Azure AD and Windows Hello: SSO to on-premise resources

One of the main reasons people might choose a hybrid Azure AD joined configuration for their devices is that they still want to be able to access on-premises resources, for example a file server, or printers. In my opinion, hybrid join should be avoided and it is usually worth the extra work required on the infrastructure to support your devices being Azure AD joined and having no relationship to the AD domain.

In this post I’ll look at how SSO to on-premise resources actually works, when you are logged on to an Azure AD joined device, with a user account which is synced from your on-premise AD. I’ll also look at how you can configure this so that users logging on using Windows Hello for Business can also SSO.

Initial Sign-in SSO (username and password)

If the user has signed in using their Azure AD credentials, you will automatically get SSO to on-premise resources. It should “just work” with no configuration changes needed, provided that the device can contact the on-premise domain controllers and the resource you’re trying to access – whether that is through the device physically being sat on the same LAN, or via VPN, and provided that your user accounts are synchronised from that domain via Azure AD Connect. If you have multiple domains you may need to alter the domain filtering in Azure AD Connect config.

When you sign in, Azure AD sends the on-premise domain details to the device with the Primary Refresh Token (PRT). The local security authority (LSA) on that device then enabled NTLM and Kerberos authentication, which are required for accessing your on-premise resources .

Full details of how this works are on the Microsoft Docs.

WHfB based sign-in (PIN, Face ID etc)

Having this work out of the box where users sign in with their username (UPN) and password is neat, but I’d hope that on a modern deployment users are able to configure Windows Hello for Business (WHfB), as it’s a much stronger authentication method than a password. Unfortunately, you won’t be able to SSO to on-premise resources if the user logged on using WHfB without a few changes to the infrastructure configuration. This is because the WHfB key isn’t present in Active Directory, your domain controllers won’t be using the right certificates to satisfy the requirements of the device, and it’s likely your certificate revocation lists (CRLs) are not accessible from a non-domain joined device.

There is a planning guide on the Microsoft Docs covering how to set this up, however it is quite lengthy and rather involved. I’ve also found that you don’t need ADFS for this to work using the Key Trust model, the docs seem to imply that you do.

There are two types of trust we can use for setting up the WHfB deployment:

Key Trust: Requires Windows Server 2016 domain controllers, users authenticate using a key created during WHfB setup. The public key is stored in Azure AD, and is then exported through Azure AD Connect to the relevant user account’s msDS-KeyCredentialLink attribute in Active Directory.

Certificate Trust: Requires Windows Server 2008R2 domain controllers, although the schema must be at 2016 or later level. Users authenticate using a certificate. This requires a lot more work to issue user certificates, and in a federated environment you will need to enable Device Writeback.

I’ve chosen to go with the Key Trust model, for a couple of reasons. Firstly, for those of you who have been reading my blog for a while, the production network at work is set up in a way where Device Writeback can’t be enabled – multiple domains on a single forest, each domain syncs to its own Azure AD tenant. It’s also a lot less work on the certificates front to go with the key trust model, and a few other steps regarding permissions are configured automatically vs the certificate trust route.

Pre-requisites

  • Windows Server 2016 or later domain controllers
  • Azure AD Connect is running to sync your user accounts to Azure AD
  • Certification Authority is already set up, optionally with the “Certification Authority Web Enrollment” feature

Now we need to configure the environment so that the WHfB public key gets written back to AD, and so that the certificates used by the domain controllers are suitable to pass the end-user device certificate checks.

When the device attempts to authenticate to the domain, the device validates the reply from the domain controller with the following criteria (taken from the Microsoft Docs page):

  • The certificate hasn’t been revoked.
  • The domain controller has the private key for the certificate provided.
  • The root CA that issued the domain controller’s certificate is in the device’s Trusted Root Certificate Authorities.
  • Use the Kerberos Authentication certificate template instead of any other older template.
  • The domain controller’s certificate has the KDC Authentication enhanced key usage (EKU).
  • The domain controller’s certificate’s subject alternate name has a DNS Name that matches the name of the domain.
  • The domain controller’s certificate’s signature hash algorithm is sha256.
  • The domain controller’s certificate’s public key is RSA (2048 Bits).

