Brass Contributor
Great news! Been looking forward to this.
Microsoft

@Greg K Thank you for your interest. 

We recommend patching a majority of your 2016/2019 domain controllers with the server patch to ensure they can handle the authentication request load of your organization. You need to upgrade “enough DCs” to support clients that are capable of FIDO logins.

Microsoft

Is this preview for retail only or is it approved for use in GCC clouds as well?

Microsoft

@AStratton Thanks a lot for your interest. 

Currently this preview is available only for Public clouds. 

 

This is Awesome News :cool: 

Shared it with the Community and with the Company.

Brass Contributor

Great news! 

Copper Contributor
Will administrator provisioning be added to public preview or is that only when it goes GA?
Microsoft

@Timothy McGill Thanks a lot for your interest.

Administrator provisioning is not part of this public preview. 

Copper Contributor

Where can I download the new ADMX templates that contain the updated version of credentialprovider.admx?

Copper Contributor

This is great, thank you!

Is there any way to require users to use their security key at the Windows login screen and disallow password-only logins? It seems like they can still log into Windows with only their password if they just choose the password sign-in method instead. I know there's a way to do this at the device level, which disallows password logins for all users of the device, but I'm wondering if there's an option for this to be a per-user policy instead.

Brass Contributor

Great news!

Brass Contributor
Tested it, and works fine with my YubiKey!! But for some reason this is not the "primary" auto selected login method. I always have to click on Sign-In Options>Security Key to make this work.
Microsoft

@Adam Parker - Thank you for your interest 

You need the latest Windows client Insider build, 18945 or later, which has the latest version needed for security key support in hybrid environments.

Microsoft

@AlphaSeb Thank you for testing it out and the feedback!

Ideally it would pick up the last login method as the first auto-default sign-in option. Is it still asking you to select after you have logged in using the key a couple of times?

Brass Contributor
@Aakashi Yes, unfortunately it does. This is what I have to do:

  1. I have the security key plugged in.
  2. I lock my account (WIN+L).
  3. I see my lock screen and need to press CTRL+ALT+DEL.
  4. I press CTRL+ALT+DEL.
  5. I'm presented with my image, name and the "Sign in Options" link.
  6. I click on the security-key icon; nothing happens.
  7. I click on password, and the password field shows.
  8. I click back on the security-key icon, and now I'm presented with the PIN field (which was not showing before).
  9. I enter my PIN and confirm with the button on my YubiKey 5 Series, and I'm in.

On each lock/unlock, it's the same procedure. When restarting the computer, it's the same. It seems that the key is not properly initialized. Another method that works is:

  1. I have the security key plugged in.
  2. I lock my account (WIN+L).
  3. I see my lock screen and need to press CTRL+ALT+DEL.
  4. I press CTRL+ALT+DEL.
  5. I replug the key.
  6. Now I'm presented with the option to enter the PIN, and it works.
Copper Contributor
Can't get past the "Set-AzureADKerberosServer" step. Getting error message "Failed to read secrets from the domain ", and it only creates the Kerberos object on-prem in AD. The Cloud fields in the object are all blank. I suspect it's because the cmdlet doesn't support MFA for the global admin credentials. Any info on this? Anyone else encountering?
Copper Contributor

@Aakashi Thanks for your response. I understand the Windows 10 client needs to be on build 18945 or later, but in order to enforce this setting through group policy doesn't the domain controller need the corresponding ADMX templates installed? Also, when I try to install KB4534321 on our 2019 domain controller I get the error "This update is not applicable to your computer".

Copper Contributor

The document references server patch KB4534307, a non-security patch from Jan 23, 2020 for Windows Server 2016. Do you still need this patch if the February 2020 cumulative patch KB4537764 has already been applied?

 

So I assume this will allow a user to log in to any domain-joined PC using a valid FIDO2 key and PIN, and they do NOT have to go through the WHfB registration process?

 

-Doug

Copper Contributor

Do user accounts still require a password?

Can we deploy the setting without Intune, using GPO only?

What is the minimum subscription that we need? Is free Azure AD supported?

Which sign-in methods on Azure AD are supported and not supported? ADFS, Password Hash Synchronization or Pass-through Authentication?

Is there an impact when users change their password?

What is the difference between password login and FIDO login? Does the user still obtain a Kerberos ticket?

How do we determine which domain controllers support FIDO login? Is there any PowerShell to query the number of servers that support FIDO login?

Can you explain the login flow using FIDO? Does the client authenticate with Azure AD and pass the token to the Win2016 server?

Which event log do we look at on Windows Server to determine that a computer or user logged in via FIDO?

Can a client log in with FIDO while temporarily offline, using the cache?

A FIDO U2F device relies on a public/private key pair; do they expire and need to be renewed?

 

 

 

Copper Contributor

Windows Hello for Business and FIDO2 are both passwordless journeys, and Windows 10 supports both authentication methods.

