Knowledge Base

Solution

This document describes the installation and configuration steps for enabling certificate issuance through the DigiCert Autoenrollment server for Windows Hello® for Business. 

• Introduction
  • About Windows Hello for Business
  • How DigiCert Contributes in Windows Hello for Business
    • Windows Hello for Business Authentication Process
    • Windows Hello for Business Certificate Issuance Process
• Pre-requisites
  • Supported Deployment Model and Trust Type
  • Required Windows Hello for Business Setup
  • Required Autoenrollment Server Setup
• Setting Up Windows Hello for Business with Autoenrollment Server
  • Creating Certificate Profiles
  • Downloading and Importing Autoenrollment Configuration File
  • Assigning Group/User Access for Each Template
  • Issuing Domain Controller Certificates
  • Setting Up Active Directory Federation Services
  • Adding User Principal Name to Service Account
  • Provisioning
• Windows Hello for Business Authentication Certificate Lifecycle
  • Renewal
  • Expiration
  • Revocation
  • Reset
• Troubleshooting

Introduction

About Windows Hello for Business 

Windows Hello® for Business, a feature by Microsoft® starting from Windows 10, introduced password replacement with strong two-factor authentication, consisting of a new type of user credential bound to a device and accessed using a biometric or PIN. DigiCert now has an offering to issue certificates from the DigiCert PKI Platform hosted Certificate Authorities for this new user credential. 

For a detailed overview of Windows Hello for Business, please refer to the official Microsoft documentation: Windows Hello for Business Overview. 

How DigiCert Contributes in Windows Hello for Business 

Windows Hello for Business depends on multiple technology stacks, but Public Key Infrastructure (PKI) is one of its many foundations. DigiCert PKI Platform can provide all certificates which are required to enable Windows Hello for Business through our Certificate Authority, and automatically provision them via our Autoenrollment Server. 

Following table shows the type of certificates required by Windows Hello for Business.

Note: Above table only covers certificates required by Hybrid Azure AD joined Certificate Trust Deployment model which DigiCert supports currently. See below, “Supported Deployment Model and Trust Type” for more details.

Below sections describe how they are used and issued in more details. 

Windows Hello for Business Authentication Process

Windows Hello for Business enables users to use PIN or biometrics to authenticate. But PIN or biometrics are only used to access the private key stored in the device. They act as a key to open a box which stores the master key. The authentication with Active Directory and Azure solely relies on authentication request signed by this private key.

The above diagram shows the authentication process using Windows Hello for Business. After user has retrieved the Ticket Granting Ticket (TGT) and Primary Refresh Token (PRT), he/she can access any on-premise service with Kerberos Authentication using TGT and any Azure service using PRT. For more information about PRT and TGT, check the following links.

• Ticket-Granting Tickets

• Primary Refresh Token (PRT) and Azure AD

Additionally, when user authenticates with the Domain Controller, it is required that the server has the correct DC certificate. This is because the user also check if the Domain Controller can be trusted.

For more details about the authentication sequence, check the following link.

• How Windows Hello for Business works - Authentication: Hybrid Azure AD join authentication using a Certificate

Windows Hello for Business Certificate Issuance Process

Following diagram shows how the Windows Hello for Business Authentication certificate is issued to the end user using DigiCert Certificate Authority using Autoenrollment Server.

You can see from the diagram that user requests certificate through AD FS. AD FS authenticates the user and also signs the CSR (Certificate Signing Request) sent by user. This is called “Enroll on Behalf of”, since AD FS enrolls for the certificate on behalf of the user. This process requires that AD FS has its own Enrollment Agent certificate, which is automatically issued to AD FS during this process if AD FS does not have an Enrollment Agent certificate.

The request is sent to Autoenrollment Server using CMC (Certificate Management over CMS), where Autoenrollment Server checks the signature of the request. If the signature is valid, Autoenrollment Server will call the DigiCert API to issue certificate. The issued certificate will be returned to AD FS, and AD FS will return it to the user.

The issuance process explained in this section is also part of a process called “Provisioning“ in Windows Hello for Business terms, where initial certificate issuance occurs after user has successfully authenticated to both Active Directory and Azure AD using credentials or MFA (Multi-Factor Authentication).

For more details about the certificate issuance sequence, check the following link.