Configure Azure AD Connect

We need to make sure that Azure AD Connect is going to write back the user’s WHfB public key into the msDS-KeyCredentialLink attribute. On the server running AADConnect, open the Synchronisation Service console. Click on the Connectors tab, then double click on the row labelled Active Directory Domain Services. Click on the Select Attributes page and make sure that msDS-KeyCredentialLink is selected.

Screenshot of Sync Service Manager - ADDS Connector - Attributes showing msDS-KeyCredentialLink is checked
Make sure msDS-KeyCredentialLink is ticked.

Configure the CDP

So our first step is to make sure that the CRL Distribution Point (CDP) is accessible from the device. The default here is for it to be Active Directory integrated, and if you take a look through Certification Authority, right click on the CA, then Properties, then Extensions, you will see something similar to the following screenshot:

Screenshot of Extensions tab of CA properties, showing the http CRL location
Make sure that the http location is included in the CRL, and written in the CDP extension on issued certificates.

Here you need to make sure the http entry has both “Include in CRLs” and “Include in the CDP extension of issued certificates” ticked. While you can go into more depth here and get your CA to publish to a network share, and then host that on IIS (instructions for this in the Microsoft Docs), it’s not really necessary for smaller deployments and will work fine through the CertEnroll virtual directory if you have the Certification Authority Web Enrollment role installed.. Note that this does not need to be accessible to the entire Internet – just the devices you want to have SSO to on-premise resources. If your on-premise resources are behind a VPN, the CDP can also be behind the VPN.

Configure new Domain Controller certificate templates

Next we need to change the certificate template used by our domain controllers. Right click on Certificate Templates, then choose Manage Templates. Find the Kerberos Authentication template, right click it then Duplicate Template.

  • On the Compatibility tab, select (Windows 7) / Windows Server 2008 R2 for both boxes.
  • On the General tab, type a suitable name e.g. Domain Controller Authentication (Kerberos). Tick “Publish certificate in Active Directory”.
  • On the Subject Name tab, make sure this is set to build from AD, set the Subject Name format to “None”, and make sure only DNS name is ticked. These should be the default settings anyway.
  • On the Cryptography tab, change the Provider Category to “Key Storage Provider”. Make sure the algorithm is RSA, minimum key size 2048. Select “SHA256” as the Request hash.
  • On the Superseded Templates tab, add the older Domain Controller certificate templates.
  • Click OK to create the new template

Back in the Certification Authority console, right-click on Certificate Templates and click New > Certificate template to issue. Find the template you just created – Domain Controller Authentication (Kerberos) – and click OK. If it doesn’t show up, you will need to wait for replication across your AD infrastructure, also try refreshing the console.

Next is to disable the older templates, so find the following certificate templates in the console and right click > Delete:

  • Domain Controller
  • Domain Controller Authentication
  • Kerberos Authentication

Configure auto enrollment for the domain controllers

Finally we need to configure auto enrollment in Active Directory. Open Group Policy Management Console, and create a new Group Policy Object in the Domain Controllers OU (or edit an existing one, if you already have one for auto enrollment). Expand Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies and set the following two settings:

  • Certificate Services Client – Certificate Enrollment Policy: Enabled, Active Directory Enrollment
  • Certificate Services Client – Auto-Enrollment: Enabled, tick the boxes for Renew expired certificates, and Update certificates that use certificate templates

We can now wait a while, or run gpupdate on the domain controllers. Eventually you should see in the Certification Authority console, under Issued Certificates that a certificate using the new template has been issued to each of your domain controllers. Open the certificates and check that the CRL Distribution Points field, on the Details tab, includes the http address.

Screenshot of LAN-DC2 domain controller Kerberos certificate, showing the CRL Distribution Points field on Details tab
Make sure that the http CDP is included in the CRL Distribution Points field on your new DC certificates

Verify CDP is accessible

Make sure you can access this from a device which is not joined to the AD domain. There should be no authentication prompts. The default URL will be similar to:

http://ca-server.domain/CertEnroll/Ca-Name.crl

If you’re using Edge it will probably try to redirect you to https://ca-server.domain/CertEnroll/Ca-Name.crl, this can be disabled via going to edge://flags/#unsafely-treat-insecure-origin-as-secure and adding the CA server’s FQDN.

