
Hybrid Joined Devices - Windows Hello for Business


Hey @all,

I've deployed 2 Windows Server 2016 VMs with Azure AD Connect and Hybrid Device Join. I've built a 2-tier PKI (based on 2 2k16 VMs) and followed these steps:

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs

When I try to enroll the user certificate for WHFB I get the error

Certificate enrollment for user failed to enroll for a WHFBAuthentication certificate with request ID N/A from N/A (Failed to enroll for an NGC cert because there is NO Enterprise SSO. 0x801c03f6 (DSREG: 1014 DSREG_E_NGC_CERT_NO_ENTSSO)).

Devices are correctly joined in AD and Azure AD (hybrid joined). The only thing we do not have is ADFS. I also ran the command on the Sub CA:

certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY

As mentioned here, WHFB with PTA should also work:

For non-federated environments, key trust deployments work in environments that have deployed Password Synchronization with Azure AD Connect and Azure Active Directory Pass-through-Authentication

https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs

Any suggestions or ideas? I would be really happy to get this running.


Kind regards

Sandro Reiter
Consultant Cloud Infrastructure
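A short diagnostic for the two things the error message and the certutil step above turn on, added here as an example and not code from the original post: it reads the device registration state from dsregcmd /status (AzureAdJoined, DomainJoined, AzureAdPrt, NgcSet) and reads the template's msPKI-Private-Key-Flag from the Configuration partition to confirm the HELLO_LOGON_KEY bit is actually set. It assumes the template CN is WHFBAuthentication as in the post, that it runs in the affected user's session (the PRT field is per user), and that CT_FLAG_HELLO_LOGON_KEY is bit 0x00200000 of msPKI-Private-Key-Flag (an assumption taken from MS-CRTD; verify against the spec).

```powershell
# Added diagnostic, not from the original post. Assumes the template CN below and that
# CT_FLAG_HELLO_LOGON_KEY is bit 0x00200000 of msPKI-Private-Key-Flag (assumed from MS-CRTD).
$TemplateCn       = 'WHFBAuthentication'
$HelloLogonKeyBit = 0x00200000   # assumed value of CT_FLAG_HELLO_LOGON_KEY

# 1. Device registration state as the client sees it. Run in the affected user's session:
#    AzureAdPrt reflects that user's Primary Refresh Token, which the NGC cert request relies on.
$fields = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\S+)\s*:\s*(\S.*)$') { $fields[$Matches[1]] = $Matches[2].Trim() }
}
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet') {
    '{0,-14} {1}' -f $key, $fields[$key]
}
if ($fields['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No Azure AD PRT for this user: the enterprise SSO token the NGC cert request needs is absent.'
}

# 2. The template flag in the Configuration partition, i.e. what "certutil -dsTemplate" changed.
#    Read it from AD rather than from the CA so a stale template cache on the CA does not mislead.
$configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$template = [ADSI]("LDAP://CN=$TemplateCn,CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc")
$flags    = [int]$template.Properties['msPKI-Private-Key-Flag'][0]
if (($flags -band $HelloLogonKeyBit) -ne 0) {
    'Template {0}: msPKI-Private-Key-Flag=0x{1:X8}, HELLO_LOGON_KEY set' -f $TemplateCn, $flags
} else {
    Write-Warning ('Template {0}: msPKI-Private-Key-Flag=0x{1:X8}, HELLO_LOGON_KEY NOT set' -f $TemplateCn, $flags)
}
```

If the ADSI lookup throws, the template CN differs from the display name shown in the CA console; use the CN from the Certificate Templates container.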

