MarkDown formatting, whitespace consistency, typos

This PR is meant to make it easier for the next editor of this page to start with a known ordered content, with regards to layout formatting, general typos and MarkDown usage. Viewing this content in Rich Diff view, or without the "Hide whitespace changes" feature, might look confusing or disordered. Changes proposed: - MarkDown formatting improvements (incorrect usage/layout corrected and properly formatted) - Whitespace corrections, both for consistency, codestyle, and for easier future editing - Typo corrections and a couple of minor phrasing adjustments for readability & coherency Ref. my comments in PR #8732 and at the end of issue ticket #8548 (regarding incorrect MarkDown code block usage)
2025-06-18 11:53:37 +00:00 · 2021-01-02 07:31:44 +01:00
parent 2a3e536a5c
commit edd467581c
1 changed files with 135 additions and 107 deletions
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@ -16,9 +16,10 @@ localizationpriority: medium
 ms.date: 08/19/2018
 ms.reviewer:
 ---
 # Using Certificates for AADJ On-premises Single-sign On
-**Applies to**
+**Applies to:**
 - Windows 10
 - Azure Active Directory joined
 - Hybrid Deployment
@ -177,7 +178,7 @@ When deploying certificates using Microsoft Intune, you have the option of provi
 Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
-1. Open and elevated command prompt.  Type the command
+1. Open an elevated command prompt and type the following command:
   ```
   certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
   ```
@ -192,7 +193,10 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 2. Right-click **Certificate Templates** and click **Manage**.
 3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
 4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
-    **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+
   > [!NOTE]
   > If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
 5. On the **Subject** tab, select **Supply in the request**.
 6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
 7. On the **Security** tab, click **Add**.
@ -203,14 +207,17 @@ Sign-in to the issuing certificate authority or management workstations with _Do
 ### Create an Azure AD joined Windows Hello for Business authentication certificate template
 During Windows Hello for Business provisioning,  Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user.  This task configures the Windows Hello for Business authentication certificate template.  You use the name of the certificate template when configuring the NDES Server.
-Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
 1. Open the **Certificate Authority** management console.
 2. Right-click **Certificate Templates** and click **Manage**.
 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
 4. On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise's needs.
-    **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+
   > [!NOTE]
   > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.
 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
 8. On the **Subject** tab, select **Supply in the request**.
@ -271,7 +278,7 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
   ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png)
 9. Click **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
   > [!Important]
-   > The .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
+   > .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
   ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png)
 ### Configure the NDES service account
@ -280,7 +287,7 @@ This task adds the NDES service account to the local IIS_USRS group.  The task a
 #### Add the NDES service account to the IIS_USRS group
 Sign-in the NDES server with access equivalent to _local administrator_.
-1. Start the **Local Users and Groups** management console (lusrmgr.msc).
+1. Start the **Local Users and Groups** management console (`lusrmgr.msc`).
 2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
 3. In the **IIS_IUSRS Properties** dialog box, click **Add**.  Type **NDESSvc** or the name of your NDES service account.  Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
 4. Close the management console.
@ -289,10 +296,14 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 Sign-in the NDES server with a access equivalent to _Domain Admins_.
 1. Open an elevated command prompt.
-2. Type the following command to register the service principal name<br>
+2. Type the following command to register the service principal name
-```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```<br>
+   ```
-where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\).  An example of the command looks like the following.<br>
+   setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]
-```setspn -s http/ndes.corp.contoso.com contoso\ndessvc```
+   ```
   where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\).  An example of the command looks like the following:
   ```
   setspn -s http/ndes.corp.contoso.com contoso\ndessvc
   ```
 > [!NOTE]
 > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
@ -353,7 +364,7 @@ A single NDES server can request a maximum of three certificate template.  The N
 Each value maps to a registry value name in the NDES server.  The NDES server translate an incoming SCEP provide value into the correspond certificate template.  The table belows shows the SCEP profile value to the NDES certificate template registry value name
 | SCEP Profile Key usage| NDES Registry Value Name |
-|:----------:|:-----------------------:|
+| :-------------------: | :----------------------: |
 | Digital Signature | SignatureTemplate |
 | Key Encipherment | EncryptionTemplate |
 | Key Encipherment<br>Digital Signature | GeneralPurposeTemplate |
@ -366,15 +377,19 @@ Sign-in to the NDES Server with _local administrator_ equivalent credentials.
