cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Windows 10 Hybrid Join User Authentication for PRT

Himanshu Singh
Iron Contributor

‎May 09 2021 09:22 AM - last edited on ‎Jan 14 2022 04:02 PM by

‎May 09 2021 09:22 AM - last edited on ‎Jan 14 2022 04:02 PM by

Windows 10 Hybrid Join User Authentication for PRT

Hello Team,

 

We are attempting to do Hybrid Device Join for Windows 10,

for Authentication we have federation setup using Onprem AD Fed <-> Azure AD

 

1. There is new thing noticed is when a user (synced to AAD) is using Office 365 ProPlus

 

2. They get a message to let their organization manage this device

 

3. If the user clicks Yes/Ok Username and Device are Registered in Azure AD

 

4. After which it is noticed that there is no need to username/password for the user to sign in

 

5. infact it is observed that no requests are forwarded to IDP/STS anymore, when this registration happen there is a connected work/school account gets registered on windows 10 in settings

 

6. The token used here is this PRT ??? bcoz when running DsRegCmd /Debug /Status does not show AzureADPRT as NO

 

7. However when the same device is Hybrid joined then running the above command very clearly shows AzureADPRT as YES and its issuance validity expiry details etc.

 

8. So what is the difference in the two what is exactly is the above one ?

 

9. Also specific to Federation and PRT when the device is Hybrid and on the device it can be seen AzureADPrt is there during this Federation Auth Flow especially when it is the very first logon right after when the device has been made hybrid there is a specific tokenprocessor which used here it is called "UsernameTokenProcessor", it is seen here that lsass has the user password in clear text which is exchanged in a TLS session,

how to stop this ?,

how to stop windows from keeping from clear text password ?,

What are the implications, how to monitor/analyze ???

 

BR,

/HS

 

 

 

2,811 Views
1 Like
5 Replies
Reply
5 Replies
ChristianJBergstrom

‎May 10 2021 12:16 AM

‎May 10 2021 12:16 AM

Re: Windows 10 Hybrid Join User Authentication for PRT

@Himanshu Singh Hi, have you read this?

 

Azure AD joined or Hybrid Azure AD joined:

 

A PRT is issued during Windows logon when a user signs in with their organization credentials. A PRT is issued with all Windows 10 supported credentials, for example, password and Windows Hello for Business. In this scenario, Azure AD CloudAP plugin is the primary authority for the PRT.

 

Azure AD registered device:

 

A PRT is issued when a user adds a secondary work account to their Windows 10 device. Users can add an account to Windows 10 in two different ways.
- Adding an account via the Use this account everywhere on this device prompt after signing in to an app (for example, Outlook)
- Adding an account from Settings > Accounts > Access Work or School > Connect

 

Primary Refresh Token (PRT) and Azure AD - Azure Active Directory | Microsoft Docs

0 Likes
Reply
Himanshu Singh

‎May 15 2021 03:14 AM

‎May 15 2021 03:14 AM

Re: Windows 10 Hybrid Join User Authentication for PRT

Hello,

We are a bit further now on this, Yes all of this is known, that is how we are able to understand and share this much

however my concerns are may be not clear in the last post
1. This UTP Username Token Processor can this be disabled and still have the PRT feature continue to work fine ?

2. What other Authentication scheme can be used here, what about Pass-Thru is it more secure then Federation ?

3. If Federation is still the most secure which one should be used ADFS / PingFed which one has better security capabilities which is more equipped to mitigate all sorts identity related attacks

BR,
/HS
0 Likes
Reply
ChristianJBergstrom

‎May 15 2021 04:05 AM

‎May 15 2021 04:05 AM

Re: Windows 10 Hybrid Join User Authentication for PRT

@Himanshu Singh Hello, this isn't really within my "comfort zone" but I will answer anyway hoping someone else might fill in.

 

1. As far as I know it's used obtaining the AAD PRT using pingfederate (are you using that?)

 

2. I'm just linking to these

Decision tree 

Comparing methods

Recommendations

 

3. I can't say to be honest. It depends on the needs of your organization. If possible though, you should consider leaving federation or at least introduce PHS on top of ADFS (in my opinion).

0 Likes
Reply
Himanshu Singh

‎May 16 2021 10:42 AM

‎May 16 2021 10:42 AM

Re: Windows 10 Hybrid Join User Authentication for PRT

Well thats the idea of putting it out in/to the community so that others can also share......
0 Likes
Reply
ChristianJBergstrom

‎May 16 2021 11:06 AM

‎May 16 2021 11:06 AM

Re: Windows 10 Hybrid Join User Authentication for PRT

I get that. But that wasn't the point now was it? As I usually don't reply to questions about PRT and pingfederate I only mentioned that as I actually hope someone with experience from it will join the conversation. So instead of commenting only that, did the reading in the docs about the different approaches make things clearer for you? I think the decisions tree is simple and effective. If not, perhaps you should consider reaching out to the official support with a service request.

From my experience being in the community every day for over a year people tend to avoid conversations like these (too many questions) in case you wondering why no one else might not reply.
0 Likes
Reply