How to Setup Windows Hello for Business (Key-Trust Method!)

Windows Hello for Business (WHfB) is an awesome Microsoft technology that replaces traditional passwords with PIN and/or Biometrics and linked with a cryptographic certificate key pair. This is set up by default as part of the Out of Box Experience with Windows 10. These certificates grant single sign-on access to legacy Active Directory resources. There are a number of other benefits of why a PIN is more secure than passwords as well and I would encourage you to read more about it on Microsoft’s documentation.

WHfB not only provides a more secure way to sign in to Windows, but it enables cloud-joined Azure Active Directory (AAD) devices to access resources on the domain. For many organizations adopting modern deployment technologies like Autopilot, AAD-joined PCs (also called cloud-joined) aren’t joined to the on-premise domain. Accessing a file share, for example, would not be possible without constantly prompting the user for username and password. With WHfB, however, Windows 10 clients are now able to generate a Kerberos ticket and they now act almost like they are joined to the domain. Users will be able to access file shares, printer shares, and other resources that leverage Kerberos authentication without any prompts at all. Nice!

WHfB is relatively simple to set up but it does have quite a few pre-requisites that must be met in order for it to function properly. In this blog, I’ll be going over which type of WHfB deployment is best, all the prereqs associated, and then walking step-by-step on setting this up in your lab or production environment. Let’s begin!

What is the difference between Windows Hello and Windows Hello for Business?

You are probably familiar with Windows Hello by setting it up on your home PC. It allows you to log in to your PC with an easier PIN and/or Biometric login. For most people, this is just a convenience; it doesn’t do anything beyond that. Windows Hello for Business, on the other hand, takes that same convenience but adds an additional layer of security on top. It not only makes it simpler for end-users to log into their corporate PC, but it also provides a secure way to access corporate resources on the domain.

Additionally, we can also control WHfB with GPO or MDM policies and tools like Microsoft Endpoint Manager or VMware Workspace ONE.

Two Methods

Microsoft has implemented two different methods for Hello For Business: Cert-Trust and Key-Trust. Key-Trust is the default and is the easiest to set up. It leverages the built-in Azure AD certificate that gets deployed each time a device joins Azure AD through the Out of Box Experience (OOBE). The private key of this certificate gets saved in the Microsoft Passport for Work store and the public key gets synced to Azure AD. AAD then syncs it back to on-premises Active Directory and saves it to a user attribute called msDS-KeyCredentialLink.

Cert-Trust on the other hand, adds an additional device registration step to the process. When the device goes through OOBE, it must talk to Active Directory Federation Services (ADFS) which then registers the device to on-premise AD. This device object is then written up to Azure AD (called “Device Writeback” in Azure AD Connect). After this happens, the user certificate, which is deployed from your own Active Directory Certificate Server instead of Azure AD, is then paired up with the device. This method uses both Device + User trust whereas the Key-Trust is only at the user level (no device registration required).

Which method should I pick?

Key-Trust is the default method and is the method I recommend. It is much simpler to implement and doesn’t require any additional infrastructure or services. Cert-Trust requires ADFS and thus adds a significant layer of complexity. Consult your Microsoft resource if you are unsure of which method to choose.

I’ll be demonstrating the Key-Trust method. Even though these steps will all be done in a lab environment, you should be able to easily replicate these to a UAT or Production environment at your organization.

PreReqs and Assumptions

Here are the following prereqs and assumptions we’ll need before we get started. You’ll need to complete these or be ready for them before continuing.

  1. Active Directory Domain Services installed on a Domain Controller running Windows Server 2016 or newer.
    1. Ensure Active Directory Schema is 2016 or higher.
  2. Active Directory Certificate Services (ADCS) 2012 or newer. You can also use third-party certificate services, but I won’t be showing that here.
    • A certificate revocation list (CRL) that is accessible via HTTP. Ideally this should also be accessible on the internet.
    • Resolvable DNS for the CRL on the client.
    • A new Kerberos Authentication Template will be generated and must be installed on Domain Controllers (overwriting the previous one).
  3. Azure AD Connect Setup, configured, and syncing users from on-premise AD into AAD.
  4. Azure AD Premium P1 or P2 licensing or equivalent.
  5. Domain Controller Root Certificate deployed to clients.

