ADFS MFA with Smartcards (Yubikey)

[derSchweiger]

Hi,

I am currently evaluating Yubikeys to see if it is possible to seamlessly integrate them into a hybrid (more on-premises, but still hybrid) Active Directory environment. Therefore, I have deployed user certificates from our on-premises PKI to these Yubikeys and the logon to the local workstations works just fine.
The next goal is to use these user certificates in combination with the Yubikeys (smartcards) to log in to ADFS. Unfortunately, this doesn't work very well - at least I couldn't get it to run at this point. My approach:

• Use the standard Active Directory login as primary factor
• Utilise your ADFS MFA plugin as second factor and trigger the biometrics MFA provider (instead of TOTP)

When trying to use the biometrics MFA provider, I can't tell Windows not to use Windows Hello for Business. As soon as I try to register the biometric device (in this case the Yubikey) it always triggers WHfB.
Is there a way to use your MFA plugin with Yubikeys without enrolling WHfB? Especially in relation to non-domain joined Windows PCs?

[redhook62]

Hi

Biometrics is based on the "open standard": WebAuthN/FIDO2, WHfB is specific to Microsoft. If you use Yubico products, it is not the smart card or user certificate part of your AD that must be used, but the FIDO part of these dongles (Yubico Security Key 4, Yubikey 4 and 5, Yubikey Bio, etc.)
If you have configured the MFA plug-in in ADDS mode, be careful in the case of joint use with WHfN not to use the Attributes model for Windows 2016, because in this case we use a multi-value AD attribute that is used primarily by WHfB.
Of course WebAuthN biometrics does not need WHfB, moreover this protocol advantageously replaces WHfB for Web authentication

[derSchweiger]

Hi @redhook62,

thank you as always for your quick response!

Biometrics is based on the "open standard": WebAuthN/FIDO2, WHfB is specific to Microsoft. If you use Yubico products, it is not the smart card or user certificate part of your AD that must be used, but the FIDO part of these dongles (Yubico Security Key 4, Yubikey 4 and 5, Yubikey Bio, etc.)

Understood and totally makes sense! Mixed that up.

If you have configured the MFA plug-in in ADDS mode, be careful in the case of joint use with WHfN not to use the Attributes model for Windows 2016, because in this case we use a multi-value AD attribute that is used primarily by WHfB.

I guess you are talking about the "msDS-KeyCredentialLink" attribute? Yes, this is only used for WHfB and ADFS MFA is configured for a different AD attribute.

Of course WebAuthN biometrics does not need WHfB, moreover this protocol advantageously replaces WHfB for Web authentication

If that's the way to get around WHfB, then that might be the right choice for me. As far as I've understood the WebAuthN configuration for your MFA plugin correctly, I need to set "None" or at least "Cross-Platform" as "Authenticator Attachment". But as soon as I set this, I receive the following error message while adding a new biometric device: Error details: Unable to read beyond the end of the stream. Same error message in the eventviewer.
Current config:

PS C:\Users\Administrator.WINDOOF> Get-MFAProvider -ProviderType Biometrics
DirectLogin                 : False
Timeout                     : 60000
TimestampDriftTolerance     : 300000
ChallengeSize               : 16
ServerDomain                : censored.dev
ServerName                  : auth
ServerIcon                  :
Origin                      : https://auth.censored.dev
PinRequirements             : Null
UseNickNames                : True
ForbiddenBrowsers           : ie;samsung;nokia
InitiatedBrowsers           : safari
NoCounterBrowsers           : safari
Enabled                     : True
EnrollWizard                : True
EnrollWizardDisabled        : False
LockUserOnDefaultProvider   : False
ForceWizard                 : Disabled
PinRequired                 : False
IsRequired                  : True
FullQualifiedImplementation :
Parameters                  :

PS C:\Users\Administrator.WINDOOF> Get-MFASecurity -Kind BIOMETRIC
AuthenticatorAttachment         : Empty
AttestationConveyancePreference : Direct
UserVerificationRequirement     : Preferred
Extensions                      : True
UserVerificationMethod          : True
RequireResidentKey              : False
ConstrainedMetadataRepository   : False

Any idea why this occurs?

[redhook62]

For a Yubikey, you need cross-platform because this key is external, put something other than "Direct"

[derSchweiger]

Yep, already tried that but receive the same error message:

PS C:\Users\Administrator.WINDOOF> Get-MFASecurity -Kind BIOMETRIC
AuthenticatorAttachment         : CrossPlatform
AttestationConveyancePreference : None
UserVerificationRequirement     : Preferred
Extensions                      : True
UserVerificationMethod          : True
RequireResidentKey              : False
ConstrainedMetadataRepository   : False

Also tried "Indirect" instead of "None" for "AttestationConveyancePreference".

As soon as I click on "Continue" while on "Enroll your biometric device":

Tried it with different browsers, as well as internal/external and different clients.

[derSchweiger]

Nevermind, seems to be related to my test environment. Have tested the same setup on another deployment and there it's just working fine!

[redhook62]

Hi,

Indeed, this seems linked to your testing platform.

Below, a WebAuthN configuration that works perfectly with Windows Hello, Yubikeys and different dongles. and without WHfB configured.