Windows Hello for Business under 24.2

I'm struggling to find adequate documentation on WHfB compatibility under 24.2. I've pieced together some information from various discussions on this forum and what tidbits are mentioned in official documentation.

Most of our fleet are hybrid joined AD & AAD so that the user logs in via local AD at the login screen but is also connected to AAD automatically.

According to 24.2 documentation and release announcements, WHfB should allow Zen login under both AAD-Only and Hybrid. In my experience so far, it works under AAD-Only but not Hybrid. This may be a configuration issue but there is virtually no documentation to help guide a proper configuration.


AAD-Only device, AlternateAzureDomain NOT SET
-using a password, the AAD device will automatically authenticate Zenworks against local AD user source, not AAD. I assume this is some sort of password handoff login process and I was surprised to see it worked like this.
-WHfB login will not authenticate Zen.

AAD-Only device, AlternateAzureDomain registry value set to netbios name of my local AD
-Zen will prompt for an AAD login after reaching the desktop. This prompt clearly displays the full email address of the user it detected and directs me to log in to Azure with the same user.
-Works with WHfB or password login.

Hybrid device, AlternateAzureDomain NOT SET
-Zen only authenticates after logging in to Windows with a password.
-WHfB login results in Zen not logged in.

Hybrid device, AlternateAzureDomain registry value set to netbios name of my local AD
-Zen will prompt for AAD login, however Zen is displaying the short username, not the full email address of the user as it did on the AAD-Only device. If I proceed to log in anyway, this results in an error stating that I have logged in with the wrong account and to pick the account that matches. I suspect it is failing to detect the full AAD user name.


What does AlternateAzureDomain do? Does it help Zen locate the username to match against Azure? If so, why does this not work in a hybrid configuration? I tried domain suffix of both Azure and local AD to no avail.

Does WHfB Zen login require the use of an Azure AD user source or can it be used against a local AD source? This is never clearly stated. Documentation only says that both AAD-Only and Hybrid are supported but mentions needing a specific kind of user source.

Whenever AlternateAzureDomain is not set (or is set to a value that isn't helping), upon logging in on a hybrid device via WHfB, the zmd messages log displays a line that states that WHfB is skipped because this isn't a domain login. There are no other useful WHfB log entries with log in debug mode.

I also tried tinkering with the local AD user UPN suffix to match the Azure FQDN but that makes no difference. This is a common scenario where the Azure FQDN and email domain (domain.org) don't match the local AD FQDN and UPN suffix (domain.net), so the local AD user's UPN suffix is updated to match Azure/email (upn=user@domain.org). I almost didn't want to mention this because I didn't want to create any confusion, but I tried it both ways so that probably isn't a factor.

Is there any better documentation out there or does anyone have WHfB working with Zen on hybrid devices that might share their configuration?


  • 0  

    Yes, documentation around WH4B is lacking.

    To work with an Active Directory User Source, it must be configured to use Kerberos.  WH4B, unlike most other credential providers including Windows Hello (not 4B), passes use of the credentials.

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • 0 in reply to   

    Thanks for the reply. We're already using Kerberos. I went ahead and tested Kerberos and it works just fine in scenarios other than WHfB logins. In fact there is no sign of any Kerberos activity in any logs when using WHfB logins. (Checked ats log, local debug logs, Event viewer with kerberos logging enabled, domain controller, no new ticket shown running "klist tickets") 

    Earlier I mentioned that upon attempting WHfB login without setting AlternateAzureDomain, I saw a message in the log, so here is that:

    [DEBUG] [07/22/2024 18:57:06.186] [3084] [ZenworksWindowsService] [53] [] [WHFB] [] [Performing Hello Login for user : realm is Username:DOMAIN] [] [] [] [ZENworks Agent]
    [DEBUG] [07/22/2024 18:57:06.186] [3084] [ZenworksWindowsService] [53] [] [WHFB] [] [Skip Hello Login as is not a domain login] [] [] [] [ZENworks Agent]

    Here, DOMAIN is our NetBIOS domain name. I have attempted setting a domain alias on the user source that matches our NetBIOS domain name but I get the same result. Documentation says domain alias only affects mobile devices anyway, but I'm just being thorough.

    Are there other registry settings or caveats to WHfB that we should employ? Why does WHfB not see this as a domain login, or what does that message indicate? 



  • 0   in reply to 

    I've reached out to you offline...


  • 0   in reply to   

    FYI......

    I have a Ticket Open with Dev based on a couple of customer issues.

    In short, AlternateAzureDomain is only for Azure not Domain/Hybrid setups but they will likely be adding a registry key for those setups.  In short, sometimes there is a disconnect between the expected and actual domain values so we are not detecting things properly. 


  • 0 in reply to   

    I did some digging also looking for documentation but short of the "What's New" section I didn't find anything else.  All our devices are hybrid joined AD so that the user logs in via local AD at the login screen but is also connected to AAD automatically.  Are there additional undocumented settings in ZCC that need to be made to get WH4B working?  Kerberos is configured.

    Before 24.2 I was able to use the workaround using zac zen-login in a bundle running at login.  That seems to no longer work along with manually doing the sign in from the agent icon with no password.

  • 0   in reply to 

    Open an SR and let me know the ticket #.

    Normally, working Kerberos is sufficient but there are some scenarios where an additional client patch may be required.

    It fixed one of my two customers, though one is still having Kerberos issues so until we resolve that we cannot be sure if the patch worked for them, but based on logs I believe it will.


  • Suggested Answer

    0   in reply to   

    Thanks....

    I have grabbed your SR and sent you a test patch.

    What I saw in a couple of prior cases, we had an issue in which under some cases we were not properly detecting the user's UPN as part of the domain for which Kerberos was configured, so we were skipping attempting to logon with the Windows Hello for Business Credential Provider.  The test patch may resolve that.

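A diagnostic script, added here as an example and not taken from the thread or from the ZENworks agent, that gathers on one hybrid device the facts the last reply says the agent compares before attempting a WHfB login: the Windows logon realm (NetBIOS and DNS), the user's UPN suffix, the device join state, and whether a Kerberos TGT for the configured realm exists in the current logon session. It uses only stock Windows tools (whoami, dsregcmd, klist). The -KerberosRealmDns parameter is an assumption standing in for the AD DNS domain configured on the ZENworks Kerberos user source; it defaults to the machine's own domain. Run it in the user's session right after a WHfB login to see the same mismatch the agent would see.

```powershell
# Added diagnostic example; not part of the thread or of the ZENworks agent.
# ASSUMPTION: -KerberosRealmDns is the AD DNS domain configured on the
# ZENworks Kerberos user source (e.g. domain.net). Default: this machine's domain.
param(
    [string]$KerberosRealmDns = $env:USERDNSDOMAIN
)

$ErrorActionPreference = 'Continue'

# Logon identity as Windows reports it for this session.
$netbiosDomain = $env:USERDOMAIN
$dnsDomain     = $env:USERDNSDOMAIN
$upn           = & whoami.exe /upn 2>$null | Select-Object -First 1
$upnSuffix     = if ($upn -and $upn.Contains('@')) { $upn.Split('@')[-1] } else { $null }

# Device join state from dsregcmd: hybrid = DomainJoined and AzureAdJoined both YES.
$dsreg         = & dsregcmd.exe /status
$domainJoined  = [bool]($dsreg | Select-String -Pattern 'DomainJoined\s*:\s*YES')
$azureAdJoined = [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

# Kerberos: does this logon session hold a TGT (krbtgt/...) for the expected realm?
$klist          = & klist.exe tickets
$tgtLines       = $klist | Select-String -Pattern 'krbtgt/'
$hasTgtForRealm = [bool]($tgtLines | Where-Object { $_.Line -match [regex]::Escape($KerberosRealmDns) })

# One-screen report of everything the agent would have to reconcile.
[pscustomobject]@{
    NetBiosDomain    = $netbiosDomain
    DnsDomain        = $dnsDomain
    UPN              = $upn
    UpnSuffix        = $upnSuffix
    KerberosRealmDns = $KerberosRealmDns
    UpnMatchesRealm  = [bool]($upnSuffix -and ($upnSuffix -ieq $KerberosRealmDns))
    DomainJoined     = $domainJoined
    AzureAdJoined    = $azureAdJoined
    HybridJoined     = ($domainJoined -and $azureAdJoined)
    HasTgtForRealm   = $hasTgtForRealm
} | Format-List

# Flag the condition the last reply describes: a UPN suffix (e.g. domain.org)
# that is not the DNS name of the realm Kerberos is configured for (e.g. domain.net).
if ($upnSuffix -and -not ($upnSuffix -ieq $KerberosRealmDns)) {
    Write-Warning "UPN suffix '$upnSuffix' differs from Kerberos realm '$KerberosRealmDns'; per the thread this is the case the agent was not detecting correctly."
}
if (-not $hasTgtForRealm) {
    Write-Warning "No krbtgt ticket for '$KerberosRealmDns' in this logon session; compare with the thread's observation that WHfB logins showed no Kerberos activity."
}
```

The report is worth capturing alongside the zmd debug log when opening an SR: the "realm is Username:DOMAIN" line in the log shows only the NetBIOS name, while the user source is keyed on the DNS realm, and this output puts both next to the UPN suffix so the mismatch (or its absence) is visible without guessing.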