Forget about the biometric part of WHfB; it can use a PIN to unlock the certificate or key in the TPM. What are the advantages of FIDO2 over WHfB, and how should we position each technology?

The first thing I can imagine is that WHfB keys are stored locally, so a user working with multiple devices needs to enroll multiple times. It is more suitable when a user is assigned a dedicated computer.

With FIDO2, the endpoint trusts the FIDO authentication server. A user can log in on multiple devices using the same FIDO key, which is great in a shared computer environment.

 

 

Copper Contributor

I have some questions. Is the primary requirement of having an on-premises AD only needed for the hybrid environment? Can I have a full cloud environment (Azure AD joined machines) without on-premises AD servers and with FIDO2 MFA support, or will this only work for hybrid environments?
Also, about security: could that type of MFA fully mitigate Pass-the-Hash and Golden Ticket attacks? How will the machines store the NTLM hashes?

Copper Contributor

Full cloud deployment (Azure AD only) is already supported. This announcement extends support to hybrid deployments.

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/announcing-the-public-preview...

 

Also, this is not Azure MFA sign-in (phone, SMS, push). It's FIDO; of course you can call it 2FA, but it is not branded as Azure AD MFA. The user experience will be different when the user logs in to a web app that requires Azure AD MFA.

 

 

Copper Contributor

Thank you @scout249 !

Copper Contributor

Hello everyone,

We have just tried it in our environment (after a long test with Azure AD joined PCs) and it works fine with YubiKey security keys.

Is there a way, in your opinion, to instruct Windows 10 to lock (Windows+L) after security key removal? I know that it's possible with a smart card, but I can't actually find the option for a security key.

 

Thanks

Andrea

Copper Contributor
 
 
 
Is there a roadmap for when Windows servers will support FIDO2 login?
Microsoft

@AlphaSeb Is the device Azure AD joined or Hybrid Azure AD joined ? Does it have the latest windows insider build 18945 or later on it? 

Microsoft

@Scott Hetherington Thanks for trying out the feature. 

This error means that the credentials you are using to create the Kerberos server object do not have permission to perform this operation. The account should be either a Domain Admin or an Enterprise Admin to perform this operation.

Hope that helps. 

Microsoft

@DougTran Thanks for your interest. 

Yes you will need this patch for FIDO2 support as the older patches did not have that. 

 

Once you follow all the steps and have the client version updated, users should be able to sign in to a Hybrid Azure AD joined device (i.e. a device joined to both a domain and Azure AD; please note this does not work for domain-joined-only PCs) using their FIDO2 security keys. This offering is in parallel to WHFB, i.e. depending on your scenario you can choose to enable either WHFB or FIDO2 keys or both, but there is no need for users to go through the WHFB registration process for FIDO2 keys.

Copper Contributor

@Aakashi When I try to install the required patch KB4534321 on our 2019 domain controller I get the error "This update is not applicable to your computer".

Copper Contributor

@Aakashi The account is a domain admin, as was elevated to Enterprise Admin temporarily to try and fix the issue. The AD object is being created, but the Cloud object is not. The account is also a global admin in the cloud.

Microsoft

@scout249 Thank you for your interest. 

Those are some really good questions and I will try to answer them as much as I can :) Please find the responses inline below 

 

Do user accounts still require a password?

[a] - As of now there is no way to remove or delete passwords for user accounts. But there is no requirement to have a password for FIDO2 sign-ins.

 

Can we deploy the setting without Intune, using GPO only?

[a] - Yes, you can enable the setting through GPO only as well. Here are the details https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...

 

What is the minimum subscription that we need? Is free Azure AD supported?

[a] - There is no specific subscription required for FIDO2 support, but we do require MFA before you can add security keys as a passwordless method or users can provision their keys.

 

Which sign-in methods on Azure AD are supported and not supported? ADFS, Password Hash Synchronization or Pass-through Authentication?

[a] - It does not work with any of those as of now.

 

Is there an impact when users change their password?

[a] - No, this is a separate authentication method.

 

What is the difference between password login and FIDO login? Does the user still obtain a Kerberos ticket?

[a] - Yes, they do. Details in the responses below.

 

How do we determine which domain controllers support FIDO login? Is there any PowerShell to query the number of servers that support FIDO login?

[a] - To check if you can see a server that is running the feature, check the output of nltest /dsgetdc:redmond /keylist /kdc

 

Can you explain the login flow using FIDO? Does the client authenticate with Azure AD and pass the token to the Win2016 server?

[a] - The details of the authentication flow are available here https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...

 

Which event log do we look at on Windows Server to determine that a computer or user logged in via FIDO?

[a] - Will get back with this detail.

 

Can a client log in with FIDO while temporarily offline, using the cache?

[a] - Yes, though it requires an internet connection and line of sight to the DC for the first login or bootstrapping.

 

A FIDO U2F device relies on a public/private key pair; do they expire and need to be renewed?