Deploying the root CA certificate to the devices

The Azure AD joined devices will need to have a copy of your AD CA root certificate in their Trusted Root store. Export your root CA from the Certification Authority console by going to the CA Properties > General > Select the latest certificate > View certificate > Details > Copy to file. Save this as a Base64 encoded .CER file.

We need to deploy this – if you are using MS Endpoint Manager (aka Intune), we can do this using a configuration profile – in the Intune portal, go to Devices > Configuration profiles and click on Create profile. Select the platform (Windows 10 and later), then Profile type: Templates > Trusted certificate. If you’re trying to deploy this to other devices, the profile type may be slightly different but it should be obvious which one is a trusted certificate.

Run through the steps, uploading the CA root certificate’s .cer file you exported previously. Complete the assignments as required, and finish the wizard.

Testing

Log on to your Azure AD joined device with a synchronised user account, and set up Windows Hello for Business. Make sure that Azure AD Connect has synchronised once you’ve set this up – by default this will be every 30 minutes, you can manually force a sync by running Start-ADSyncSyncCycle -PolicyType Delta on the server running AADConnect. The obvious thing here that will need pointing out to the end user is that it can take up to 30 minutes after they’ve set up WHfB before they can access on-premise resources, as you’re waiting for the sync to write back the public key.

Now check the properties of the user account in Active Directory. You may need to turn on Advanced Features, under the View menu, to see the Attribute Editor tab. The msDS-KeyCredentialLink attribute should have a value, and on the Object tab you should see that it was recently updated.

Screenshot of user account in Active Directory, Attribute Editor tab, msDS-KeyCredentialLink attribute has a value
Make sure that msDS-KeyCredentialLink has been updated following the AADConnect Sync.

If the attribute has updated, then restart your device and sign in using WHfB. Now try accessing some on-premise resources – e.g. an SMB share or adding a shared printer. I’m not 100% certain on whether you need to use the FQDN when connecting – I tend to use it out of habit, but testing on a couple of different networks shows that you don’t necessarily need to. You should also be able to use the Remote Server Admin Tools.

Troubleshooting

I ran into a few issues when setting this up. The error you are most likely to see is the prompt for authentication:

Screenshot of Enter network credentials dialog
Double check all the steps for configuring the certificate template and CDPs if you get this error.

This doesn’t tell you much, but examining the System event log brought up a couple more errors:

Event 9, Security-Kerberos. “The client has failed to validate the domain controller certificate for LAB-DC2.lab.katystech.blog. The following error was returned from the certificate validation process: The revocation function was unable to check revocation because the revocation server was offline.”

Event 11, Security-Kerberos. “The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator.”

The cause of this was that the system didn’t think it could contact the CDP we set up earlier. Double check that the HTTP entry is listed in the CRL Distribution Point on the certificates issued by your CA, i.e. the ones currently in use on your DCs. Make sure you can access this without authentication from the endpoint device.

In my case, I went as far as examining the IIS request log on the CA server, to see if the device was even attempting to download the CRL. It wasn’t so in the end I reset the device through Windows Settings > Update & Security > Reset. Following the reset, it all worked as expected first time so I can only suggest that the system was caching an old Domain Controller certificate, as I attempted to access on-premise resources before configuring the HTTP CDP.

 

 

Further Reading:

2 Replies to “Azure AD and Windows Hello: SSO to on-premise resources”

    1. Interesting – just tried it on my test PC and it works without the FQDN – and that’s with the connection having a completely different DNS suffix too. I’d go with the FQDN whenever you can, just in case, but looks like just using the host name is supported. I’ll give it a test when I get in to work to see if it’s a coincidence that it works, or actually will work. Presumably it’s getting fed the domain information with the Azure PRT so I guess, if the user and the resources are in the same domain, you might not need the FQDN.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.