From 5fb75c1daef8a115df6ca7f754a20bbc045f3390 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 23 Jan 2017 19:36:44 -0800 Subject: [PATCH 1/2] added missing section on NDES and domain controller requirements --- ...ign-on-sso-over-vpn-and-wi-fi-connections.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 827fe72de7..94e4e345e8 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -74,3 +74,20 @@ If the credentials are certificate-based, then the elements in the following tab | SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | | Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. This certificate must be issued using the PassportForWork CSP. | | EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for PassportForWork)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | + +## NDES server configuration + +The NDES server is required to be configured so that incoming SCEP requests can be mapped to the correct template to be used. +For more information, see [Configure certificate infrastructure for SCEP](https://docs.microsoft.com/en-us/intune/deploy-use/Configure-certificate-infrastructure-for-scep). + +## Active Directory requirements + +You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well. + +The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store. + +The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. +This is because Windows 10 Mobile requires strict KDC validation to be enabled. +This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server. +For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382). + From 4f9d16f853fe972a27e18fc474c2805badc0717c Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Mon, 23 Jan 2017 19:57:40 -0800 Subject: [PATCH 2/2] revised references to Windows Hello for Business --- ...use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 94e4e345e8..d790933a66 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -68,12 +68,12 @@ The username should also include a domain that can be reached over the connectio If the credentials are certificate-based, then the elements in the following table need to be configured for the certificate templates to ensure they can also be used for Kerberos client authentication. -| TEmplate element | Configuration | +| Template element | Configuration | |------------------|---------------| | SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. | | SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | -| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. This certificate must be issued using the PassportForWork CSP. | -| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for PassportForWork)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | +| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. | +| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for Windows Hello for Business)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | ## NDES server configuration