Thank you legends for putting this video together! We recently deployed hybrid cloud trust, works a treat. One gotcha I came across were a few built-in AD group memberships. Once removed everything worked perfectly. 👍
Can you provide more detail on this? AD group memberships on what object? Also, did you AAD Connect sync your domain controllers? I feel like Steve was saying the only OU he sync'd was the User OU.
Congrats guys for this channel and for helpful videos. You rock ❤
Awesome, these videos are invaluable when they don't have first time successes , so the troubleshooting is on the fly and more real world, thanks for making this (and all the other ) videos
Why didn't I remember you guys for this long. I'll nail this tomorrow. ;)
@39:52 hats off to you. After resetting WHfB, it worked
Thank you for this video, guys 🙂 but I have a question. What about enterprise authentication on wifi with local windows server NPS and Azure AD joined computers with hybrid cloud trust? Thanks 🙂
I have same question.
When you hit the sync button "multiple times" - I realise I wasn't alone in this world LOL.
What about onprem printers? I am okay with file access.
We would like to migrate from WHfB key trust to cloud trust. Will the creation of the new computer and user object have an impact/influence on the existing AZUREADSSOACC computer and krbtgt user object? I only want to be sure before implementing. I did not find any answer to it, maybe because there is no dependency between these objects. Thank you!
Following
Any update??
Should work seamlessly. Just be sure to disable the key trust policy and enable the cloud trust policy
Great topic, helped me out very well! But do I have to execute the certutil -deletehellocontainer for all users to use this functionality on existing devices?
You shouldn’t have to run that but it likely can’t hurt either.
Who let the dads out?!
Thanks for the video. However, it seems to only be working for us for roughly 20 minutes before it asks for credentials again? To be specific, it's when we're connecting to a file share etc. using the DNS name of the server (the message that comes up is 'The system cannot contact a domain controller to service the authentication request'), but when connecting through IP address to all servers (including all the DCs) it works every time, so clearly we have visual sight and a connection to them.
A sign out and sign back into the client device gets it working again with the DNS name of the servers, but we can't really be asking end users to be signing out/in every 20 minutes to keep their stuff working. Any ideas? Is there a TTL we have to set somewhere maybe?
A quick question: where are ADFS and VPN used in this scenario? Is all that is needed just the Kerberos server which is created automatically in the Domain Controller OU and the OMA-URI settings for cloud trust pushed to the machines? Doesn't make much sense? Or am I missing something? Thank you very much for any hints someone might have ;)
Thanks for the video guys, I have got cloud trust working 🙂
However, we utilise DFS namespaces heavily within our AD environment. Is there a way for Windows 10 22H2 AAD joined machines with Windows hello for business enabled and Cloud Trust to access on-premises active directory DFS namespaces / shares?
Thanks for the tutorial. Appreciate leaving in the niggles along the way.
Quick question. Is this suitable if you had an on-prem SQL database using windows credentials for auth? could you authenticate with the Windows Hello pin?
To channel my inner consultant, it depends upon the version of SQL, and how the authentication has been set up on the SQL instance/database.
In saying that, it "should" work if you're using AD-backed usernames and passwords for authentication today.
I am wondering if you guys could help me out. When setting up WHFB everything works great, but Microsoft allows for this to be bypassed with a simple change of sign-on. You can require smart card logon or disable the password provider, but then new users to that computer cannot log in to set up WHFB. How is there not a fix to say "require WHFB to log in to the PC, and if you don't have it set up, you are required to set it up to log on"? Since setting up WHFB requires an MFA prompt, it would still satisfy multi-factor auth. We are not ready to go completely passwordless, but this feels like an easy fix for Microsoft to help the transition. Just don't know what I'm missing.
Would be awesome if you guys could do a video discussing MacOS and how to setup passwordless login (if possible), like whfb on Windows devices. We'd like to go down the road of passwordless but not sure how to handle such with Mac and Windows devices using Intune.
Does the Schema Master role still need to be applied to a 2016 or above server for this to work?
In this scenario there are 4 domain controllers: 2 are 2012 and 2 are 2016. The schema master and PDC roles are on 2012 R2; however, the functional level is Windows Server 2012 R2 and the schema version is 88 (Windows Server 2019).
In your key trust videos this seems to be a requirement but was not mentioned in this one; can this be skipped?
Thanks for this great video.
But one question;
Didn't you just have to wait for an AD sync to run again, instead of using certutil -deletehellocontainer, for it to work??
Nope. Cloud trust doesn’t care about the sync cycle. That’s why it’s superior to key and cert trust.
syfuhs.net/windows-hello-cloud-trust
Hi, has anyone had success in getting HfB working with Remote App? I have created a new certificate based on the Smart Card Logon which has worked for straight forward RDP, but it falls down when testing a remote app connection. "the specified username does not exist" error is received.
can you run a vid that shows how to setup HC without AD Connect? So a new AD to a new AzureAD - or do you need to have AD Connect for the user sync?
LOL, I've been trying to figure out for the last 20 minutes why this wasn't working for me until I realized I still had the "Windows Hello for Business Certificate trust" policy enabled along with the Cloud trust policies. If both are enabled, it will enforce the Certificate trust policy.
Great video. Is it possible to still have SSO to onprem resources from an Azure only joined machine if Windows Hello for Business is not enabled or used in our organization?
AzureAD Connect Cloud Sync is what we used to sync the two, and then onprem resources were accessible.
Busy setting up WHFB and I'm stuck: my AD domain name is different to my Cloud domain name. What is the PS command for this? Anybody?
Do you guys have a video that goes into hybrid versus joined? I'm trying to figure out whether or not my organization can just go straight to joined. We have a lot of on-prem resources and I can't seem to come up with a definitive answer. We are already running AAD Connect.
No we don't. We don't believe that there are any cases where Hybrid is necessary (existing devices managed by Intune should be Hybrid, but any new devices should be AADJ).
I was waiting for this one to appear ;-) great stuff as always! Now, we have a couple of web apps (on prem) not working with this (and MS support won't aid in the support cos Cloud trust is in preview). So I went through the hassle of setting up Key trust, just to check, but to no avail. Those apps still won't send me tickets (unless I provide them UPN/password, which pops up). Any tip on sources for troubleshooting this? edit: file shares + other stuff is OK, so that confirms the setup is good.
Long and the short of it is that you need to ensure the web app supports Kerberos authentication; if it doesn't, then you'll be in the situation you are in.
@@IntuneTraining In case someone else encounters this: got to the bottom of this (with MS support). Solution: adding those on-prem web apps to the browser's local intranet site zone/trusted site zone (with auto logon with username + pw).
Anyone else run in to this error while trying to create the Kerberos Server object?
"The Azure AD Kerberos Server object in Active Directory is missing required properties. Property: UserAccount.SecondaryKrbTgtNumber Value:0"
Is it true that when using AD Connect to sync a local AD to AAD, if you use 'Exchange Online' you must have an Exchange on-prem server and must maintain EXO via the on-prem Exchange management tools?
TL;DR: you can drop the on-prem Exchange server, but need to continue to manage the attributes on-prem using a new PowerShell module.
practical365.com/a-new-tool-to-manage-exchange-related-attributes-without-exchange-server/
Sup gentlemen! Happy Season QUATRO !
Did you guys test the Intune agent on Linux yet? That will be fun!
The what? What is it doing on Linux?
After deploying this I am getting " Incorrect PIN" I have tried resetting the PIN multiple times but still no luck, anyone seen anything like this?
Hello Sir, just want to know: if we plan to use cloud Kerberos trust in our hybrid environment, do we need to purchase any license for Windows Hello for Business, such as a P1 or P2 subscription? Please suggest.
Does this work for federated identities? Federated domains rather.
I'm seeing "Cloud TGT: no" when running the dsregcmd command. Any ideas?
Well, it fixed itself after some time. Setting this up for Hybrid Azure AD joined devices is still a little complex. I had to combine Intune Account Protection policies and a GPO setting to not provision after login to get it all working.
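The "Cloud TGT: no" symptom above is read straight off dsregcmd /status, so a quick triage is to parse that output and check the handful of fields that cloud Kerberos trust depends on. The script below is an added example written for this comment thread; it is not from the video or the channel. The field names it looks for (AzureAdJoined, AzureAdPrt, OnPremTgt, CloudTgt, KerbTopLevelNames) are my reading of the dsregcmd /status layout, the sample output is constructed, and the "check" hints are triage suggestions rather than definitive causes.

```powershell
# Added example: parse dsregcmd /status and report the SSO-state fields that
# matter for cloud Kerberos trust. Field names are an assumption drawn from the
# usual dsregcmd layout; compare against your own machine's output.

function ConvertFrom-DsregStatus {
    param([Parameter(Mandatory)][string[]]$Lines)
    $result = @{}
    foreach ($line in $Lines) {
        # Lines look like "      CloudTgt : YES"; the first colon is the separator.
        if ($line -match '^\s*([^:]+?)\s*:\s*(.*)$') {
            # Normalise "Cloud TGT" / "CloudTgt" to one key so both spellings match.
            $key = ($Matches[1] -replace '\s', '').ToLowerInvariant()
            $result[$key] = $Matches[2].Trim()
        }
    }
    return $result
}

function Test-CloudTrustReadiness {
    param([Parameter(Mandatory)][hashtable]$Status)
    $findings = New-Object System.Collections.Generic.List[string]
    $checks = @(
        @{ Key = 'azureadjoined'; Expect = 'YES'; Hint = 'device is not Azure AD joined / hybrid joined' },
        @{ Key = 'azureadprt';    Expect = 'YES'; Hint = 'no PRT; sign in with the Azure AD identity first' },
        @{ Key = 'cloudtgt';      Expect = 'YES'; Hint = 'no cloud TGT; check the Azure AD Kerberos server object and the cloud trust policy' },
        @{ Key = 'onpremtgt';     Expect = 'YES'; Hint = 'no on-prem TGT; check line of sight to a domain controller' }
    )
    foreach ($c in $checks) {
        $actual = if ($Status.ContainsKey($c.Key)) { $Status[$c.Key] } else { '<missing>' }
        if ($actual -ne $c.Expect) {
            $findings.Add(("{0} = {1}: {2}" -f $c.Key, $actual, $c.Hint))
        }
    }
    if ($Status.ContainsKey('kerbtoplevelnames') -and -not $Status['kerbtoplevelnames']) {
        $findings.Add('KerbTopLevelNames is empty: no on-prem realm names came back with the cloud TGT')
    }
    return $findings
}

# Constructed sample output (abridged) reproducing the "Cloud TGT: no" symptom.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                          |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| SSO State                                                             |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
                 OnPremTgt : NO
                  CloudTgt : NO
         KerbTopLevelNames :
'@ -split "`r?`n"

$parsed   = ConvertFrom-DsregStatus -Lines $sample
$findings = Test-CloudTrustReadiness -Status $parsed
if ($findings.Count -eq 0) { 'Cloud Kerberos trust prerequisites look satisfied.' }
else { $findings | ForEach-Object { "FAIL  $_" } }

# Against the real machine instead of the constructed sample:
# $parsed = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
```

Run it in the user's session (not an elevated admin session), because the PRT and TGT fields describe the signed-in user, and run it again after the sign-out/sign-in that several commenters mention so the before/after states can be compared.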
Hi Brother, I liked your videos about WHFB; Can I request you create another WHFB videos regarding device registration, provision and "authentication" flow in detail please?
I configured this in a pilot after following this vid, so thanks. However I notice my laptop still defaults to username/password until I click 'Sign-in Options'. How do I default the sign-in method to PIN?
Do you have your policy set to NOT keep the last logged on username? If so, turn that policy off and you should see that it will default to the last used logon method.
@@IntuneTraining good shout, yes we do. I'll check this out thanks 👍
@@IntuneTraining worked like a charm. Thank you 👍
It works, but once the PC reboots it asks for creds. Does this need to be done on each DC? we
Each domain but not each DC
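For the "each domain but not each DC" point above, and for the earlier comment about the Kerberos Server object reporting missing properties, here is an added example of doing the creation and verification per domain in a loop. It is not the video's or the channel's script; it uses the Get-AzureADKerberosServer and Set-AzureADKerberosServer cmdlets from Microsoft's AzureADHybridAuthenticationManagement module. The domain names and UPN are constructed placeholders, the property names it compares (Id, CloudId, KeyVersion, CloudKeyVersion, KeyUpdatedOn) are my reading of what Get-AzureADKerberosServer returns, and the key-age threshold is a local policy choice, not a Microsoft requirement.

```powershell
# Added example: create or verify the Azure AD Kerberos server object once per
# AD domain. Without -Apply it only reports; with -Apply it creates a missing
# object or rotates a stale/mismatched key.
#Requires -Modules AzureADHybridAuthenticationManagement
param(
    [string[]]$Domains = @('corp.example.com', 'child.corp.example.com'),  # placeholders
    [string]$CloudAdminUpn = 'admin@example.onmicrosoft.com',              # placeholder
    [int]$MaxKeyAgeDays = 180,   # assumption: local rotation policy for krbtgt_AzureAD
    [switch]$Apply
)

function Test-KerberosServerObject {
    # Returns a list of problems; an empty list means the object looks healthy.
    param([AllowNull()]$Object, [int]$MaxAgeDays)
    $problems = @()
    if (-not $Object -or -not $Object.Id) { return @('object is not present in this domain') }
    if ($Object.CloudId -ne $Object.Id) {
        $problems += "on-prem Id $($Object.Id) does not match cloud Id $($Object.CloudId)"
    }
    if ($Object.CloudKeyVersion -ne $Object.KeyVersion) {
        $problems += "key version mismatch: AD=$($Object.KeyVersion) cloud=$($Object.CloudKeyVersion)"
    }
    if ($Object.KeyUpdatedOn -and ((Get-Date) - [datetime]$Object.KeyUpdatedOn).TotalDays -gt $MaxAgeDays) {
        $problems += "key last rotated $($Object.KeyUpdatedOn), older than $MaxAgeDays days"
    }
    return $problems
}

# One Domain Admin credential reused for every domain; the Global Admin sign-in
# is prompted per cmdlet via -UserPrincipalName.
$domainCred = Get-Credential -Message 'Domain Admin credentials for the on-prem domains'

foreach ($domain in $Domains) {
    $obj = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudAdminUpn -DomainCredential $domainCred
    $problems = Test-KerberosServerObject -Object $obj -MaxAgeDays $MaxKeyAgeDays

    if ($problems.Count -eq 0) {
        Write-Host "[$domain] Kerberos server object OK (key version $($obj.KeyVersion))"
        continue
    }
    $problems | ForEach-Object { Write-Warning "[$domain] $_" }
    if (-not $Apply) { Write-Host "[$domain] re-run with -Apply to create or rotate"; continue }

    if (-not $obj -or -not $obj.Id) {
        # Creates the krbtgt_AzureAD user and AzureADKerberos computer object in this
        # domain and registers the key with Azure AD.
        Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudAdminUpn -DomainCredential $domainCred
    } else {
        # Object exists but the key is stale or out of sync: rotate it on both sides.
        Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudAdminUpn -DomainCredential $domainCred -RotateServerKey
    }
    $after = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudAdminUpn -DomainCredential $domainCred
    Write-Host "[$domain] now at key version $($after.KeyVersion) (cloud $($after.CloudKeyVersion))"
}
```

The design point is that the object is a per-domain artefact: it lives once in each domain's AD (the commenter's DC count is irrelevant), and the verification compares the AD copy against what Azure AD holds, which is exactly the pairing that breaks when one side has been updated without the other.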
Thank you for this great video.
I've actually been trying to implement this for about a month now, but keep hitting a wall in that I get the following error message on my production environment:
"That option is temporarily unavailable. For now, please use a different method to sign in."
On my test environment it works perfectly and the above error happens after successful setup according to logs and shows after I restart and want to sign in.
Any ideas, or is there someone that I can maybe chat to?
P.S. I've logged this with Microsoft but the ticket has been pending for like 3 weeks now and this is across the board with all users on a HAADJ environment that has never been merged with AAD.
What was the person on twitter that we should be following, you mention Steve?
@SteveSyfuhs
A user failed to sign into the device with the following information:
Username: SYSTEM
User SID: SYSTEM
Credential Type: Software Key
Deployment Type: Cloud Trust
Software Lockout Counter: 0
Authentication Error Status: 0xC00000BB
Authentication Error Substatus: 0x0
What the hell does it mean?
Hi Guys, thanks for the nice content :) Can I configure Hybrid Cloud Trust on Azure Virtual Desktop Multi-Session Hosts (Azure AD Joined) to SSO to on-prem resources?
Yes