User with best answer
Windows Hello for Business - access to on-premises resources using PIN fails

Question
Hello,
I've set up a Windows Hello for Business infrastructure by following the Deployment Guide. Here are the details:
- Deployment type: Hybrid key trust
- Azure AD: Premium licenses & MFA properly configured
- Azure AD Connect: users & devices are synced
- AD: Windows Server 2016 DC
- PKI: new Kerberos certificates are properly deployed on 2016 DCs
From an Azure AD Joined machine, I can properly:
- Enroll in Hello for Business, sign in and reset PIN
- Have SSO to cloud resources (Office 365)
- Have SSO to on-premises resources (filer) using the username / password logon in Windows
However, I can't:
- Have SSO to on-premises resources (filer) using the PIN logon in Windows
Connectivity to a DC and DNS is properly configured.
Event IDs
Event 360
Windows Hello for Business provisioning will be launched.
Device is AAD joined ( AADJ or DJ++ ): Yes
User has logged on with AAD credentials: Yes
Windows Hello for Business policy is enabled: Yes
Windows Hello for Business post-logon provisioning is enabled: Yes
Local computer meets Windows hello for business hardware requirements: Yes
User is not connected to the machine via Remote Desktop
User certificate for on premise auth policy is enabled: No
Machine is governed by none policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more
MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor
- Edited by Maxime Rastello MVP, Thursday, March 8, 2018 19:51
Answers
Found the issue. The delta CRL was not properly published to the Internet.
To make it work, make sure:
- Hello for Business is properly configured in your environment (key trust or certificate trust)
- Your PKI CRL and Delta CRL are published using HTTP on the Internet
- Your PKI root certificate is pushed to AADJ devices (using MDM or manually)
- Your 2016 DCs have the certificate for Kerberos Authentication installed
- You have pushed a Hello for Business configuration strategy (MDM)
MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor
- Edited by Maxime Rastello MVP, Thursday, March 8, 2018 23:02
- Marked as Answer by Maxime Rastello MVP, Thursday, March 8, 2018 23:02
All Answers
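The checklist above comes down to one thing an Azure AD joined device must be able to do when it authenticates to the on-premises KDC with a key-trust credential: download the base CRL and the delta CRL referenced by the DC's Kerberos Authentication certificate over HTTP, because it cannot reach an LDAP distribution point. The following PowerShell script is an added example (not code from the thread or from the MVP who answered) that automates that check from any Windows machine: it locates the certificate carrying the KDC Authentication EKU (or takes an exported .cer via -CertPath), extracts its CRL Distribution Points, downloads each HTTP CRL, parses it with certutil to read NextUpdate, and then follows the "+.crl" delta CRL name that AD CS advertises in the base CRL's Freshest CRL extension. The temp-file handling, the certutil output parsing and the default "<CA>+.crl" delta naming are assumptions of this script.

```powershell
<#
 Added example, not from the forum thread: verify that a DC's Kerberos
 Authentication certificate points at an HTTP CRL and that both the base CRL
 and the delta CRL it advertises download and parse. Run from a machine that
 sits where the AADJ clients sit (outside the domain network) to reproduce
 what they see.
#>
param([string]$CertPath)   # optional: exported DC certificate (.cer)

function Get-KdcCertificate {
    param([string]$Path)
    if ($Path) {
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    }
    $kdcEku = '1.3.6.1.5.2.3.5'   # KDC Authentication EKU, set by the Kerberos Authentication template
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $kdcEku } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
}

function Get-CdpUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points; Format($true) renders one "URL=..." per line
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlDownload {
    param([string]$Url, [string]$Label)
    if ($Url -notmatch '^http://') {
        Write-Warning "$Label $Url is not HTTP; an AADJ device off the domain network cannot fetch it"
        return $null
    }
    $tmp = Join-Path $env:TEMP ("crlcheck-" + [guid]::NewGuid().Guid + ".crl")
    try {
        Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15 -OutFile $tmp
        # certutil -dump prints the CRL fields, including "NextUpdate:" and any Freshest CRL URLs
        $dump = (certutil.exe -dump $tmp 2>&1) -join "`n"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "$Label $Url downloaded but does not parse as a CRL"
            return $null
        }
        $next = if ($dump -match 'NextUpdate:\s*(.+)') { $matches[1].Trim() } else { 'unknown' }
        Write-Host "OK   $Label $Url (NextUpdate: $next)"
        return $dump
    } catch {
        Write-Warning "FAIL $Label $Url : $($_.Exception.Message)"
        return $null
    } finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
}

$cert = Get-KdcCertificate -Path $CertPath
if (-not $cert) {
    throw 'No certificate with the KDC Authentication EKU found; export the DC certificate and pass -CertPath'
}
Write-Host "Checking $($cert.Subject) (expires $($cert.NotAfter))"

$cdps = @(Get-CdpUrls -Cert $cert)
if (-not ($cdps | Where-Object { $_ -match '^http://' })) {
    Write-Warning 'No HTTP CDP on the certificate; key-trust PIN sign-in to on-prem resources will fail revocation checking'
}
foreach ($url in $cdps) {
    $baseDump = Test-CrlDownload -Url $url -Label 'Base CRL'
    if (-not $baseDump) { continue }
    # Assumption: AD CS default naming, delta CRL published as <CA>+.crl and listed in the Freshest CRL extension
    $deltaUrls = [regex]::Matches($baseDump, 'URL=(\S+\+\.crl)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
    if (-not $deltaUrls) { Write-Host 'No delta CRL advertised in this base CRL'; continue }
    foreach ($d in $deltaUrls) { Test-CrlDownload -Url $d -Label 'Delta CRL' | Out-Null }
}
```

A "FAIL" or "not HTTP" line for either the base or the delta CRL matches the symptom in this thread: password sign-in still works because the device validates the DC certificate from inside the domain network with LDAP and cached CRLs, while a key-trust PIN sign-in from an AADJ device has only the HTTP path.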
Awesome, I've been scouring for people having this issue and finally came across this article. I've been trying to see if it's even possible to use the PIN to access the onprem resources.
Is there any way you can elaborate on the delta CRL part? I'm not that great with certificate knowledge; are all these steps required to set up that wouldn't already be working with the way logging in with Password does? Was the delta CRL the only piece you really had to mess with?
Also, what exactly do you mean by published to the Internet? From what I understood the machine should use the onprem direct link to the servers, and the reason it required you to have direct line of sight to the DC to work, or am I missing something here?
Thanks for your help!