Credential requirements

For VPN, the following types of credentials will be added to Credential Manager after authentication:

- TPM Key Storage Provider (KSP) Certificate
- Software Key Storage Provider (KSP) Certificates

The username should also include a domain that can be reached over the connection (VPN or Wi-Fi). In Windows 10, version 21H2 and later, the session credential isn't visible in Credential Manager.

If the credentials are certificate-based, then the following elements need to be configured for the certificate templates to ensure they can also be used for Kerberos client authentication:

- The user's fully qualified UPN, where a domain name component of the user's UPN matches the organization's internal domain's DNS namespace. This requirement is relevant in multi-forest environments, as it ensures a domain controller can be located.
- The user's distinguished name (DN), where the domain components of the distinguished name reflect the internal DNS namespace. This applies when the SubjectAlternativeName doesn't have the fully qualified UPN required to find the domain controller.

The local security authority looks at the device application to determine if it has the right capability. This includes items such as a Universal Windows Platform (UWP) application. If the app isn't a UWP app, it doesn't matter. But if the application is a UWP app, it evaluates the device capability for Enterprise Authentication. If it does have that capability, and if the resource that you're trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential is released. This behavior helps prevent credentials from being misused by untrusted third parties.

For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows WinInet to release the credentials that it gets from Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see App capability declarations.

Intranet zone

For the Intranet zone, by default it only allows single-label names. If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the Registry CSP.

By default, single-label names are already in the Intranet zone. For multi-label names, the ZoneMap needs to be updated. The ZoneMap is controlled using a registry setting that can be set through MDM: set Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/ as an Integer value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Microsoft Edge browser.
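The ZoneMap the text describes can be verified on the device itself. The following PowerShell is an added example, not code from the page or from Microsoft: it walks the per-user ZoneMap\Domains registry tree (each subkey is a domain, nested subkeys are host labels under it, and each value is named after a scheme and holds a DWORD zone number) and lists the hosts mapped to zone 1, the Intranet zone, so an administrator can see exactly which multi-label names are eligible to receive Credential Manager credentials. The zone-number names are the standard Internet Options zones; the script is read-only and touches no MDM path.

```powershell
# Added example, not part of the original page: read-only audit of the per-user ZoneMap.
# Under ...\ZoneMap\Domains each subkey is a domain, nested subkeys are host labels under it,
# and each value is named after a scheme (http, https, *) with a DWORD zone number.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }
$DomainsRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapEntries {
    param([string]$Root = $DomainsRoot)
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # 'Domains\contoso.com\finance' describes host finance.contoso.com: reverse the labels.
        $relative = $key.Name.Substring($key.Name.IndexOf('\Domains\') + 9)
        $labels = @($relative -split '\\')
        [array]::Reverse($labels)
        $hostName = $labels -join '.'
        foreach ($valueName in $key.GetValueNames()) {
            $zone = [int]$key.GetValue($valueName)
            [pscustomobject]@{
                Host       = $hostName
                Scheme     = if ($valueName) { $valueName } else { '(default)' }
                Zone       = $zone
                ZoneName   = if ($ZoneNames.ContainsKey($zone)) { $ZoneNames[$zone] } else { 'Unknown' }
                MultiLabel = $hostName.Contains('.')
                Wildcard   = $hostName.Contains('*')
            }
        }
    }
}

# Zone 1 is the Intranet zone: these are the hosts to which a UWP app holding the
# Enterprise Authentication capability can have Credential Manager credentials released.
$intranet = Get-ZoneMapEntries | Where-Object { $_.Zone -eq 1 }
$intranet | Sort-Object Host | Format-Table Host, Scheme, ZoneName, MultiLabel, Wildcard -AutoSize

# Wildcard entries place every host under that domain into the Intranet zone; review them individually.
$intranet | Where-Object { $_.Wildcard } | ForEach-Object {
    Write-Warning ("Wildcard Intranet-zone mapping: {0} ({1})" -f $_.Host, $_.Scheme)
}
```

Run it in the user's own session, since the ZoneMap lives under HKCU and the MDM path in the text is keyed by that user's SID.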