Hello authentication in AD domain environment

  • Question

  • I've seen a number of cases where, after a user's password expired or was changed, Windows Hello will allow the user to log in to the computer (Surface Pro4) that is also joined to the domain; however, of course, it won't let the user access any domain resources. Windows Hello must make its own token and then use that to start the Kerberos authentication process, where it's rejected because the password is expired.

    Does anyone know of a way to get this working more smoothly?

    Some extra background information - To get around this, the user needs to log out and use the other sign-in options to sign in using the new password or at this time reset it; next they log out and log back in using Hello, and it will prompt them to sign in using the new password (regardless of doing it above). Hello will toss the user back to the login screen and have them type in the password, where Hello captures it, and from this point on it will work until the password expires again.

    Thursday, January 5, 2017 8:22 PM

All replies

  • I've seen a number of cases where, after a user's password expired or was changed, Windows Hello will allow the user to log in to the computer (Surface Pro4) that is also joined to the domain; however, of course, it won't let the user access any domain resources.

    Hi,

    Did you mean Windows Hello for Business deployed in your domain?

    Because according to this reference article, when the password for that account changes, you must provide the new password on each device to continue to use Hello. But if the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. It is by design.
    Windows Hello and password changes
    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/microsoft-passport-and-password-changes?f=255&MSPPError=-2147217396

    Best regards




    Monday, January 9, 2017 7:46 AM
    Moderator