Windows 10 Hybrid Join User Authentication for PRT

%3CLINGO-SUB%20id%3D%22lingo-sub-2339166%22%20slang%3D%22en-US%22%3EWindows%2010%20Hybrid%20Join%20User%20Authentication%20for%20PRT%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2339166%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Team%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20are%20attempting%20to%20do%20Hybrid%20Device%20Join%20for%20Windows%2010%2C%3C%2FP%3E%3CP%3Efor%20Authentication%20we%20have%20federation%20setup%20using%20Onprem%20AD%20Fed%20%26lt%3B-%26gt%3B%20Azure%20AD%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20There%20is%20new%20thing%20noticed%20is%20when%20a%20user%20(synced%20to%20AAD)%20is%20using%20Office%20365%20ProPlus%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20They%20get%20a%20message%20to%20let%20their%20organization%20manage%20this%20device%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E3.%20If%20the%20user%20clicks%20Yes%2FOk%20Username%20and%20Device%20are%20Registered%20in%20Azure%20AD%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E4.%20After%20which%20it%20is%20noticed%20that%20there%20is%20no%20need%20to%20username%2Fpassword%20for%20the%20user%20to%20sign%20in%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E5.%20infact%20it%20is%20observed%20that%20no%20requests%20are%20forwarded%20to%20IDP%2FSTS%20anymore%2C%20when%20this%20registration%20happen%20there%20is%20a%20connected%20work%2Fschool%20account%20gets%20registered%20on%20windows%2010%20in%20settings%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E6.%20The%20token%20used%20here%20is%20this%20PRT%20%3F%3F%3F%20bcoz%20when%20running%20DsRegCmd%20%2FDebug%20%2FStatus%20does%20not%20show%20AzureADPRT%20as%20NO%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E7.%20However%20when%20the%20same%20device%20is%20Hybrid%20joined%20then%20running%20the%20above%20command%20very%20clearly%20shows%20AzureADPRT%20as%20YES%20and%20its%20issuance%20validity%20expiry%20details%20etc.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E8.%20So%20what%20is%20the%20difference%20in%20the%20two%20what%20is%20exactly%20is%20the%20above%20one%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E9.%20Also%20specific%20to%20Federation%20and%20PRT%20when%20the%20device%20is%20Hybrid%20and%20on%20the%20device%20it%20can%20be%20seen%20AzureADPrt%20is%20there%20during%20this%20Federation%20Auth%20Flow%20especially%20when%20it%20is%20the%20very%20first%20logon%20right%20after%20when%20the%20device%20has%20been%20made%20hybrid%20there%20is%20a%20specific%20tokenprocessor%20which%20used%20here%20it%20is%20called%20%22UsernameTokenProcessor%22%2C%20it%20is%20seen%20here%20that%20lsass%20has%20the%20user%20password%20in%20clear%20text%20which%20is%20exchanged%20in%20a%20TLS%20session%2C%3C%2FP%3E%3CP%3Ehow%20to%20stop%20this%20%3F%2C%3C%2FP%3E%3CP%3Ehow%20to%20stop%20windows%20from%20keeping%20from%20clear%20text%20password%20%3F%2C%3C%2FP%3E%3CP%3EWhat%20are%20the%20implications%2C%20how%20to%20monitor%2Fanalyze%20%3F%3F%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBR%2C%3C%2FP%3E%3CP%3E%2FHS%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2339166%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EWindows%2010%20Hybrid%20Join%20User%20Authentication%20for%20PRT%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2356903%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20Hybrid%20Join%20User%20Authentication%20for%20PRT%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2356903%22%20slang%3D%22en-US%22%3EHello%2C%3CBR%20%2F%3E%3CBR%20%2F%3EWe%20are%20a%20bit%20further%20now%20on%20this%2C%20Yes%20all%20of%20this%20is%20known%2C%20that%20is%20how%20we%20are%20able%20to%20understand%20and%20share%20this%20much%3CBR%20%2F%3E%3CBR%20%2F%3Ehowever%20my%20concerns%20are%20may%20be%20not%20clear%20in%20the%20last%20post%3CBR%20%2F%3E1.%20This%20UTP%20Username%20Token%20Processor%20can%20this%20be%20disabled%20and%20still%20have%20the%20PRT%20feature%20continue%20to%20work%20fine%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3E2.%20What%20other%20Authentication%20scheme%20can%20be%20used%20here%2C%20what%20about%20Pass-Thru%20is%20it%20more%20secure%20then%20Federation%20%3F%3CBR%20%2F%3E%3CBR%20%2F%3E3.%20If%20Federation%20is%20still%20the%20most%20secure%20which%20one%20should%20be%20used%20ADFS%20%2F%20PingFed%20which%20one%20has%20better%20security%20capabilities%20which%20is%20more%20equipped%20to%20mitigate%20all%20sorts%20identity%20related%20attacks%3CBR%20%2F%3E%3CBR%20%2F%3EBR%2C%3CBR%20%2F%3E%2FHS%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2356934%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20Hybrid%20Join%20User%20Authentication%20for%20PRT%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2356934%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45912%22%20target%3D%22_blank%22%3E%40Himanshu%20Singh%3C%2FA%3E%26nbsp%3BHello%2C%20this%20isn't%20really%20within%20my%20%22comfort%20zone%22%20but%20I%20will%20answer%20anyway%20hoping%20someone%20else%20might%20fill%20in.