{"id":1307,"date":"2022-07-15T07:00:00","date_gmt":"2022-07-15T05:00:00","guid":{"rendered":"https:\/\/scloud.work\/?p=1307"},"modified":"2023-08-18T09:16:04","modified_gmt":"2023-08-18T07:16:04","slug":"windows-hello-for-business-cloud-trust-hybrid","status":"publish","type":"post","link":"https:\/\/scloud.work\/windows-hello-for-business-cloud-trust-hybrid\/","title":{"rendered":"Windows Hello for Business - Cloud Trust - Hybrid"},"content":{"rendered":"\n
With the \"Hybrid Cloud Trust Deployment\" it is finally possible to log on to local \/ on-premises resources with Windows Hello (face, PIN, key) without much effort. This was previously only possible with great effort and in connection with a CA (Certificate Authority).\n\n
First, we install the module, for example on the Azure AD Connect server. The easiest way to do this is with PowerShell (run as administrator):\n\n
# First, ensure TLS 1.2 for PowerShell Gallery access.\n[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12\n\n# Install the Azure AD Kerberos PowerShell module.\nInstall-Module -Name AzureADHybridAuthenticationManagement -AllowClobber\n\n\nSecond, we now create the Kerberos server object:\n\n
$Domain = $env:USERDNSDOMAIN\n$CloudUPN = Read-Host \"A Global Administrator in your Azure AD.\"\n$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD admin\n\n# Create and publish the new Azure AD Kerberos Server object\nSet-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred\n\n# Verify the Kerberos server object\nGet-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred\n