deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-25 11:47:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

- Major work implementing AADJ Certificate

Browse Source 
- Minor fixes in other areas
This commit is contained in:
Mike Stephens 2018-08-09 22:38:07 -07:00
parent 958307c202
commit e689b6a58d
4 changed files with 429 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS author: mikestephens-MS
ms.author: mstephen ms.author: mstephen
localizationpriority: high localizationpriority: high
ms.date: 03/26/2018 ms.date: 08/06/2018
--- ---
# Prepare and Deploy Windows Server 2016 Active Directory Federation Services # Prepare and Deploy Windows Server 2016 Active Directory Federation Services
@ -57,7 +57,7 @@ Its recommended that you mark the private key as exportable so that the same
Be sure to enroll or import the certificate into the AD FS servers computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. Be sure to enroll or import the certificate into the AD FS servers computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
### Internal Server Authentication Certificate Enrollment ### Internal Web Server Authentication Certificate Enrollment
Sign-in the federation server with domain admin equivalent credentials. Sign-in the federation server with domain admin equivalent credentials.
1. Start the Local Computer **Certificate Manager** (certlm.msc). 1. Start the Local Computer **Certificate Manager** (certlm.msc).

455
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
author: mikestephens-MS author: mikestephens-MS
ms.author: mstephen ms.author: mstephen
localizationpriority: high localizationpriority: high
ms.date: 05/05/2018 ms.date: 08/06/2018
--- ---
# Using Certificates for AADJ On-premises Single-sign On # Using Certificates for AADJ On-premises Single-sign On
@ -51,7 +51,7 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
- Encryption - Encryption
- Signature and Encryption - Signature and Encryption
If you need to deploy more than three types of certificates to the Azure AD joined device, you need another NDES server. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates. If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates.
### Network Requirements ### Network Requirements
@ -154,16 +154,15 @@ The application of the **NDES Service User Rights** Group Policy object uses sec
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO** 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**. 3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
> [!IMPORTANT] > [!IMPORTANT]
> Just to reassure, linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object. > Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
## Prepare Active Directory Certificate Authority ## Prepare Active Directory Certificate Authority
You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will
- Configure the certificate authority to let Intune provide validity periods - Configure the certificate authority to let Intune provide validity periods
- Create an Intune Connector client authentication certificate template - Create an NDES-Intune Authentication Certificate template
- Create an Azure AD joined Windows Hello for Business authentication certificate template - Create an Azure AD joined Windows Hello for Business authentication certificate template
- Create a Web Server certificate template
- Publish certificate templates - Publish certificate templates
### Configure the certificate authority to let Intune provide validity periods ### Configure the certificate authority to let Intune provide validity periods
@ -176,63 +175,445 @@ When deploying certificates using Microsoft Intune, you have the option of provi
1. Sign-in to the issuing certificate authority using local administrative credentials. 1. Sign-in to the issuing certificate authority using local administrative credentials.
2. Open and elevated command prompt. Type the command 2. Open and elevated command prompt. Type the command
``` ```
certutil -setreg Policy\EditFkags +EDITF_ATTRIBUTEENDDATE certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
``` ```
3. Restart the **Active Directory Certificate Services** service. 3. Restart the **Active Directory Certificate Services** service.
### Create an Intune Connector client authentication certificate template ### Create an NDES-Intune authentication certificate template
The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. Given this certificate is enrolled on a domain joined server (the NDES server), you can configure this certificate template to build it's subject name from Active Directory NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
> [!NOTE]
> In most configurations, automatic certificate enrollment is ideal for domain joined comptuers such as the NDES server. However, the client authentication certificate is enrolled to the computer, but statically configured in the Microsoft Intune connector. Therefore, you must manually reconfigure the Intune Certificate Connector when renewing the client authentication certifcate and prevents the entire process from being automated.
Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console. 1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**. 2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Authenticated Session** template in the details pane and click **Duplicate Template**. 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows XP / Server 2003** from the **Certification Recipient** list. 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
5. On the **General** tab, type **Intune Connector Client Auth** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
**Note:** If you use different template names, youll need to remember and substitute these names in different portions of the lab. **Note:** If you use different template names, youll need to remember and substitute these names in different portions of the lab.
6. On the **Subject** tab, select the **Build from Active Directory Information**. Select **Common Name** from the **Subject name format** list. Clear all the check boxes under **Include this information in alternate subject name**. 5. On the **Subject** tab, select **Supply in the request**.
7. ON the **Cryptography** tab, validate the **Minimum key size** is **2048**. 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
8. On the **Security** tab, click **Add**. 7. On the **Security** tab, click **Add**.
9. Click **Object Types**. Select the **Computers** check box and click **OK**. 8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
10. Type the name of the NDES server in the **Enter the object names to select** text box and click **OK**. 9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
11. Click the NDES server from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Excluding the NDES server, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template ### Create an Azure AD joined Windows Hello for Business authentication certificate template
During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
### Create a Web Server certificate template Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
The NDES server needs an TLS server authentication certificate to keep it's communication private. Given that internal clients are the only consumers of this URL, you can use an server authentication certificate issued by your enterprise certificate authority. Optionally, you can use publicly trusted server authentication certificate.
