deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-23 02:37:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

updates

Browse Source
This commit is contained in:
Paolo Matarazzo 2022-12-13 09:37:02 -05:00
parent 90cf68eeb9
commit d1fafea3b6
3 changed files with 56 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -9,9 +9,9 @@ ms.topic: tutorial
--- ---
# Prepare and deploy Active Directory Federation Services # Prepare and deploy Active Directory Federation Services
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] [!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises key trust deployment model uses AD FS for *key registration* and *device registration*. Windows Hello for Business works exclusively with the Active Directory Federation Service (AD FS) role included with Windows Server. The on-premises certificate trust deployment model uses AD FS for *certificate enrollment* and *device registration*.
The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\ The following guidance describes the deployment of a new instance of AD FS using the Windows Information Database (WID) as the configuration database.\
WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\ WID is ideal for environments with no more than **30 federation servers** and no more than **100 relying party trusts**. If your environment exceeds either of these factors, or needs to provide *SAML artifact resolution*, *token replay detection*, or needs AD FS to operate as a federated provider role, then the deployment requires the use of SQL as a configuration database.\
@ -21,21 +21,6 @@ A new AD FS farm should have a minimum of two federation servers for proper load
Prepare the AD FS deployment by installing and **updating** two Windows Servers. Prepare the AD FS deployment by installing and **updating** two Windows Servers.
> [!NOTE]
> For AD FS 2019 in a Windows Hello for Business hybrid certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to "Services > Scope Descriptions".
> 2. Right click "Scope Descriptions" and select "Add Scope Description".
> 3. Under name type "ugs" and Click Apply > OK.
> 4. Launch PowerShell as an administrator.
> 5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":
> ```PowerShell
> (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> ```
> 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'`.
> 7. Restart the AD FS service.
> 8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business.
## Enroll for a TLS server authentication certificate ## Enroll for a TLS server authentication certificate
Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity.
@ -136,6 +121,20 @@ Sign-in to the federation server with *Domain Administrator* equivalent credenti
1. On the **Pre-requisite Checks** page, select **Configure** 1. On the **Pre-requisite Checks** page, select **Configure**
1. When the process completes, select **Close** 1. When the process completes, select **Close**
> [!NOTE]
> For AD FS 2019 and later in a certificate trust model, a known PRT issue exists. You may encounter this error in AD FS Admin event logs: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:
>
> 1. Launch AD FS management console. Browse to ***Services > Scope Descriptions**
> 2. Right-click **Scope Descriptions** and select **Add Scope Description**
> 3. Under name type *ugs* and select **Apply > OK**
> 4. Launch PowerShell as an administrator and execute the following commands:
> ```PowerShell
> $id = (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier
> Set-AdfsApplicationPermission -TargetIdentifier $id -AddScope 'ugs'
> ```
> 7. Restart the AD FS service
> 8. Restart the client. User should be prompted to provision Windows Hello for Business
### Add the AD FS service account to the *Key Admins* group ### Add the AD FS service account to the *Key Admins* group
During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group. During Windows Hello for Business enrollment, the public key is registered in an attribute of the user object in Active Directory. To ensure that the AD FS service can add and remove keys are part of its normal workflow, it must be a member of the *Key Admins* global group.
@ -178,8 +177,7 @@ The Windows Hello for Business on-premises certificate-based deployment uses AD
Sign-in the AD FS server with *domain administrator* equivalent credentials. Sign-in the AD FS server with *domain administrator* equivalent credentials.
1. Open a **Windows PowerShell** prompt. Open a **Windows PowerShell** prompt and type the following command:
2. Type the following command
```PowerShell ```PowerShell
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication

2
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
View File

@ -9,6 +9,8 @@ ms.topic: tutorial
--- ---
# Validate Active Directory prerequisites # Validate Active Directory prerequisites
[!INCLUDE [hello-on-premises-cert-trust](../../includes/hello-on-premises-cert-trust.md)]
The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema. The key registration process for the on-premises deployment of Windows Hello for Business requires the Windows Server 2016 Active Directory or later schema.
