Hey @all,
I've deployed 2 Windows Server 2016 VMs with Azure AD Connect and Hybrid Device Join. I've build a 2Tier PKI (based on 2 2k16 VMs) and followed these steps:
When I try to enroll the user certificate for WHFB I get the error
Certificate enrollment for user failed to enroll for a WHFBAuthentication certificate with request ID N/A from N/A (Failed to enroll for an NGC cert because there is NO Enterprise SSO. 0x801c03f6 (DSREG: 1014 DSREG_E_NGC_CERT_NO_ENTSSO)).
Devices are correct joined in AD and Azure AD (hybrid joined). The only thing we do not have is ADFS, I also run the command on Sub CA.
certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY
As mentioned here, WHFB with PTA should also work:
For non-federated environments, key trust deployments work in environments that have deployed Password Synchronization with Azure AD Connect and Azure Active Directory Pass-through-Authentication
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs
Any suggestions or ideas? I would be really happy to get this running.
Freundliche Grüße
Sandro Reiter
Consultant Cloud Infrastructure
