deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-21 21:33:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

federation with AADJ

Browse Source 
updated
This commit is contained in:
Nagappan Veerappan
2021-04-21 15:54:11 -07:00
committed by GitHub
parent 5b90218121
commit 1f873c0e34
1 changed files with 6 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -51,6 +51,8 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.<br>The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
!Note: You may have on-prem domain Federated with Azure AD. Once user successfully provisioned WHFB PIN/Bio on the AADJ device. Any future login of WHFB (PIN/Bio) sign-in will directly authenticate against AAD to get PRT as well as it trigger authenticate against your DC (if LOS to DC available) to get kerberos.it no longer use ADFS to authenticate for WHFB signins.
## Azure AD join authentication to Active Directory using a Certificate
![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png)
@ -61,6 +63,10 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
!Note: You may have on-prem domain Federated with Azure AD. Once user successfully provisioned WHFB PIN/Bio on. Any future login of WHFB (PIN/Bio) sign-in will directly authenticate against AAD to get PRT. as well as Authenticate against your DC (if LOS to DC available) to get kerberos as mentioned above. ADFS federation used only when Enterprise PRT calls are placed from client. you need to have device write back enabled to get "Enterprise PRT" from your federation.
## Hybrid Azure AD join authentication using a Key
![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png)