From 4a885ff7aebe59b5d26c04c47066976ae89cfde1 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 30 Jun 2020 13:56:13 -0700 Subject: [PATCH] Corrected spelling, adding end punctuation --- .../hello-hybrid-cert-whfb-settings-adfs.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index 5f9afbda34..00c8e2e6f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -58,8 +58,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. -3. Right-click **Windows Hello for Business Users** group -4. Click the **Members** tab and click **Add** +3. Right-click **Windows Hello for Business Users** group. +4. Click the **Members** tab and click **Add**. 5. In the **Enter the object names to select** text box, type **adfssvc** or substitute the name of the AD FS service account in your AD FS deployment. Click **OK**. 6. Click **OK** to return to **Active Directory Users and Computers**. 7. Restart the AD FS server. 
@@ -67,12 +67,12 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva > [!NOTE] >For AD FS 2019, if Windows Hello for Business with a Hybrid Certificate trust is performed, a known PRT issue exists. You may encounter this error in ADFS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error: > -> 1. Launch AD FS management console. Brose to "Services > Scope Descriptions" -> 2. Right click "Scope Descriptions" and select "Add Scope Description" -> 3. Under name type "ugs" and Click Apply > OK -> 4. Launch Powershell as Administrator +> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions". +> 2. Right click "Scope Descriptions" and select "Add Scope Description". +> 3. Under name type "ugs" and Click Apply > OK. +> 4. Launch Powershell as Administrator. > 5. Execute the command "Get-AdfsApplicationPermission". Look for the ScopeNames :{openid, aza} that has the ClientRoleIdentifier Make a note of the ObjectIdentifier. -> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs' +> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'. > 7. Restart the ADFS service. > 8. On the client: Restart the client. User should be prompted to provision WHFB. > 9. If the provisioning window does not pop up then need to collect NGC trace logs and further troubleshoot.
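Review bot: The first hunk (lines 60-61 of the file) only adds terminal periods to steps 3 and 4 and is consistent with the surrounding list, but the unchanged context line "Sign-in a domain controller or management workstation with _Domain Admin_ equiva…" uses the noun form "Sign-in" as a verb; since this commit is already a wording pass, it would be worth changing it to "Sign in to a domain controller or management workstation…" in the same change.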
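Review bot: In step 6 of the second hunk the added period lands inside a double quote that is never closed, so `> 6. Execute the command "Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'.` reads as if the period belongs to the command; close the quote before the period, or better, render the command as inline code the way it appears on screen. The same line leaves `-TargetIdentifier` without a value, and step 5 ("…that has the ClientRoleIdentifier Make a note of the ObjectIdentifier.") is missing the punctuation between the two sentences and never says which ClientRoleIdentifier to look for; a labelled placeholder such as `-TargetIdentifier <ObjectIdentifier from step 5>` and a sentence break after "ClientRoleIdentifier" would make the remediation steps followable. While touching these lines, step 4 should read "PowerShell", and step 2 "Right-click" to match step 3 of the first hunk.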