One final note: Microsoft refers to this implementation as “Hybrid Key-Trust”. This just refers to the back-end architecture of having both on-premise Active Directory syncing into Azure AD via AAD connect. It does not mean the Windows 10 client is actually hybrid-joined to on-premise AD plus AAD. You can view the full list MS list of prereqs here.

Quick Checklist

Before we get in too deep, here is a quick reference on the steps we’ll be going through to set up Windows Hello for Business using the Key Trust method.

The Basic Steps of a Key Trust Deployment

Verify the AAD Connect Service Account Permissions

First, you will need to ensure the service account used by AAD Connect has the correct permissions to update the msDS-KeyCredentialLink attribute on the user object. If you aren’t sure what service account is being used, here is how you check:

  1. Log in to the Azure AD Connect service and double-click on the Azure AD Connect icon on the desktop.
  2. Once the Azure AD connect wizard application launches, click on “View or Export Current Configuration” and click Next.
  1. Under Synchronized Directories, you will see the account used.

In my case, my account name is MSOL_1e05d7a78947.

Now, add this account into the KeyAdmins security group in Active Directory. This group provides the correct level of permissions needed to read and write the public key to Active Directory.

Close the Azure AD Connect wizard and perform delta sync on AAD connect after you make this change. You can do this by running the following PowerShell command from the Azure AD Connect server:

Start-ADSyncSyncCycle -PolicyType Delta

For more information on this topic, see the Microsoft documentation. Now that we have that taken care of, let’s move onto certs.

Setup CRL Distribution Point (CDP) accessible from the web

Clients will need the ability to query the certificate revocation list (CRL) in order for the authentication to happen. This may seem odd since we are not using the cert trust method, but remember that certificates are still used in the key-trust method. The domain controller is still doing authentication based on the trust between the key pair. It also needs to check to see if any domain-level certificates are revoked, including the root CA.

This CRL needs to be accessible via HTTP (not HTTPS) and ideally internet facing. Since this is primarily used to access on-premises resources you technically don’t have to make this internet-facing. Clients will need to be on the VPN in order to access internal file shares and thus will have access to an internally based CRL. However, it is best practice to put these on the internet. This may already be set up in your organization, but in case it’s not or you want to follow along in a lab here are the high-level steps:

  1. Setup an web server using IIS that has a fileshare configured. You will add this as a virtual directory in IIS. The Certificate Authority will publish the CRL there and that is also where clients will check. This will be your CPD or “Certificate Distribution Point.
  2. Create a CNAME record in DNS for that server which will house the CRL (i.e. pki.brookspeppin.local)
  3. Update the CA template to use this HTTP location for CRL
  4. Deploy (or re-deploy) your domain controller certificate as well as export the root certificate for installation on client machines.

MS has good documentation on how to properly set up a full web-based CRL and we’ll generally be following these steps.

Setup CRL Share

I’m putting the Certificate Distribution Point (CPD) on the same server as my CA, but it’s not required. Any web server will do as long as the CA has write access to it in order to create the CRL files.

  1. Create a folder on the C drive where the CRL will reside. I’m calling mine C:\CRL
  2. Right click the folder, then Properties, then Sharing tab, then Advanced Sharing. 
  3. Click Share this folder and name it. Add $ to the end if you want to make it hidden from normal file browsing.
  4. Then click Permissions.  Ensure Everyone has “Read” permissions 
  1. Then click on Add and we will need to add the CA computer object to this.
  2. Click on Object Types and ensure ​”Computers” box is checked.
  1. Search for the computer name and it should resolve. Click OK and ensure the it has Full Control. In my lab, my CA is on my Domain Controller, DC01.
  1. Click Apply and OK on Advanced Sharing.
  2. On the security tab for your share (C:\CRL), repeat the same process giving the computer object modify permissions
  1. Finally, click Add and type ANONYMOUS LOGON; Everyone
  1. Click ok. This allows anonymous access so that any clients can check the CRL.
  2. Do a quick test by browsing to that share. It should resolve and be empty.

Configure IIS for HTTP CRL Location

Now that we have finished setting up our CDP, we need to configure IIS by adding it as a virtual directory.

