Paolo Matarazzo 2a74e340ca updates
2022-11-21 11:18:34 -05:00

title: Configuring Hybrid Azure AD joined Windows Hello for Business - Active Directory Federation Services (ADFS)
description: Discussing the configuration of Active Directory Federation Services (ADFS) in a Hybrid deployment of Windows Hello for Business
ms.date: 4/30/2021
appliesto: Windows 10 and later (https://learn.microsoft.com/windows/release-health/supported-versions-windows-client)
ms.topic: article

Configure Hybrid Azure AD joined Windows Hello for Business: Active Directory Federation Services


Federation Services

The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.

The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.

Note

In order for AD FS to verify user certificate requests for Windows Hello for Business, it needs to be able to access the https://enterpriseregistration.windows.net endpoint.

Configure the Registration Authority

Sign in to the AD FS server with Domain Admin equivalent credentials.

  1. Open a Windows PowerShell prompt.

  2. Enter the following command:

    Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
    

    Note

    If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace WHFBEnrollmentAgent and WHFBAuthentication in the preceding command with the name of your certificate templates. It's important that you use the template name rather than the template display name. You can view the template name on the General tab of the certificate template by using the Certificate Template management console (certtmpl.msc). Or, you can view the template name by using the Get-CATemplate ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
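The template-name pitfall in the note above is easy to check before users start provisioning. The following pre-flight script is an added example, not part of the original article: it reads the registration authority configuration on the AD FS server, confirms that each configured template name is published on the issuing CA (by internal name, as Get-CATemplate reports it), and confirms that the enterpriseregistration.windows.net endpoint is reachable. The CA host name and the property names read from Get-AdfsCertificateAuthority are assumptions.

```powershell
# Added example (not from the original article). Run on the AD FS server.
param(
    [string]$CaServer = 'ca01.corp.contoso.com'   # assumption: your issuing CA host
)

Import-Module ADFS

# Current RA configuration. Property names are assumed from the output of
# Get-AdfsCertificateAuthority; adjust if your version names them differently.
$ra = Get-AdfsCertificateAuthority
$expected = @{
    EnrollmentAgent = $ra.EnrollmentAgentCertificateTemplateName
    WindowsHello    = $ra.WindowsHelloCertificateTemplateName
}

# Template *names* known to the CA. Get-CATemplate lives in the
# ADCSAdministration module on the CA itself, so query it remotely.
$caTemplates = Invoke-Command -ComputerName $CaServer -ScriptBlock {
    Import-Module ADCSAdministration
    (Get-CATemplate).Name
}

foreach ($role in $expected.Keys) {
    $name = $expected[$role]
    if ([string]::IsNullOrEmpty($name)) {
        Write-Warning "$role template is not configured on the RA"
    } elseif ($caTemplates -notcontains $name) {
        # A display name such as 'WHFB Authentication' fails here: the CA
        # publishes templates by their internal name, not the display name.
        Write-Warning "$role template '$name' is not published on $CaServer (display name instead of template name?)"
    } else {
        Write-Output "$role template '$name' OK"
    }
}

if (-not $ra.WindowsHelloCertificateProxyEnabled) {
    Write-Warning 'WindowsHelloCertificateProxyEnabled is false; AD FS will not proxy certificate requests'
}

# AD FS must reach this endpoint to verify user certificate requests.
$net = Test-NetConnection -ComputerName 'enterpriseregistration.windows.net' -Port 443
if (-not $net.TcpTestSucceeded) {
    Write-Warning 'enterpriseregistration.windows.net:443 is not reachable from this server'
}
```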

Group Memberships for the AD FS Service Account

The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.

Tip

The adfssvc account is the AD FS service account.

Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.

  1. Open Active Directory Users and Computers.
  2. Click the Users container in the navigation pane.
  3. Right-click the Windows Hello for Business Users group.
  4. Click the Members tab and click Add.
  5. In the Enter the object names to select text box, type adfssvc or substitute the name of the AD FS service account in your AD FS deployment. Click OK.
  6. Click OK to return to Active Directory Users and Computers.
  7. Restart the AD FS server.

Note

For AD FS 2019, when Windows Hello for Business is deployed with hybrid certificate trust, a known PRT issue exists. You may encounter this error in the AD FS Admin event log: Received invalid Oauth request. The client 'NAME' is forbidden to access the resource with scope 'ugs'. To remediate this error:

  1. Launch the AD FS management console. Browse to "Services > Scope Descriptions".
  2. Right-click "Scope Descriptions" and select "Add Scope Description".
  3. Under name, type "ugs" and click Apply > OK.
  4. Launch PowerShell as an administrator.
  5. Get the ObjectIdentifier of the application permission with the ClientRoleIdentifier parameter equal to "38aa3b87-a06d-4817-b275-7a316988d93b":

    (Get-AdfsApplicationPermission -ServerRoleIdentifiers 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' | ?{ $_.ClientRoleIdentifier -eq '38aa3b87-a06d-4817-b275-7a316988d93b' }).ObjectIdentifier

  6. Execute the command Set-AdfsApplicationPermission -TargetIdentifier <ObjectIdentifier from step 5> -AddScope 'ugs'.
  7. Restart the AD FS service.
  8. On the client: Restart the client. The user should be prompted to provision Windows Hello for Business.
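The remediation above can be scripted so that it first detects whether the scope description and the permission scope are actually missing, and only then changes anything. The script below is an added example, not part of the original article: it is idempotent, so it can be re-run safely, and with -WhatIf it acts as a read-only check. The scope name, client role identifier and server role identifier come from the steps above; the ScopeNames property on the permission object is an assumption about the Get-AdfsApplicationPermission output.

```powershell
# Added example (not from the original article). Run as administrator on the AD FS server.
[CmdletBinding(SupportsShouldProcess)]
param()

Import-Module ADFS

$scope      = 'ugs'
$clientRole = '38aa3b87-a06d-4817-b275-7a316988d93b'   # from the remediation steps
$serverRole = 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope'

# Steps 1-3: make sure the 'ugs' scope description exists.
if (-not (Get-AdfsScopeDescription -Name $scope -ErrorAction SilentlyContinue)) {
    if ($PSCmdlet.ShouldProcess("scope description '$scope'", 'Add')) {
        Add-AdfsScopeDescription -Name $scope
    }
} else {
    Write-Verbose "Scope description '$scope' already present"
}

# Steps 5-6: locate the permission and grant the scope only if it is missing.
$perm = Get-AdfsApplicationPermission -ServerRoleIdentifiers $serverRole |
    Where-Object { $_.ClientRoleIdentifier -eq $clientRole }

if (-not $perm) {
    throw "No application permission found for client role $clientRole"
}

# ScopeNames is assumed to be the list of granted scopes on the permission object.
if ($perm.ScopeNames -contains $scope) {
    Write-Output "Permission $($perm.ObjectIdentifier) already includes '$scope'; nothing to do"
} elseif ($PSCmdlet.ShouldProcess("permission $($perm.ObjectIdentifier)", "Add scope '$scope'")) {
    Set-AdfsApplicationPermission -TargetIdentifier $perm.ObjectIdentifier -AddScope $scope
    Write-Output "Added '$scope' to $($perm.ObjectIdentifier); restart the AD FS service (step 7)"
}
```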

Section Review


  • Configure the registration authority.
  • Update group memberships for the AD FS service account.

Follow the Windows Hello for Business hybrid certificate trust deployment guide

  1. Overview
  2. Prerequisites
  3. New Installation Baseline
  4. Configure Azure Device Registration
  5. Configure Windows Hello for Business settings: AD FS (You are here)
  6. Sign-in and Provision