• How Windows Hello for Business works - Provisioning: Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment

Pre-requisites

Supported Deployment Model and Trust Type

When enabling Windows Hello for Business for your organization, you will need to decide which deployment model and trust type suit your organization. There are five different deployment model and trust type combinations:

• Cloud Only Deployment

• Hybrid Azure AD joined Certificate Trust Deployment

• Hybrid Azure AD joined Key Trust Deployment

• On-premises Certificate Trust Deployment

• On-premises Key Trust Deployment

Check the official Microsoft documents, Planning a Windows Hello for Business Deployment and Windows Hello for Business Deployment Prerequisite Overview for full details about which model you should and can use.

You do not need to consider about Windows Server Certificate Authority stated in the Microsoft Prerequisite document, since it will be covered by DigiCert.

Currently, DigiCert supports the Hybrid Azure AD joined Certificate Trust Deployment model but planning to support additional certificate-based trust models. DigiCert will not support any of the two Key Trust Deployment models.

Required Windows Hello for Business Setup

Following shows the steps required to set up a Windows Hello for Business solution for Hybrid Azure AD joined Certificate Trust Deployment. They are steps outlined in the official Microsoft deployment guides. The links for each step will take you to the official Microsoft documents.

1. Hybrid Certificate Trust Deployment Overview
2. Prerequisites
3. New Installation Baseline - skip “Public Key Infrastructure” section
4. Device Registration
5. Configure Windows Hello for Business settings
   • Active Directory
   • Public Key Infrastructure - replaced by this document
   • Active Directory Federation Services - “Configure the Registration Authority” section replaced by this document
   • Group Policy
6. Sign-in and Provision

You will need to complete all steps to 5-a. “Active Directory”, but in 3. “New Installation Baseline“, skip “Public Key Infrastructure” section. Also you can skip 5-b. “Public Key Infrastructure” and 5-c. “Active Directory Federation Services“, and finish 5-d. “Group Policy” first. This document replaces those sections, substituting Windows Server Certificate Authority with a DigiCert Certificate Authority.

When all the steps covered in this document are completed, you can move on to 6. “Sign-in and Provision”. If all the configurations are properly in place, provisioning should happen when user logs on to their Windows machine.

Required Autoenrollment Server Setup

To enable Windows Hello for Business certificates to be issued from a DigiCert Certificate Authority, the DigiCert Autoenrollment Server is required to be installed and configured in your enterprise Windows domain. Follow the directions in “DigiCert® Autoenrollment Server Deployment Guide” which can be downloaded from DigiCert PKI Platform & Autoenrollment Server Deployment Guides to install and configure.

All steps from the document need to be completed, and it is recommended to first check if certificates can be issued using a Non-Windows Hello for Business Certificate Profile. The issuance process for Windows Hello for Business is complicated, and it will be easier to troubleshoot by ensuring that your Autoenrollment Server can issue certificates properly before configuring for the Windows Hello for Business solution.

Setting Up Windows Hello for Business with Autoenrollment Server

Creating Certificate Profiles

You will need to create three different certificate profiles from each certificate templates described below to enable Windows Hello for Business for your organization.

Screenshot shows the profile for “Domain Controller for Windows Hello for Business”

The “DigiCert® Autoenrollment Server Deployment Guide” (downloadable from DigiCert PKI Platform & Autoenrollment Server Deployment Guides) section “Creating Autoenrollment Certificate Profile” will guide you through on how to create certificate profiles for Autoenrollment Server. When selecting certificate template, make sure to select from one of the three templates described above.

After you create the profiles, make sure to note the Certificate Profile OID for two profiles created from following templates.

1. Microsoft® Enrollment Agent
2. Windows Hello for Business Authentication
   

This information will be required later in section “Setting Up Active Directory Federation Services”.

NOTE: When creating Microsoft® Enrollment Agent template, make sure to select Yes for Allow duplicate certificates.

This is required since Active Directory Federation Service will try to issue certificate from this profile every 12 hours for status check. If duplicate certificate is not allowed, status check will fail.

NOTE: Microsoft® Enrollment Agent template Seat ID will be mapped to ‘cn’ (Common Name) by default. This should not be changed to mail when the AD FS is run by Service Accounts, since Service Accounts does not have email address.

Downloading and Importing Autoenrollment Configuration File

After you have successfully created the required three certificate profiles, you will need to download and import the Autoenrollment configuration file.

To do so, refer to the “DigiCert® Autoenrollment Server Deployment Guide” (downloadable from DigiCert PKI Platform & Autoenrollment Server Deployment Guides) section “Importing the Autoenrollment Configuration File”.

NOTE: If you have selected CSR as Enrollment Method for Domain Controller for Windows Hello for Business template, then while downloading the AutoEnrollment configuration file from DigiCert PKI Platform ensure to Un-Check AES based profile for Domain Controller for Windows Hello for Business template.

Assigning Group/User Access for Each Template

After you have imported the Autoenrollment configuration file into the Autoenrollment Server, you will need to assign access permissions to the imported templates. The required permission for each template is described below. Refer to the “DigiCert® Autoenrollment Server Deployment Guide” (downloadable from DigiCert PKI Platform & Autoenrollment Server Deployment Guides) section “About the Preparation of Certificate Templates” and “About the Assignment of Group/User Access to Templates“ for more details on how to configure them.

Issuing Domain Controller Certificates

There are different ways to issue Domain Controller certificates depending on the Enrollment Method chosen during the profile creation. Proceed to the appropriate section depending on the Enrollment method you have selected.

Issuing Domain Controller Certificates with CSR:

If you selected CSR as Enrollment Method, follow the steps in this section. These steps are completed on the Domain Computer where you are planning to issue the certificate to. The user who performs these steps must have administrator rights for the computer.

1. Create a text file named dccert.inf with following contents:

Make sure to edit Subject and Exportable property appropriately. Save it to a temporary location.

2. From a command prompt, run the following command to generate the CSR in .pem format. The command outputs the CSR to the file dccert.req. You can run this utility from any location. However, unless you run it from the location where you saved the dccert.inf file, you must specify the path to this file.

This command writes the dccert.req file to the directory where you ran the command. Specify the full path to a different location.

3. Copy the dccert.req file to the computer that has access to the DigiCert PKI Platform 8 Certificate Service. How to issue the certificate varies depending on which Authentication Method you chose for Domain Controller for Windows Hello for Business profile. Here, we will go through the steps using commonly used Manual approval method.

1. Access certificate service link with browser. This link should have appeared in the PKI Manager after creating the profile
2. Input required enrollment information. Following is required:
   1. Common name: Machine name of the Domain Controller
      
   2. DNS Name: Fully qualified domain name of the Domain Controller
   3. CSR: Content of dccert.req generated on the previous step

4. In PKI Manager, go to Manage users, and approve the request.

5. The certificate will be sent to the requestor. Copy the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- and paste it into a file named dccert.pem in the Domain Controller.

6. Install the new certificate on the Domain Controller machine:

When successful, it should show the installed certificate as an output. Following shows an example:

Issuing Domain Controller Certificates with Microsoft® Autoenrollment

If you selected Microsoft® Autoenrollmentas Enrollment Method, follow the steps in this section.

After you have assigned access permissions to the Domain Controller template for the Domain Controllers, Domain Controller certificate will be issued automatically to the Domain Controllers. The timing depends on how the operating system handles them. To make sure that the certificate has been issued properly to the Domain Controllers, follow the direction below.

To check for Domain Controller certificate:

1. Sign in to the Domain Controller machine with Domain Admin equivalent credentials.
2. Open Microsoft Management Console by typing [Windows] + [R], type mmc, and click OK.
   
3. Add the Certificates Snap-in for the local computer.
   1. Open File menu, and select Add/Remove Snap-in...
      
   2. Select Certificates and click Add
      
   3. Select Computer account and click Next
      
   4. Select Local computer and click Finish
      
   5. Click OK to close the Add or Remove Snap-ins window
4. On the left pane, select Certificates (Local Computer) → Personal → Certificates and check if the Domain Controller certificate exists under here.
   

Setting Up Active Directory Federation Services

After certificate templates are imported and access permission is set, you will need to configure the Registration Authority templates to use for Windows Hello for Business with AD FS. This section covers the first part of “Active Directory Federation Services“ from the Microsoft official documentation, but provides little more information about what to specify for Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication template names when using DigiCert Autoenrollment Server.

