From 5ea3075b0a67d9bab044443dfb48738cc2aed8c9 Mon Sep 17 00:00:00 2001
From: ChunlinXuMSFT <40968607+ChunlinXuMSFT@users.noreply.github.com>
Date: Tue, 11 Feb 2025 14:25:14 +1100
Subject: [PATCH 1/3] Update faq.yml to fix wrong information about cloud trust compatibility with a real RODC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

As per internal discussion and tests, we confirmed with the engineering team that there is a known issue between cloud trust and a real RODC:

1. WHfB cloud trust would only work with an RODC if the user's password can't be cached by that RODC (as per the Password Replication Policy). That is, the RODC will return TGT_Revoked to the client after successfully verifying the partial TGT from the WHfB cloud trust client if the user is supposed to have a password cached locally on the local RODC.
2. Auth can be successful if the same RODC has KDC certs and then it can fail over to key trust.
---
 windows/security/identity-protection/hello-for-business/faq.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml
index 26e30724a9..8b205bbe9f 100644
--- a/windows/security/identity-protection/hello-for-business/faq.yml
+++ b/windows/security/identity-protection/hello-for-business/faq.yml
@@ -212,7 +212,7 @@ sections: This feature doesn't work in a pure on-premises AD domain services environment. - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment? answer: | - Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exchange the partial TGT. As long as you have at least one writeable DC per site, login with cloud Kerberos trust will work. + Windows Hello for Business cloud Kerberos trust will still work if the client directly talks with a wriable domain controller or talks with RODC which doesn't cache credential of the user who tries to sign-in as per Password Replication Policy. If the client happens to contact a local RODC and the user can cache credentials on the same RODC, Windows Hello for business cloud Kerberos trust may fail. In a production environment, most customers deploy KDC certificates to all domain controllers including RODC to support LDAP over SSL. If so, the authentication will transparently failover to Windows Hello for Business key trust authentication and user signin will still be successful. - question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust? answer: | Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when: From 60df47a7bd329c5b6926e2bce7e5df77e8142d1d Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 12 Feb 2025 07:58:16 -0500 Subject: [PATCH 2/3] Clarify RODC support for cloud Kerberos trust --- .../security/identity-protection/hello-for-business/faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index 8b205bbe9f..f133b4dfd0 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml 
+++ b/windows/security/identity-protection/hello-for-business/faq.yml 
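Review bot: on the patch 1/3 hunk at line 212, the new answer gives the wrong reason for the certificate in "most customers deploy KDC certificates to all domain controllers including RODC to support LDAP over SSL": LDAP over SSL needs a server-authentication certificate on the DC, while the KDC certificate is what PKINIT, and therefore Windows Hello for Business key trust, relies on. State plainly that the KDC certificate is needed for the key trust fallback, and replace the vague "may fail" with the failure mode the commit message itself describes, e.g. "the RODC returns TGT_Revoked after validating the partial TGT when the user's password is allowed to be cached on that RODC". Also fix the typos in the added line: "wriable" (writable), "sign-in" used as a verb, "Windows Hello for business", and "signin" (sign-in).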
@@ -210,9 +210,9 @@ sections: - question: Does Windows Hello for Business cloud Kerberos trust work in my on-premises environment? answer: | This feature doesn't work in a pure on-premises AD domain services environment. - - question: Does Windows Hello for Business cloud Kerberos trust work in a Windows sign-in with RODC present in the hybrid environment? + - question: Does Windows Hello for Business cloud Kerberos trust work with RODC present in the hybrid environment? answer: | - Windows Hello for Business cloud Kerberos trust will still work if the client directly talks with a wriable domain controller or talks with RODC which doesn't cache credential of the user who tries to sign-in as per Password Replication Policy. If the client happens to contact a local RODC and the user can cache credentials on the same RODC, Windows Hello for business cloud Kerberos trust may fail. In a production environment, most customers deploy KDC certificates to all domain controllers including RODC to support LDAP over SSL. If so, the authentication will transparently failover to Windows Hello for Business key trust authentication and user signin will still be successful. + Windows Hello for Business cloud Kerberos trust functions correctly when the client authenticates directly to a writable domain controller or to a Read-Only Domain Controller (RODC) that doesn't cache the user's credentials, in accordance with the Password Replication Policy. If the client attempts to authenticate to an RODC that can cache the user's credentials, cloud Kerberos trust authentication might fail. To mitigate this, deploy KDC certificates to all RODCs to support Windows Hello for Business key trust authentication, which is also required for those RODCs to support LDAP over SSL. This configuration ensures that authentication can seamlessly failover to Windows Hello for Business key trust authentication, thereby guaranteeing successful user authentication. 
- question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust? answer: | Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when: From 494304bf56a1ebaf2543dfdd150ae62104407eb7 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 12 Feb 2025 08:01:51 -0500 Subject: [PATCH 3/3] Fix indentation in FAQ answer text --- windows/security/identity-protection/hello-for-business/faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/faq.yml b/windows/security/identity-protection/hello-for-business/faq.yml index f133b4dfd0..3a5d20bea8 100644 --- a/windows/security/identity-protection/hello-for-business/faq.yml +++ b/windows/security/identity-protection/hello-for-business/faq.yml 
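Review bot: on the patch 2/3 hunk at line 210, the rewritten answer still ties the KDC certificate to LDAP over SSL ("which is also required for those RODCs to support LDAP over SSL"); the KDC certificate is what key trust (PKINIT) needs, LDAPS needs a server-authentication certificate, so drop or reword that clause. "thereby guaranteeing successful user authentication" also overstates: a KDC certificate on the RODC alone does not make key trust work, the user's public key must also be registered in Active Directory, so the fallback only succeeds for users who actually have key trust deployed. Suggest ending with "so that authentication can fall back to Windows Hello for Business key trust where key trust is deployed for the user". The question rename is fine; consider "with an RODC present" rather than "with RODC present".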
@@ -212,7 +212,7 @@ sections: This feature doesn't work in a pure on-premises AD domain services environment. - question: Does Windows Hello for Business cloud Kerberos trust work with RODC present in the hybrid environment? answer: | - Windows Hello for Business cloud Kerberos trust functions correctly when the client authenticates directly to a writable domain controller or to a Read-Only Domain Controller (RODC) that doesn't cache the user's credentials, in accordance with the Password Replication Policy. If the client attempts to authenticate to an RODC that can cache the user's credentials, cloud Kerberos trust authentication might fail. To mitigate this, deploy KDC certificates to all RODCs to support Windows Hello for Business key trust authentication, which is also required for those RODCs to support LDAP over SSL. This configuration ensures that authentication can seamlessly failover to Windows Hello for Business key trust authentication, thereby guaranteeing successful user authentication. + Windows Hello for Business cloud Kerberos trust functions correctly when the client authenticates directly to a writable domain controller or to a Read-Only Domain Controller (RODC) that doesn't cache the user's credentials, in accordance with the Password Replication Policy. If the client attempts to authenticate to an RODC that can cache the user's credentials, cloud Kerberos trust authentication might fail. To mitigate this, deploy KDC certificates to all RODCs to support Windows Hello for Business key trust authentication, which is also required for those RODCs to support LDAP over SSL. This configuration ensures that authentication can seamlessly failover to Windows Hello for Business key trust authentication, thereby guaranteeing successful user authentication. - question: Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust? 
answer: | Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller when:
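Review bot: on the patch 3/3 hunk at line 212, the removed and added answer lines read identically here because the change is whitespace-only, so there is no text to review; confirm the new line is indented one level deeper than "answer: |" and matches the indentation of the neighbouring answers, since a YAML block scalar at the wrong level breaks parsing of the rest of the "sections" list. "git diff -w" on this commit should produce an empty diff.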