Everyone knows that passwords are weak, and passwordless sign-in is around the corner for every enterprise. With FIDO2 it is now possible to sign in to a Windows 10 hybrid Azure AD joined device with a security key. A FIDO2 sign-in already combines possession of the key with a PIN or biometric, so it counts as strong authentication on its own: no separate MFA prompt and no complex password, just a key that you bring with you.

FIDO2 is based on public-key cryptography. The private key is generated and stored on the security key itself, and using it requires a local user gesture such as a PIN and/or a biometric. Private keys are bound to a single authenticator and never leave it; the relying party (here Azure AD) only ever holds the public key.

There are some requirements to get this to work.

Given these requirements you cannot deploy this on the current Windows 10 build, 1909. You need to wait until Windows 10 20H1 (version 2004) ships, or test with Windows 10 Insider builds. This blog post does not cover how to install a Windows Insider build.

Tenant configuration

Configure FIDO2 in tenant

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > Security > Authentication methods > Authentication method policy (Preview).
  3. Under the method FIDO2 Security Key, choose the following options:
    1. Enable – Yes or No
    2. Target – All users or Select users
  4. Save the configuration.

Configure the new security info portal

  1. Sign in to the Azure portal.
  2. Browse to Azure Active Directory > User settings > User feature previews.
  3. Under the Users can use preview features for registering and managing security info – enhanced, choose the following option:
    1. Enable – All users
  4. Save the configuration.

Enable user account for FIDO2 security key

Sign in to https://aka.ms/SetupSecurityInfo. If your account is not already registered for MFA you need to add an Authenticator app (or another MFA method) first, because registering a FIDO2 security key requires a strong authentication session.

  1. Sign in to the Security info page (https://aka.ms/SetupSecurityInfo).
  2. Choose Add method.
  3. Select Security key.
  4. Select USB device and click Next.
  5. Click OK, touch the key when prompted and enter the key's PIN (you are asked to create one if the key has none yet).
  6. Name the key, for example "Demo", and you are done.

SSO to on-premises resources using FIDO2 keys

The Azure AD Kerberos server is required for FIDO2 security key sign-in on a hybrid Azure AD joined device, not only for access to on-premises resources: you need it even if your users only consume cloud resources such as Office 365 and other SAML-enabled applications. The setup module ships with Azure AD Connect and does not yet work with the new cloud provisioning agent, so you create the Kerberos server object from the Azure AD Connect server.

# The module ships with Azure AD Connect. Run this on the AD Connect server from
# the module folder (by default
# C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos).
Import-Module ".\AzureAdKerberos.psd1"

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object (an AzureADKerberos computer account and a
# krbtgt_AzureAD user account) will be created in this domain.
$domain = "alden365.se"

# Enter an Azure Active Directory global administrator username and password.
# This is a plain username/password prompt, so the account must not require MFA.
$cloudCred = Get-Credential

# Enter a domain administrator username and password.
$domainCred = Get-Credential

# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred

The catch is that the cmdlet takes the Global Administrator credentials through Get-Credential, a plain username/password prompt, so the account you use cannot be subject to MFA while you run it (ironically, in a passwordless project). Keep that exception narrow: use a dedicated admin account, exclude it from the MFA policy only for the duration of the setup, and remove the exception afterwards. (Later releases of the module accept -UserPrincipalName instead of -CloudCredential, which opens a modern-authentication prompt and works with MFA.) You also need to create a routine for rotating the Azure AD Kerberos Server key, because there is no automatic rotation today:

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
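As an added example (not code from the original post), here is what that manual rotation routine can look like as a script you run on the AD Connect server: it reads the key version on both the AD and the Azure AD side, republishes if they differ, rotates when the key is older than a threshold, and verifies that the new version replicated. It assumes the AzureAdKerberos module at its default install path, the same domain and credentials as above, and a 30-day maximum key age, which is an assumed value you should replace with your own standard.

```powershell
# Added example, not part of the original post: check-and-rotate routine for the
# Azure AD Kerberos Server key, run on the Azure AD Connect server.
# Assumptions: module at its default install path, same $domain/credentials as
# above, and a 30-day maximum key age (assumed threshold, adjust to your policy).
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"

$domain        = "alden365.se"
$maxKeyAgeDays = 30
$cloudCred     = Get-Credential -Message "Azure AD Global Administrator (account without MFA)"
$domainCred    = Get-Credential -Message "On-premises Domain Administrator"

function Get-KerberosServerState {
    # Returns the object as stored in on-premises AD (KeyVersion, KeyUpdatedOn)
    # together with the copy published to Azure AD (CloudKeyVersion, CloudKeyUpdatedOn).
    Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
}

$before = Get-KerberosServerState
"AD    key version {0}, updated {1}" -f $before.KeyVersion, $before.KeyUpdatedOn
"Cloud key version {0}, updated {1}" -f $before.CloudKeyVersion, $before.CloudKeyUpdatedOn

# Both copies must match; a stale cloud copy breaks FIDO2 sign-in until it is republished.
if ($before.KeyVersion -ne $before.CloudKeyVersion) {
    Write-Warning "Key version differs between AD and Azure AD, republishing."
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
}

$keyAge = (Get-Date) - [datetime]$before.KeyUpdatedOn
if ($keyAge.TotalDays -le $maxKeyAgeDays) {
    Write-Host ("Key is {0:N0} days old, no rotation needed." -f $keyAge.TotalDays)
    return
}

Write-Host ("Key is {0:N0} days old, rotating." -f $keyAge.TotalDays)
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

# Confirm the new version landed on both sides before declaring success.
$after = Get-KerberosServerState
if ($after.KeyVersion -ne $before.KeyVersion -and $after.KeyVersion -eq $after.CloudKeyVersion) {
    Write-Host "Rotation succeeded, key version is now $($after.KeyVersion)."
} else {
    Write-Error "Rotation did not replicate to Azure AD (AD=$($after.KeyVersion), cloud=$($after.CloudKeyVersion)); check AD Connect and retry."
}
```

Run it from a scheduled task or as part of the same change window in which you rotate the domain's other krbtgt keys; Microsoft's guidance is to rotate the Azure AD Kerberos Server key on the same schedule as the domain controllers' krbtgt key, so the 30-day value above is only a placeholder.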

Configure Windows 10 sign-in lock screen

Enabling security key sign-in from the Windows 10 lock screen can be done in several ways.

  • Enable with Intune
  • Targeted Intune deployment
  • Enable with a provisioning package
  • Enable with Group Policy

Enable with Group Policy
1. Open the Group Policy Management Editor on a domain controller (or on any machine with RSAT installed)
2. Browse to Computer Configuration > Administrative Templates > System > Logon > Turn on security key sign-in
3. Choose Enabled

I never got the policy to work, even when I copied credentialprovider.admx from Windows 10 Insider build 19577 to the central store. The Microsoft documentation says it requires Windows 10 20H1 to work. I made the change manually on my test client instead.
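For reference, the "Turn on security key sign-in" policy writes a single registry value, so the manual change on a test client can be scripted and verified. The following is an added example, not code from the original post; it assumes an elevated PowerShell session on the Windows 10 client, and the policy path and value name are the ones the credentialprovider.admx template writes.

```powershell
# Added example, not part of the original post: the manual equivalent of the
# "Turn on security key sign-in" Group Policy, with a check that it took effect.
# Assumes an elevated session on the Windows 10 client.
$policyPath = "HKLM:\SOFTWARE\Policies\Microsoft\FIDO"   # key written by the policy
$valueName  = "EnableFIDODeviceLogon"                     # DWORD, 1 = enabled

function Enable-SecurityKeySignIn {
    if (-not (Test-Path $policyPath)) {
        New-Item -Path $policyPath -Force | Out-Null
    }
    # -Force overwrites an existing value (for example a 0 written by a GPO you are overriding for testing).
    New-ItemProperty -Path $policyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

function Disable-SecurityKeySignIn {
    # Rollback for the test client: remove the value so the default (off) applies again.
    Remove-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
}

function Test-SecurityKeySignIn {
    $current = Get-ItemProperty -Path $policyPath -Name $valueName -ErrorAction SilentlyContinue
    return ($null -ne $current -and $current.$valueName -eq 1)
}

Enable-SecurityKeySignIn
if (Test-SecurityKeySignIn) {
    Write-Host "Security key sign-in is enabled; sign out to see the security key option on the lock screen."
} else {
    Write-Error "Policy value was not written; make sure the session is elevated."
}
```

Keep in mind that a value set this way is indistinguishable from one set by Group Policy, so a later GPO refresh will overwrite it; on a production client use Group Policy, Intune or a provisioning package instead.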

Read about all the security key sign-in options at this link.

Troubleshooting steps

dsregcmd /status shows whether the computer is domain joined and hybrid Azure AD joined: look for DomainJoined : YES together with AzureAdJoined : YES, and for AzureAdPrt : YES once a user has signed in.

klist lists the cached Kerberos tickets, including the ticket-granting ticket (TGT). After a successful FIDO2 sign-in you should see a TGT for your on-premises domain (krbtgt/YOURDOMAIN); if it is missing, the Azure AD Kerberos Server object or domain controller reachability is the first thing to check.
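The two checks above can be combined into one script that parses the tool output instead of eyeballing it. This is an added example, not code from the original post; it assumes a Windows 10 client, the field names that dsregcmd /status prints (DomainJoined, AzureAdJoined, AzureAdPrt) and the "krbtgt/REALM" server name format that klist prints, and uses the post's domain alden365.se as the realm to look for.

```powershell
# Added example, not part of the original post: scripted version of the
# dsregcmd /status and klist checks. Assumes a Windows 10 client.
function Get-DsregStatus {
    # Parse "Name : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

function Test-HybridJoin {
    $s = Get-DsregStatus
    # Hybrid Azure AD join means both: domain joined AND Azure AD joined.
    $ok = ($s['DomainJoined'] -eq 'YES') -and ($s['AzureAdJoined'] -eq 'YES')
    Write-Host "DomainJoined  : $($s['DomainJoined'])"
    Write-Host "AzureAdJoined : $($s['AzureAdJoined'])"
    Write-Host "AzureAdPrt    : $($s['AzureAdPrt'])"   # a PRT means the cloud half of sign-in worked
    return $ok
}

function Test-OnPremTgt {
    param([string]$Realm)
    # klist prints the TGT as "Server: krbtgt/<REALM> @ <REALM>"; match that line.
    $found = klist 2>$null | Select-String -Pattern "krbtgt/$([regex]::Escape($Realm))" -Quiet
    return [bool]$found
}

$realm  = 'alden365.se'   # the post's domain; replace with yours
$hybrid = Test-HybridJoin
$tgt    = Test-OnPremTgt -Realm $realm

if (-not $hybrid) {
    Write-Warning "Device is not hybrid Azure AD joined; FIDO2 sign-in cannot complete. Check the hybrid join configuration and device sync in Azure AD Connect."
} elseif (-not $tgt) {
    Write-Warning "No TGT for $realm in the ticket cache; check the Azure AD Kerberos Server object and that a domain controller is reachable."
} else {
    Write-Host "Hybrid join and on-premises Kerberos look healthy."
}
```

Run it in the signed-in user's session (not elevated), because klist shows the ticket cache of the logon session it runs in; an elevated prompt has a different session and may show a different cache.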

I hope this guide helps you start testing passwordless sign-in in a hybrid environment. Feel free to ask if you have any questions.