deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into release-mcc-ent

Browse Source
This commit is contained in:
Alma Jenks 2024-06-25 18:08:15 +00:00
commit 957b17b461
13 changed files with 52 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-adfs.md
View File

@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in a hybrid certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business hybrid certificate trust model.
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
---
@ -52,19 +52,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
1. Restart the AD FS server
> [!NOTE]
> For AD FS 2019 in a hybrid certificate trust model, a PRT issue exists. You may encounter this error in the AD FS Admin event logs: *Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'*. To remediate this error:
>
> 1. Launch AD FS management console and browse to **Services > Scope Descriptions**
> 1. Right click **Scope Descriptions** and select **Add Scope Description**
> 1. Under name type `ugs` and select **Apply > OK**
> 1. Launch PowerShell as an administrator
> 1. Obtain the *ObjectIdentifier* of the application permission with the `ClientRoleIdentifier` parameter equal to `38aa3b87-a06d-4817-b275-7a316988d93b`:
> ```PowerShell
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> ```
> 1. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
> 1. Restart the AD FS service
> 1. On the client: Restart the client. User should be prompted to provision Windows Hello for Business
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
## Section review and next steps

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-enroll.md
View File

@ -1,7 +1,7 @@
---
title: Configure and enroll in Windows Hello for Business in hybrid certificate trust model
description: Learn how to configure devices and enroll them in Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
---

4
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust-pki.md
View File

@ -1,7 +1,7 @@
---
title: Configure and validate the PKI in an hybrid certificate trust model
title: Configure and validate the PKI in a hybrid certificate trust model
description: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a hybrid certificate trust model.
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
---

2
windows/security/identity-protection/hello-for-business/deploy/hybrid-cert-trust.md
View File

@ -1,7 +1,7 @@
---
title: Windows Hello for Business hybrid certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in a hybrid certificate trust scenario.
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
---

4
windows/security/identity-protection/hello-for-business/deploy/includes/adfs-mfa.md
View File

@ -1,5 +1,5 @@
---
ms.date: 01/03/2024
ms.date: 06/23/2024
ms.topic: include
---
@ -8,6 +8,8 @@ ms.topic: include
Windows Hello for Business requires users perform multifactor authentication (MFA) prior to enroll in the service. On-premises deployments can use, as MFA option:
- certificates
> [!NOTE]
> When using this option, the certificates must be deployed to the users. For example, users can use their smart card or virtual smart card as a certificate authentication option.
- non-Microsoft authentication providers for AD FS
- custom authentication provider for AD FS