## Create the Windows Hello for Business Users security group ## Create the Windows Hello for Business Users security group

47
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -1,13 +1,13 @@
--- ---
title: Validate and configure the Public Key Infrastructure title: Configure and validate the Public Key Infrastructure
description: Validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model. description: title: Configure and validate the Public Key Infrastructure when deploying Windows Hello for Business in a key trust model.
ms.date: 12/12/2022 ms.date: 12/12/2022
appliesto: appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a> - ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10 and later</a>
- ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a> - ✅ <a href=https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info target=_blank>Windows Server 2016 and later</a>
ms.topic: tutorial ms.topic: tutorial
--- ---
# Validate and configure the Public Key Infrastructure # Configure and validate the Public Key Infrastructure
[!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)] [!INCLUDE [hello-on-premises-key-trust](../../includes/hello-on-premises-key-trust.md)]
@ -40,7 +40,9 @@ Sign in using *Enterprise Administrator* equivalent credentials on a Windows Ser
If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session. If you have an existing PKI, review [Certification Authority Guidance](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831574(v=ws.11)) to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831348(v=ws.11)) for instructions on how to configure your PKI using the information from your design session.
### Configure domain controller certificates <br>
<details>
<summary><b>Configure domain controller certificates</b></summary>
Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*. Clients must trust the domain controllers, and to it each domain controller must have a *Kerberos Authentication* certificate. Installing a certificate on the domain controllers enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. The certificates provide clients a root of trust external to the domain, namely the *enterprise certification authority*.
@ -75,7 +77,12 @@ Sign in to a CA or management workstations with *Domain Admintistrator* equivale
1. Select **OK** 1. Select **OK**
1. Close the console 1. Close the console
### Supersede existing domain controller certificates </details>
<br>
<details>
<summary><b>Supersede existing domain controller certificates</b></summary>
The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension. The domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template for domain controllers called *domain controller certificate*. Later releases of Windows Server provided a new certificate template called *domain controller authentication certificate*. These certificate templates were provided prior to the update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the *KDC Authentication* extension.
@ -96,7 +103,11 @@ Sign in to a CA or management workstations with *Enterprise Administrator* equiv
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities. The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates isn't active until the certificate template is published to one or more certificate authorities.
### Configure an internal web server certificate template </details>
<br>
<details>
<summary><b>Configure an internal web server certificate template</b></summary>
Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate. Windows clients use the https protocol when communicating with Active Directory Federation Services (AD FS). To meet this need, you must issue a server authentication certificate to all the nodes in the AD FS farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running theAD FS can request the certificate.
@ -129,7 +140,11 @@ Sign in to a CA or management workstations with *Domain Administrator* equivalen
- Select **OK** - Select **OK**
1. Close the console 1. Close the console
### Unpublish Superseded Certificate Templates </details>
<br>
<details>
<summary><b>Unpublish Superseded Certificate Templates</b></summary>
The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. The certification authority only issues certificates based on published certificate templates. For security, it's a good practice to unpublish certificate templates that the CA isn't configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates.
@ -142,7 +157,11 @@ Sign in to the CA or management workstation with *Enterprise Administrator* equi
1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window 1. Right-click the *Domain Controller* certificate template and select **Delete**. Select **Yes** on the **Disable certificate templates** window
1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates 1. Repeat step 3 for the *Domain Controller Authentication* and *Kerberos Authentication* certificate templates
### Publish certificate templates to the CA </details>
<br>
<details>
<summary><b>Publish certificate templates to the CA</b></summary>
A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them. A certification authority can only issue certificates for certificate templates that are published to it. If you have more than one CA, and you want more CAs to issue certificates based on the certificate template, then you must publish the certificate template to them.
@ -157,7 +176,11 @@ Sign in to the CA or management workstations with **Enterprise Admin** equivalen
- To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation - To unpublish a certificate template, right-click the certificate template you want to unpublish and select **Delete**. Select **Yes** to confirm the operation
1. Close the console 1. Close the console
### Configure automatic certificate enrollment for the domain controllers </details>
<br>
<details>
<summary><b>Configure automatic certificate enrollment for the domain controllers</b></summary>
Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU). Domain controllers automatically request a certificate from the *Domain controller certificate* template. However, domain controllers are unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates, create and configure a Group Policy Object (GPO) for automatic certificate enrollment, linking the Group Policy object to the *Domain Controllers* Organizational Unit (OU).
@ -175,7 +198,11 @@ Domain controllers automatically request a certificate from the *Domain controll
1. Select **OK** 1. Select **OK**
1. Close the **Group Policy Management Editor** 1. Close the **Group Policy Management Editor**
### Deploy the domain controller auto certificate enrollment GPO </details>
<br>
<details>
<summary><b>Deploy the domain controller auto certificate enrollment GPO</b></summary>
Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials. Sign in to domain controller or management workstations with *Domain Administrator* equivalent credentials.