Hello everyone, my name is Liju and I am a Premier Field Engineer specializing in Active Directory and Azure AD.
FIDO2 support for single sign-on (SSO) was introduced first for cloud resources, and then expanded to include both cloud and on-premises resources. In both cases, you can use either Azure AD joined or Hybrid Azure AD joined Windows 10 devices.
Earlier this year, I was involved in a proof of concept for the more likely scenario: using FIDO2 security keys to log on to Windows 10 devices that are Hybrid Azure AD joined, for SSO to both cloud and on-premises resources. Here are my notes from the field.
For my testing and PoC, I used the Security Key from Yubico that supports FIDO2. This table lists other providers of similar FIDO2 keys.
The FIDO2 specification comes from the Fast IDentity Online (FIDO) alliance and includes the W3C’s Web Authentication (WebAuthn) specification and FIDO Client to Authenticator Protocol (CTAP).
While the WebAuthn APIs are used by web applications to access FIDO2 services, CTAP is used by the client platform (the operating system or browser) to talk to external hardware authenticators.
FIDO2 security keys provide strong password-less authentication, with an optional PIN that serves as an additional factor. Within Azure Active Directory, a successful authentication with a security key satisfies two-factor verification and allows for password reset.
As an alternative to keys that need to be inserted into USB ports, you can also purchase security keys that use Bluetooth Low Energy or NFC.
As a prerequisite to authenticating with FIDO2 security keys and gaining single sign-on to on-premises resources, you need to extend the on-premises Kerberos realm to Azure Active Directory. This is done by running the Set-AzureADKerberosServer cmdlet described later in the post.
This creates a read-only domain controller (RODC) object named AzureADKerberos and an associated Kerberos ticket-granting ticket (TGT) user account, krbtgt_AzureAD.
A key derived from the password of this TGT account is securely published to Azure AD. It is a good practice to reset the password of this and all krbtgt accounts on a regular schedule. To do this with the krbtgt_AzureAD account, use the Set-AzureADKerberosServer cmdlet with the -RotateServerKey switch.
As with the default configuration of any RODC, members of built-in privileged groups are not allowed to have their passwords cached on this RODC object.
This means that this authentication model does not apply to users who are members of the following groups:
The information here is up to date as of May 2020.
These steps allow users to register one or more authentication methods (telephone, security key, authenticator app, etc.) once, for both Multi-Factor Authentication and self-service password reset (SSPR). Without this step, users need to register for each separately, which can be confusing.
Users can access manage mode by going to https://aka.ms/mysecurityinfo. From there, users can add new methods or delete or change existing ones.
By default, the FIDO2 security key authentication method is not available to users of your Azure AD tenant. When you enable it, you can enable it for all users or scope it to one or more groups. In the example shown, I scoped it to members of the FIDO2-Pilot-Users group.
A user will first need to register a security key and add it as an authentication method in their security information page in Azure.
Before you can log on to Windows 10 devices using FIDO2 security keys, you need to enable this functionality. There are several ways to do this; two are shown here, and you only need one of them.
Upon successful deployment, this sets the registry value on the device: HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey - UseSecurityKeyForSignIn (DWORD): 1
This sets the registry value: HKLM\Software\Policies\Microsoft\FIDO - EnableFIDODeviceLogon (DWORD): 1
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
Get-Command *AzureADKerberosServer
CommandType  Name                          Version  Source
-----------  ----                          -------  ------
Cmdlet       Get-AzureADKerberosServer     1.0.0.0  AzureAdKerberos
Cmdlet       Remove-AzureADKerberosServer  1.0.0.0  AzureAdKerberos
Cmdlet       Set-AzureADKerberosServer     1.0.0.0  AzureAdKerberos
Get-AzureADKerberosServer -DomainCredential $domainCred -CloudCredential $cloudCred -Domain HyperCruise.ca
Id :
UserAccount :
ComputerAccount :
DisplayName :
DomainDnsName :
KeyVersion :
KeyUpdatedOn :
KeyUpdatedFrom :
CloudDisplayName :
CloudDomainDnsName :
CloudId :
CloudKeyVersion :
CloudKeyUpdatedOn :
Set-AzureADKerberosServer -DomainCredential $domainCred -CloudCredential $cloudCred -Domain HyperCruise.ca
PS C:\Temp> Get-AzureADKerberosServer -DomainCredential $domainCred -CloudCredential $cloudCred -Domain HyperCruise.ca
Id : 22973
UserAccount : CN=krbtgt_AzureAD,CN=Users,DC=HyperCruise,DC=ca
ComputerAccount : CN=AzureADKerberos,OU=Domain Controllers,DC=HyperCruise,DC=ca
DisplayName : krbtgt_22973
DomainDnsName : HyperCruise.ca
KeyVersion : 147955
KeyUpdatedOn : 2/18/2020 7:53:12 PM
KeyUpdatedFrom : 0-ID-ADDC-01.HyperCruise.ca
CloudDisplayName : krbtgt_22973
CloudDomainDnsName : HyperCruise.ca
CloudId : 22973
CloudKeyVersion : 147955
CloudKeyUpdatedOn : 2/18/2020 7:53:12 PM
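As an added example (not part of the original post), the script below reads the AzureADKerberos object with the same cmdlets and parameters shown above, checks that the on-premises and cloud key versions agree, and rotates the krbtgt_AzureAD key with -RotateServerKey when it is older than an assumed 30-day threshold. It assumes the module path from the post, the HyperCruise.ca domain used in the output above, and that the prompted credentials are a Domain Admin and an Azure AD Global Admin.

```powershell
# Added example, not from the original post: audit and rotate the Azure AD Kerberos server key.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

$domain     = "HyperCruise.ca"             # domain from the post; replace with your own
$maxKeyAge  = [TimeSpan]::FromDays(30)     # assumed rotation policy, not a value from the post
$domainCred = Get-Credential -Message "On-premises Domain Admin credential"
$cloudCred  = Get-Credential -Message "Azure AD Global Admin credential"

$server = Get-AzureADKerberosServer -DomainCredential $domainCred -CloudCredential $cloudCred -Domain $domain

if (-not $server.Id) {
    # All properties come back blank (as in the first Get output in the post) when the
    # AzureADKerberos RODC object has not been created yet.
    Write-Warning "No Azure AD Kerberos server object found for $domain; run Set-AzureADKerberosServer first."
    return
}

# The key version published to Azure AD should match the on-premises one.
if ($server.KeyVersion -ne $server.CloudKeyVersion) {
    Write-Warning ("Key version mismatch: on-premises {0}, cloud {1}" -f $server.KeyVersion, $server.CloudKeyVersion)
}

$keyAge = (Get-Date) - [DateTime]$server.KeyUpdatedOn
Write-Host ("krbtgt_AzureAD key (version {0}) last updated {1:dd} days ago from {2}" -f `
    $server.KeyVersion, $keyAge, $server.KeyUpdatedFrom)

if ($keyAge -gt $maxKeyAge) {
    # -RotateServerKey resets the krbtgt_AzureAD password and republishes the derived key, as described in the post.
    Set-AzureADKerberosServer -DomainCredential $domainCred -CloudCredential $cloudCred -Domain $domain -RotateServerKey
    $after = Get-AzureADKerberosServer -DomainCredential $domainCred -CloudCredential $cloudCred -Domain $domain
    Write-Host ("Rotated: KeyVersion {0} -> {1}, CloudKeyVersion {2}" -f $server.KeyVersion, $after.KeyVersion, $after.CloudKeyVersion)
}
```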
The two sections below use screenshots to show password-less sign-in with FIDO2 security keys to a Windows 10 desktop and to a web application through a browser.
Authentication also grants access to on-premises Active Directory resources.
As mentioned earlier, if you enroll multiple identities with the same FIDO2 token:
However, this does not work when logging on to a Windows 10 PC; you are not given a choice of which identity to use. Windows automatically uses the last registered FIDO2 identity on the token.
Resetting your security key deletes everything from the key and returns it to factory defaults; all data and credentials are cleared.
Events are logged in the Microsoft-Windows-WebAuthN/Operational log and are quite detailed. The main events are given in the table below:
Id   | Task Category              | Description                           | Level
-----|----------------------------|---------------------------------------|------------
1003 | WebAuthN Ctap GetAssertion | WebAuthN Ctap GetAssertion started.   | Information
1004 | WebAuthN Ctap GetAssertion | WebAuthN Ctap GetAssertion completed. | Success
1005 | WebAuthN Ctap GetAssertion | WebAuthN Ctap GetAssertion completed. | Error
2100 | Ctap Command               | Ctap GetAssertion started.            | Information
2100 | Ctap Command               | Ctap GetInfo started.                 | Information
2100 | Ctap Command               | Ctap MakeCredential started.          | Information
2100 | Ctap Command               | Ctap NotifyStart started.             | Information
2100 | Ctap Command               | Ctap NotifyStop started.              | Information
2102 | Ctap Command               | Ctap GetAssertion completed.          | Success
2102 | Ctap Command               | Ctap GetInfo completed.               | Success
2102 | Ctap Command               | Ctap MakeCredential completed.        | Success
2102 | Ctap Command               | Ctap NotifyStart completed.           | Success
2102 | Ctap Command               | Ctap NotifyStop completed.            | Success
2103 | Ctap Command               | Ctap GetAssertion completed.          | Error
2104 | Ctap Device Info           | Ctap device info.                     | Information
2220 | Ctap Usb Add               | Ctap Usb add device.                  | Information
2222 | Ctap Usb Changes           | Ctap Usb device changes.              | Information
CTAP commands and description
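As an added example (not part of the original post), this script ties together the two enablement registry values described earlier and the event IDs in the table above: it reports whether security key sign-in is enabled on the device and summarises the last 24 hours (an assumed window) of the Microsoft-Windows-WebAuthN/Operational log, flagging the error events 1005 and 2103. Run it in an elevated PowerShell session on the Windows 10 device.

```powershell
# Added example, not from the original post: check FIDO2 sign-in policy and summarise WebAuthN/CTAP events.

# Either of the two registry values described in the post enables security key sign-in.
$policies = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'; Name = 'UseSecurityKeyForSignIn' },
    @{ Path = 'HKLM:\Software\Policies\Microsoft\FIDO';                         Name = 'EnableFIDODeviceLogon' }
)
$enabled = $false
foreach ($p in $policies) {
    $value = (Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    $shown = if ($null -eq $value) { 'not set' } else { $value }
    Write-Host ("{0}\{1} = {2}" -f $p.Path, $p.Name, $shown)
    if ($value -eq 1) { $enabled = $true }
}
if (-not $enabled) { Write-Warning 'Security key sign-in is not enabled by policy on this device.' }

# Event IDs and their meaning, taken from the table in the post; 1005 and 2103 are the error outcomes.
$meaning = @{
    1003 = 'WebAuthN Ctap GetAssertion started'; 1004 = 'WebAuthN Ctap GetAssertion completed (success)'
    1005 = 'WebAuthN Ctap GetAssertion completed (error)'
    2100 = 'Ctap command started';               2102 = 'Ctap command completed (success)'
    2103 = 'Ctap GetAssertion completed (error)'
    2104 = 'Ctap device info';                   2220 = 'Ctap Usb add device'; 2222 = 'Ctap Usb device changes'
}

# Read the operational log named in the post for the last 24 hours (assumed window).
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Microsoft-Windows-WebAuthN/Operational'; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Host 'No WebAuthN events in the last 24 hours.'; return }

# Count per event ID; a sign-in that starts (1003/2100) but never completes (1004/2102) shows up here.
$events | Group-Object Id | Sort-Object { [int]$_.Name } | ForEach-Object {
    $id   = [int]$_.Name
    $text = if ($meaning.ContainsKey($id)) { $meaning[$id] } else { 'other' }
    "{0,5}  {1,4}  {2}" -f $id, $_.Count, $text
}

# Show the failed GetAssertion events in full; the message text carries the detail of each failure.
foreach ($e in ($events | Where-Object { $_.Id -in @(1005, 2103) })) {
    Write-Warning ("{0}  Id {1}: {2}" -f $e.TimeCreated, $e.Id, ($e.Message -replace '\s+', ' '))
}
```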
This has been a long post, but hopefully the information in it can shed some light on how FIDO2 security keys work for SSO to on-premises and cloud resources, and make it easier to deploy this to your users.