If you already have a certificate template that provides server authentication, then you can skip this section.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console. 1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**. 2. Right-click **Certificate Templates** and click **Manage**.
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs. 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
**Note:** If you use different template names, youll need to remember and substitute these names in different portions of the lab. **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
6. On the **Request Handling** tab, select **Allow private key to be exported**. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. 8. On the **Subject** tab, select **Supply in the request**.
9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. 9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
10. Close the console. 10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
13. Close the console.
### Publish certificate templates ### Publish certificate templates
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
> [!Important]
> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that cerificate templates to that issuing certificate authoirty. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
## Install the Network Device Enrollment Services Role 1. Open the **Certificate Authority** management console.
2. Expand the parent node from the navigation pane.
3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
6. Close the console.
## Install and Configure the NDES Role
This section includes the following topics:
* Install the Network Device Enrollment Service Role
* Configure the NDES service account
* Configure the NDES role and Certificate Templates
* Create a Web Application Proxy for the Internal NDES URL.
* Enroll for Web Server Certificate
* Configure the Web Server Certificate for NDES
* Verify the configuration
### Install the Network Device Enrollment Services Role
Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open **Server Manager** on the NDES server.
2. Click **Manage**. Click **Add Roles and Features**.
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
7. Click **Next** on the **Web Server Role (IIS)** page.
8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
* **Web Server > Security > Request Filtering**
* **Web Server > Application Development > ASP.NET 3.5**.
* **Web Server > Application Development > ASP.NET 4.5**. .
* **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
* **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
> [!Important]
> The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Intenret, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
### Configure the NDES service account
This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation
#### Add the NDES service account to the IIS_USRS group
Sign-in the NDES server with access equivalent to _local administrator_.
1. Start the **Local Users and Groups** management console (lusrmgr.msc).
2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
4. Close the management console.
#### Register a Service Principal Name on the NDES Service account
Sign-in the NDES server with a access equivalent to _Domain Admins_.
1. Open an elevated command prompt.
2. Type the following command to register the service principal name<br>
```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```<br>
where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.<br>
```setspn -s http/ndes.corp.contoso.com contoso\ndessvc```
> [!NOTE]
> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
#### Configure the NDES Service account for delegation
The NDES service enrolls certificates on behalf of users. Therefore, you want to limit that actions it can perform on behalf of the user. You do this through delegation.
Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...**. Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
7. Repeat steps 5 and 6 for each NDES server using this service account.
8. Click **Add**
9. Click **Users or computers...**. Type the name of the _issuing certificate authority_ this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services)) list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates
This task configures the NDES role and the certificate templates the NDES server issues.
#### Configure the NDES Role
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
> [!NOTE]
> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2, On the **Credentials** page, click **Next**.
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**.
8. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES
A single NDES server can request a maximum of three certificate template. The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
* Digital Signature
* Key Encipherment
* Key Encipherment, Digital Signature
Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP provide value to the NDES certificate template registry value name
|SCEP Profile| NDES Registry Value Name|
|:----------:|:-----------------------:|
|Digital Signature|SignatureTemplate|
|Key Encipherment|EncryptionTemplate|
|Key Encipherment<br>Digital Signature|GeneralPurposeTemplate|
Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance easy of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
Sign-in to the NDES Server with _local administrator_ equivalent credentials.
1. Open an elevated command prompt.
2. Using the table above, device which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
3. Type the following command<br>
```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```<br>
where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:<br>
```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```<br>
> [!IMPORTANT]
> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certifcates Templates** management console (certtmpl.msc).
4. Type **Y** when the command asks for permission to overwrite the existing value.
5. Close the command prompt.
### Create a Web Application Proxy for the internal NDES URL.
Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and security using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to URLs hosted by Azure AD Application Proxies.
Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications.
Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner.
#### Download and Install the Application Proxy Connector Agent
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT]
> Install a minimum of two Azure Active Direcoty Proxy connectors for each NDES Application Proxy. Startegtically locate Azure AD connectors throughout your organization to ensure maximum availablity. Remember that devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
10. Repeat steps 5 - 10 for each device that will run the Azure AD Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**.
#### Create the Azure Application Proxy
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Configure an app**.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the internal DNS name of the NDES server and ensure you prefix the Url with **https**.
7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostnamne for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
> [!IMPORTANT]
> Write down the internal and external Urls. You will need this information when you enroll the NDES-Intune Authentication certificate.
