From 5ea3075b0a67d9bab044443dfb48738cc2aed8c9 Mon Sep 17 00:00:00 2001 From: ChunlinXuMSFT <40968607+ChunlinXuMSFT@users.noreply.github.com> Date: Tue, 11 Feb 2025 14:25:14 +1100 Subject: [PATCH] Update faq.yml to fix wrong information cloud trust compatibility with a real RODC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit as per internal discussion and tests, we confirmed with engineering team there is a known issue between cloud trust and real RODC: 1. WHfB Cloud trust would only work with RODC if the user’s password can’t be cached by that RODC (as per the password replicdation policy). that is, RODC will to return TGT_Revoked to the client after successfully verifying the partial tgt from WHfB cloud trust client if the user is supposed to have a password cached locally on local RODC. 2. Auth can be successful if the same RODC has KDC certs and then it can failover to Key trust. --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 26e30724a9..8b205bbe9f 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml @@ -212,7 +212,7 @@ sections: This feature doesn't work in a pure on-premises AD domain services environment. - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment? answer: | - Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work. + Windows Hello for Business cloud Kerberos trust will still work if the client directly talks with a wriable domain controller or talks with RODC which doesn't cache credential of the user who tries to sign-in as per Password Replication Policy. If the client happens to contact a local RODC and the user can cache credentials on the same RODC, Windows Hello for business cloud Kerberos trust may fail. In a production environment, most customers deploy KDC certificates to all domain controllers including RODC to support LDAP over SSL. If so, the authentication will transparently failover to Windows Hello for Business key trust authentication and user signin will still be successful. - question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust? answer: | Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when: