As you may already be aware, support for passwordless sign-in with FIDO2 security keys has been in preview for quite some time for Azure AD joined devices and browser sign-ins (see https://t.co/6HfQaQrsuR).
Well, good news: you can now also use FIDO2 keys to authenticate on Azure AD Hybrid joined devices, i.e. Windows 10 devices joined to an on-premises Active Directory domain and registered in Azure Active Directory.
You can check whether a device is Azure AD joined or Hybrid Azure AD joined in the Azure AD portal (https://aad.portal.azure.com/) or the Azure portal (https://portal.azure.com) under Azure Active Directory > Devices > All devices (the Join Type column). On the device itself, dsregcmd /status reports AzureAdJoined and DomainJoined; a Hybrid joined device shows YES for both.
Then you need to ensure the following (if not already done):
- Active Directory Domain Controllers must be running Windows Server 2016 or later (fully patched)
- You must ensure you have the following patches installed on the domain controllers:
- Windows Server 2016: KB4534307, https://support.microsoft.com/help/4534307/windows-10-update-kb4534307
- Windows Server 2019: KB4534321, https://support.microsoft.com/help/4534321/windows-10-update-kb4534321
- Windows 10 Insider build 18945 or later on the client devices
- Azure AD Connect 1.4.32.0 or later (released early November 2019)
- FIDO2 security keys enabled as an authentication method in Azure AD (https://t.co/6HfQaQrsuR)
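The prerequisite checks above, as an added PowerShell example (this is not code from the original post). It assumes the RSAT ActiveDirectory module on the admin host, WinRM access to the domain controllers, that the Azure AD Connect check runs on the Azure AD Connect server itself (where the product is listed in the Uninstall registry key as "Microsoft Azure AD Connect"), and that the client check runs on the Windows 10 device. The minimum build revisions are the OS builds the two listed January 2020 updates install (14393.3443 for KB4534307, 17763.973 for KB4534321); the Insider build number comes from the list above.

```powershell
# Added example (not from the original post): verify the FIDO2 hybrid prerequisites.
# Assumes RSAT ActiveDirectory, WinRM to the DCs, and that each function runs on the host it targets.
Import-Module ActiveDirectory

# Build the listed KB installs per DC build: 14393 = Server 2016, 17763 = Server 2019
$script:MinUbr     = @{ '14393' = 3443; '17763' = 973 }
$script:RequiredKb = @{ '14393' = 'KB4534307'; '17763' = 'KB4534321' }

function Test-DcPrerequisites {
    # Every DC must be Windows Server 2016+ and carry the listed update (or a later one).
    foreach ($dc in Get-ADDomainController -Filter *) {
        # OperatingSystemVersion in AD lacks the revision (UBR), so read it from the DC's registry.
        $ver = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
                Select-Object CurrentBuildNumber, UBR
        }
        $build = [string]$ver.CurrentBuildNumber
        if ([int]$build -lt 14393) {
            Write-Warning "$($dc.HostName): $($dc.OperatingSystem) is older than Windows Server 2016 - unsupported"
            continue
        }
        if ($script:MinUbr.ContainsKey($build)) {
            # A later cumulative update supersedes the KB and can drop it from Get-HotFix,
            # so compare the build revision instead of searching for the KB ID alone.
            $state = if ([int]$ver.UBR -ge $script:MinUbr[$build]) { 'OK' }
                     else { "MISSING $($script:RequiredKb[$build]) or later" }
        } else {
            $state = 'OK (newer than Server 2019, no listed KB applies)'
        }
        "{0,-30} build {1}.{2,-6} {3}" -f $dc.HostName, $build, $ver.UBR, $state
    }
}

function Test-AadConnectVersion {
    # Run on the Azure AD Connect server: the product entry must be 1.4.32.0 or later.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $aadc = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
        Select-Object -First 1
    if ($aadc -and [version]$aadc.DisplayVersion -ge [version]'1.4.32.0') {
        "Azure AD Connect $($aadc.DisplayVersion): OK"
    } else {
        Write-Warning "Azure AD Connect not found here or older than 1.4.32.0 (found: '$($aadc.DisplayVersion)')"
    }
}

function Test-ClientPrerequisites {
    # Run on the Windows 10 device: Insider build 18945+ and Hybrid joined (both flags YES).
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
    $status = dsregcmd /status
    $azureAdJoined = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined  = [bool]($status -match '^\s*DomainJoined\s*:\s*YES')
    [pscustomobject]@{
        Build        = $build
        BuildOk      = $build -ge 18945
        HybridJoined = $azureAdJoined -and $domainJoined
    }
}

# Usage (each on the host it applies to):
#   Test-DcPrerequisites
#   Test-AadConnectVersion
#   Test-ClientPrerequisites
```

Test-DcPrerequisites compares the build revision rather than looking for the KB by ID because Get-HotFix no longer lists a cumulative update once a newer one has replaced it; a DC on a later cumulative update is compliant and should not be flagged.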
Then you enable the hybrid settings:
- From your Azure AD Connect server, create the Azure AD Kerberos server object using the PowerShell commands below; this creates a disabled user account named krbtgt_AzureAD in the default Users container of the domain
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
$domain = "<your AD domain>"
$cloudCred = Get-Credential   # Azure AD Global Administrator
$domainCred = Get-Credential  # on-premises Domain Administrator
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
- You can check that the object was created successfully with the PowerShell command
Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
- If for some reason you need to remove this object, just use the command
Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
NOTE: if you also use Seamless SSO you already know you have to rotate the Kerberos decryption key regularly; the same applies here. Just use the command
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey
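The create, verify and rotate steps above combined into one script, as an added example (not code from the original post or from Microsoft). It runs on the Azure AD Connect server, assumes the RSAT ActiveDirectory module is present there, uses the property names Get-AzureADKerberosServer returns (Id, CloudId, UserAccount, KeyVersion, CloudKeyVersion, KeyUpdatedOn), and treats an empty UserAccount as "object not created yet"; the 30-day rotation interval is an assumed policy value, not something the post prescribes.

```powershell
# Added example (not from the original post): create, verify and rotate the Azure AD Kerberos
# server object from the Azure AD Connect server. Assumes RSAT ActiveDirectory is installed here.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1"
Import-Module ActiveDirectory

$domain        = "<your AD domain>"   # DNS name of the on-premises domain
$cloudCred     = Get-Credential -Message "Azure AD Global Administrator"
$domainCred    = Get-Credential -Message "On-premises Domain Administrator"
$maxKeyAgeDays = 30                   # assumed rotation policy; align with your Seamless SSO key rotation

$common = @{ Domain = $domain; CloudCredential = $cloudCred; DomainCredential = $domainCred }

# 1. Create the object only if it is not there yet (assumption: a missing object reports no UserAccount)
$existing = Get-AzureADKerberosServer @common
if (-not $existing.UserAccount) {
    Write-Host "Creating Azure AD Kerberos server object for $domain"
    Set-AzureADKerberosServer @common
}

# 2. Verify: the on-premises and cloud copies must describe the same object and key version
$krb = Get-AzureADKerberosServer @common
if (-not $krb.UserAccount)                   { throw "Azure AD Kerberos server object was not created" }
if ($krb.Id -ne $krb.CloudId)                { throw "Id/CloudId mismatch: $($krb.Id) vs $($krb.CloudId)" }
if ($krb.KeyVersion -ne $krb.CloudKeyVersion) { throw "KeyVersion/CloudKeyVersion mismatch: $($krb.KeyVersion) vs $($krb.CloudKeyVersion)" }

# 3. Verify the AD side: krbtgt_AzureAD exists, is disabled, and is the account the object points to
$acct = Get-ADUser -Filter "SamAccountName -eq 'krbtgt_AzureAD'" -Properties Enabled, whenCreated
if (-not $acct)                                   { throw "krbtgt_AzureAD account not found in $domain" }
if ($acct.Enabled)                                { Write-Warning "krbtgt_AzureAD is ENABLED; it must stay disabled" }
if ($acct.DistinguishedName -ne $krb.UserAccount) { Write-Warning "UserAccount ($($krb.UserAccount)) differs from $($acct.DistinguishedName)" }
"krbtgt_AzureAD: $($acct.DistinguishedName), created $($acct.whenCreated), key version $($krb.KeyVersion), updated $($krb.KeyUpdatedOn)"

# 4. Rotate when the key is older than the policy interval, then confirm the version moved on both sides
$keyAge = (Get-Date) - [datetime]$krb.KeyUpdatedOn
if ($keyAge.TotalDays -gt $maxKeyAgeDays) {
    Write-Host ("Key is {0:N0} days old, rotating" -f $keyAge.TotalDays)
    Set-AzureADKerberosServer @common -RotateServerKey
    $after = Get-AzureADKerberosServer @common
    if ($after.KeyVersion -eq $krb.KeyVersion)         { throw "Rotation did not change KeyVersion" }
    if ($after.KeyVersion -ne $after.CloudKeyVersion)  { throw "Cloud copy did not pick up the rotated key" }
    "Rotated: key version $($krb.KeyVersion) -> $($after.KeyVersion)"
} else {
    "Key age {0:N0} days, within policy ({1} days)" -f $keyAge.TotalDays, $maxKeyAgeDays
}
```

The krbtgt_AzureAD key is what lets Azure AD issue Kerberos tickets for your on-premises domain, so treat it like the domain krbtgt secret: the Azure AD Connect server this runs on and both sets of credentials are Tier 0, and the disabled state of the account is part of the design, not something to "fix".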
KNOWN LIMITATION/ISSUE
If your password has expired, FIDO2 authentication will fail. You need to update your password to make it work again.
That's it folks, you have enabled FIDO2 authentication for your Active Directory domain joined Windows 10 devices.