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%26nbsp%3B%3CSPAN%3EAs%20far%20as%20I%20know%20it's%20used%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%3Eobtaining%20the%20AAD%20PRT%20using%20pingfederate%20(are%20you%20using%20that%3F)%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E2.%20I'm%20just%20linking%20to%20these%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fchoose-ad-authn%23decision-tree%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EDecision%20tree%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fchoose-ad-authn%23comparing-methods%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3EComparing%20methods%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%3CSPAN%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fhybrid%2Fchoose-ad-authn%23recommendations%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%22%3ERecommendations%3C%2FA%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%3E3.%20I%20can't%20say%20to%20be%20honest.%26nbsp%3BIt%20depends%20on%20the%20needs%20of%20your%20organization.%20If%20possible%20though%2C%20you%20should%20consider%20leaving%20federation%20or%20at%20least%20introduce%20PHS%20on%20top%20of%20ADFS%20(in%20my%20opinion).%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2339875%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20Hybrid%20Join%20User%20Authentication%20for%20PRT%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2339875%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F45912%22%20target%3D%22_blank%22%3E%40Himanshu%20Singh%3C%2FA%3E%26nbsp%3BHi%2C%20have%20you%20read%20this%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAzure%20AD%20joined%20or%20Hybrid%20Azure%20AD%20joined%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20PRT%20is%20issued%20during%20Windows%20logon%20when%20a%20user%20signs%20in%20with%20their%20organization%20credentials.%20A%20PRT%20is%20issued%20with%20all%20Windows%2010%20supported%20credentials%2C%20for%20example%2C%20password%20and%20Windows%20Hello%20for%20Business.%20In%20this%20scenario%2C%20Azure%20AD%20CloudAP%20plugin%20is%20the%20primary%20authority%20for%20the%20PRT.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAzure%20AD%20registered%20device%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EA%20PRT%20is%20issued%20when%20a%20user%20adds%20a%20secondary%20work%20account%20to%20their%20Windows%2010%20device.%20Users%20can%20add%20an%20account%20to%20Windows%2010%20in%20two%20different%20ways.%3CBR%20%2F%3E-%20Adding%20an%20account%20via%20the%20%3CEM%3EUse%20this%20account%20everywhere%20on%20this%20device%3C%2FEM%3E%20prompt%20after%20signing%20in%20to%20an%20app%20(for%20example%2C%20Outlook)%3CBR%20%2F%3E-%20Adding%20an%20account%20from%20%3CEM%3ESettings%20%26gt%3B%20Accounts%20%26gt%3B%20Access%20Work%20or%20School%20%26gt%3B%20Connect%3C%2FEM%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Factive-directory%2Fdevices%2Fconcept-primary-refresh-token%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EPrimary%20Refresh%20Token%20(PRT)%20and%20Azure%20AD%20-%20Azure%20Active%20Directory%20%7C%20Microsoft%20Docs%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2359193%22%20slang%3D%22en-US%22%3ERe%3A%20Windows%2010%20Hybrid%20Join%20User%20Authentication%20for%20PRT%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2359193%22%20slang%3D%22en-US%22%3EI%20get%20that.%20But%20that%20wasn't%20the%20point%20now%20was%20it%3F%20As%20I%20usually%20don't%20reply%20to%20questions%20about%20PRT%20and%20pingfederate%20I%20only%20mentioned%20that%20as%20I%20actually%20hope%20someone%20with%20experience%20from%20it%20will%20join%20the%20conversation.%20So%20instead%20of%20commenting%20only%20that%2C%20did%20the%20reading%20in%20the%20docs%20about%20the%20different%20approaches%20make%20things%20clearer%20for%20you%3F%20I%20think%20the%20decisions%20tree%20is%20simple%20and%20effective.%20If%20not%2C%20perhaps%20you%20should%20consider%20reaching%20out%20to%20the%20official%20support%20with%20a%20service%20request.%3CBR%20%2F%3E%3CBR%20%2F%3EFrom%20my%20experience%20being%20in%20the%20community%20every%20day%20for%20over%20a%20year%20people%20tend%20to%20avoid%20conversations%20like%20these%20(too%20many%20questions)%20in%20case%20you%20wondering%20why%20no%20one%20else%20might%20not%20reply.%3C%2FLINGO-BODY%3E
Frequent Contributor