To configure the Registration Authority:

1. Sign-in the AD FS server with Domain Admin equivalent credentials.
2. Open a Windows PowerShell prompt.
3. Enter the following command:
   
   Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate <Windows Hello for Business Enrollment Agent OID> -WindowsHelloCertificateTemplate <Windows Hello for Business Authentication OID> -WindowsHelloCertificateProxyEnabled $true
   
   
   For <Windows Hello for Business Enrollment Agent OID>, enter the OID for profile created using Microsoft® Enrollment Agent certificate template. For <Windows Hello for Business Authentication OID>, enter the OID for profile created using Windows Hello for Business Authentication certificate template. For example, it will look something like the following:
   
   Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate 2.16.840.1.113733.1.16.1.2.15.1.1.163810091 -WindowsHelloCertificateTemplate 2.16.840.1.113733.1.16.1.2.4.2.1.163810095 -WindowsHelloCertificateProxyEnabled $true

After above configuration is completed, continue from “Group Memberships for the AD FS Service Account” in “Active Directory Federation Services“ from the Microsoft official documentation. Additionally, make sure that ‘ugs' scope is configured correctly as mentioned in the Note section of the document. This is extremely important since provisioning will not start without this ‘ugs’ scope properly configured.

Adding User Principal Name to Service Account

This section will guide you on how to add User Principal Name (UPN) to Service Account. You will need to follow the direction here if your AD FS is configured to run using a Service Account. You can check whether AD FS is using Service Account by using the Services Tool (open Start Menu and type services). If Log On As for Active Directory Federation Services ends with '$' (dollar sign), this indicates that your AD FS is running using a Service Account.

UPN is required to identify the end entity of the issued certificate, but since Service Account does not have UPN by default, it is required that this information is filled out before issuing Enrollment Agent certificate to the Service Account.

To add UPN to Service Account:

1. Open Active Directory Users and Computers from Windows Administrative Tools.
2. Click View menu and enable Advanced Features by selecting the option. This will enable editing the attribute of the Service Account.
   
3. In the tree window at the left, collapse the domain in which the Service Account exists, and select Managed Service Accounts. Right-click the Service Account configured for AD FS and select Properties.
   
4. In the Properties dialog, select the Attribute Editor tab, scroll down and select userPrincipalName. Click Edit.
   
5. In the String Attribute Editor dialog, enter userPrincipalName of the Service Account. UPN will need to be in the format, <cn of the Service Account>$@<domain name>. For this example, the cn (or the shown name) of the Service Account is “gmsa_adfs”, and domain is “whfb.pkidev.bbtest.net”. Resulting UPN for this example will be “gmsa_adfs$@whfb.pkidev.bbest.net”.
   
6. Click “OK” twice to apply the change and close the dialogs.

Provisioning

After all configurations have been set and user logs on to their device, user should be prompted to provision Windows Hello for Business. Refer to “Sign-in and Provision” from the Microsoft official documentation for details.

Windows Hello for Business Authentication Certificate Lifecycle

Renewal

Renewal of the certificate will occur in the background automatically when the certificate nears the expiration period. But for the certificate to renew, it requires that user to be logged in to the machine. If the user misses the renewal period for some reason, certificate will reach expiration.

During Windows Hello for Business Authentication certificate renewal, only the certificate information is updated (such as validity notBefore and notAfter) and asymmetric keys are not regenerated.

Expiration

When the automatic renewal does not occur during the renewal period for some reason, certificate will expire. But users should be able to log on to their machine using the Windows Hello credential for the first time after certificate reaches the expiration. After successful login, the operating system will try to re-issue the certificate in the background. If the user logs out of the machine before this takes place, user will not be able to login using their Windows Hello credential, with screen like below.

User will need to login using Active Directory credential if this happens, but Windows Hello credential should be re-issued after sometime automatically after successful login.

During re-issuance, only the certificate information is updated (such as validity notBefore and notAfter) and asymmetric keys are not regenerated.

Revocation

When Windows Hello for Business Authentication certificate is revoked, user will not be able to login using their Windows Hello credential, with screen like below.

The timing that OS identifies that the certificate is revoked depends on the update time of CRL or OCSP, so it may not be reflected immediately after the certificate is revoked.

User will need to reset Windows Hello credential by such method as using “I forgot my PIN” in the login screen. See below “Reset” for more details.

Reset

When user resets their Windows Hello credential such as using “I forgot my PIN” in the login screen, user will be re-provisioned and certificate will be issued again. Asymmetric keys will be regenerated and new certificate will be issued.

Troubleshooting

Refer to the following documents for troubleshooting.

• Windows Hello for Business Deployment Known Issues

• Windows Hello errors during PIN creation