  1. Load the IIS console
  2. In navigation tree, expand it and browse to your Default Web Site. Right click it and click Add Virtual Directory.
  1. Under Alias, type what you want your web URL to contain. I’ve just named it “CRL”. Also, browse for the CRL folder and select it. Click OK ​to close.
  1. On the left hand navigation tree, select the new folder (named “CRL”). Double-click on the Directory Browsing icon.
  1. Click Enable on the right hand side.
  1. Go back one screen and then double-click on the Configuration Editor icon.
  1. In the drop down list, type or search for system.webServer/security/requestFiltering
  2. Change allowDoubleEscaping to be ​True. Then click Apply.  This is required in order for the client to download a CRL delta file which has a ‘+’ symbol in it.
  1. Click on Default Web Site and then under Manage Website on the right click Restart.
  1. Load up a web browser and ensure you can get to your new website: http://dc01/crl

Now this resolves because I’m doing it on the same box, but it won’t be accessible by clients until we set up DNS. We’ll do that next.

Setup DNS for the CRL

DNS may already be set up in your environment for the IIS server we just created, but if you still need to do it, follow these steps. I’ll be using Active Directory integrated DNS and setting up an alias for this called “PKI”.

  1. Launch the DNS Manager mmc.
  2. Expand the tree under Server > Forward Lookup Zones. Right-click the forward lookup zone where you want to add the Alias resource record, and then click New Alias (CNAME).
  1. In Alias name, type the alias name you would like. I’ll be using “pki”.
  2. In Fully qualified domain name (FQDN) for target host, type the FQDN of the IIS web server. Since I put it on my DC in my lab, the FQDN is “dc01.brookspeppin.local”.
  1. Click OK to save.
  2. Type in the new alias URL to ensure it resolves (Make sure it’s http:// not https://)

You can reference the Microsoft Docs for more info. Now that we have this complete, we will move onto configuring a few things on the certificate authority.

Configure CDP and AIA on the Microsoft Certificate Authority

We need to add the CDP URL to the CA itself.

  1. Log in to the CA if you are not already there.
  2. Search for and launch certsrv.mmc. Right click the CA name and click Properties.
  1. Click the Extensions tab. In the dropdown for “Select extension”, ensure you have CRL Distribution Point (CDP) selected. Before you make changes here, take a screenshot of this in case you need to revert. In the Specify locations from which users can obtain a certificate revocation list (CRL) section, remove the following enteries:
    • Entry starting with “file://\\<ServerDNSName>…”
    • Entry starting with “http://<ServerDNSName>…”
    • Entry starting with “ldap:///CN=<CATruncatedName>…”
      You should only have one left starting with “C:\Windows\System32\CertServer…”
  2. Now we need to add our new CDP URL that we configured earlier.
  3. Click Add.
  4. In Add Location, in Location, type http://[yourDNSname]/[folder]/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl
    So in my case I put “http://pki.brookspeppin.local/crl/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl”. Update yours accordinly. The items in between the <> are variables and when the CRLs are generated they will be populated with real data. Click OK to save.
  1. At the bottom, ensure the following boxes are selected:
    • Include in CRLs. Clients use this to find the Delta CRL locations
    • Include in the CDP extension of issued certificates
  1. Click Add again.
  2. in Location, type 
    file://\\[dnsname]\[folder]\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl, (be sure to replace the value in teh brackets with your own server info). I.e. “file://\\pki.brookspeppin.local\crl$\<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl” (note that I have a $ at the end since I set this up as a hiddens share)
  3. Click OK. This returns you to the CA properties dialog box.
  4. At the bottom, select the following check boxes:
    • Publish CRLs to this location
    • Publish Delta CRLs to this location
  1. Change the dropdown from “Select extension” to Authority Information Access (AIA)
  2. Repeate what you did earlier by removing the three entries:
    • Entry starting with “file://\\<ServerDNSName>…”
    • Entry starting with “http://<ServerDNSName>…”
    • Entry starting with “ldap:///CN=<CATruncatedName>…”
  3. Click Add.
  4. In the Location box type: http://[dnsname]/[folder]/<ServerDNSName>_<CaName><CertificateName>.crt, and then click OK. So for me this would be: “http://pki.brookspeppin.local/crl/<ServerDNSName>_<CaName><CertificateName>.crt”. Click OK to save.
  1. At the bottom, check the box Include in the AIA of issued certificates.
  1. Click OK to save all of these changes. You will be prompted to restart Active Directory Certificate Services. You can click No as we will be restarting the service later.

You can reference the Microsoft Docs for more info. Next, let’s move on to publishing the cert revocation list.

Publish the cert revocation list

  1. Restart your CA service from certsrv.mmc by right-clicking your CA server name, All Tasks > Stop Service. Then Start the service again.
  1. Right click Revoked Certificates > All Tasks > Publish
  1. Select New CRL and click OK.

NOTE: If you are doing all of this on the same server such as in a lab environment (DC, CA, DNS, etc) you may run into this error:

This either means the configuration on the Extensions tab is incorrect or because of a loopback problem. In my case, I had to disable loopback check on the DC. You can disable loopback by running the following PowerShell command:

New-ItemProperty HKLM:\System\CurrentControlSet\Control\Lsa -Name "DisableLoopbackCheck" -value "1" -PropertyType "DWORD"
  1. Re-publish the CRL and the error should be gone.
  2. Browse to your CDP and ensure the two CRL files are there:
    1. One ending in .crl (primary CRL)
    2. One ending in +.crl (delta CRL)
  3. Additionally, we will need to copy the CA certificate to this location as well. You can run this command (update it with your target URL)
copy C:\Windows\system32\certsrv\certenroll\*.crt \\pki.brookspeppin.local\crl$

A cert ending in .crt will be copied to your CDP. Once complete it should look like this:

  1. Finally, load pkiview.msc to verify everything is good

OK you’ve made it this far. Great job! We’re in the home stretch — only a few more things to configure.

Create a New Domain Controller Authentication (Kerberos) Certificate Template

Active Directory Schema 2016 adds some additional attributes in order to support the key-trust authentication used with Hello for Business. We will need to create an updated template and then issue them to the domain controllers. This new template will replace and supersede the old ones. Nothing is getting removed, we are just added additional authentication purposes to it (namely KDC and Smart Card Logon).

  1. On the CA server, open the Certificate Authority management console (certsrv.mmc)
  2. Right-click Certificate Templates and click Manage.
  1. In the Certificate Template Console, right-click the Kerberos Authentication template in the details pane and click Duplicate Template.
  1. On the Compatibility tab, clear the “Show resulting changes” check box. Select Windows Server 2008 R2 from the Certification Authority list. Select Windows 7 / Server 2008 R2 from the Certification Recipient list.
  1. On the General tab, type Domain Controller Authentication (Kerberos) in Template display name. Adjust the validity and renewal period as needed.
  1. On the Subject Name tab, select the Build from this Active Directory information button if it is not already selected. Select None from the Subject name format list. Select DNS name from the Include this information in alternate subject list.
  1. On the Cryptography tab, configure the following:
    • Provider Category: Key Storage Provider
    • Algorithm name: RSA
    • Minimum key size: 2048
    • Request Hash: SHA256
    • Click Apply.

Supercede Old templates

Now we need to supersede the older templates so that this new one gets automatically applied.

  1. In the Domain Contoller Authentication (Kerberos) template, click the Superseded Templates tab.
  2. Click Add.
  3. Select Domain Controller and Domain Controller Authentication (hold shift to multi-select) certificate templates and click OK.
  1. There should be three listed in the superseded list:
    • Domain Controller
    • Domain Controller Authentication
    • Kerberos Authentication
  2. Click Apply and OK.
  3. Close the Certificate Templates Console

You can read the Microsft Docs for additional information. Next, we need to publish this template so that it can be issued to Domain Controllers.

Publish the Template

  1. In the Certificate Authority management console (certsrv.mmc), right-click the Certificate Templates node. Click New, and click Certificate Template to issue.
  1. In the Enable Certificates Templates window, select the Domain Controller Authentication (Kerberos) template you created in the previous steps. Click OK to publish the selected certificate templates to the certificate authority.
  1. It’s a good idea to unpublish the old, superceded templates. Select both the Domain Contoller and Domain Controller Authentication templates, right click and delete. Only the new “Domain Controller Authentication (Kerberos)” template should remain. The other templates in the list unrelated to this can also remain.

Now let’s deploy these to our domain controllers. You’ll want to do this on every domain controller.

Deploy new certificate to Domain Controller

You have two options here: manually deploy to each DC or configure group policy for automatic certificate enrollment. I’ll show you how to do it manually but in production, you’ll probably want to set up the GPO since you’ll have way more than one or two. To set up the GPO, follow the Microsoft docs here

Manual Steps

  1. Login to the DC and open the Local Computer cert store on the DC
  2. Expand Personal > Certificates. Right click the Certificates folder then All Tasks > Request new Certificate
  1. Click Next in the window
  2. Select Active Directory Enrollment Policy and Click Next.
  1. Select Domain Controller Authenticate (Kerberos). You may need to select “show all templates” for it to appear. Then click Enroll.
  1. You should see the new cert deployed and it should have “KDC Authentication” and “Smart Card Logon” added to it under the intended purposes column
  1. Select the older cert (the one that says just “Client Authentication, Server Authentication”) and delete it.
  2. Double click the newly issued cert to open it
  3. Click on Details tab
  4. Scroll down to CRL Distribution Points and ensure that it has the correct CRL information (it should show your http location)

The last step in the process is to ensure the Root CA is installed on the Windows 10 client machines. This will enable them to trust the DCs when making authentication requests.

Install ROOT CA on clients

Successful Connection

The easiest way to do this is to export the root certificate from the DC itself.

Export Root CA From DC

  1. In the certificates store, expand the “Trusted Root Certificate Authorities” node on the left and click on Certificates.
  2. Select the root certificate for you domain.
  1. Right click it > All Tasks > Export
  1. On the Export File Format, select DER encoded binary x.509 (.CER).
  1. Click next, name the file and finish the wizard to save the file.

Install Root CA on Client

For now, we will just install this manually on the client. Once you have validated the full Windows Hello for Business process, you will want to deploy this certificate automatically with a management tool such as MEM or Workspace ONE. For Workspace ONE, you can check out this video on how to deploy certs. You will want to ensure this certificate comes down automatically during the Out of Box Experience

  1. On the Windows 10 client, ensure you have fully completed the Out of Box Experience and enrolled into Windows Hello for Business.
  2. Copy the Root Certificate to the client, such as the desktop.
  3. Right-click the cert and click Install Certificate.
  4. In the Certificate Import Wizard screen, select Local Machine as the Store Location.
  1. Click Next and the Yes if prompted by UAC.
  2. Select Place all certificates in the following store. Click Browse and select Trusted Root Certification Authorities. Click Next and Finish to complete the wizard.
  1. Load up the certificate store on the client and ensure it got successfully installed
We now have all of the pieces in place. How can we check if its working?

How to Check for Successful Hello

First, ensure that you have successfully registered for Hello for Business by setting up your PIN and completing Azure MFA.

After you complete these screens, Windows Hello for Business is successfully initialized. Let’s check to see if the key is successfully registered to Azure AD.

Check for Successful Key Registration

  1. Open Event Viewer
  2. Expand Applications and Services Logs > Microsoft > Windows. Navigate to User Device Registration. Click on Admin to view the log.
  3. Look for a record with Event ID 300. You should see a “The Microsft Passport key was successfully registered with Azure AD”. This indicates that the public key was sent to Azure and AAD connect will then attempt to sync it back to on-premises Active Directory.

NOTE: The AAD Connect process, by default, is a sync every 30 min. Your organization may have changed this sync policy and so it may take longer. If you attempt to authenticate to on-premises resources such as a file share before the sync happens, you will probably see this popup:

Don’t type your username and password as that will NOT use Windows Hello for Business. Wait until the key has synchronized to AD. You can speed up the process by running a delta sync on AAD connect (see earlier in this article for the command)

You will want to validate that the user object in Active Directory has the msDS-KeyCredentialLink attribute available and that it is populated with the key. There are a couple of ways to do this.

Check via ADUC

  1. Open Active Directory Users and Computers
  2. Click View > Advanced Features
  3. Find the user object
  4. Click on Member Of tab. Double-click one of the groups to bring up the group membership page (doesn’t matter which group).
  5. While this is open, close the user properties page.
  6. Go back to the group properties page and click on the Members tab.
  7. Find the user and double click it.
  8. The attribute editor tab should be visible now. Click Attribute Editor Tab
  9. Scroll down and find the msDS-KeyCredentialLink value. It should be populated with the public key of the hello for business certificate. The private key is saved on the device in the Windows Passport store.

Check via PowerShell

An easier and quicker method is to use PowerShell. You must have the Active Directory PowerShell Module installed for this to work.

get-aduser bpeppin -Properties msDS-KeyCredentialLink

If this is empty, you will need to wait until the synchronization has been completed on AAD Connect.

Additionally, the user can have more than one entry here as well. Each time they go through the Out of Box experience and set up WHfB, a new key pair will be generated and synced back to AD.

A Successful Attempt

Once both of these things are completed, an authentication request to an on-premises file share should go through automatically without any prompting! Pretty slick. Also, if you run klist from the command prompt you will also see that a Kerberos ticket has been granted by the domain controller.

Check it out below!

Troubleshooting

If you followed this guide extremely close and were able to get this working on the first try, congratulations! You are awesome. However, due to the number of little things that need to be in place for this to work, there’s a good chance you have probably overlooked something. Since this blog is already so long, you’ll need to check out my troubleshooting Hello for Business blog for more details.

Conclusion

Wow, you made it! Well done on getting to the end. Now you know how to set up Windows Hello for Business and you should be proud. If you have been successful, let me know if the comments below! In my opinion, this is one of the coolest technologies that Microsoft has developed and is a must-have when doing Out of Box Experience. Enjoy using your PIN to access file shares.

Share on:

45 thoughts on “How to Setup Windows Hello for Business (Key-Trust Method!)”

  1. Hey fantastic article – we’ve been battling this for a while, and while we think we’ve followed these steps from other articles – we seem to get prompted for credentials after a while from a Win10 machine to an on-prem resource.
    I suspect it happens when we sign into a PC from another account, and the sync happens – it feels like that, maybe then breaks the Windows Hello from working.

    We’re trying to make this work reliably enough with Windows Hello to go passwordless. At the moment – the fact that prompts for credentials happen after a few days, it means we cant.
    Everything else seems good – The CRLs, the DCs, the klist – Just will sometimes say there’s no domain controller to authenticate us, and it then tends to stay broken until you re-autopilot the machine

    Reply
    • Robin,
      So if I understand you correctly, you are saying it works correctly for a user for a few days and then stops working? That is a bit odd. Do you have mixed domain controllers in your environment? i.e. ones that are not on 2016 schema + with updated certificates that have the KDC authentication method? It may be that the client is trying different DCs in the environment and some don’t have the newer auth method and thus will fail.

      Reply
    • Same problem with us! Several users broke today for no reason. If we get them on newly autopiloted devices they work fine. Why are these machines breaking and how do we fix one when it decides to stop SSOing?

      Reply
    • Robin – I asked some folks on Twitter if they have seen anything and a few in fact did! They said that the October 2021 cumulative patch for Windows 10 fixes it.

      Reply
      • Thanks – that’s interesting.
        It’s frustrating to be so close.

        I’ve now got a Windows 10 surface that works, and an identical Windows 11 machine – both able to sign in with FIDO2 keys over whfb and the W10 works flawlessly for on-prem access, and the Windows 11 fails saying it cant find the domain controller (but everything else would suggest it should be able to and it happily uses NTLM).

        We’ll see what the patch does.
        Thanks again for your fantastic documentation – We’ve scratched our heads over the contradictory advice given here, particularly from Microsoft for months.

        Reply
  2. oh man I need that troubleshooting blog!
    Everything appears ok,
    -Systems are registering in InTune no problem, user can enroll and are pushed through PIN (and MFA) registration
    -the users certificate syncs back into the user’s AD account attribute msDS-KeyCredentialLink
    -I can browse the certificate path on the web site on the client in Edge and manually download the crt and crl’s from IIS.
    -Client IP is set as static with DNS set to the DC (1 and only, its a test lab).
    -I tried adding the domain name into the IP4 suffix list to ensure host name and FQDN resolve (I can ping both hostname and hostname.domain
    -I have triple checked all the settings in the templates
    -I have manually imported the CA to the PC’s TRCAuth for Computer (confirmed it is in there)

    But when I try to browse a test share on the DC I get a prompt for the pin again (sub error on that window “The system cannot contact a domain controller to service the authentication request. Pleas try again later.” , then I enter the pin and it pops up with an error message that implies the domain is not available.
    Locally AD and Hybrid joined clients have no problem joining the domain and authenticating

    I did a wireshark capture and can see lots of packets going back and forth but seeing a lot of KDC_ERR_CLIENT_NAME_MISMATCH coming back from the DC. (SNameString: krbtgt)

    The DC is a clean 2019 build just for this lab/test, clients are WinXPro 21H1
    Its going to be a late night 🙁

    Reply
  3. My last post has not appeared yet but I found the issue!

