2018-02-01 09:55:37 -08:00


title: Configuring Hybrid Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
keywords: identity, PIN, biometric, Hello, passport, WHFB, adfs
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, mobile
localizationpriority: high
author: mikestephens-MS
ms.author: mstephen
ms.date: 10/23/2017

Configure Windows Hello for Business: Active Directory Federation Services

Applies to

  • Windows 10

Federation Services

This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.

The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.

The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.

Configure the Registration Authority

Sign in to the AD FS server with Domain Admin equivalent credentials.

  1. Open a Windows PowerShell prompt.

  2. Type the following command:

    Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication

The Set-AdfsCertificateAuthority cmdlet should show the following warning:

WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.

This warning indicates that you have not configured multi-factor authentication in AD FS; until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during their prerequisite checks. If the check finds that multi-factor authentication is missing, the prerequisite check fails and the user does not provision Windows Hello for Business at sign-in.

Note

If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace WHFBEnrollmentAgent and WHFBAuthentication in the above command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the General tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the Get-CATemplate ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.

Group Memberships for the AD FS Service Account

The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.

Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.

  1. Open Active Directory Users and Computers.
  2. Click the Users container in the navigation pane.
  3. Right-click the Windows Hello for Business Users group.
  4. Click the Members tab and click Add.
  5. In the Enter the object names to select text box, type adfssvc. Click OK.
  6. Click OK to return to Active Directory Users and Computers.
  7. Restart the AD FS server.
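The following pre-flight script is an added example, not part of the original guide, and ties the two procedures above together: it verifies on the certificate authority that the template names (not display names) exist, checks that a permitted strong authentication provider is enabled so that Set-AdfsCertificateAuthority does not end in warning PS0343, confirms the AD FS service account is in the Windows Hello for Business Users group, and only then configures the registration authority. It is run on the AD FS server and assumes PowerShell remoting to the CA (hypothetical host ca01.corp.example.com), the ActiveDirectory RSAT module on the AD FS server, and the template and account names used in this guide.

```powershell
param(
    [string]$CaServer = 'ca01.corp.example.com',   # hypothetical CA host name
    [string]$EnrollmentAgentTemplate = 'WHFBEnrollmentAgent',
    [string]$AuthenticationTemplate = 'WHFBAuthentication',
    [string]$AdfsServiceAccount = 'adfssvc'
)
$ok = $true

# 1. Template names (not display names) must be published on the CA. Get-CATemplate
#    only runs on the CA itself, so call it through PowerShell remoting.
$templates = Invoke-Command -ComputerName $CaServer -ScriptBlock { Get-CATemplate }
foreach ($name in @($EnrollmentAgentTemplate, $AuthenticationTemplate)) {
    if ($templates.Name -notcontains $name) {
        Write-Warning "Template '$name' is not published on $CaServer; check the template name on the General tab in certtmpl.msc."
        $ok = $false
    }
}

# 2. Without a permitted strong authentication provider, Set-AdfsCertificateAuthority
#    warns with PS0343 and AD FS issues no Windows Hello certificates.
$unsupported = @('CertificateAuthentication', 'MicrosoftPassportAuthentication')
$providers = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
$permitted = @($providers | Where-Object { $unsupported -notcontains $_ })
if ($permitted.Count -eq 0) {
    Write-Warning "No permitted strong authentication provider is enabled in AD FS (found: $($providers -join ', '))."
    $ok = $false
}

# 3. The AD FS service account must be in the Windows Hello for Business Users group
#    (requires the ActiveDirectory RSAT module on this server).
$members = Get-ADGroupMember -Identity 'Windows Hello for Business Users' -Recursive
if ($members.SamAccountName -notcontains $AdfsServiceAccount) {
    Write-Warning "$AdfsServiceAccount is not a member of 'Windows Hello for Business Users'."
    $ok = $false
}

# 4. Configure the registration authority only when every check passed.
if ($ok) {
    Set-AdfsCertificateAuthority -EnrollmentAgent `
        -EnrollmentAgentCertificateTemplate $EnrollmentAgentTemplate `
        -WindowsHelloCertificateTemplate $AuthenticationTemplate
} else {
    Write-Error 'Prerequisite checks failed; registration authority was not configured.'
}
```

The group membership check only reflects a restarted AD FS service if step 7 above has already been carried out; run the script after that restart.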

Section Review


  • Configure the registration authority
  • Update group memberships for the AD FS service account





Follow the Windows Hello for Business hybrid certificate trust deployment guide

  1. Overview
  2. Prerequisites
  3. New Installation Baseline
  4. Configure Azure Device Registration
  5. Configure Windows Hello for Business settings: AD FS (You are here)
  6. Sign-in and Provision