How to properly configure SSO using WHFB Hybrid Key Trust?

Hamato Yoshi 5 Reputation points
2023-05-30T16:09:52.1033333+00:00

I am trying to configure SSO to on-premise resources using Windows Hello For Business Hybrid Key Trust from AADJ devices with LOS from either being in the office or using a VPN.

I have updated my DC certificate template, revoked existing and reissued new DC Certs as per the documentation here. I've also included an http CDP in the CA and confirmed this is reachable from my client. The root CA cert has been deployed to AADJ devices from Intune.

I did have some issues obtaining the PRT from ADFS but after some extensive troubleshooting, I can now run dsregcmd /status to confirm I have both the AzureAD and Enterprise PRT (full output with sanitized name and domain below).

When I try to access an on-premise resource (UNC path to SYSVOL in Explorer) I am prompted for my WHFB PIN and also get the pop-up 'Windows needs your current credentials'. At this point I see Event 11 from Security-Kerberos with the message 'The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator.' I did read up on this and found some advice to include the fully distinguished name in the subject of my KDC cert (which I have done) - what's confusing me is that this error seems to point to an issue with a client-side certificate?

Also not sure if relevant but I do consistently see Event 40960 from LSA with the text 'The Security System detected an authentication error for the server cifs/myDC.mydomain.co.uk. The failure code from authentication protocol Kerberos was "The request is not supported. (0xc00000bb)"' whenever I replicate the issue.

Hoping someone here can help me or at least point me in the right direction. I am considering abandoning this and pursuing Cloud Kerberos Trust instead.

PS C:\Users\myname> dsregcmd /status

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           Virtual Desktop : NOT SET
               Device Name : soit-62YCVV3

+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+

                  DeviceId : 0c6ce691-01de-4efe-b55a-b920a94ed136
                Thumbprint : 6532E8F9AC349634012CCAA6CFD899B488600FA6
 DeviceCertificateValidity : [ 2023-05-11 07:49:45.000 UTC -- 2033-05-11 08:19:45.000 UTC ]
            KeyContainerId : 40cb21b1-22e3-4da9-826b-07034f7f9aac
               KeyProvider : Microsoft Platform Crypto Provider
              TpmProtected : YES
          DeviceAuthStatus : SUCCESS

+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+

                TenantName : Smartodds
                  TenantId : 5668021c-34de-4215-a3e7-7791e4b6d504
               AuthCodeUrl : https://login.microsoftonline.com/5668021c-34de-4215-a3e7-7791e4b6d504/oauth2/authorize
            AccessTokenUrl : https://login.microsoftonline.com/5668021c-34de-4215-a3e7-7791e4b6d504/oauth2/token
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
                 MdmTouUrl : https://portal.manage.microsoft.com/TermsofUse.aspx
          MdmComplianceUrl : https://portal.manage.microsoft.com/?portalAction=Compliance
               SettingsUrl :
            JoinSrvVersion : 2.0
                JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/
                 JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net
             KeySrvVersion : 1.0
                 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/
                  KeySrvId : urn:ms-drs:enterpriseregistration.windows.net
        WebAuthNSrvVersion : 1.0
            WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/5668021c-34de-4215-a3e7-7791e4b6d504/
             WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net
    DeviceManagementSrvVer : 1.0
    DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/5668021c-34de-4215-a3e7-7791e4b6d504/
     DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net

+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+

                    NgcSet : YES
                  NgcKeyId : {91130D91-CCF4-473C-A063-0A6100841E66}
                  CanReset : DestructiveOnly
           WorkplaceJoined : NO
             WamDefaultSet : YES
       WamDefaultAuthority : organizations
              WamDefaultId : https://login.microsoft.com
            WamDefaultGUID : {B16898C6-A148-4967-9171-64D755DA8520} (AzureAd)

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2023-05-30 14:22:39.000 UTC
      AzureAdPrtExpiryTime : 2023-06-13 14:22:38.000 UTC
       AzureAdPrtAuthority : https://login.microsoftonline.com/5668021c-34de-4215-a3e7-7791e4b6d504
             EnterprisePrt : YES
   EnterprisePrtUpdateTime : 2023-05-30 14:22:40.000 UTC
   EnterprisePrtExpiryTime : 2023-06-13 14:22:40.000 UTC
    EnterprisePrtAuthority : https://adfs.mydomain.co.uk:443/adfs
                 OnPremTgt : NO
                  CloudTgt : YES
         KerbTopLevelNames : .windows.net,.windows.net:1433,.windows.net:3342,.azure.net,.azure.net:1433,.azure.net:3342

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : mydomain\myname, ******@mydomain.co.uk
               KeySignTest : PASSED

        DisplayNameUpdated : Managed by MDM
          OsVersionUpdated : Managed by MDM
           HostNameUpdated : YES

      Last HostName Update : NONE

+----------------------------------------------------------------------+
| IE Proxy Config for Current User                                     |
+----------------------------------------------------------------------+

      Auto Detect Settings : YES
    Auto-Configuration URL :
         Proxy Server List :
         Proxy Bypass List :

+----------------------------------------------------------------------+
| WinHttp Default Proxy Config                                         |
+----------------------------------------------------------------------+

               Access Type : DIRECT

For more information, please visit https://www.microsoft.com/aadjerrors

1 answer

  1. Nagappan Veerappan 651 Reputation points Microsoft Employee
    2023-09-22T15:47:51.5433333+00:00

    @Hamato Yoshi
    Hi,

    When it comes to accessing an on-prem resource from an AADJ machine, the client has no way to trust your domain name to query unless it is explicitly specified on the KDC certificate of the domain controller. It's derived from the cert template of "Domain Controller". If the subject doesn't have the Distinguished Name (DN), then at least Subject Alternative Names (SAN) mentioned with the domain's FQDN works.

    You won't face this problem on any hybrid domain joined machines.

    This is already documented as a known issue. It most commonly happens with third-party CA issued certs for DCs, which tend to miss the on-premise domain name on the certs.

    https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues#identify-on-premises-resource-access-issues-with-third-party-cas

    Hope this helps

    Regards

    Nagappan V
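
A check for the condition described in the answer above, as an added example that is not part of the original thread or of Microsoft's tooling: it reports whether a DC (KDC) certificate carries the domain in its Subject DN or as a SAN DNS entry. `Test-KdcCertDomainInfo` and `New-SampleCert` are hypothetical helper names, the two sample certificates are constructed in memory, and the SAN parsing assumes the English Windows or OpenSSL text rendering of the extension.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates
# Added example, not from the thread: does a DC (KDC) certificate name the
# on-premises domain in its Subject DN or in a SAN DNS entry?
function Test-KdcCertDomainInfo {            # hypothetical helper name
    param(
        [Parameter(Mandatory)][X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DomainFqdn
    )
    # Rebuild a DNS name from the subject's DC= components, assuming .Subject
    # lists them as DC=mydomain, DC=co, DC=uk (the usual AD CS rendering).
    $dcParts = [regex]::Matches($Certificate.Subject, '(?i)(?:^|,\s*)DC=([^,]+)') |
        ForEach-Object { $_.Groups[1].Value.Trim() }
    $subjectDomain = $dcParts -join '.'
    # SAN is extension OID 2.5.29.17. Its Format() text is "DNS Name=x" on
    # English Windows and "DNS:x" on OpenSSL-backed PowerShell 7.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanDns = @()
    if ($sanExt) {
        $sanDns = @([regex]::Matches($sanExt.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    $inSubject = $subjectDomain -ieq $DomainFqdn
    $inSan     = $sanDns -icontains $DomainFqdn
    [pscustomobject]@{
        Subject          = $Certificate.Subject
        SanDnsNames      = $sanDns -join ', '
        DomainInSubject  = $inSubject
        DomainInSan      = $inSan
        IdentifiesDomain = ($inSubject -or $inSan)
    }
}

# Constructed sample certificates (self-signed, in memory only).
function New-SampleCert([string]$Subject, [string[]]$Dns) {
    $req = [CertificateRequest]::new($Subject, [RSA]::Create(2048),
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    if ($Dns) {
        $san = [SubjectAlternativeNameBuilder]::new()
        $Dns | ForEach-Object { $san.AddDnsName($_) }
        $req.CertificateExtensions.Add($san.Build($false))
    }
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}
$cnOnly  = New-SampleCert 'CN=myDC.mydomain.co.uk'      # subject has no DC= parts, no SAN
$withSan = New-SampleCert 'CN=myDC.mydomain.co.uk' @('myDC.mydomain.co.uk', 'mydomain.co.uk')
$cnOnly, $withSan |
    ForEach-Object { Test-KdcCertDomainInfo -Certificate $_ -DomainFqdn 'mydomain.co.uk' } |
    Format-List
```

On a domain controller, the same function can be run over the certificates in `Cert:\LocalMachine\My` to see which of the issued DC certificates identify the domain.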
