I set up a test environment consisting of a Windows 2016 evaluation
server and a Windows 10 eval too, so you can tag along.
Concerning the provisioning for key trust, it looks like the Enterprise
Device Registration Service is the one doing most of the work; since
there is little if any documentation about it, I prefer on my side to
focus on the day-to-day auth flow.
It looks like the easiest to implement would be the certificate trust
(https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning),
since it is installed into the personal store of the user. And it is
probably very similar to a smart key process (if you can believe that
https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication
is true).
Vincent
On 9/30/20 1:04 AM, Mason Schmitt via samba wrote:
>> I am not that experienced about it^^
>> I think that one first step would be to strip the registration (key
>> trust on my side), and once that would have been done submit the
>> results to the samba team and see if it is worth funding/implementing.
>> As I am not part of the samba team I cannot say more.
>>
>
> It sounds like you're suggesting that you're going to strictly
> focus on what the regular day to day authentication process looks like
> for WHFB. In other words, just the PC to AD authentication piece and not
> the initial self-registration with ADFS. My guess is that subsequent
> steps would be to:
> - confirm what needs to be stored in LDAP and what format it is stored in
> - determine what registry keys and/or other configurations are changed on
> the PC, that tell Windows Logon to request a PIN for unlocking the TPM and
> then initiate the PKINIT authentication process
>
> I don't have access to a functioning WHFB environment, so I'm not
> sure how to help right now - other than offer encouragement and ideas.
>
> --
> Mason
>