Windows Hello for Business - On Premises Certificate Trust Deployment - Multi-Factor Authentication (MFA)

  • Question

  • Hello!
    I am implementing Windows Hello for Business on-premises, On Premises Certificate Trust Deployment (Active Directory + AD FS + AD CS, without Azure AD), in my organization.
    Using the manual: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust
    I stopped at the step: Validate and Deploy Multi-factor Authentication (MFA)
    I can't figure out how to properly enable (configure) MFA using certificates.
    I tried to follow the instructions: https://commsverse.blog/2015/05/12/multi-factor-authentication-mfa-using-adfs-3-0-and-certificates/
    However, if I try to add a PIN code, a window from AD FS appears prompting for certificate selection, and an error message is instantly displayed that a valid certificate was not found in the user's certificate store! But the certificates do appear in the user certificate snap-in...

    Technical information:

    AD FS: Windows Server 2019
    AD CS: Windows Server 2016
    AD (forest/domain/schema): 2016
    
    PS C:\Windows\system32> Get-AdfsSslCertificate
    HostName                           PortNumber  CertificateHash
    --------                           ----------  ---------------
    localhost                             443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    fs.qqq.local                    443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    certauth.fs.qqq.local           443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    EnterpriseRegistration.qqq...     443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    EnterpriseRegistration.www.ru      443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    EnterpriseRegistration.eee.ru     443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    EnterpriseRegistration.rrr...     443      C5BD0CC737A20376D5EC8B042ACE5B0430231E33
    
    PS C:\Windows\system32> Get-AdfsDeviceRegistrationUpnSuffix
    Upn             SslPort IsSetAsSslBinding IsCustom
    ---             ------- ----------------- --------
    qqq.local     443              True     True
    www.ru           443              True     True
    eee.ru          443              True     True
    rrr.ru        443              True     True
    
    PS C:\Windows\system32> Get-AdfsGlobalAuthenticationPolicy
    AdditionalAuthenticationProvider       : {CertificateAuthentication}
    DeviceAuthenticationEnabled            : True
    AllowAdditionalAuthenticationAsPrimary : False
    EnablePaginatedAuthenticationPages     : False
    DeviceAuthenticationMethod             : All
    TreatDomainJoinedDevicesAsCompliant    : False
    PrimaryIntranetAuthenticationProvider  : {FormsAuthentication, WindowsAuthentication, CertificateAuthentication, DeviceAuthentication}
    PrimaryExtranetAuthenticationProvider  : {}
    WindowsIntegratedFallbackEnabled       : True
    ClientAuthenticationMethods            : ClientSecretPostAuthentication, ClientSecretBasicAuthentication, PrivateKeyJWTBearerAuthentication, WindowsIntegratedAuthentication
    
    PS C:\Windows\system32> Get-AdfsDeviceRegistration
    DrsObjectDN                          : CN=DeviceRegistrationService,CN=Device Registration Services,CN=Device
                                           Registration Configuration,CN=Services,CN=Configuration,DC=qqq,DC=local
    DevicesPerUser                       : 100
    MaximumInactiveDays                  : 90
    DeviceObjectLocation                 : CN=RegisteredDevices,DC=qqq,DC=local
    IsAdfsServiceAuthorizationReady      : True
    IsDirectoryConfigured                : True
    IsDeviceAuthenticationReady          : True
    IssuanceAuthorizationRules           :
    IssuanceTransformRules               : @RuleName = "Pass through all claims but group SIDs"
                                           c:[Type !~ "^(?i).+(group|primarygroup)+sid$"]
                                            => issue(claim = c);
    
                                           @RuleName = "Issue Permit Device Registration claim"
                                            => issue(Type =
                                           "http://schemas.microsoft.com/authorization/claims/PermitDeviceRegistration",
                                           Value = "true");
    
                                           @RuleName = "Issue Custom Quota to Administrators"
                                           [Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                                           Value =~ "^(?i)S-1-5-21-\d{1,10}-\d{1,10}-\d{1,10}-512$"]
                                            => issue(Type =
                                           "http://schemas.microsoft.com/authorization/claims/deviceregistrationquota",
                                           Value = "2147483647");
    
                                           @RuleName = "Issue Account Store Claim"
                                           c:[Type ==
                                           "http://schemas.microsoft.com/ws/2014/01/identity/claims/accountstore"]
                                           => issue(Type =
                                           "http://schemas.microsoft.com/authorization/claims/accountStore", Issuer =
                                           c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType =
                                           c.ValueType);
    
                                           @RuleName = "Issue Inside Corp Network Claim"
                                           c:[Type == "http://schemas.microsoft.com/ws/2014/01/identity/claims/insidecorpor
                                           atenetwork"]
                                           => issue(Type =
                                           "http://schemas.microsoft.com/authorization/claims/insidecorporatenetwork",
                                           Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value,
                                           ValueType = c.ValueType);
    
                                           @RuleName = "MFA for Domain Joined Machines"
                                           c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
                                           Value =~ "515$"]
                                           => issue(Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =
                                           "DJ");
    
                                           @RuleName = "Object identifier"
                                           c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value ==
                                           "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] &&
                                            c2:[Type ==
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                                           Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store =
                                           "Active Directory", types =
                                           ("http://schemas.microsoft.com/identity/claims/objectidentifier"), query =
                                           ";objectguid;{0}", param = c2.Value);
    
                                           @RuleName = "On-Prem Object GUID"
                                            c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =~
                                           "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] && c2:[Type
                                           ==
                                           "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname",
                                           Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(store =
                                           "Active Directory", types =
                                           ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), query =
                                           ";objectguid;{0}", param = c2.Value);
    
                                           @RuleName = "Primary SID"
                                           c1:[Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value =~
                                           "DJ", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"]&& c2:[Type
                                           == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer
                                           =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$"] => issue(claim = c2);
    
    
    AllowedAuthenticationClassReferences : {ngcmfa, wiaormultiauthn}
    AdditionalAuthenticationRules        :
    AccessControlPolicyName              : Permit everyone and require MFA, allow automatic device registration
    AccessControlPolicyParameters        :
    ResultantPolicy                      : RequireFreshAuthentication:False
                                           IssuanceAuthorizationRules:
                                           {
                                             Permit users
                                               with 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
                                           claim regex matches '-515$' in the request;
    
                                             Permit users
                                               and when authentication includes MFA
                                             except
                                               with 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
                                           claim regex matches '-515$' in the request;
    
                                             Permit users
                                               with 'http://schemas.microsoft.com/claims/authnmethodsreferences' claim
                                           equals to 'http://schemas.microsoft.com/claims/wiaormultiauthn' in the request
                                           }
    									   
    PS C:\Windows\system32> Get-AdfsAdditionalAuthenticationRule
    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
    
    c:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"]
     => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");

    Saturday, October 3, 2020 4:00 AM

Answers

  • Figured out the problem with certificates!
    If you use a corporate antivirus with a certificate substitution system (MITM) in your organization to detect threats, be sure to add your Windows Hello for Business infrastructure to the exceptions! Otherwise, nothing will work because of lack of trust!

    Additionally, there was a Windows Hello for Business issue with a device registration error.
    Similarly, the corporate antivirus (with MITM) was to blame.
    Additionally, this article helped a lot: https://s4erka.wordpress.com/2018/03/06/azure-ad-device-registration-error-codes/
    It explains how to fix the problem of registering Windows Hello for Business devices and manually register the computer:

    psexec -i -s cmd.exe

    dsregcmd /debug /leave

    you may need to try renaming the “C:\ProgramData\Microsoft\Crypto\Keys”

    dsregcmd /debug /join

    untranslatable philosophy: "flexible solutions", good grief...
    • Marked as answer by isKUL Tuesday, October 6, 2020 2:31 AM
    • Edited by isKUL Tuesday, October 6, 2020 3:53 AM
    Tuesday, October 6, 2020 2:31 AM
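
A check for the two failure modes this answer describes (a TLS-inspecting product re-signing the federation service's certificate, and no usable logon certificate in the user's store), as an added PowerShell example that is not part of the original thread or of Microsoft's deployment guide. It assumes the host names and the AD FS SSL certificate thumbprint shown in the question's Get-AdfsSslCertificate output; substitute your own values. Run it on an affected client, from the network path where the "valid certificate was not found" error appears.

```powershell
# Added diagnostic (example code, not from the original post or Microsoft's guide).
# Assumptions: host names and expected thumbprint come from the question's
# Get-AdfsSslCertificate output; run on the client whose logon is failing.
param(
    [string[]]$HostNames = @('fs.qqq.local', 'certauth.fs.qqq.local'),
    [string]$ExpectedThumbprint = 'C5BD0CC737A20376D5EC8B042ACE5B0430231E33'
)

function Get-ServedCertificate {
    # Open a TLS session and return the leaf certificate actually presented to this
    # client. Validation is switched off on purpose: we want to see a substituted
    # certificate, not fail on it.
    param([string]$HostName, [int]$Port = 443)
    $alwaysTrue = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $alwaysTrue)
        try {
            $ssl.AuthenticateAsClient($HostName)
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally { $ssl.Dispose() }
    } finally { $client.Dispose() }
}

function Test-FederationTls {
    # Compare what the client sees with what AD FS is configured to serve, and
    # report whether the chain builds on this machine (the "lack of trust" symptom).
    param([string]$HostName, [string]$Expected)
    $cert  = Get-ServedCertificate -HostName $HostName
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    [pscustomobject]@{
        HostName   = $HostName
        Thumbprint = $cert.Thumbprint
        Issuer     = $cert.Issuer
        Matches    = ($cert.Thumbprint -eq $Expected)   # $false: something re-signed the session
        ChainOk    = $chainOk
        ChainError = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

function Get-CandidateLogonCertificates {
    # Certificates AD FS certificate authentication can actually offer from this
    # user: personal store, private key present, Client Authentication or
    # Smart Card Logon EKU (the EKU the Windows Hello for Business template carries).
    $wanted = @('1.3.6.1.5.5.7.3.2', '1.3.6.1.4.1.311.20.2.2')
    Get-ChildItem Cert:\CurrentUser\My | Where-Object {
        $c = $_
        if (-not $c.HasPrivateKey) { return $false }
        $ekus = $c.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }
        [bool]($ekus | Where-Object { $wanted -contains $_ })
    } | Select-Object Subject, Issuer, NotAfter, Thumbprint
}

foreach ($h in $HostNames) {
    Test-FederationTls -HostName $h -Expected $ExpectedThumbprint | Format-List
}
Get-CandidateLogonCertificates | Format-Table -AutoSize
```

Read the two results together. A domain-joined client usually trusts the inspection product's root CA, so ChainOk can be True while Matches is False; the thumbprint mismatch is the reliable signal that the session is being terminated in the middle. For the certauth endpoint this is fatal by design: the client certificate handshake is between the client and whatever terminates TLS, so AD FS never receives the certificate, which is why the federation service hosts (including certauth.* and the EnterpriseRegistration.* names) have to be excluded from inspection rather than merely trusted. If the second table is empty for a user who can see a certificate in the snap-in, the certificate is missing its private key or the expected EKU and will not be offered either.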