deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 22:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md

Browse Source 
Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com>
This commit is contained in:
Nagappan Veerappan
2021-04-22 12:45:13 -07:00
committed by GitHub
parent 85d172fb43
commit 7cc89e4a49
1 changed files with 2 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -64,7 +64,8 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
!Note: You may have on-prem domain Federated with Azure AD. Once user successfully provisioned WHFB PIN/Bio on. Any future login of WHFB (PIN/Bio) sign-in will directly authenticate against AAD to get PRT. as well as Authenticate against your DC (if LOS to DC available) to get kerberos as mentioned above. ADFS federation used only when Enterprise PRT calls are placed from client. you need to have device write back enabled to get "Enterprise PRT" from your federation.
> [!NOTE]
> You may have on-premises domain Federated with Azure AD. Once user successfully provisioned WHFB PIN/Bio on, any future login of WHFB (PIN/Bio) sign-in will directly authenticate against AAD to get PRT, as well as Authenticate against your DC (if LOS to DC available) to get Kerberos as mentioned above. ADFS federation used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation.