From cc5989f5a5593c9442241f7425676b7d2c0dcfe0 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Fri, 23 Apr 2021 19:07:52 -0700 Subject: [PATCH] Update windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-how-it-works-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 41ee599349..7439db90b9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -65,7 +65,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| > [!NOTE] -> You may have on-premises domain Federated with Azure AD. Once user successfully provisioned WHFB PIN/Bio on, any future login of WHFB (PIN/Bio) sign-in will directly authenticate against AAD to get PRT, as well as Authenticate against your DC (if LOS to DC available) to get Kerberos as mentioned above. ADFS federation used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. +> You may have an on-premises domain federated with Azure AD. Once you have successfully provisioned Windows Hello for Business PIN/Bio on, any future login of Windows Hello for Business (PIN/Bio) sign-in will directly authenticate against Azure AD to get PRT, as well as authenticate against your DC (if LOS to DC is available) to get Kerberos as mentioned ppreviously. AD FS federation is used only when Enterprise PRT calls are placed from the client. You need to have device write-back enabled to get "Enterprise PRT" from your federation. ## Hybrid Azure AD join authentication using a Key