From 0698551ddba4bd99d3d06c7550a103103680f912 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Fri, 10 May 2019 12:52:08 -0500 Subject: [PATCH 01/10] Update hello-hybrid-key-trust-prereqs.md --- .../hello-hybrid-key-trust-prereqs.md | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1993139da7..73a2919976 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -58,7 +58,20 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012. +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can use a 3rd Party enterprise certification authority too. The detailed requieriments for the Domain Controller certificate are shown below. + +* The certificate must have a CRL distribution-point extension that points to a valid certificate revocation list (CRL). +* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name) +* The certificate Key Usage section must contain: +Digital Signature, Key Encipherment +* Optionally, the certificate Basic Constraints section should contain: +[Subject Type=End Entity, Path Length Constraint=None] +* The certificate Enhanced Key Usage section must contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) +* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. +* The certificate template must have an extension that has the BMP data value "DomainController." +* The domain controller certificate must be installed in the local computer's certificate store + + > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: From d42a7b0c3b97ca0c8f40495219e917f95e764845 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 11:57:49 -0500 Subject: [PATCH 02/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 73a2919976..2e9bd1375c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -58,7 +58,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object. -The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can use a 3rd Party enterprise certification authority too. The detailed requieriments for the Domain Controller certificate are shown below. +The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. * The certificate must have a CRL distribution-point extension that points to a valid certificate revocation list (CRL). * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name) From 250089d828d765c881cb41693a911bf249907ea8 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 11:58:41 -0500 Subject: [PATCH 03/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 2e9bd1375c..cfa4d2724c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -60,7 +60,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. -* The certificate must have a CRL distribution-point extension that points to a valid certificate revocation list (CRL). +* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name) * The certificate Key Usage section must contain: Digital Signature, Key Encipherment From 70f35d9b556ca77586782b3fa234d89b59e7ebee Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 11:59:11 -0500 Subject: [PATCH 04/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index cfa4d2724c..8e2a006a40 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -61,7 +61,7 @@ Key trust deployments do not need client issued certificates for on-premises aut The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below. * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. -* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name) +* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain: Digital Signature, Key Encipherment * Optionally, the certificate Basic Constraints section should contain: From 6f1af988debf6ac45f39b9d2dd82f20f68fad894 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 11:59:46 -0500 Subject: [PATCH 05/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 8e2a006a40..fa127fbc9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -63,7 +63,6 @@ The minimum required enterprise certificate authority that can be used with Wind * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain: -Digital Signature, Key Encipherment * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None] * The certificate Enhanced Key Usage section must contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) From 479a1ff8734f6d075d3ef75328f6d9013145d24b Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 12:00:13 -0500 Subject: [PATCH 06/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index fa127fbc9c..5255ad8eec 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -62,7 +62,7 @@ The minimum required enterprise certificate authority that can be used with Wind * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL. * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). -* The certificate Key Usage section must contain: +* The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None] * The certificate Enhanced Key Usage section must contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) From 72371c8e34b8d360a8036c9f662f20da9f9debe2 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 12:00:31 -0500 Subject: [PATCH 07/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 5255ad8eec..dfe1bdb31d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -65,7 +65,7 @@ The minimum required enterprise certificate authority that can be used with Wind * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None] -* The certificate Enhanced Key Usage section must contain: Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1) +* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the BMP data value "DomainController." * The domain controller certificate must be installed in the local computer's certificate store From 6f42299166ef7a8eb90d449098abd5fd088c077a Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 12:00:54 -0500 Subject: [PATCH 08/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index dfe1bdb31d..c6ad8bf880 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -64,7 +64,6 @@ The minimum required enterprise certificate authority that can be used with Wind * Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name). * The certificate Key Usage section must contain Digital Signature and Key Encipherment. * Optionally, the certificate Basic Constraints section should contain: -[Subject Type=End Entity, Path Length Constraint=None] * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the BMP data value "DomainController." From dca438d5b4f8cbf5c36ad1d1d5085956a2a00dd4 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 12:01:09 -0500 Subject: [PATCH 09/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index c6ad8bf880..86afa736bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -66,7 +66,7 @@ The minimum required enterprise certificate authority that can be used with Wind * Optionally, the certificate Basic Constraints section should contain: * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. -* The certificate template must have an extension that has the BMP data value "DomainController." +* The certificate template must have an extension that has the BMP data value "DomainController". * The domain controller certificate must be installed in the local computer's certificate store From 3aa10bc1504fdadd15316df6265672b3d99120bb Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 13 May 2019 12:01:35 -0500 Subject: [PATCH 10/10] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 86afa736bf..9b3432c015 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -67,7 +67,7 @@ The minimum required enterprise certificate authority that can be used with Wind * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name. * The certificate template must have an extension that has the BMP data value "DomainController". -* The domain controller certificate must be installed in the local computer's certificate store +* The domain controller certificate must be installed in the local computer's certificate store.