Merge pull request #7697 from paolomatarazzo/pm-20221228-issue-10305

[VPN SSO] Documentation updates
Stephanie Savell 2022-12-28 10:17:11 -06:00 committed by GitHub
commit f70aab43fb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -1,9 +1,9 @@
--- ---
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11) title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.prod: windows-client ms.prod: windows-client
author: paolomatarazzo author: paolomatarazzo
ms.date: 03/22/2022 ms.date: 12/28/2022
manager: aaroncz manager: aaroncz
ms.author: paoloma ms.author: paoloma
ms.reviewer: pesmith ms.reviewer: pesmith
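Review bot: the new title drops the "(Windows 10 and Windows 11)" qualifier and nothing else in this hunk states which OS versions the article applies to; confirm the page carries that applicability statement elsewhere in its metadata before merging, otherwise this edit removes the only place the reader saw it. The `ms.date` bump to 12/28/2022 matches the commit date, which is correct for a content change.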
@ -18,47 +18,49 @@ ms.topic: how-to
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used: This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used:
- Connecting to a network using Wi-Fi or VPN. - Connecting to a network using Wi-Fi or VPN
- Use credentials for WiFi or VPN authentication to also authenticate requests to access a domain resource without being prompted for your domain credentials. - Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials
For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication. For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication.
The credentials that are used for the connection authentication are placed in Credential Manager as the default credentials for the logon session. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource: The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
- For VPN, the VPN stack saves its credential as the session default.
- For WiFi, Extensible Authentication Protocol (EAP) provides support.
The credentials are placed in Credential Manager as a "\*Session" credential. - For VPN, the VPN stack saves its credential as the **session default**
A "\*Session" credential implies that it is valid for the current user session. - For WiFi, Extensible Authentication Protocol (EAP) provides support
The credentials are also cleaned up when the WiFi or VPN connection is disconnected.
The credentials are placed in Credential Manager as a *session credential*:
- A *session credential* implies that it is valid for the current user session
- The credentials are cleaned up when the WiFi or VPN connection is disconnected
> [!NOTE] > [!NOTE]
> In Windows 10, version 21h2 and later, the "\*Session" credential is not visible in Credential Manager. > In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager.
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from the Credential Manager to the SSP that is requesting it. For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations). For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).
The local security authority will look at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application. The local security authority will look at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application.
If the app isn't a UWP, it doesn't matter. If the app isn't a UWP, it doesn't matter.
But if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication. But, if the application is a UWP app, it will evaluate at the device capability for Enterprise Authentication.
If it does have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. If it does have that capability and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
This behavior helps prevent credentials from being misused by untrusted third parties. This behavior helps prevent credentials from being misused by untrusted third parties.
## Intranet zone ## Intranet zone
For the Intranet zone, by default it only allows single-label names, such as Http://finance. For the Intranet zone, by default it only allows single-label names, such as *http://finance*.
If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](/windows/client-management/mdm/registry-csp). If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](/windows/client-management/mdm/registry-csp).
### Setting the ZoneMap ### Setting the ZoneMap
The ZoneMap is controlled using a registry that can be set through MDM. The ZoneMap is controlled using a registry that can be set through MDM.
By default, single-label names such as http://finance are already in the intranet zone. By default, single-label names such as *http://finance* are already in the intranet zone.
For multi-label names, such as http://finance.net, the ZoneMap needs to be updated. For multi-label names, such as *http://finance.net*, the ZoneMap needs to be updated.
## MDM Policy ## MDM Policy
OMA URI example: OMA URI example:
./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/`<domain name>`/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser. `./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/<domain name>` as an `Integer` value of `1` for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser.
## Credential requirements ## Credential requirements
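Review bot: the OMA-URI in the `## MDM Policy` section loses its trailing value name. The old text read `.../ZoneMap/Domains/<domain name>/*` set to an Integer value of `1`, where `*` is the value created under the domain key; the new code span ends at `<domain name>`, so the instruction now points at the key rather than at the value the admin must create. Restore it as `.../ZoneMap/Domains/<domain name>/*` inside the code span, and consider labelling the hard-coded user SID `S-1-5-21-...-2781` as an example to be replaced, since it is reproduced verbatim in the new text. Two smaller points in the same hunk: the literal Credential Manager target name `*Session` has been rewritten as the prose term *session credential* in the "The credentials are placed in Credential Manager" paragraph and in the NOTE, which removes the string a reader would look for in Credential Manager output; keep the literal (for example `*Session`) next to the prose term. The spelling is now mixed as well: the new bullets use "Wi-Fi" while the intro sentence, the "For WiFi, Extensible Authentication Protocol" bullet and the "cleaned up when the WiFi or VPN connection" bullet still say "WiFi"; pick one. Finally, "it will evaluate at the device capability" survives unchanged and should read "it will evaluate the device capability".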
@ -79,10 +81,10 @@ If the credentials are certificate-based, then the elements in the following tab
| Template element | Configuration | | Template element | Configuration |
|------------------|---------------| |------------------|---------------|
| SubjectName | The users distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. | | SubjectName | The user's distinguished name (DN) where the domain components of the distinguished name reflect the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located. |
| SubjectAlternativeName | The users fully qualified UPN where a domain name component of the users UPN matches the organizations internal domains DNS namespace. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | | SubjectAlternativeName | The user's fully qualified UPN where a domain name component of the user's UPN matches the organizations internal domain's DNS namespace. </br>This requirement is relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. |
| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. | | Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. |
| EnhancedKeyUsage | One or more of the following EKUs is required: </br>- Client Authentication (for the VPN) </br>- EAP Filtering OID (for Windows Hello for Business)</br>- SmartCardLogon (for Azure AD-joined devices) </br>If the domain controllers require smart card EKU either:</br>- SmartCardLogon</br>- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) <br>Otherwise:</br>- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | | EnhancedKeyUsage | One or more of the following EKUs is required: </br><ul><li>Client Authentication (for the VPN)</li><li>EAP Filtering OID (for Windows Hello for Business)</li><li>SmartCardLogon (for Azure AD-joined devices)</li></ul>If the domain controllers require smart card EKU either:<ul><li>SmartCardLogon</li><li>id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4) </li></ul>Otherwise:</br><ul><li>TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2)</li></ul> |
## NDES server configuration ## NDES server configuration
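Review bot: the apostrophe fix in the SubjectAlternativeName row is incomplete: "users" becomes "user's" twice, but "organizations internal domain's DNS namespace" still lacks one ("organization's"). In the EnhancedKeyUsage row the cell now mixes the invalid closing tag `</br>` (carried over from the old text, after "is required:" and after "Otherwise:") with the new `<ul>`/`<li>` markup; since the row is being converted to HTML lists anyway, replace the remaining `</br>` with `<br>` or drop them, as each `</ul>` already ends its block.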