Windows Hello for Business - access to on-premises resources using PIN fails

  • Question

  • Hello,

    I've set up a Windows Hello for Business infrastructure by following the Deployment Guide. Here are the details:

    • Deployment type : Hybrid key trust
    • Azure AD : Premium licenses & MFA properly configured
    • Azure AD Connect : users & devices are synced
    • AD : Windows Server 2016 DC
    • PKI : new Kerberos certificates are properly deployed on 2016 DCs

    From an Azure AD Joined machine, I can properly:

    • Enroll in Hello for Business, sign in and reset PIN
    • Have SSO to cloud resources (Office 365)
    • Have SSO to on-premises resources (filer) using the username / password logon in Windows

    However, I can't :

    • Have SSO to on-premises resources (filer) using the PIN logon in Windows

    Connectivity to a DC and DNS is properly configured

    Event IDs

    Event 360

    Windows Hello for Business provisioning will be launched. 
    Device is AAD joined ( AADJ or DJ++ ): Yes 
    User has logged on with AAD credentials: Yes 
    Windows Hello for Business policy is enabled: Yes 
    Windows Hello for Business post-logon provisioning is enabled: Yes 
    Local computer meets Windows hello for business hardware requirements: Yes 
    User is not connected to the machine via Remote Desktop: Yes 
    User certificate for on premise auth policy is enabled: No 
    Machine is governed by none policy. 
    See https://go.microsoft.com/fwlink/?linkid=832647 for more


    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor



    March 8, 2018 19:48

Answers

  • Found the issue. The delta CRL was not properly published to the Internet.

    To make it work, make sure :

    1. Hello for Business is properly configured in your environment (key trust or certificate trust)
    2. Your PKI CRL and delta CRL are published over HTTP on the Internet
    3. Your PKI root certificate is pushed to AADJ devices (using MDM or manually)
    4. Your 2016 DCs have the certificate for Kerberos Authentication installed
    5. You have pushed a Hello for Business configuration strategy (MDM)

    MVP Enterprise Mobility | Microsoft P-Seller | Azure Advisor



    March 8, 2018 23:01
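The five points in the answer above can each be checked from the command line. The script below is an added example written for this page, not code from the thread or from Microsoft: `Test-WhfbKdcCertificate` is meant to run on the Windows Server 2016 DC and probes the CRL distribution points of its Kerberos Authentication certificate exactly as an Azure AD joined device would have to (HTTP only, since a non-domain device cannot query LDAP), and `Test-WhfbClient` runs on the AADJ device to confirm the root CA is in the machine store and to read the Yes/No checks out of Event 360. The function names, the `-RootThumbprint` parameter and the assumption that delta CRLs follow the AD CS default naming (`<name>+.crl`) are this example's own, not anything the original post states.

```powershell
# Added example (not from the original thread): checks for the five prerequisites
# listed in the accepted answer. Function names and -RootThumbprint are hypothetical
# helpers written for this page, not Microsoft cmdlets.

$KerberosAuthenticationEku = '1.3.6.1.5.2.3.5'  # EKU a key-trust DC certificate must carry
$CrlDistributionPointsOid  = '2.5.29.31'

function Get-CrlDistributionUrls {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq $CrlDistributionPointsOid }
    if (-not $ext) { return @() }
    # Format($true) renders the extension as text; each CDP shows up as a "URL=..." entry
    [regex]::Matches($ext.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
}

function Test-CrlUrl {
    param([Parameter(Mandatory)][string]$Url)
    $result = [pscustomobject]@{ Url = $Url; Reachable = $false; Bytes = 0; Note = '' }
    if ($Url -notmatch '^http://') {
        # An Azure AD joined device is not a domain member and cannot read an LDAP CDP,
        # so only HTTP distribution points count for the PIN logon scenario.
        $result.Note = 'not HTTP; unusable from an AADJ device'
        return $result
    }
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 15
        $result.Bytes = $response.Content.Length
        # A DER-encoded CRL starts with a SEQUENCE tag (0x30); anything else is an error page
        $result.Reachable = ($response.StatusCode -eq 200) -and ($result.Bytes -gt 0) -and ($response.Content[0] -eq 0x30)
        if (-not $result.Reachable) { $result.Note = "HTTP $($response.StatusCode), body is not a DER CRL" }
    } catch {
        $result.Note = $_.Exception.Message   # 404, DNS failure, timeout, ...
    }
    return $result
}

function Test-WhfbKdcCertificate {
    # Run on the 2016 DC (step 4): find the Kerberos Authentication certificate
    $dcCert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KerberosAuthenticationEku -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $dcCert) { throw 'No valid certificate with the Kerberos Authentication EKU in LocalMachine\My (step 4 fails)' }
    Write-Host "KDC certificate: $($dcCert.Subject)  thumbprint $($dcCert.Thumbprint)"

    # Step 2: base CRL and delta CRL must both be fetchable over HTTP
    foreach ($url in Get-CrlDistributionUrls -Certificate $dcCert) {
        Test-CrlUrl -Url $url
        # Assumption: AD CS default naming, where the delta CRL is the base name with '+' before '.crl'
        if ($url -match '^http://.*\.crl$') { Test-CrlUrl -Url ($url -replace '\.crl$', '+.crl') }
    }

    # Full chain build with revocation checking, the way CryptoAPI on the KDC does it.
    # This runs with the DC's own network access (LDAP included), so a pass here does not
    # prove the HTTP paths work from the Internet; the Test-CrlUrl results above do that.
    $tmp = Join-Path $env:TEMP "$($dcCert.Thumbprint).cer"
    [IO.File]::WriteAllBytes($tmp, $dcCert.RawData)
    & certutil.exe -verify -urlfetch $tmp | Out-Null
    $exit = $LASTEXITCODE
    Remove-Item $tmp -ErrorAction SilentlyContinue
    Write-Host "certutil -verify -urlfetch: $(if ($exit -eq 0) { 'PASS' } else { "FAIL (exit $exit)" })"
}

function Test-WhfbClient {
    param([Parameter(Mandatory)][string]$RootThumbprint)   # thumbprint of the PKI root CA
    # Step 3: the root CA has to be in the machine Trusted Root store, not only the user's
    $root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $RootThumbprint
    Write-Host "Root CA trusted (LocalMachine\Root): $([bool]$root)"

    # Steps 1 and 5: Event 360 records every provisioning prerequisite as a "...: Yes/No" line
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-User Device Registration/Admin'; Id = 360 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if (-not $ev) { Write-Warning 'No Event 360 found; provisioning has not been attempted on this device'; return }
    $checks = @{}
    foreach ($line in ($ev.Message -split "`r?`n")) {
        if ($line -match '^\s*(.+?):\s*(Yes|No)\s*$') { $checks[$matches[1]] = $matches[2] }
    }
    $checks.GetEnumerator() | Sort-Object Name | ForEach-Object { Write-Host ('{0,-75} {1}' -f $_.Name, $_.Value) }
    # For key trust, "User certificate for on premise auth policy is enabled: No" is expected
    # and is not a fault; that policy only applies to certificate trust deployments.
    return $checks
}

# Usage (hypothetical thumbprint):
#   On the DC:      Test-WhfbKdcCertificate
#   On the client:  Test-WhfbClient -RootThumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

The point to watch in the output is the delta CRL line from `Test-CrlUrl`: a base CRL that downloads fine while the `+.crl` request returns 404 reproduces the failure mode described in the answer, because the KDC certificate chain is validated on the client with full revocation checking and a missing delta CRL fails that check just as a missing base CRL does. Password logon keeps working in that state because it never builds the certificate chain; only the PIN (key trust) logon does.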

All replies

  • Awesome, I've been scouring for people having this issue and finally came across this article. I've been trying to see if it's even possible to use the PIN to access the onprem resources. 

    Is there any way you can elaborate on the delta CRL part? I'm not that great with certificate knowledge; are all these steps required to set up that wouldn't already be working the way logging in with a password does? Was the delta CRL the only piece you really had to mess with? 

    Also, what exactly do you mean by published to the Internet? From what I understood the machine should use an on-prem direct link to the servers, and that's the reason it required you to have direct line of sight to the DC to work, or am I missing something here? 

    Thanks for your help! 

    December 14, 2018 14:33