Forum Discussion
Stefan Ringler
Apr 04, 2018 Brass Contributor
On-prem access from an aad joined device with Windows Hello for Business
Recently one of my clients asked me to setup Windows Hello for Business as part of our Modern IT Management PoC. So currently they are using convenience pin and the use case was that on their Modern ...
Yeah, I got everything set up and working. It's the same issue with PIN not working, but I finally found a good explanation and how to fix it in the same guide here: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base
Basically, like you said, the CRL, which I was confused by publishing to the internet in your original statement, but it makes sense now: you can't get the default CRL because you cannot query Active Directory because you're not authenticated yet, and it requires that CRL, so you publish it to an internal HTTP endpoint so it can pass that check. At least that's what it looks like; I'm working on setting that up now. Then hopefully PIN will work!
Dec 14, 2018
Do you happen to know if renewing and rekeying the Domain Controller certificate as one of those steps, adding the new CDP etc., will have any effect on current client machines etc.?
JonasBack
Mar 06, 2019 Steel Contributor
Great discussion! One thing to point out that is not clearly mentioned for the Key Trust model is that you need to deploy a new certificate template to your domain controllers: the Kerberos Authentication template instead of the default Domain Controller Authentication template. It's not enough to add KDC Authentication in Intended Purposes on the old default template since this template does not have the FQDN of the domain in the certificate.
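The two prerequisites raised in this thread (an HTTP CRL distribution point that an unauthenticated client can fetch, and a DC certificate from the Kerberos Authentication template that carries the domain FQDN and the KDC Authentication EKU) can be checked on a domain controller with the script below. It is an added example written for this page, not code from the thread or from Microsoft's guide. It assumes the DC certificate is in the machine personal store (Cert:\LocalMachine\My), takes the domain name from the machine's own domain unless you pass -DomainFqdn, and treats only http(s) URLs in the CDP extension as usable, since an LDAP CDP cannot be reached before the client authenticates. The function name Test-DcKeyTrustCertificate is my own choice.

```powershell
# Added example: checks the Key Trust certificate prerequisites discussed above.
# Run in an elevated PowerShell session on a domain controller. Not from the thread.

function Test-DcKeyTrustCertificate {
    [CmdletBinding()]
    param(
        # Domain DNS name that must appear in the certificate SAN.
        # Assumption: defaults to the domain of the machine running the check.
        [string]$DomainFqdn = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Name
    )

    $kdcAuthOid = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU
    $cdpOid     = '2.5.29.31'         # CRL Distribution Points extension

    # Only certificates carrying the KDC Authentication EKU are candidates.
    # A certificate from the old Domain Controller Authentication template
    # will not show up here unless that EKU was added to the template.
    $candidates = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcAuthOid }

    if (-not $candidates) {
        Write-Warning "No certificate with the KDC Authentication EKU ($kdcAuthOid) in Cert:\LocalMachine\My."
        return
    }

    foreach ($cert in $candidates) {
        $result = [ordered]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            NotAfter         = $cert.NotAfter
            SanDnsNames      = ($cert.DnsNameList.Unicode -join ', ')
            HasDomainFqdn    = $false
            HttpCdpUrls      = @()
            HttpCdpReachable = $false
        }

        # Key Trust needs the domain DNS name itself in the SAN, not just the
        # DC host name. The Kerberos Authentication template adds it; the
        # Domain Controller Authentication template does not.
        $result.HasDomainFqdn = [bool]($cert.DnsNameList.Unicode |
            Where-Object { $_ -ieq $DomainFqdn })

        # Read the CDP extension as text and keep only HTTP(S) URLs.
        $cdpExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
        if ($cdpExt) {
            $text = $cdpExt.Format($true)
            $result.HttpCdpUrls = @([regex]::Matches($text, 'URL=(https?://\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }

        # Fetch each HTTP CDP anonymously, the way a not-yet-authenticated
        # client would have to. Any non-empty 200 response counts as reachable.
        foreach ($url in $result.HttpCdpUrls) {
            try {
                $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
                if ($resp.StatusCode -eq 200 -and $resp.RawContentLength -gt 0) {
                    $result.HttpCdpReachable = $true
                }
            } catch {
                Write-Warning "CRL fetch failed for ${url}: $($_.Exception.Message)"
            }
        }

        [pscustomobject]$result
    }
}

Test-DcKeyTrustCertificate | Format-List
```

If HasDomainFqdn comes back $false, the DC is still enrolled from the Domain Controller Authentication template and needs the Kerberos Authentication template before PIN sign-in will work; if HttpCdpUrls is empty or HttpCdpReachable is $false, the CRL is only published to LDAP (or the HTTP endpoint is down), which is the failure the thread describes. For a second opinion on the revocation path, certutil -urlfetch -verify against the exported DC certificate exercises the same CDP URLs.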