From 7aeb98af938358ffe9f43c55197eb556594c7812 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Wed, 3 Apr 2019 03:12:19 -0600 Subject: [PATCH 1/2] Adding the way to add the SCP --- .../hello-cert-trust-adfs.md | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 2f9757d9d9..6ced876167 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -257,6 +257,7 @@ Before you continue with the deployment, validate your deployment progress by re A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. + ### Configure Registration Authority template The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. @@ -354,12 +355,37 @@ Sign-in the AD FS server with domain administrator equivalent credentials. >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. + ### Enrollment Agent Certificate Enrollment Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. + +### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service +Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script: + +>[!TIP] Make sure to change the $enrollmentService and $configNC variables before running the script. + +```Powershell +# Replace this with your Device Registration Service endpoint +$enrollmentService = "enterpriseregistration.contoso.com" +# Replace this with your Active Directory configuration naming context +$configNC = "CN=Configuration,DC=corp,DC=contoso,DC=org" + +$de = New-Object System.DirectoryServices.DirectoryEntry +$de.Path = "LDAP://CN=Device Registration Configuration,CN=Services," + $configNC + +$deSCP = $de.Children.Add("CN=62a0ff2e-97b9-4513-943f-0d221bd30080", "serviceConnectionPoint") +$deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService) +$deSCP.CommitChanges() +``` + +>[!NOTE] You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1. +> + + ## Additional Federation Servers Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. From b0b22317298bbb4499fa2b87f879e36f6d43a183 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Thu, 11 Apr 2019 23:41:13 -0500 Subject: [PATCH 2/2] Illfated corretions @illfated corrections. Thank you --- .../hello-for-business/hello-cert-trust-adfs.md | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 6ced876167..520293ddc8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -116,7 +116,7 @@ Before you continue with the deployment, validate your deployment progress by re The service account used for the device registration server depends on the domain controllers in the environment. >[!NOTE] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. ### Windows Server 2012 or later Domain Controllers @@ -146,7 +146,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ## Configure the Active Directory Federation Service Role >[!IMPORTANT] ->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. +> Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. ### Windows Server 2012 or later Domain Controllers @@ -257,7 +257,6 @@ Before you continue with the deployment, validate your deployment progress by re A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. - ### Configure Registration Authority template The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request. @@ -276,7 +275,8 @@ Sign-in a certificate authority or management workstations with _domain administ 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. 6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. -> [!NOTE] + +>[!NOTE] > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. @@ -355,18 +355,17 @@ Sign-in the AD FS server with domain administrator equivalent credentials. >[!NOTE] > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - ### Enrollment Agent Certificate Enrollment Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. - ### Service Connection Point (SCP) in Active Directory for ADFS Device Registration Service Now you will add the Service connection Point to ADFS device registration Service for your Active directory by running the following script: ->[!TIP] Make sure to change the $enrollmentService and $configNC variables before running the script. +>[!TIP] +> Make sure to change the $enrollmentService and $configNC variables before running the script. ```Powershell # Replace this with your Device Registration Service endpoint @@ -382,10 +381,10 @@ $deSCP.Properties["keywords"].Add("enterpriseDrsName:" + $enrollmentService) $deSCP.CommitChanges() ``` ->[!NOTE] You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1. +>[!NOTE] +> You can save the modified script in notepad and save them as "add-scpadfs.ps1" and the way to run it is just navigating into the script path folder and running .\add-scpAdfs.ps1. > - ## Additional Federation Servers Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm.