0 Votes
Gabriel-3091 asked Gabriel-3091 answered

Smart-card or FIDO2 key login


Hello,

So I've enabled the smart card services on Win 2k19 and installed IIS. I've also enabled the GPO for smart-card authentication and Windows Hello for Business on the server. Could someone provide a step-by-step on actually enrolling the Yubi key? I have joined the domain on a Windows 10 Enterprise laptop but it doesn't seem to want to use the Yubi key for login.

I also have a FIDO2 compatible USB key, but it seems that it's only valid for use when logging onto websites and not the computer.

I'm very new to this, so any help would be appreciated. I've tried to follow the guides from Microsoft, but my test environment is only on-premise. My production environment is Azure-AD hybrid. I'm trying to enable this ONLY for my user as a test and do not want to make GPOs that affect the entire domain, which is why I set up a test server. I'm not sure how to get this done in the production environment without affecting ALL users, which is not what I am wanting to do.

The tutorials I've found from the vendor are out of date and I'm trying to get this to work for an on-premise AD configuration. I want to use either the Yubi 4 key or the FIDO2 key. The Yubi 4 key doesn't seem to be compatible with Windows Hello, but the FIDO key only works for web browser logins - not for logging into Windows.

Thanks,

Gabriel

windows-server-2019

0 Votes
JennyYan-MSFT answered

Hi Gabriel,

It seems like your request is related to Multi-Factor Authentication, which might be supported in the "azure-ad-multi-factor-authentication" forum, like below.
Example thread: MFA on-premise
https://docs.microsoft.com/en-us/answers/questions/10804/mfa-on-premise.html

In the meantime, I also did some research in order to provide more details if possible, but only found the same links, directed to either from Microsoft or from the Yubico website:
1. Integrated with Microsoft account:
https://www.yubico.com/sg/works-with-yubikey/catalog/microsoft-accounts/
2. Sign in to your Microsoft account with Windows Hello or a security key
https://support.microsoft.com/en-us/windows/sign-in-to-your-microsoft-account-with-windows-hello-or-a-security-key-800a8c01-6b61-49f5-0660-c2159bea4d84

3. Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices
https://www.microsoft.com/en-us/microsoft-365/blog/2018/04/17/windows-hello-fido2-security-keys/

4. Secure password-less sign-in for your Microsoft account using a security key or Windows Hello
https://www.microsoft.com/en-us/microsoft-365/blog/2018/11/20/sign-in-to-your-microsoft-account-without-a-password-using-windows-hello-or-a-security-key/

Please kindly check the above links and raise separate threads in the "azure-ad-multi-factor-authentication" forum to find out more details on MFA methods.



Hope this helps and please help to accept as Answer if the response is useful.

Thanks,
Jenny


0 Votes
Gabriel-3091 answered

I want to use a key to sign onto Windows - not just a browser.

I enabled MFA for my user account and it then prevented me from signing onto my Exchange server through Outlook, which is a no go.

I've tried the GPO for WHFB (Windows Hello for Business), I have MFA for FIDO2 keys enabled for my user in Azure, and all that. I've followed Microsoft guides, Yubi guides, etc., and cannot get what I would like. I either want to use the FIDO2 key or the Yubi4 key to log into the desktop - NOT the browser.

Thanks,
Gabriel