Hello Team,

 

We are attempting to do Hybrid Device Join for Windows 10,

for Authentication we have federation setup using Onprem AD Fed <-> Azure AD

 

1. There is new thing noticed is when a user (synced to AAD) is using Office 365 ProPlus

 

2. They get a message to let their organization manage this device

 

3. If the user clicks Yes/Ok Username and Device are Registered in Azure AD

 

4. After which it is noticed that there is no need to username/password for the user to sign in

 

5. infact it is observed that no requests are forwarded to IDP/STS anymore, when this registration happen there is a connected work/school account gets registered on windows 10 in settings

 

6. The token used here is this PRT ??? bcoz when running DsRegCmd /Debug /Status does not show AzureADPRT as NO

 

7. However when the same device is Hybrid joined then running the above command very clearly shows AzureADPRT as YES and its issuance validity expiry details etc.

 

8. So what is the difference in the two what is exactly is the above one ?

 

9. Also specific to Federation and PRT when the device is Hybrid and on the device it can be seen AzureADPrt is there during this Federation Auth Flow especially when it is the very first logon right after when the device has been made hybrid there is a specific tokenprocessor which used here it is called "UsernameTokenProcessor", it is seen here that lsass has the user password in clear text which is exchanged in a TLS session,

how to stop this ?,

how to stop windows from keeping from clear text password ?,

What are the implications, how to monitor/analyze ???

 

BR,

/HS

 

 

 

5 Replies

@Himanshu Singh Hi, have you read this?

 

Azure AD joined or Hybrid Azure AD joined:

 

A PRT is issued during Windows logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.

 

Azure AD registered device:

 

A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways.
- Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
- Adding an account from Settings > Accounts > Access Work or School > Connect

 

Primary Refresh Token (PRT) and Azure AD - Azure Active Directory | Microsoft Docs

Hello,

We are a bit further now on this, Yes all of this is known, that is how we are able to understand and share this much

however my concerns are may be not clear in the last post
1. This UTP Username Token Processor can this be disabled and still have the PRT feature continue to work fine ?

2. What other Authentication scheme can be used here, what about Pass-Thru is it more secure then Federation ?

3. If Federation is still the most secure which one should be used ADFS / PingFed which one has better security capabilities which is more equipped to mitigate all sorts identity related attacks

BR,
/HS

@Himanshu Singh Hello, this isn't really within my "comfort zone" but I will answer anyway hoping someone else might fill in.

 

1. As far as I know it's used obtaining the AAD PRT using pingfederate (are you using that?)

 

2. I'm just linking to these

Decision tree 

Comparing methods

Recommendations

 

3. I can't say to be honest. It depends on the needs of your organization. If possible though, you should consider leaving federation or at least introduce PHS on top of ADFS (in my opinion).

Well thats the idea of putting it out in/to the community so that others can also share......
I get that. But that wasn't the point now was it? As I usually don't reply to questions about PRT and pingfederate I only mentioned that as I actually hope someone with experience from it will join the conversation. So instead of commenting only that, did the reading in the docs about the different approaches make things clearer for you? I think the decisions tree is simple and effective. If not, perhaps you should consider reaching out to the official support with a service request.

From my experience being in the community every day for over a year people tend to avoid conversations like these (too many questions) in case you wondering why no one else might not reply.