From 0698551ddba4bd99d3d06c7550a103103680f912 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Fri, 10 May 2019 12:52:08 -0500 Subject: [PATCH] Update hello-hybrid-key-trust-prereqs.md --- .../hello-hybrid-key-trust-prereqs.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1993139da7..73a2919976 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
@@ -58,7 +58,20 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can use a 3rd Party enterprise certification authority too. The detailed requieriments for the Domain Controller certificate are shown below. + +* The certificate must have a CRL distribution-point extension that points to a valid certificate revocation list (CRL). +* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name) +* The certificate Key Usage section must contain: +Digital Signature, Key Encipherment +* Optionally, the certificate Basic Constraints section should contain: +[Subject Type=End Entity, Path Length Constraint=None] +* The certificate Enhanced Key Usage section must contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) +* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. +* The certificate template must have an extension that has the BMP data value "DomainController." +* The domain controller certificate must be installed in the local computer's certificate store + + > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
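Review bot: the new sentence in this hunk misspells "requieriments" (should be "requirements"), mixes "certificate authority" and "certification authority" in one breath, and uses "3rd Party" where "third-party" is expected; suggested wording: "The minimum required enterprise certification authority that can be used with Windows Hello for Business is Windows Server 2012, but a third-party enterprise certification authority can be used as well. The detailed requirements for the domain controller certificate are listed below." The list itself mixes hard requirements ("must contain") with two bullets that begin "Optionally, ... should contain"; since the list is introduced as requirements, either move the optional items into a separate sentence or state plainly that they are recommended, not required, so an administrator configuring a third-party CA does not treat them as mandatory. The Key Usage and Basic Constraints bullets put their values on a separate line ("Digital Signature, Key Encipherment", "[Subject Type=End Entity, Path Length Constraint=None]"); keep each value on the bullet's own line so markdown renders it as part of that list item. The bullet "The certificate template must have an extension that has the BMP data value" would be clearer if it named the extension it means (the certificate template name extension) rather than "an extension". Minor: the period belongs outside the quotes in "DomainController.", the final bullet lacks a terminating period, and the two trailing blank "+" lines leave a double blank line before the IMPORTANT callout.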