deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 14:27:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Added note for AAD endpoint needed for ADFS to verify cert requests

Browse Source
This commit is contained in:
mapalko 2019-06-18 18:19:26 -07:00
parent 533a2e9ad3
commit 7de799f287
2 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
View File

@ -66,6 +66,9 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
> [!NOTE]
> In order for AD FS to verify the key used in the certificate request, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center. The certificate authority validates the certificate was signed by the registration authority. On successful validation of the signature, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current users certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Windows Action Center.
<br><br> <br><br>

3
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -28,6 +28,9 @@ The Windows Server 2016 Active Directory Federation Server Certificate Registrat
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
> [!NOTE]
> In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.
### Configure the Registration Authority ### Configure the Registration Authority
Sign-in the AD FS server with *Domain Admin* equivalent credentials. Sign-in the AD FS server with *Domain Admin* equivalent credentials.