I have had the honor of deploying Windows Hello for Business several times for customers transitioning to a modern workplace, using Azure AD and Microsoft Intune to manage their Windows 10 devices combined with hybrid user identities. Now I want to share the most common hurdles and my experiences with you.

Just to make sure that you have the modern mindset, here's a little quote to make you reconsider your hybrid strategy (if you haven't already):

You don't need a Hybrid Azure AD join for your Windows 10 devices. Be brave, don't be afraid, and switch to an Azure AD join. It will simplify your device management and significantly reduce the complexity.

Why additional configuration is required

To access on-premises resources that rely on Active Directory (file shares, applications), Kerberos is used as the authentication protocol. If you have Azure AD Connect in place and a user signs in to an Azure AD joined Windows 10 device with his hybrid identity using a password, he automatically receives the required Kerberos tickets when he accesses those resources.

But if the sign-in happens with Windows Hello for Business credentials (PIN, biometrics), the authentication flow gets interrupted, because neither the domain controller (if it's not a Windows Server 2016 DC) nor the client can verify the integrity of the other.

Possible configurations

For Azure AD joined devices the following Windows Hello for Business deployment options exist:

Certificate based authentication
  Prerequisites:
  • Windows Server 2008 R2 DC's
  • Enterprise CA
  • Azure AD App Proxy
  • NDES Server
  Choose if:
  • Already running NDES
  • Deploy Always On VPN as well
  • Use other certificates with NDES

Key based authentication
  Prerequisites:
  • At least one Windows Server 2016 DC
  • Enterprise CA
  • Azure AD App Proxy
  Choose if:
  • Running 2016 DC's
  • Want to invest a minimal effort

You have to choose your deployment strategy wisely: the key based authentication may look tempting, but you may need to distribute other user certificates as well, for example for Wi-Fi authentication or an Always On VPN.

Big picture

For a better understanding, here's a scheme of the components involved when using Windows Hello for Business SSO with on-premises resources. As mentioned before, NDES is not necessary, depending on your deployment option.

Issue #1: CRL

The number one issue in my experience is always the availability of the certificate revocation list (CRL). During the authentication flow a verification is performed:

  1. After verifying the user's pre-authentication data, the KDC (Kerberos Key Distribution Center) running on a domain controller returns a Ticket Granting Ticket (TGT). The client then determines whether it can trust the response from the KDC. This includes checking that the KDC's certificate has neither expired nor been revoked, that the certificate chain is valid, and that the CRL is valid and accessible.
  2. When using certificate trust with WHFB, the client sends an authentication request as in case #1, but it also includes the user's certificate, and the same verification is performed on it: the certificate has neither expired nor been revoked, the certificate chain is valid, and the CRL is valid and accessible. On success the KDC returns a TGT and the client verifies the response.

Requirements

The certificate revocation list must be accessible from every client involved in the authentication flow. Assuming that you have published your CRL through IIS and Azure Application Proxy, make sure that the CRL is available through HTTP and not HTTPS.

Windows provides a very helpful and powerful tool called certutil to verify CRL accessibility (and basically to support all operations for certificate deployments). Run it on your DC's and your Windows 10 clients to verify the accessibility. If you are running a web proxy with user authentication, also check the accessibility under the SYSTEM account using PsExec.

You can check the CRL availability with:
certutil -url "%CRL URL%"
certutil -url "%Exported certificate file path%"

And here some examples:
certutil -url "http://crl.nicolonsky.ch/nt-issuing-ca"
certutil -url "c:\temp\nicolonsky-nicola.cer"

Checking the CRL retrieval with certutil

At this point I also recommend removing unused or unavailable CRL paths like the LDAP path. It may expose sensitive on-premises Active Directory information.
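To script the CRL check described above instead of clicking through the certutil dialog, here is an added PowerShell example (not from the original post): it reads the CRL Distribution Points out of an exported certificate, flags the LDAP and HTTPS paths this section advises against, and fetches every HTTP CRL with a plain anonymous GET, just like a client would. The function name, parameter names and the sample file path are this example's own assumptions.

```powershell
# Added example: enumerate the CRL Distribution Points (CDP) of a certificate and test them.
# Run it on a DC and on a Windows 10 client; repeat under SYSTEM ("psexec -s -i powershell.exe")
# when a web proxy with user authentication is in the path.
function Test-CrlDistributionPoints {
    param(
        [Parameter(Mandatory)][string]$CertificatePath,   # exported user or DC certificate (.cer)
        [int]$TimeoutSec = 10
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertificatePath
    # OID 2.5.29.31 = CRL Distribution Points; Format($true) prints lines such as "URL=http://..."
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' } | Select-Object -First 1
    if (-not $cdp) { Write-Warning "No CRL Distribution Point extension in $($cert.Subject)"; return }
    $urls = [regex]::Matches($cdp.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }

    foreach ($url in $urls) {
        $result = [ordered]@{ Url = $url; Scheme = ([uri]$url).Scheme; Status = ''; Note = '' }
        switch ($result.Scheme) {
            'ldap'  { $result.Status = 'SKIPPED'; $result.Note = 'LDAP CDP: usually unused or unavailable, consider removing it from the CA' }
            'https' { $result.Status = 'SKIPPED'; $result.Note = 'HTTPS CDP: publish the CRL over plain HTTP instead' }
            'http'  {
                try {
                    # Anonymous GET, no credentials: this is what the client and the KDC do
                    $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
                    $result.Status = "HTTP $($resp.StatusCode)"
                    $result.Note   = "$($resp.RawContentLength) bytes received"
                } catch {
                    $result.Status = 'FAILED'
                    $result.Note   = $_.Exception.Message
                }
            }
            default { $result.Status = 'SKIPPED'; $result.Note = 'unsupported scheme' }
        }
        [pscustomobject]$result
    }
}

# Usage (sample path as in the post):
Test-CrlDistributionPoints -CertificatePath 'C:\temp\nicolonsky-nicola.cer' | Format-Table -AutoSize

# Full chain validation including AIA/CDP retrieval, printed to the console instead of the GUI:
certutil -verify -urlfetch 'C:\temp\nicolonsky-nicola.cer'
```

Any row other than "HTTP 200" for an http:// URL means the CRL is not reachable from this machine in this security context, which is exactly the condition that breaks the WHFB sign-in.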

Issue #2: Domain Controller Certificates

The domain controller certificates must be installed on all domain controllers that handle authentication requests. Make sure that the certificate is valid for the KDC Authentication usage (EKU) and that the primary DNS domain name (e.g. intra.contoso.com) is included in the SAN.

For easier management of the domain controller certificates I strongly recommend enabling auto-enrollment.
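To verify the two DC certificate requirements from this section on every domain controller, here is an added PowerShell example (not from the original post): it walks the machine certificate store and reports, per certificate, whether the KDC Authentication EKU is present, whether the SAN contains the primary DNS domain name, and whether the certificate is usable (private key present, not expired). The function name, the store path default and the domain name parameter are this example's assumptions; the SAN text parsing assumes the English "DNS Name=" output of Format().

```powershell
# Added example: check the local machine store of a DC for a certificate that satisfies
# the WHFB requirements (KDC Authentication EKU + domain DNS name in the SAN).
function Test-DomainControllerCertificate {
    param(
        [Parameter(Mandatory)][string]$DnsDomain,          # primary DNS domain, e.g. 'intra.contoso.com'
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $kdcAuthOid = '1.3.6.1.5.2.3.5'   # id-pkinit-KPKdc, shown as "KDC Authentication" in the MMC
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Enhanced Key Usage extension (OID 2.5.29.37), decoded into its OID list
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' } | Select-Object -First 1
        $ekuOids = @()
        if ($ekuExt) {
            $eku = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($ekuExt, $false)
            $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
        # Subject Alternative Name extension (OID 2.5.29.17); Format($true) prints "DNS Name=host.domain" lines
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $dnsNames = @()
        if ($sanExt) {
            $dnsNames = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
        }
        $hasKdcAuth  = $ekuOids -contains $kdcAuthOid
        $sanHasDomain = $dnsNames -contains $DnsDomain    # -contains is case-insensitive in PowerShell
        $notExpired  = $cert.NotAfter -gt (Get-Date)
        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KdcAuthEku    = $hasKdcAuth
            SanHasDomain  = $sanHasDomain
            SanDnsNames   = ($dnsNames -join ', ')
            ReadyForWhfb  = $hasKdcAuth -and $sanHasDomain -and $cert.HasPrivateKey -and $notExpired
        }
    }
}

# Usage: run on each DC; at least one certificate must report ReadyForWhfb = True.
Test-DomainControllerCertificate -DnsDomain 'intra.contoso.com' |
    Format-Table Subject, NotAfter, HasPrivateKey, KdcAuthEku, SanHasDomain, ReadyForWhfb -AutoSize
```

A DC where no certificate reports ReadyForWhfb = True is the one to look at first when WHFB sign-ins fail while password sign-ins still work.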

More log resources

The validation of the certificate chain and CRL can also be traced in the Windows event log. Simply enable the "Microsoft-Windows-CAPI2/Operational" log and you'll find all certificate validation entries there.

Final thoughts

I hope this post helps you spin up your Windows Hello for Business deployment. Have you experienced other issues during the deployment? Please leave a comment and I'll update the post accordingly.