Tuesday, February 25, 2020

Azure AD support for FIDO2 in hybrid environments

Last year we wrote about Azure AD and password-less sign-in: https://blog.mindcore.dk/2019/07/azure-ad-and-password-less-sign-in.html

Now we also have support (Public preview) for this in hybrid environments, so let’s try it out.

We will use the same Yubico Security Key NFC as last time.

The first thing to be aware of is that Azure AD Connect version 1.4.32.0 or later is required.

We can find the current version in Control Panel.

Or by running this PowerShell command on the Azure AD Connect server:

(Get-ADSyncGlobalSettings).Parameters | Where-Object { $_.Name -eq "Microsoft.Synchronize.ServerConfigurationVersion" } | Select-Object Value

In this case we need to update, so get the latest version and see the version history here:

https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history

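If you want to script the prerequisite check instead of reading it off the screen, the following is an added example (not code from the original post). It reads the same ADSync setting as the command above, compares it to the 1.4.32.0 minimum as a [version] rather than as a string, and reports whether the AzureADKerberos module folder (which only appears after the upgrade) is present. It assumes it runs on the Azure AD Connect server with the ADSync module available.

```powershell
# Added example: prerequisite check for the hybrid FIDO2 preview on the Azure AD Connect server.
$MinimumVersion = [version]'1.4.32.0'

function Get-AdSyncServerConfigurationVersion {
    # Same setting the post reads, returned as a [version] so that the comparison is
    # numeric. A string comparison would put '1.4.9.0' after '1.4.32.0' and pass wrongly.
    $raw = (Get-ADSyncGlobalSettings).Parameters |
        Where-Object { $_.Name -eq 'Microsoft.Synchronize.ServerConfigurationVersion' } |
        Select-Object -ExpandProperty Value
    return [version]$raw
}

function Test-HybridFido2Prerequisites {
    $installed = Get-AdSyncServerConfigurationVersion
    # The module is installed under the Azure AD Connect folder by the 1.4.32.0+ upgrade.
    $kerberosModule = Join-Path $env:ProgramFiles 'Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1'

    [pscustomobject]@{
        InstalledVersion      = $installed
        MinimumVersion        = $MinimumVersion
        VersionOk             = ($installed -ge $MinimumVersion)
        KerberosModulePresent = (Test-Path -Path $kerberosModule)
    }
}

$result = Test-HybridFido2Prerequisites
$result | Format-List
if (-not $result.VersionOk) {
    Write-Warning "Azure AD Connect $($result.InstalledVersion) is below $MinimumVersion; upgrade before creating the Azure AD Kerberos Server object."
}
```

Run it before and after the upgrade: before, VersionOk or KerberosModulePresent will be false; afterwards both should be true before you continue with the Kerberos Server object.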
Start the downloaded file.

Select Upgrade.

Enter your global admin credentials.

Then upgrade, and also start the synchronization process when the configuration completes.

Exit the upgrade program.

After the upgrade completes, a new subfolder is added under the Microsoft Azure Active Directory Connect installation folder:

C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos

Now, on the Azure AD Connect server, we will create an Azure AD Kerberos Server object in our on-premises AD.

In an elevated PowerShell prompt, change to the folder shown above.

Next, import the module from that folder with the command:

Import-Module ".\AzureAdKerberos.psd1"

Save our Azure Active Directory global administrator username and password in a variable with the command:

$cloudCred = Get-Credential

Save our domain administrator username and password in another variable, $domainCred, in the same way.

Now create the new Azure AD Kerberos Server object in Active Directory and publish it to Azure Active Directory with the command:

Set-AzureADKerberosServer -Domain "[domain]" -CloudCredential $cloudCred -DomainCredential $domainCred

We can verify what we just created with the command:

Get-AzureADKerberosServer -Domain "[domain]" -CloudCredential $cloudCred -DomainCredential $domainCred

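The steps above put together as one script, as an added example (not code from the original post). It imports the module, prompts for both sets of credentials, creates the object, and then does the check a practitioner wants after Get-AzureADKerberosServer: that the on-premises object and its published copy in Azure AD agree on the key version. The domain name is a placeholder, and the property names read from the Get-AzureADKerberosServer output (DomainDnsName, CloudDomainDnsName, KeyVersion, CloudKeyVersion, KeyUpdatedOn) are assumed from Microsoft's documentation of the cmdlet, not taken from the post.

```powershell
# Added example: create the Azure AD Kerberos Server object and verify on-prem/cloud consistency.
# Run in an elevated PowerShell prompt on the Azure AD Connect server.
$Domain = 'corp.example.com'   # placeholder, replace with your on-premises domain

Import-Module "$env:ProgramFiles\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

$cloudCred  = Get-Credential -Message 'Azure AD global administrator'
$domainCred = Get-Credential -Message 'On-premises domain administrator'

# Creates the object in Active Directory and publishes it to Azure AD (same cmdlet as the post).
Set-AzureADKerberosServer -Domain $Domain -CloudCredential $cloudCred -DomainCredential $domainCred

function Test-AzureADKerberosServerConsistency {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][pscredential]$CloudCredential,
        [Parameter(Mandatory)][pscredential]$DomainCredential
    )

    $server = Get-AzureADKerberosServer -Domain $Domain -CloudCredential $CloudCredential -DomainCredential $DomainCredential

    # Property names assumed from Microsoft's documentation of the cmdlet output;
    # run "$server | Format-List *" if your module version names them differently.
    [pscustomobject]@{
        OnPremDomain     = $server.DomainDnsName
        CloudDomain      = $server.CloudDomainDnsName
        OnPremKeyVersion = $server.KeyVersion
        CloudKeyVersion  = $server.CloudKeyVersion
        KeyUpdatedOn     = $server.KeyUpdatedOn
        KeyVersionsMatch = ($server.KeyVersion -eq $server.CloudKeyVersion)
    }
}

$check = Test-AzureADKerberosServerConsistency -Domain $Domain -CloudCredential $cloudCred -DomainCredential $domainCred
$check | Format-List
if (-not $check.KeyVersionsMatch) {
    Write-Warning 'On-premises and cloud key versions differ; re-run Set-AzureADKerberosServer and check again.'
}
```

A mismatch between the two key versions means the object in Active Directory and the copy published to Azure AD are out of step, which is exactly the state in which security key sign-in to on-premises resources would fail later, so it is worth catching here rather than at the Windows logon screen.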
The registration features for password-less authentication rely on combined security information registration, so make sure this is enabled in Azure AD.

Enable the FIDO2 security key authentication method; in this test it is enabled for all users.

Now sign in with a test user at https://myprofile.microsoft.com/

Select Security info:

Select Add method. You need to have at least one Azure Multi-Factor Authentication method registered before a security key can be added.

Select Security key and Add.

Select the security key type, here USB device.

Select Next.

Select Next again.

Select Continue.

Insert the security key in the USB port.

We already defined the PIN in the previous post, so we will just enter the existing PIN.

Select Allow.

Then give the security key a name so that we can identify it if we have more than one.

And finally we just have to press Done.

Now let’s try to sign in to Office 365 with our security key in the new Microsoft Edge browser (Chromium-based).

We will select Sign in with Windows Hello or a security key.

Enter the PIN.

Do the required gesture for the key, here a touch.

And we are in.

In order to try this on Windows 10, we need to use Insider build 18945 or later.

Since this is a hybrid Azure AD join scenario, we will enable security keys for Windows sign-in with a Group Policy.

This Group Policy setting requires an updated version of the credentialprovider.admx Group Policy template; for now we need to take it from the Insider build and copy it to our central store.

The setting can be found under Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in.

When enabled, it allows users to sign in with security keys.

Make sure that the device is hybrid Azure AD joined (Windows 10):

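Before going to the logon screen, the two client-side conditions from this section (hybrid Azure AD joined, and the security key sign-in policy applied) can be checked in one go on the Windows 10 device. The following is an added example, not code from the original post. It parses the output of dsregcmd /status for the AzureAdJoined and DomainJoined values and reads the registry value the credentialprovider.admx policy writes; that value name and path (UseSecurityKeyForSignin under HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey) are assumed from Microsoft's documentation of the setting and are not mentioned in the post. The build number check uses the 18945 minimum stated above.

```powershell
# Added example: readiness check for security key sign-in on a hybrid Azure AD joined Windows 10 device.
$MinimumBuild = 18945

function Get-DsRegStatusValue {
    param(
        [Parameter(Mandatory)][string[]]$DsRegOutput,
        [Parameter(Mandatory)][string]$Name
    )
    # dsregcmd /status prints lines such as "    AzureAdJoined : YES"; return the value after the colon.
    foreach ($line in $DsRegOutput) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s*:\s*(\S+)") { return $Matches[1] }
    }
    return $null
}

function Test-SecurityKeySignInReadiness {
    $status = dsregcmd /status

    # Registry location assumed from Microsoft's documentation of the "Turn on security key sign-in" policy.
    $policyKey   = 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\SecurityKey'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name UseSecurityKeyForSignin -ErrorAction SilentlyContinue).UseSecurityKeyForSignin

    $azureAdJoined = Get-DsRegStatusValue -DsRegOutput $status -Name 'AzureAdJoined'
    $domainJoined  = Get-DsRegStatusValue -DsRegOutput $status -Name 'DomainJoined'
    $build         = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    $hybridJoined = ($azureAdJoined -eq 'YES' -and $domainJoined -eq 'YES')
    $policySet    = ($policyValue -eq 1)
    $buildOk      = ($build -ge $MinimumBuild)

    [pscustomobject]@{
        AzureAdJoined        = $azureAdJoined
        DomainJoined         = $domainJoined
        HybridAzureAdJoined  = $hybridJoined
        SecurityKeyPolicySet = $policySet
        OsBuild              = $build
        OsBuildOk            = $buildOk
        Ready                = ($hybridJoined -and $policySet -and $buildOk)
    }
}

$readiness = Test-SecurityKeySignInReadiness
$readiness | Format-List
if (-not $readiness.Ready) {
    Write-Warning 'Device is not ready for security key sign-in; see the individual fields above.'
}
```

If SecurityKeyPolicySet is false while the GPO is linked, run gpupdate /force and re-check; if HybridAzureAdJoined is false, the device registration itself needs attention before the security key option will appear on the logon screen.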
Now let’s try to sign-in with the security key by entering the PIN for the key.

Touch the security key.

And we are at the desktop.

We now have an enterprise solution supporting single sign-on (SSO) to both cloud and on-premises resources, just what we have been waiting for.