2
windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-auth.md
View File

@ -61,4 +61,4 @@ CertUtil: -dsTemplate command completed successfully."
```
>[!NOTE]
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the `Get-CATemplate` ADCS Administration Windows PowerShell cmdlet on your certification authority.
>If you gave your Windows Hello for Business Authentication certificate template a different name, then replace `WHFBAuthentication` in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc).

6
windows/security/identity-protection/hello-for-business/deploy/includes/certificate-template-enrollment-agent.md
View File

@ -3,7 +3,7 @@ ms.date: 01/03/2024
ms.topic: include
---
### Configure an enrollment agent certificate template
## Configure an enrollment agent certificate template
A certificate registration authority (CRA) is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certification authority (CA) for issuance. The CA issues the certificate, returns it to the CRA, which returns the certificate to the requesting user. Windows Hello for Business certificate trust deployments use AD FS as the CRA.
@ -12,7 +12,7 @@ The CRA enrolls for an *enrollment agent certificate*. Once the CRA verifies the
> [!IMPORTANT]
> Follow the procedures below based on the AD FS service account used in your environment.
#### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
### Create an enrollment agent certificate for Group Managed Service Accounts (GMSA)
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.
@ -32,7 +32,7 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
1. Select **OK** to finalize your changes and create the new template
1. Close the console
#### Create an enrollment agent certificate for a standard service account
### Create an enrollment agent certificate for a standard service account
Sign in to a CA or management workstations with *Domain Administrator* equivalent credentials.

35
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-adfs.md
View File

@ -1,7 +1,7 @@
---
title: Configure Active Directory Federation Services in an on-premises certificate trust model
description: Learn how to configure Active Directory Federation Services (AD FS) to support the Windows Hello for Business on-premises certificate trust model.
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
---
@ -16,20 +16,7 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
[!INCLUDE [adfs-deploy](includes/adfs-deploy.md)]
> [!NOTE]
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
> 1. Right-click **Scope Descriptions** and select **Add Scope Description**
> 1. Under name type *ugs* and select **Apply > OK**
> 1. Launch PowerShell as an administrator and execute the following commands:
>
> ```PowerShell
> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
> ```
>
> 1. Restart the AD FS service
> 1. Restart the client. User should be prompted to provision Windows Hello for Business
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. For more information about the isse and its resolution, see [Certificate trust provisioning with AD FS broken on windows server 2019](../hello-deployment-issues.md#certificate-trust-provisioning-with-ad-fs-broken-on-windows-server-2019).
## Review to validate the AD FS and Active Directory configuration
@ -40,6 +27,21 @@ Windows Hello for Business works exclusively with the Active Directory Federatio
> - Confirm you added the AD FS service account to the KeyAdmins group
> - Confirm you enabled the Device Registration service
[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
### Publish the certificate template to the CA
Sign in to the CA or management workstations with **Enterprise Admin** equivalent credentials.
1. Open the **Certification Authority** management console
1. Expand the parent node from the navigation pane
1. Select **Certificate Templates** in the navigation pane
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
1. In the **Enable Certificates Templates** window, select the *WHFB Enrollment Agent* template you created in the previous step. Select **OK** to publish the selected certificate templates to the certification authority
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console
## Configure the certificate registration authority
The Windows Hello for Business on-premises certificate-based deployment uses AD FS as the certificate registration authority (CRA). The registration authority is responsible for issuing certificates to users and devices. The registration authority is also responsible for revoking certificates when users or devices are removed from the environment.
@ -55,7 +57,7 @@ Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplat
>[!NOTE]
> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace *WHFBEnrollmentAgent* and *WHFBAuthentication* in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name by using the `Get-CATemplate` PowerShell cmdlet on a CA.
### Enrollment agent certificate enrollment
### Enrollment agent certificate lifecycle management
AD FS performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
@ -87,6 +89,7 @@ For detailed information about the certificate, use `Certutil -q -v <certificate
> [!div class="checklist"]
> Before you continue with the deployment, validate your deployment progress by reviewing the following items:
>
> - Configure an enrollment agent certificate template
> - Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template
> - Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance
> - Confirm you properly configured the Windows Hello for Business authentication certificate template

8
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust-enroll.md
View File

@ -1,5 +1,5 @@
---
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises certificate trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises certificate trust scenario
@ -73,7 +73,11 @@ After a successful key registration, Windows creates a certificate request using
