M
Mattias.N
Guest
Hi all
I am currently in the process of deploying Windows Hello For Business for our companys Windows 10 users but i am currently stuck.
I've been using the following deployment guide for my setup (http*s://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust)
I have done the following steps:
1. Domain Controllers are Windows Server 2019 with a DFL of 2016
2. Updated Azure AD Connect to the latest version and performed a directory schema refresh
3. Configured device syncronization to Azure AD
4. Issued a new Domain Controller certificate based of the Kereberos Authentication template as pointed out in the deployment guide and removed old domain certificates. (CA is deployed on a Windows Server 2012 machine)
5. Created a group policy that enables Windows Hello For Business for select users
I've deployed Win10 on a new device and synced the device to AAD then configured a PIN code for the user upon login and everything looks good in the User Device Registration log.
But when i try to log in using the newly created PIN code i get the error in style with "your credentials could not be verified" and if i look into the event log on the Domain Controller i get a 4768 Audit Failure event.
On subsequent logins after the first one i get another error in style with "An error occured and your Pin is not available (status: 0xc00000bb)" and in the event log on the Domain Controller i get a 4771 Audit Failure Event (Kerberos pre-authentication failed)
Looking at the CAPI2-log to catch any certificate problems i get the following event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>11</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000003</Keywords>
<TimeCreated SystemTime="2019-12-06T07:54:17.476176000Z" />
<EventRecordID>585</EventRecordID>
<Correlation />
<Execution ProcessID="624" ThreadID="3156" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>xxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <CertGetCertificateChain>
<Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
- <AdditionalStore>
<Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
</AdditionalStore>
<ExtendedKeyUsage />
<Flags value="40000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" />
<ChainEngineInfo context="machine" />
- <CertificateChain chainRef="{93D155EE-CFAD-410C-87B2-E7F3E83FC34F}">
- <TrustStatus>
<ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
<InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
- <ChainElement>
<Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
- <TrustStatus>
<ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
<InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
- <ApplicationUsage>
<Usage oid="1.3.6.1.4.1.311.20.2.2" name="Smart Card Logon" />
</ApplicationUsage>
<IssuanceUsage any="true" />
</ChainElement>
</CertificateChain>
<EventAuxInfo ProcessName="lsass.exe" />
<CorrelationAuxInfo TaskId="{CDA0C2CE-6DC3-440E-983C-DEA9A3FFA0C9}" SeqNumber="3" />
<Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>
</CertGetCertificateChain>
</UserData>
</Event>
My suspicion was that there was something wrong with my domain certificate but the serialnumber on the certificate in the log file does not corespond with any certificate on the DC. Looking at the information from the CAPI-log it looks like it is a certificate problem with the microsoft single sign-on site .. 278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05 in the log above seems to be part of the url i normally use to sign on eg: http*s://login.microsoftonline.com/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/login
I don't know why i'm receiving this certificate error and can't find any information about it, does anyone know what i need to change to make this work?
Best Regards
More...
I am currently in the process of deploying Windows Hello For Business for our companys Windows 10 users but i am currently stuck.
I've been using the following deployment guide for my setup (http*s://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust)
I have done the following steps:
1. Domain Controllers are Windows Server 2019 with a DFL of 2016
2. Updated Azure AD Connect to the latest version and performed a directory schema refresh
3. Configured device syncronization to Azure AD
4. Issued a new Domain Controller certificate based of the Kereberos Authentication template as pointed out in the deployment guide and removed old domain certificates. (CA is deployed on a Windows Server 2012 machine)
5. Created a group policy that enables Windows Hello For Business for select users
I've deployed Win10 on a new device and synced the device to AAD then configured a PIN code for the user upon login and everything looks good in the User Device Registration log.
But when i try to log in using the newly created PIN code i get the error in style with "your credentials could not be verified" and if i look into the event log on the Domain Controller i get a 4768 Audit Failure event.
On subsequent logins after the first one i get another error in style with "An error occured and your Pin is not available (status: 0xc00000bb)" and in the event log on the Domain Controller i get a 4771 Audit Failure Event (Kerberos pre-authentication failed)
Looking at the CAPI2-log to catch any certificate problems i get the following event:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" />
<EventID>11</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>11</Task>
<Opcode>2</Opcode>
<Keywords>0x4000000000000003</Keywords>
<TimeCreated SystemTime="2019-12-06T07:54:17.476176000Z" />
<EventRecordID>585</EventRecordID>
<Correlation />
<Execution ProcessID="624" ThreadID="3156" />
<Channel>Microsoft-Windows-CAPI2/Operational</Channel>
<Computer>xxxxx</Computer>
<Security UserID="S-1-5-18" />
</System>
- <UserData>
- <CertGetCertificateChain>
<Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
- <AdditionalStore>
<Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
</AdditionalStore>
<ExtendedKeyUsage />
<Flags value="40000000" CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT="true" />
<ChainEngineInfo context="machine" />
- <CertificateChain chainRef="{93D155EE-CFAD-410C-87B2-E7F3E83FC34F}">
- <TrustStatus>
<ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
<InfoStatus value="100" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
- <ChainElement>
<Certificate fileRef="8D88349BFEF462B33A4071CE8236CA309BB2277C.cer" subjectName="S-1-5-21-269500502-1034823935-1231754661-7354/ef7b9f62-cbdd-4477-a6f5-52545a50e12c/login.windows.net/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/user-email-here" />
<SignatureAlgorithm oid="1.2.840.113549.1.1.5" hashName="SHA1" publicKeyName="RSA" />
<PublicKeyAlgorithm oid="1.2.840.113549.1.1.1" publicKeyName="RSA" publicKeyLength="2048" />
- <TrustStatus>
<ErrorStatus value="20" CERT_TRUST_IS_UNTRUSTED_ROOT="true" />
<InfoStatus value="10C" CERT_TRUST_HAS_NAME_MATCH_ISSUER="true" CERT_TRUST_IS_SELF_SIGNED="true" CERT_TRUST_HAS_PREFERRED_ISSUER="true" />
</TrustStatus>
- <ApplicationUsage>
<Usage oid="1.3.6.1.4.1.311.20.2.2" name="Smart Card Logon" />
</ApplicationUsage>
<IssuanceUsage any="true" />
</ChainElement>
</CertificateChain>
<EventAuxInfo ProcessName="lsass.exe" />
<CorrelationAuxInfo TaskId="{CDA0C2CE-6DC3-440E-983C-DEA9A3FFA0C9}" SeqNumber="3" />
<Result value="800B0109">A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.</Result>
</CertGetCertificateChain>
</UserData>
</Event>
My suspicion was that there was something wrong with my domain certificate but the serialnumber on the certificate in the log file does not corespond with any certificate on the DC. Looking at the information from the CAPI-log it looks like it is a certificate problem with the microsoft single sign-on site .. 278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05 in the log above seems to be part of the url i normally use to sign on eg: http*s://login.microsoftonline.com/278b4d69-4b0a-4e05-8e6a-c1aed6ee0f05/login
I don't know why i'm receiving this certificate error and can't find any information about it, does anyone know what i need to change to make this work?
Best Regards
More...