diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-key.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md similarity index 95% rename from windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-key.md rename to windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 514072694e..e1a9b2d227 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-key.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -55,7 +55,7 @@ Windows Hello for Business enforces the strict KDC validation security feature, Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. -Steps you will be performing include: +Steps you will perform include: - [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point) - [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list) @@ -170,7 +170,6 @@ The web server is ready to host the CRL distribution point. Now, configure the 7. Select the CDP you just created.  - 8. Select **Publish CRLs to this location**. 9. Select **Publish Delta CRLs to this location**. 10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box. 
@@ -217,7 +216,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point, Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails. -First, you need to export the enterprise root certificate authority certificate to a file. +Steps you will perform include: +- [Export Enterprise Root certificate](#export-enterprise-root-certificate) +- [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile) ### Export Enterprise Root certificate @@ -248,10 +249,19 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted  6. Sign out of the Microsoft Azure Portal. -## Using Certificates for On-premises Single-sign On +## Section Review +> [!div class="checklist"] +> * Configure Internet Information Services to host CRL distribution point +> * Prepare a file share to host the certificate revocation list +> * Configure the new CRL distribution point in the issuing certificate authority +> * Publish CRL +> * Reissue domain controller certificates +> * Export Enterprise Root certificate +> * Create and Assign a Trust Certificate Device Configuration Profile -If you plan to use certificates for on-premises single-sign on, then follow these **addtiional** steps to configure the environment to enroll certificates for Azure AD joined devices. + +If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). + -
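Review bot: (hunk @@ -55) The file rename from hello-hybrid-aadj-sso-key.md to hello-hybrid-aadj-sso-base.md is not accompanied by any visible update to inbound links, so any page in the set that links to the old filename will break; the in-page anchors in this hunk (`#configure-internet-information-services-to-host-crl-distribution-point`, `#prepare-a-file-share-to-host-the-certificate-revocation-list`) are relative and survive the rename, but please confirm the cross-page references were updated in the same change. The wording fix "Steps you will perform include:" is fine as is.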
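Review bot: (hunk @@ -170) Removing the stray blank line between steps 7 and 8 restores the numbered list, but the unchanged step 10 on the same context line still carries two errors worth fixing while you are here: "Click **Apply** save your selections" is missing "to" and "when ask to restart the service" should read "when asked to restart the service". Suggest: "Click **Apply** to save your selections. Click **Yes** when asked to restart the service."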
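Review bot: (hunk @@ -217) The new list is placed directly under "Steps you will perform include:" with no blank line, whereas the same construct in the first hunk separates the intro sentence from its bullets with a blank line; keep them consistent so both render as lists on every Markdown engine. The two context sentences above the change also still read "Your domain controllers have new certificate that include" (should be "new certificates that include") and "Deploying the enterprise root certificates to the device, ensures" (drop the comma); since the paragraph is being reworked, fixing both here is cheap. The security point of the paragraph, that without the enterprise root the Azure AD joined device does not trust the domain controller certificate and authentication fails, is stated clearly and should stay.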
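Review bot: (hunk @@ -248) The replacement paragraph links to hello-hybrid-aadj-sso-cert.md, but this diff only shows a rename of the existing file and does not add that target, so please confirm the certificate page exists in the same change or the link is dead on publish. Removing the "## Using Certificates for On-premises Single-sign On" heading also removes its anchor, so any existing deep link to that section of this page will now land at the top. Minor: the added lines include two extra empty "+" lines after the checklist and at the end of the file; drop them to avoid trailing whitespace noise. The rewrite does correctly fix the "addtiional" typo from the removed line; consider also normalizing "single-sign on" to "single sign-on" in the new sentence, since that is the standard form of the term.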