From 8134e69b71bb44fbd166c4078cda92235a6d57ba Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 7 Nov 2019 11:22:56 +0500 Subject: [PATCH 1/4] Added a Note A note is added that we need to enable PKU2U to RDP from hybrid Azure AD joined Server to Azure AD joined Windows 10 devices. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5215 --- ...on-requests-to-this-computer-to-use-online-identities.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 40dcdcacb1..631ab04324 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -30,7 +30,8 @@ Starting with Windows Server 2008 R2 and Windows 7, the Negotiate Security Su When devices are configured to accept authentication requests by using online IDs, Negoexts.dll calls the PKU2U SSP on the computer that is used to log on. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer computers. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. ->**Note:**  The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. +> [!Note] +> The ability to link online IDs can be performed by anyone with an account that has standard user’s credentials through **Credential Manager**. This policy is not configured by default on domain-joined devices. This would disallow the online identities to be able to authenticate to the domain-joined computers in Windows 7 and later. 
@@ -40,6 +41,9 @@ This policy is not configured by default on domain-joined devices. This would di This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. +> [!Note] +> KU2U is disabled by default on server SKUs and thus RDP from a hybrid Azure AD joined server to a Azure AD joined Windows 10 device or Hybrid Azure AD joined domain member Windows 10 device fails. To resolve this PKU2U needs to be enabled on server SKU. + - **Disabled** This will prevent online IDs from being used to authenticate the user to another computer in a peer-to-peer relationship. From be4300497a9ac3b9589db3d6b170d7692a9a0e7a Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 7 Nov 2019 21:36:11 +0500 Subject: [PATCH 2/4] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 631ab04324..5a6809de41 100644 
--- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -42,7 +42,7 @@ This policy is not configured by default on domain-joined devices. This would di This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!Note] -> KU2U is disabled by default on server SKUs and thus RDP from a hybrid Azure AD joined server to a Azure AD joined Windows 10 device or Hybrid Azure AD joined domain member Windows 10 device fails. To resolve this PKU2U needs to be enabled on server SKU. +> KU2U is disabled by default on server SKUs and thus RDP from a hybrid Azure AD joined server to a Azure AD joined Windows 10 device or Hybrid Azure AD joined domain member Windows 10 device fails. To resolve this, PKU2U needs to be enabled on the server SKU. - **Disabled** From baac14d30fb79f9e248649dc8dd2d7db5b62bb57 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 23 Nov 2019 11:26:03 +0500 Subject: [PATCH 3/4] Update windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 5a6809de41..8ed70efa34 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md @@ -42,7 +42,7 @@ This policy is not configured by default on domain-joined devices. This would di This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!Note] -> KU2U is disabled by default on server SKUs and thus RDP from a hybrid Azure AD joined server to a Azure AD joined Windows 10 device or Hybrid Azure AD joined domain member Windows 10 device fails. To resolve this, PKU2U needs to be enabled on the server SKU. +> KU2U is disabled by default on server SKUs and thus, RDP from a hybrid Azure AD joined server to an Azure AD joined Windows 10 device, or Hybrid Azure AD joined domain member Windows 10 device, fails. To resolve this, PKU2U needs to be enabled on the server SKU. - **Disabled** From d7809f3a725713f477ae6e8996794d9d730318b7 Mon Sep 17 00:00:00 2001 
From: Daniel Simpson Date: Tue, 26 Nov 2019 09:48:14 -0800 Subject: [PATCH 4/4] Update network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md --- ...cation-requests-to-this-computer-to-use-online-identities.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md index 8ed70efa34..af0955f3fe 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md 
@@ -42,7 +42,7 @@ This policy is not configured by default on domain-joined devices. This would di This will allow authentication to successfully complete between the two (or more) computers that have established a peer relationship through the use on online IDs. The PKU2U SSP obtains a local certificate and exchanges the policy between the peer devices. When validated on the peer computer, the certificate within the metadata is sent to the logon peer for validation. It associates the user's certificate to a security token, and then the logon process completes. > [!Note] -> KU2U is disabled by default on server SKUs and thus, RDP from a hybrid Azure AD joined server to an Azure AD joined Windows 10 device, or Hybrid Azure AD joined domain member Windows 10 device, fails. To resolve this, PKU2U needs to be enabled on the server SKU. +> KU2U is disabled by default on Windows Server. Remote desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined Windows 10 device, or Hybrid Azure AD-joined domain member Windows 10 device, fails. To resolve this, enable PKU2U on the Server. - **Disabled**
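Review bot: The first hunk of PATCH 1/4 (@@ -30,7 +30,8) is an unrelated formatting change that the commit message does not mention: it converts the existing Credential Manager note from `>**Note:**` to the `> [!Note]` alert syntax and adds no PKU2U/RDP content, while the message says only "A note is added that we need to enable PKU2U to RDP". Either mention the alert conversion in the message or keep it out of this patch so the RDP note can be reviewed on its own.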
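Review bot: In the second hunk of PATCH 1/4 (@@ -40,6 +41,9), the added note misspells the SSP name: `> KU2U is disabled by default on server SKUs` should read `PKU2U`, which is how the same sentence names it two clauses later ("To resolve this PKU2U needs to be enabled on server SKU") and how the page title names it. The same line also needs "an Azure AD joined Windows 10 device" rather than "a Azure AD joined".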
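Review bot: PATCH 2/4 adds the comma and article after "To resolve this" but leaves the capitalization in the same sentence inconsistent: "hybrid Azure AD joined server" is lowercase while "Hybrid Azure AD joined domain member Windows 10 device" is capitalized. Pick one form (lowercase "hybrid" matches the first use), and consider whether "domain member" adds anything the reader does not already get from "hybrid Azure AD joined".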
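Review bot: In PATCH 3/4 the comma inserted after "thus" (`and thus, RDP from a hybrid Azure AD joined server to an Azure AD joined Windows 10 device, ... fails`) separates the conjunction from its clause and reads as a stray pause; `and thus RDP ... fails` or `so RDP ... fails` is cleaner. The commas added around the "or Hybrid Azure AD joined domain member Windows 10 device" alternative are fine, but they push the verb "fails" a long way from its subject "RDP", which is what makes the sentence hard to parse.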
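Review bot: The final wording in PATCH 4/4 has a subject-verb agreement error and still carries the typo introduced in PATCH 1/4: `Remote desktop connections from a hybrid Azure AD-joined server ... fails` needs `fail`, and `> KU2U is disabled by default on Windows Server.` should be `PKU2U`, as the next sentence ("enable PKU2U on the Server") spells it. Splitting into two sentences also dropped the "thus" that tied the failure to the default, so the note now reads as two unrelated facts; suggest `PKU2U is disabled by default on Windows Server, so Remote Desktop connections from a hybrid Azure AD-joined server to an Azure AD-joined or hybrid Azure AD-joined Windows 10 device fail. To resolve this, enable PKU2U on the server.` "Hybrid" mid-sentence and "the Server" should be lowercase to match "hybrid Azure AD-joined server" earlier in the same line.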