 1. Open an elevated command prompt.
 2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
-3. Type the following command<br>
+3. Type the following command:
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```<br>
+   ```
-where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices.  Example:<br>
+   reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]
-```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```<br>
+   ```
   where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices.  Example:
   ```
   reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication
   ```
 4. Type **Y** when the command asks for permission to overwrite the existing value.
 5. Close the command prompt.
 > [!IMPORTANT]
-> Use the **name** of the certificate template; not the **display name**.  The certificate template name does not include spaces.  You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc).
+> Use the **name** of the certificate template; not the **display name**.  The certificate template name does not include spaces.  You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (`certtmpl.msc`).
 ### Create a Web Application Proxy for the internal NDES URL.
 Certificate enrollment for Azure AD joined devices occurs over the Internet.  As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy.  Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
@ -395,7 +410,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
   ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
   > [!IMPORTANT]
-   > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
+   > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 7. Read the license terms and then select **I agree to the license terms and conditions**.  Click **Install**.
@ -426,18 +441,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Under **MANAGE**, click **Application proxy**.
 4. Click **Configure an app**.
 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
-6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, https://ndes.corp.mstepdemo.net).  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
+6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, https://ndes.corp.mstepdemo.net).  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
-7. Under **Internal Url**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
+7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
   ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png)
 8. Select **Passthrough** from the **Pre Authentication** list.
 9. Select **NDES WHFB Connectors** from the **Connector Group** list.
 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**.  Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
 11. Click **Add**.
 12. Sign-out of the Azure Portal.
    > [!IMPORTANT]
    > Write down the internal and external URLs.  You will need this information when you enroll the NDES-Intune Authentication certificate.
 ### Enroll the NDES-Intune Authentication certificate
 This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server.
@ -487,7 +502,9 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 #### Test the NDES web server
 1. Open **Internet Explorer**.
 2. In the navigation bar, type
-```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
+   ```
   https://[fqdnHostName]/certsrv/mscep/mscep.dll
   ```
   where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
 A web page similar to the following should appear in your web browser.  If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
@ -521,9 +538,11 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 #### Configure Parameters for HTTP.SYS
 1. Open an elevated command prompt.
-2. Run the following commands <br>
+2. Run the following commands:
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534``` <br>
+   ```
-```reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```<br>
+   reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534
   reg add HKLM\SYSTEM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534
   ```
 3. Restart the NDES server.
 ## Download, Install and Configure the Intune Certificate Connector
@ -552,12 +571,14 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
   ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png)
 7. On the **Client certificate for Microsoft Intune** page, Click **Select**.  Select the certificate previously enrolled for the NDES server. Click **Next**.
   ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png)
   > [!NOTE]
   > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate.  However, the application rembers the selection and shows it in the next page.
 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
   ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png)
   > [!NOTE]
   > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder
@ -568,6 +589,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 Sign-in the NDES server with access equivalent to _domain administrator_.
 1. The **NDES Connector** user interface should be open from the last task.
   > [!NOTE]
   > If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
@ -576,8 +598,9 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 3. Click **Sign-in**.  Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
   ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png)
   > [!IMPORTANT]
-   > The user account must have a valid Intune licenese assigned.  If the user account does not have a valid Intune license, the sign-in fails.
+   > The user account must have a valid Intune license assigned.  If the user account does not have a valid Intune license, the sign-in fails.
 4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task.
@ -606,13 +629,17 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 Sign-in the NDES server with access equivalent to _domain admin_.
 1. Open a command prompt.
-2. Type the following command to confirm the NDES Connector's last connection time is current.</br>
+2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```</br>
+   ```
   reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus
   ```
 3. Close the command prompt.
 4. Open **Internet Explorer**.
-5. In the navigation bar, type</br>
+5. In the navigation bar, type:
-```https://[fqdnHostName]/certsrv/mscep/mscep.dll```</br>
+   ```
-where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.</br>
+   https://[fqdnHostName]/certsrv/mscep/mscep.dll
   ```
   where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
   A web page showing a 403 error (similar to the following) should appear in your web browser.  If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
   ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
@ -646,6 +673,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
 8. Select **User** as a certificate type.
 9. Configure **Certificate validity period** to match your organization.
   > [!IMPORTANT]
   > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
@ -679,7 +707,7 @@ You have successfully completed the configuration.  Add users that need to enrol
 > [!div class="checklist"]
 > * Requirements
 > * Prepare Azure AD Connect
-> * Prepare the Network Device Enrollment Services (NDES) Service Acccount
+> * Prepare the Network Device Enrollment Services (NDES) Service Account
 > * Prepare Active Directory Certificate Authority
 > * Install and Configure the NDES Role
 > * Configure Network Device Enrollment Services to work with Microsoft Intune