The AD FS registration authority verifies the key used in the certificate request matches the key that was previously registered. On a successful match, the AD FS registration authority signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store. Once this process completes, the Windows Hello for Business provisioning workflow informs the user that they can use their PIN to sign-in through the Action Center.
The CA validates that the certificate is signed by the registration authority. On successful validation, it issues a certificate based on the request and returns the certificate to the AD FS registration authority. The registration authority returns the certificate to Windows where it then installs the certificate in the current user's certificate store.
The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=771165c0-e37f-4f9d-9e21-4f383cc6590d alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
### Sequence diagram

8
windows/security/identity-protection/hello-for-business/deploy/on-premises-cert-trust.md
View File

@ -1,13 +1,12 @@
---
title: Windows Hello for Business on-premises certificate trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, certificate trust scenario.
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
---
# On-premises certificate trust deployment guide
[!INCLUDE [apply-to-on-premises-cert-trust](includes/apply-to-on-premises-cert-trust.md)]
[!INCLUDE [requirements](includes/requirements.md)]
@ -48,8 +47,6 @@ Windows Hello for Business must have a Public Key Infrastructure (PKI) when usin
[!INCLUDE [web-server-certificate-template](includes/certificate-template-web-server.md)]
[!INCLUDE [enrollment-agent-certificate-template](includes/certificate-template-enrollment-agent.md)]
[!INCLUDE [auth-certificate-template](includes/certificate-template-auth.md)]
[!INCLUDE [unpublish-superseded-templates](includes/unpublish-superseded-templates.md)]
@ -64,7 +61,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. Expand the parent node from the navigation pane
1. Select **Certificate Templates** in the navigation pane
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, *WHFB Enrollment Agent* and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, *Internal Web Server*, and *WHFB Authentication* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console
@ -85,7 +82,6 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
> - Configure domain controller and web server certificate templates
> - Supersede existing domain controller certificates
> - Unpublish superseded certificate templates
> - Configure an enrollment agent certificate template
> - Publish the certificate templates to the CA
> - Deploy certificates to the domain controllers
> - Validate the domain controllers configuration

6
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust-enroll.md
View File

@ -1,5 +1,5 @@
---
ms.date: 03/12/2024
ms.date: 06/23/2024
ms.topic: tutorial
title: Configure Windows Hello for Business Policy settings in an on-premises key trust
description: Configure Windows Hello for Business Policy settings for Windows Hello for Business in an on-premises key trust scenario
@ -52,6 +52,10 @@ This information is also available using the `dsregcmd.exe /status` command from
[!INCLUDE [user-experience](includes/user-experience.md)]
The following video shows the Windows Hello for Business enrollment steps after signing in with a password, using a custom MFA adapter for AD FS.
> [!VIDEO https://learn-video.azurefd.net/vod/player?id=771165c0-e37f-4f9d-9e21-4f383cc6590d alt-text="Video showing the Windows Hello for Business enrollment steps after signing in with a password."]
### Sequence diagram
To better understand the provisioning flows, review the following sequence diagram:

4
windows/security/identity-protection/hello-for-business/deploy/on-premises-key-trust.md
View File

@ -1,7 +1,7 @@
---
title: Windows Hello for Business on-premises key trust deployment guide
description: Learn how to deploy Windows Hello for Business in an on-premises, key trust scenario.
ms.date: 03/12/2024
ms.date: 06/24/2024
ms.topic: tutorial
---
@ -57,7 +57,7 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
1. Expand the parent node from the navigation pane
1. Select **Certificate Templates** in the navigation pane
1. Right-click the **Certificate Templates** node. Select **New > Certificate Template** to issue
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)*, and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
1. In the **Enable Certificates Templates** window, select the *Domain Controller Authentication (Kerberos)* and *Internal Web Server* templates you created in the previous steps. Select **OK** to publish the selected certificate templates to the certification authority
1. If you published the *Domain Controller Authentication (Kerberos)* certificate template, then unpublish the certificate templates you included in the superseded templates list
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console

10
windows/security/identity-protection/hello-for-business/deploy/toc.yml
View File

@ -8,7 +8,7 @@ items:
- name: Cloud Kerberos trust deployment
href: hybrid-cloud-kerberos-trust.md
- name: Key trust deployment
items:
items:
- name: Requirements and validation
href: hybrid-key-trust.md
displayName: key trust
@ -19,7 +19,7 @@ items:
href: ../hello-hybrid-aadj-sso.md
displayName: key trust
- name: Certificate trust deployment
items:
items:
- name: Requirements and validation
href: hybrid-cert-trust.md
displayName: certificate trust
@ -41,7 +41,7 @@ items:
- name: On-premises deployments
items:
- name: Key trust deployment
items:
items:
- name: Requirements and validation
href: on-premises-key-trust.md
- name: Prepare and deploy Active Directory Federation Services (AD FS)
@ -49,10 +49,10 @@ items:
- name: Configure and enroll in Windows Hello for Business
href: on-premises-key-trust-enroll.md
- name: Certificate trust deployment
items:
items:
- name: Requirements and validation
href: on-premises-cert-trust.md
- name: Prepare and Deploy Active Directory Federation Services (AD FS)
- name: Prepare and deploy Active Directory Federation Services (AD FS)
href: on-premises-cert-trust-adfs.md
- name: Configure and enroll in Windows Hello for Business
href: on-premises-cert-trust-enroll.md