    From this page:
    https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-issues

    Section: Identifying Server 2019 Key Trust Authentication Issue

    Info: The other indicator of this failure case can be identified using network traces. If network traces are captured for a key trust sign-in event, the traces will show kerberos failing with the error KDC_ERR_CLIENT_NAME_MISMATCH.

    Solution: This issue was fixed in Windows Server 2019, build 17763.316 (KB4487044). Upgrade all Windows Server 2019 domain controllers to Windows Server 2019, build 17763.316 or newer to resolve this behavior.

    Note: My Server 2019 was reporting as 1809 build 17763.107 even though it reported as having completed all available Windows Updates. I sourced KB5005568 (2021-09 CU) from https://www.catalog.update.microsoft.com/Search.aspx?q=KB5005568 and installed it manually.

    My server now reports Version 1809 build 17763.2183.

    Pretty happy to find that one.

    Cheers

    Reply
  4. Hi Brookes
    Please add the following issue to your troubleshooting blog – took me 5h to fix it.

    # Case:
    WH4B Pin login always requested the credential.
    No kerberos ticket assign when checked via klist

    New domain controller template is correctly configured.
    Focus on the template: Subject Name
    – Build from this Active Directory
    – Subnet Name format: none
    – DNS name checked

    # Identified problem:
    The template did not correctly filled out all required SUBJECT ALTERNATIVE Names.
    You need to have 3 entries in the alternative names.
    DNS=DCNAME.domainname.intern
    DNS=domainname.intern
    DNS=domainname

    # Solution:
    Modify the created template.
    Subject Name -> switch to Supply in request.
    Go to the DC and reissue the certificate.
    Fill out the 3 subject alternative names manually.
    DNS=DCNAME.domainname.intern
    DNS=domainname.intern
    DNS=domainname
    (remember: cert cannot be automatically issued in this case,
    extend validity period or set a reminder)
    Reissue the certificates to the domain controller(s).
    Delete/revoke old certificates.

    I don’t know if this is a windows server 2019 bug/issue – not verified.
    My system is up-to-date. 1809 – 17763.2114
    Compared the config with a W2k16 setup – template is the same but the issue process seems to add these 3 dns names in subject alternative names.

    cheers
    Albert

    Reply
  5. I am also struggling we put this in a few months ago and suddenly a few users can no longer SSO. How do I troubleshoot and resolve this. New devices or freshly autopiloted devices work just fine but I have multiple users now that this just breaks and stops working for.

    Can I reissue a certificate for the device or something? How do I step through the troubleshooting of this since all devices are identical with autopilot i am confused why this broke for just a handful so far.

    Reply
  6. Thanks for the Guide. I currently stuck at point “Publish the cert revocation list”

    If I try to publish it, I get “access denied” Event ID 65. I checked the permissons on the CRL Folder on C:\ but it seems to be correct. Any idea?

    Thanks

    Reply
  7. Awesome guide, but cant seem to get it going!

    User device registration log shows

    Warning event ID 360
    Windows Hello for Business provisioning will not be launched.
    Device is AAD joined ( AADJ or DJ++ ): Yes
    User has logged on with AAD credentials: Yes
    Windows Hello for Business policy is enabled: Yes
    Windows Hello for Business post-logon provisioning is enabled: No
    Local computer meets Windows hello for business hardware requirements: Yes
    User is not connected to the machine via Remote Desktop: Yes
    User certificate for on premise auth policy is enabled: Yes
    Machine is governed by enrollment authority policy.
    Cloud trust for on premise auth policy is enabled: No
    User account has Cloud TGT: Not Tested
    See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

    Warning event ID 362
    Windows Hello for Business provisioning will not be launched.
    Device is AAD joined ( AADJ or DJ++ ): Yes
    User has logged on with AAD credentials: Yes
    Windows Hello for Business policy is enabled: Yes
    Windows Hello for Business post-logon provisioning is enabled: No
    Local computer meets Windows hello for business hardware requirements: Yes
    User is not connected to the machine via Remote Desktop: Yes
    User certificate for on premise auth policy is enabled: Yes
    Enterprise user logon certificate enrollment endpoint is ready: No
    Enterprise user logon certificate template is : Not Tested
    User has successfully authenticated to the enterprise STS: No
    Certificate enrollment method: enrollment authority

    Reply
  8. In windows 11, I have a really strange issue where when my CDP is a URL it won’t access it (nslookup the FQDN gives gorrect IP) but instead of doing http://pki.mydomain/blah if I use IP addres instead like http://10.1.0.0/blah it works!

    Microsoft are investigating this currently because I engaged them with one of my 10 tickets a year to solvew this issue. Currently to work in windows 11 I have to refrence the CDP/CRL by IP address only it’s like it is failing to do name resolution of the FQDN in the UERL.

    Reply
  9. Great post! Currently following it through & am at the request cert on the DC. I can’t export the private key for the existing client authentication cert on either DC, so can’t back it up before I delete it. What could go wrong if I delete the existing cert please?

    Reply
    • Nothing should go wrong. The new template has the exact same client authentication specs as before but just adds a couple more (the main one being KDC authentication).

      Reply
  10. Hi,

    I’m currently planning a hardware refesh project with Autopilot and Endpoint manager. If i follow this guide does this has any impact to the current workstations that are connected to the domain?

    Kind regards,

    Pieter

    Reply
    • Generally no although it depends how you handle your existing systems. If you are hybrid joining everything and enabling Hello for Business on them via GPO then they would be affected. But if you don’t do that and only enable on net-new systems, then you should be good.

      Reply
    • It will vary based on the OS version but by now you are well past the October KB and it will be rolled up into the latest cumulative update.

      Reply
  11. Hello. Thanks for the article.
    I’m stumped and would like to know what to do.

    I am getting an error when issuing a new CRL.
    Access is denied. 0x80070005 (WIN32: 5 ERROR_ACCESS_DENIED)

    I understand that I do not have permissions.
    However, I followed the steps to set up the shared folder.
    I have granted permissions to the computer object on the CA server.

    Is there anything I can do?

    IIS Server and CA Server are on the same server.

    Translated with http://www.DeepL.com/Translator (free version)

    Reply
  12. Works like a charm! I was following the blog from Katy Nicholson ( EMS MVP ) – there was some information missing. Glad I found your blog. Thanks so much!

    Reply
  13. Gooday Brooks

    Thanks for the post. Good work. I have followed your process to the “T” and cannot get msDS-KeyCredentialLink to populate on any user. I added the permissions as per your document and link and still nothing. I’m running windows 2016 Server on a lab Hyper V, that has all the services for a DC and running SCCM. Hoping you can assist. Thanks.

    Reply
    • So if you’ve verified that your schema is also on 2016, sometimes you need to run “Refresh Schema” on AAD connect (run the aad connect tool). That will update the attributes and allow the msDSKeyCredentialLink to populate and sync back to the user.

      Reply
    • Yes this will work fine but you won’t get “SSO” to those servers. You will still get prompted for credentials. There is a way to setup SSO though by deploying certs to your servers for RDP.

      Reply
  14. I’ve gotten the on premise sorted and tested well. I’m unsure how to “tie it” and setup in Azure. Can you point me in the right direction of where I can sort that please?
    Thanks

    Reply
  15. Hey Brooks

    Having issue where after autopilot it does not work straight away after following your steps. It starts to work a few hours later. If i add the certificate manually and restart it works straight away. Have you come across this issue before?

    Reply
  16. great content! i have a question regarding password changes. If a user is prompted to change their password and proceeds to do so, then WHFB pin doesnt work and throws the below error. the fix for the user is to connect to the VPN and then logging in with the pin which works?

    The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer. Contact your system administrator.

    The client has failed to validate the domain controller certificate for “”. The following error was returned from the certificate validation process: A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

    Reply

Leave a Comment