diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 3927e2b327..21c295bad1 100644 --- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -14,29 +14,28 @@ ms.author: dansimp # How to use Single Sign-On (SSO) over VPN and Wi-Fi connections -This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. This includes: +This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used: - Connecting to a network using Wi-Fi or VPN. - Use credentials for WiFi or VPN authentication to also authenticate requests to access a domain resource without being prompted for your domain credentials. For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication. -The way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session. -Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource. -For VPN, the VPN stack saves its credential as the session default. -For WiFi, EAP does it. +The credentials that are used for the connection authentication are placed in Credential Manager as the default credentials for the logon session. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource: +- For VPN, the VPN stack saves its credential as the session default. +- For WiFi, Extensible Authentication Protocol (EAP) provides support. -The credentials are put in Credential Manager as a "\*Session" credential. +The credentials are placed in Credential Manager as a "\*Session" credential. A "\*Session" credential implies that it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is disconnected. -When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](/windows/win32/wininet/wininet-reference) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. +For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from the Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations). -The local security authority will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. -If the app is not UWP, it does not matter. -But if it is a UWP app, it will look at the device capability for Enterprise Authentication. -If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. +The local security authority will look at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application. +If the app isn't a UWP, it doesn't matter. +But if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication. +If it does have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. This behavior helps prevent credentials from being misused by untrusted third parties. ## Intranet zone @@ -54,7 +53,7 @@ For multi-label names, such as http://finance.net, the ZoneMap needs to be updat OMA URI example: -./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser. +./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser. ## Credential requirements @@ -62,8 +61,8 @@ For VPN, the following types of credentials will be added to credential manager - Username and password - Certificate-based authentication: - - TPM KSP Certificate - - Software KSP Certificates + - TPM Key Storage Provider (KSP) Certificate + - Software Key Storage Provider (KSP) Certificates - Smart Card Certificate - Windows Hello for Business Certificate @@ -75,10 +74,10 @@ If the credentials are certificate-based, then the elements in the following tab | Template element | Configuration | |------------------|---------------| -| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. | -| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | +| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. | +| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | | Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. | -| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for Windows Hello for Business)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | +| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for Windows Hello for Business)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | ## NDES server configuration @@ -89,8 +88,9 @@ For more information, see [Configure certificate infrastructure for SCEP](/mem/i You need IP connectivity to a DNS server and domain controller over the network interface so that authentication can succeed as well. -The domain controllers will need to have appropriate KDC certificates for the client to trust them as domain controllers, and since phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store. +Domain controllers must have appropriate KDC certificates for the client to trust them as domain controllers. Because phones are not domain-joined, the root CA of the KDC’s certificate must be in the Third-Party Root CA or Smart Card Trusted Roots store. -The domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. +Domain controllers must be using certificates based on the updated KDC certificate template Kerberos Authentication. This requires that all authenticating domain controllers run Windows Server 2016, or you'll need to enable strict KDC validation on domain controllers that run previous versions of Windows Server. + For more information, see [Enabling Strict KDC Validation in Windows Kerberos](https://www.microsoft.com/download/details.aspx?id=6382). \ No newline at end of file