Commit 054d576

Merge pull request #89670 from mardahl/patch-3
Update howto-authentication-passwordless-security-key-on-premises.md
2 parents 8bdec58 + 9d7dac7 commit 054d576

1 file changed

+29
-0
lines changed

articles/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises.md

Lines changed: 29 additions & 0 deletions
@@ -98,6 +98,7 @@ Run the following steps in each domain and forest in your organization that cont
9898
1. Open a PowerShell prompt using the Run as administrator option.
9999
1. Run the following PowerShell commands to create a new Azure AD Kerberos Server object both in your on-premises Active Directory domain and in your Azure Active Directory tenant.
100100

101+
### Example 1 prompt for all credentials
101102
> [!NOTE]
102103
> Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
103104
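Review bot: the new `### Example 1 prompt for all credentials` heading is inserted inside numbered step `1. Run the following PowerShell commands ...` and at the same level as the later section heading `### View and verify the Azure AD Kerberos Server`, so the examples will render as siblings of that section and the list numbering of the step is interrupted. Consider a lower-level heading or a bold lead-in, and a separator between the number and the description, e.g. `Example 1: prompt for all credentials`, applied consistently to all four examples.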
@@ -117,6 +118,7 @@ Run the following steps in each domain and forest in your organization that cont
117118
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
118119
```
119120

121+
### Example 2 prompt for cloud credential
120122
> [!NOTE]
121123
> If you're working on a domain-joined machine with an account that has domain administrator privileges, you can skip the "-DomainCredential" parameter. If the "-DomainCredential" parameter isn't provided, the current Windows login credential is used to access your on-premises Active Directory Domain Controller.
122124
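Review bot: heading wording is inconsistent within this PR: this one reads `prompt for cloud credential` (singular) while the new Example 4 reads `prompt for cloud credentials`; pick one form. This heading also sits inside the numbered step at the same level as the surrounding `###` sections, so it has the same list-breaking effect as the Example 1 heading.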
@@ -134,6 +136,7 @@ Run the following steps in each domain and forest in your organization that cont
134136
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred
135137
```
136138

139+
### Example 3 prompt for all credentials using modern authentication
137140
> [!NOTE]
138141
> If your organization protects password-based sign-in and enforces modern authentication methods such as multifactor authentication, FIDO2, or smart card technology, you must use the `-UserPrincipalName` parameter with the User Principal Name (UPN) of a global administrator.
139142
> - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
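Review bot: the heading `Example 3 prompt for all credentials using modern authentication` does not tell the reader what differs from Example 1. From the command in this block (`-UserPrincipalName $userPrincipalName -DomainCredential $domainCred`) the difference is that the cloud side is an interactive modern-authentication sign-in for the named UPN while the domain side still prompts for a credential; stating that in the heading (for example `Example 3: domain credential prompt, interactive sign-in for the cloud account`) would help readers choose the right variant.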
@@ -156,6 +159,26 @@ Run the following steps in each domain and forest in your organization that cont
156159
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred
157160
```
158161

162+
### Example 4 prompt for cloud credentials using modern authentication
163+
> [!NOTE]
164+
> If you are working on a domain-joined machine with an account that has domain administrator privileges and your organization protects password-based sign-in and enforces modern authentication methods such as multifactor authentication, FIDO2, or smart card technology, you must use the `-UserPrincipalName` parameter with the User Principal Name (UPN) of a global administrator. And you can skip the "-DomainCredential" parameter.
165+
> - Replace `contoso.corp.com` in the following example with your on-premises Active Directory domain name.
166+
> - Replace `[email protected]` in the following example with the UPN of a global administrator.
167+
168+
```powershell
169+
# Specify the on-premises Active Directory domain. A new Azure AD
170+
# Kerberos Server object will be created in this Active Directory domain.
171+
$domain = "contoso.corp.com"
172+
173+
# Enter a UPN of an Azure Active Directory global administrator
174+
$userPrincipalName = "[email protected]"
175+
176+
# Create the new Azure AD Kerberos Server object in Active Directory
177+
# and then publish it to Azure Active Directory.
178+
# Open an interactive sign-in prompt with given username to access the Azure AD.
179+
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
180+
```
181+
159182
### View and verify the Azure AD Kerberos Server
160183

161184
You can view and verify the newly created Azure AD Kerberos Server by using the following command:
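Review bot: the note's closing sentence `And you can skip the "-DomainCredential" parameter.` is a fragment; fold it into the preceding sentence and, for consistency with the Example 2 note, say what happens when the parameter is omitted, i.e. the current Windows logon credential is used against the on-premises domain controller. The same fact belongs in the code comments, since the reader should know which identity creates the object in Active Directory when no `-DomainCredential` is passed. Also tidy the last comment to `# Opens an interactive sign-in prompt for the given UPN to access Azure AD.`, use `If you're` as the existing Example 2 note does, and collapse the doubled blank lines before the opening fence and after the closing fence to one.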
@@ -263,6 +286,12 @@ Make sure that enough DCs are patched to respond in time to service your resourc
263286
> [!NOTE]
264287
> The `/keylist` switch in the `nltest` command is available in client Windows 10 v2004 and later.
265288
289+
### What if I have a CloudTGT but it never gets exchange for a OnPremTGT when I am using Windows Hello for Business Cloud Trust?
290+
291+
Make sure that the user you are signed in as, is a member of the groups of users that can use FIDO2 as an authentication method, or enable it for all users.
292+
293+
> [!NOTE]
294+
> Even if you are not explicitly using a security key to sign-in to your device, the underlying technology is dependent on the FIDO2 infrastructure requirements.
266295
267296
### Do FIDO2 security keys work in a Windows login with RODC present in the hybrid environment?
268297