[a] - I am not sure about this and will have to check back.

 

Hope this helps. 

Copper Contributor

After further testing it appears the server patches mentioned in the article (Server 2016/Server 2019) are not required if you already have the February 2020 Cumulative update installed. I can confirm logging in with FIDO2 security keys for hybrid Azure-AD Joined Windows 10 devices is working successfully after following the instructions to "Create Kerberos server object" on our AD Connect server as described in the following article - https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password...

Copper Contributor

@Adam Parker -  Thank you for the confirmation.  Where did you obtain the credentialprovider.admx that supports the FIDO key?  I'm also in a hybrid environment.

 

-Doug

Copper Contributor

May I validate if it has to be in Insider Build only?   As the web state "Windows Insider Builds 18945 or later"    I wonder if 1909 is considered newer?

Steel Contributor

@nopchai11909 isn't an insider build, it's an SAC: 18945 is newer/later than 1909 as it's an insider build for the upcoming 2004 SAC

Brass Contributor

@Aakashi Yes. The device is Hybrid AAD Joined, running 2004,  19041.113. (Slow Ring)

 

This is being shown after CTRL+ALT+DEL. I have to click on "Sign in Options" to be able to sign in at all.

Clicking on "Security Key" doesn't show the PIN field.

After clicking on smart card or password and then back to "Security Key", the PIN field shows.

Copper Contributor

@Aakashi Thanks, so for users that wish to perform FIDO2 auth, with that only work against patched 2016/2019 domain controllers?   I would like to understand if there's an environment that contains dozens of 2012R2 domain controllers disbursed geographically, would we require that ALL are upgraded and patched to 2016/2019 before this can be considered production deployment ready?

Copper Contributor

@DougTran The new ADMX templates that contain the updated version of credentialprovider.admx do not appear to be available yet. I had to enable the "Turn on security key sign-in" policy on the Windows 10 client computer locally by using gpedit.msc. Hopefully Microsoft will provide an ETA for the release of the templates.

Microsoft

@Adam Parker Thanks for confirming Adam. Yes you are right the patches are cumulative so if you get the latest patch you should be good. I read the post inaccurately :) 

Microsoft

@Greg K Thanks for your interest.

In an environment with multiple servers including 2012, we recommend that you patch “just enough DCs” to support clients that are capable of this new functionality, i.e. FIDO2 support. The clients will seek DCs that are capable of FIDO logon.

Copper Contributor

Our environment is hybrid, I've gone through the procedures multiple times and keep getting the error "Your credential couldn't be verified (code: 0xc000006d,0x0)" The key works as expected in the Office365 realm but not for on-prem Windows login. Anyone else with the same experience or did I just miss something?

Copper Contributor

@AttaBoyLuther 

I have the same problem. 

The Yubikey is working fine when logging in to Office 365, but not for Windows login. 

There are some Events (5061) in the Security Event Log, but not really helpful. 

Copper Contributor

Hello, is there anywhere in Azure AD to specify the minimum PIN length or complexity for security keys?

Copper Contributor

@AttaBoyLuther and @DanTheManSWE same problem for me...upgraded all DC to Win2019...moved AADconnect on DC with FSMO roles...but same error @Aakashi can you help us with some suggestions?

 

Thanks a lot

 

 

Hello @Aakashi Is there any update to share on the support for ADFS?
And other missing pieces in the passwordless journey like support on mobile devices in combination with AAD and the feature to register a key by IT Admins?

Thanks.

Microsoft

@ilsensa7, @AttaBoyLuther and @DanTheManSWE - Are the clients on the latest Insider build (build greater than 18945)? Have you set up the Azure AD Kerberos object in your on-premises environment and registered it to Azure AD using the steps outlined here https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-password... ? If the problem still persists after successfully implementing these steps, I would suggest reaching out to our customer support, who can investigate further by looking into your logs or other details as needed. Thank you for your interest.

Copper Contributor

I have the latest 2004 windows update (19041.264) and I also receive the 0xc000006d,0x0 error when trying to login to my device. FIDO2 works when using it online with Office 365. The command Get-AzureADKerberosServer runs and I see CloudID and Keyversion matching. The Windows 2016 DC has the latest May 12 patch 14393.3686.

Brass Contributor

I have a basic question.

Once you try to sign into the device, that device must be AAD-joined or Hybrid-joined.

My question here is: do you find the primary refresh token (PRT) in the Windows box once you complete the sign-in?

If yes, I am not following how a PRT is possible. My understanding is that the PRT contains the device ID of the AAD-joined or Hybrid-joined device, but in our case, during FIDO2 key registration, we just provisioned the user's public key in his profile without any device association, as follows:

user1 --> pk1 (of YubiKey)

user1 --> pk2 (of Feitian)

So how was AAD able to generate a PRT?

 

Copper Contributor

Will ADFS be supported with FIDO2 keys at all?

Version history
Last update:
‎Aug 19 2021 04:22 PM