8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
11. Click **Add**.
12. Sign-out of the Azure Portal.
### Enroll the NDES-Intune Authentication certificate
This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.
Sign-in the NDES server with access equivalent to _Domain Administrators_.
1. Start the Local Computer **Certificate Manager** (certlm.msc).
2. Expand the **Personal** node in the navigation pane.
3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
4. Click **Next** on the **Before You Begin** page.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png)
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal Url used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal Url used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external Url used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
9. Click **Enroll**
10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices.
### Configure the Web Server Role
This task configures the Web Server role on the NDES server to use the server authentication certificate.
Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. Click **Bindings...*** under **Actions**. Click **Add**.
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the web server certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**.
### Verify the configuration
This task confirms the TLS configuration for the NDES server.
Sign-in the NDES server with access equivalent to _local administrator_.
#### Disable Internet Explorer Enhanced Security Configuration
1. Open **Server Manager**. Click **Local Server** from the navigation pane.
2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section.
3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**.
4. Close **Server Manager**.
#### Test the NDES web server
1. Open **Internet Explorer**.
2. In the navigation bar, type
```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
!!!! INSERT PICTURE HERE !!!!!!
## Configure Network Device Enrollment Services to work with Microsoft Intune ## Configure Network Device Enrollment Services to work with Microsoft Intune
You have successfully configured the Network Device Enrollment Services. You must know modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server to handle long URLs and, you will enroll a client authentication certificate. The Intune Certificate Connector uses the client authentication certificate to authenticate to Microsoft Intune.
## Install and Configure the Intune Certificate Connector - Configure NDES to support long URLs
- Enroll for a client authentication certificate
### Configure NDES to support long URLs
Sign-in the NDES server with access equivalent to _local administrator_.
#### Configure the Default Web Site
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**.
7. Type **30000000** in **Maximum allowed content length (Bytes)**.
8. Type **65534** in **Maximum URL length (Bytes)**.
9. Type **65534** in **Maximum query string (Bytes)**.
10. Click **OK**. Close **Internet Information Services (IIS) Manager**.
#### Configure Parameters for HTTP.SYS
1. Open an elevated command prompt.
2. Run the following commands <br>
```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
3. Restart the NDES server.
## Download, Install and Configure the Intune Certificate Connector
The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune.
### Download Intune Certificate Connector
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Select **Device Configuration**, and then select **Certificate Authority**.
4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section.
5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
6. Sign-out of the Azure Portal.
### Install the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain admin_.
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup displays Microsoft Intune NDES Connector requires HTTP Activation, validate you started the application as the administrator, then validate HTTP Activation is enabled on the NDES server.
3. On the **Microsoft Intune** page, click **Next**.
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
5. On the **Destination Folder** page, click **Next**.
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
> [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
> [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder
10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
### Configure the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
1. The **NDES Connector** user interface should be open from the last task.
> [!NOTE]
> If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
> [!IMPORTANT]
> THe user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails.
4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task.
### Configure the NDES Connector for certificate revocation (**Optional**)
Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted).
#### Enabling the NDES Service account for revocation
Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_
1. Start the **Certification Authority** management console.
2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
3.Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
4. Close the **Certification Authority**
#### Enable the NDES Connector for certificate revociation
Sign-in the NDES server with access equivalent to _domain administrator_.
1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
### Test the NDES Connector
Sign-in the NDES server with access equivalent to _domain admin_.
1. Open a command prompt.
2. Type the following command to confirm the NDES Connector's last connection time is current.
```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
3. Close the command prompt.
4. Open **Internet Explorer**.
5. In the navigation bar, type
```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following should appear) in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
!!!! INSERT PICTURE HERE !!!!!!
6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
3. Select **Device Configuration**, and then click **Profiles**.
4. Select **Create Profile**.
6. Sign-out of the Azure Portal.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
View File

@ -9,7 +9,7 @@ ms.pagetype: security, mobile
localizationpriority: high localizationpriority: high
author: mikestephens-MS author: mikestephens-MS
ms.author: mstephen ms.author: mstephen
ms.date: 03/26/2018 ms.date: 08/06/2018
--- ---
# Configure Windows Hello for Business: Active Directory Federation Services # Configure Windows Hello for Business: Active Directory Federation Services
@ -20,7 +20,7 @@ ms.date: 03/26/2018
>This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. >This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
View File

@ -73,7 +73,7 @@ The certificate template is configured to supersede all the certificate template
### Enrollment Agent certificate template ### Enrollment Agent certificate template
Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts.
Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate.
@ -159,7 +159,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
3. Click **Certificate Templates** in the navigation pane. 3. Click **Certificate Templates** in the navigation pane.
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. 5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
7. Close the console. 6. Close the console.
#### Unpublish Superseded Certificate Templates #### Unpublish Superseded Certificate Templates