From 7de799f287eeb476801c30cc7397b4bd9cc6c61c Mon Sep 17 00:00:00 2001 From: mapalko Date: Tue, 18 Jun 2019 18:19:26 -0700 Subject: [PATCH] Added note for AAD endpoint needed for ADFS to verify cert requests --- .../hello-for-business/hello-hybrid-cert-whfb-provision.md | 3 +++ .../hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md | 3 +++ 2 files changed, 6 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md index 4e0e71aa57..8095b29452 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md @@ -66,6 +66,9 @@ After a successful key registration, Windows creates a certificate request using The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. +> [!NOTE] +> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint. + The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user’s certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.

diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md index da3bf064e5..c4d3011a16 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md @@ -28,6 +28,9 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. +> [!NOTE] +> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint. + ### Configure the Registration Authority Sign-in the AD FS server with *Domain Admin* equivalent credentials.