Deployment Guide: Windows Hello for Business SSO with Citrix Workspace app

Contributed by: Akshay Muralidharan
Special thanks to: Steve Beals, Prashanth Nagaraj

Overview

Windows Hello for Business replaces passwords with strong two-factor authentication on devices. This authentication consists of a user credential tied to a device and uses a biometric or PIN. Windows Hello for Business addresses several problems with passwords, including:

  • Strong passwords are difficult to remember, and usually, users reuse passwords on multiple sites.
  • Server breaches can expose passwords and company or personal information.
  • Passwords are subject to replay attacks.
  • Users can inadvertently expose their passwords due to phishing attacks.

With Windows Hello for Business, users can authenticate to a Microsoft account, Active Directory, Azure Active Directory account, or a third-party identity provider that supports FIDO v2.0 authentication.

The Citrix Workspace app provides instant, secure, and seamless access to all the resources your end users need to stay productive, including access to virtual desktops, virtual apps, web, and SaaS apps, and features such as embedded browsing and single sign-on (from anywhere and from any device). The Citrix Workspace app is a client application that can be deployed across devices on both cloud and on-premises environments. This Deployment Guide demonstrates the Hybrid Key trust approach for Windows Hello for Business and how to configure your Citrix environment to use Citrix Workspace app with Windows Hello for Business.

Windows Hello Installation and Configuration

Windows Hello Prerequisites

The following prerequisites must be met for a hybrid key trust deployment:

  • Directories and directory synchronization
  • Authentication to Azure AD
  • Device registration
  • Public Key Infrastructure
  • Multifactor authentication
  • Device management

Directories and directory synchronization

Hybrid Windows Hello for Business needs two directories:

  • An on-premises Active Directory
  • An Azure Active Directory tenant

Note:

For ease of access, we use password hash sync or Azure Active Directory pass-through authentication for non-federated environments. Federated environments require AD FS or a third-party federation service.

Deploy an enterprise certification authority

Install the Active Directory Certificate Server

  1. The first step is to configure the Enterprise PKI on your Active Directory server. Connect to your Active Directory server and open the Certification Authority management console.

  2. Right-click Certificate Templates > Manage.

  3. In the Certificate Template Console, right-click the Kerberos Authentication template in the details pane and select Duplicate Template.

  4. On the Compatibility tab:

    • Clear the Show resulting changes checkbox
    • Select Windows Server 2016 from the Certification Authority list
    • Select Windows 10 / Windows Server 2016 from the Certificate Recipient list

  5. On the General tab:

    • Type Domain Controller Authentication (Kerberos) in the Template display name box
    • Adjust the validity and renewal period to meet your enterprise's needs
    • Click OK


Supersede existing DC certificates

  1. In the Certificate Template Console, right-click the Domain Controller Authentication (Kerberos) (or the name of the certificate template you created in the previous section) template in the details pane and select Properties.

  2. Select the Superseded Templates tab. Click Add.

  3. From the Add Superseded Template dialog, select the Domain Controller certificate template and click OK.

  4. Select the Domain Controller Authentication certificate template from the Add Superseded Template dialog and click OK.

  5. Select the Kerberos Authentication certificate template from the Add Superseded Template dialog and click OK.

  6. Add any other enterprise certificate templates previously configured for domain controllers to the Superseded Templates tab.

  7. Click OK and close the Certificate Templates console.

Publish the certificate template to the CA

  1. Open the Certification Authority management console.

  2. Select Certificate Templates in the navigation pane.

  3. Right-click the Certificate Templates node. Select New > Certificate Template to issue.

  4. In the Enable Certificates Templates window, select the Domain Controller Authentication (Kerberos) template you created in the previous steps > click OK.

  5. Close the console.

Configure and deploy certificates to domain controllers

Configure automatic certificate enrollment for the domain controllers

  1. Open the Group Policy Management Console (gpmc.msc).

  2. Expand the domain and select the Group Policy Object node in the navigation pane.

  3. Right-click Group Policy object and select New.

  4. Type Domain Controller Auto Certificate Enrollment in the name box and select OK.

  5. Right-click the Domain Controller Auto Certificate Enrollment Group Policy object and select Edit.

  6. Expand Policies under Computer Configuration in the navigation pane.

  7. Expand Windows Settings > Security Settings > Public Key Policies.

  8. In the details pane, right-click Certificate Services Client - Auto-Enrollment and select Properties.

  9. Select Enabled from the Configuration Model list. Select the Renew expired certificates, update pending certificates, and remove revoked certificate checkbox. Select the Update certificates that use certificate templates checkbox. Click OK.

  10. Close the Group Policy Management Editor.

Deploy the domain controller auto certificate enrollment GPO

  1. In the Group Policy Management Console, expand the domain and the node in the navigation pane that has your Active Directory domain name. Right-click the Domain Controllers organizational unit and select Link an existing GPO.

  2. In the Select GPO dialog box, select Domain Controller Auto Certificate Enrollment or the name of the domain controller certificate enrollment Group Policy object you previously created. Click OK.

Validate the configuration

Windows Hello for Business is a distributed system that appears complex and difficult on the surface. The key to a successful deployment is to validate phases of work before moving to the next stage. Confirm that your domain controllers enroll the correct certificates and not any superseded certificate templates. Check that each domain controller completed the certificate autoenrollment.

Use the event logs

  1. Sign in to a domain controller or management workstation with Domain Administrator equivalent credentials. In Event Viewer, navigate to Applications and Services Logs > Microsoft > Windows > CertificateServices-Lifecycles-System.

  2. Look for an event indicating a new certificate enrollment (autoenrollment).

  3. The event details include the certificate template on which the certificate was issued.

  4. The name of the certificate template used to issue the certificate must match the certificate template name included in the event.

  5. The certificate thumbprint and EKUs are also included in the event.

  6. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provided by the certificate template.
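
The validation above can be scripted. The following PowerShell is an added example, not part of the original guide: run on a domain controller, it checks that the auto-enrollment GPO applied, that a certificate carrying the Kerberos Authentication EKU was issued from the template created earlier rather than a superseded one, and lists matching enrollment events. The template display name is a parameter; the OIDs are the standard ones for the Kerberos Authentication EKU and the certificate template extensions, and the event log channel name is assumed to be the one behind the Event Viewer log named in step 1.

```powershell
# Added validation script (not from the guide). Run elevated on each domain controller.
# Checks (1) that the auto-enrollment GPO applied, (2) that a certificate with the
# Kerberos Authentication EKU was issued from the expected template (not a superseded one),
# and (3) lists the matching enrollment events the guide tells you to look for.
param(
    # Display name of the template created earlier in this guide
    [string]$ExpectedTemplate = 'Domain Controller Authentication (Kerberos)'
)

$KerberosAuthEku = '1.3.6.1.5.2.3.5'        # "Kerberos Authentication" (id-pkinit-KPKdc)
$TemplateV2Oid   = '1.3.6.1.4.1.311.21.7'   # Certificate Template Information extension
$TemplateV1Oid   = '1.3.6.1.4.1.311.20.2'   # Certificate Template Name extension (v1)
$AePolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment'

# (1) The "Certificate Services Client - Auto-Enrollment" GPO writes AEPolicy; 7 = Enabled +
#     "Renew expired/update pending/remove revoked" + "Update certificates that use templates".
$aePolicy = (Get-ItemProperty -Path $AePolicyKey -Name AEPolicy -ErrorAction SilentlyContinue).AEPolicy
if ($aePolicy -eq 7) {
    Write-Host 'Auto-enrollment policy applied (AEPolicy = 7).'
} else {
    Write-Warning "AEPolicy is '$aePolicy' (expected 7); the auto-enrollment GPO has not applied yet. Try gpupdate /force."
}

# Returns the template display name embedded in a certificate, or $null if none is present.
function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateV2Oid) {
            # Formatted text starts "Template=<display name>(<template OID>)"; the name itself
            # may contain parentheses, so stop at the "(" that begins the OID.
            if ($ext.Format($true) -match 'Template=(.+?)\(\d') { return $Matches[1].Trim() }
        }
        if ($ext.Oid.Value -eq $TemplateV1Oid) { return $ext.Format($false).Trim() }
    }
    return $null
}

# (2) Machine certificates carrying the Kerberos Authentication EKU
$kerbCerts = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $KerberosAuthEku }

if (-not $kerbCerts) {
    Write-Warning 'No certificate with the Kerberos Authentication EKU found; check template publication on the CA and the Lifecycles-System log.'
}

foreach ($cert in $kerbCerts) {
    $template = Get-CertTemplateName -Cert $cert
    $ok = ($template -eq $ExpectedTemplate) -and ($cert.NotAfter -gt (Get-Date))
    $status = if ($ok) { 'OK' } else { 'CHECK: wrong/superseded template or expired' }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Template   = $template
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}

# (3) Enrollment events from the log the guide points at (channel name assumed to be the
#     Event Viewer "CertificateServices-Lifecycles-System" log), last 14 days.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CertificateServices-Lifecycles-System/Operational'
    StartTime = (Get-Date).AddDays(-14)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match [regex]::Escape($ExpectedTemplate) } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

A certificate reported with a template other than the expected one, or no certificate at all, means a superseded template is still being issued or the CA has not published the new template yet.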

Configure and enroll in Windows Hello for Business - hybrid key trust

There are two parts to configuring the policies:

  • Configure Windows Hello for Business using Microsoft Intune
  • Enroll in Windows Hello for Business

Configure Windows Hello for Business using Microsoft Intune

For Azure AD joined devices and hybrid Azure AD joined devices enrolled in Intune, you can use Intune policies to manage Windows Hello for Business. There are two ways to enable and configure Windows Hello for Business in Intune:

  • A policy applied at the tenant level. The tenant policy is only applied at enrollment time, and any changes to its configuration won't apply to devices already enrolled in Intune. It applies to all devices getting enrolled in Intune. For this reason, the tenant policy is disabled, and Windows Hello for Business is enabled using a policy targeted to a security group.
  • A device configuration policy, which is applied after device enrollment. Any changes to the policy are applied to the devices during regular policy refresh intervals. There are different policy types to choose from; this guide uses an account protection policy.

Verify the tenant-wide policy

To check the Windows Hello for Business policy applied at enrollment time:

  1. Sign in to the Microsoft Intune admin center.

  2. Select Devices > Windows > Windows Enrollment.

  3. Select Windows Hello for Business.

  4. Verify the status of Configure Windows Hello for Business and any settings that may be configured.

  5. If the tenant-wide policy is enabled and configured to your needs, you can skip to Enroll in Windows Hello for Business. Otherwise, follow the instructions to create a policy using an account protection policy.

Enable and configure Windows Hello for Business

To configure Windows Hello for Business using an account protection policy:

  1. Go to the Microsoft Intune admin center.
  2. Select Endpoint security > Account protection.
  3. Select + Create Policy.
  4. For Platform, select Windows 10 and later; for Profile, select Account protection.
  5. Select Create.
  6. Specify a Name and, optionally, a Description > Next.
  7. Under Block Windows Hello for Business, select Disabled, and multiple policies become available.

These policies are optional, but it's recommended to configure Enable to use a Trusted Platform Module (TPM) to Yes. For more information about these policies, see MDM policy settings for Windows Hello for Business.

  8. Select Next.
  9. Optionally, add scope tags > Next.
  10. Assign the policy to a security group that contains as members the devices or users that you want to configure > Next.
  11. Review the policy configuration and select Create.

Enroll in Windows Hello for Business

The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. You can determine the status of the prerequisite checks by viewing the User Device Registration admin log under Applications and Services Logs > Microsoft > Windows. This information is also available using the dsregcmd /status command from a console. For more information, see dsregcmd.

PIN Setup

The following process occurs after a user signs in to enroll in Windows Hello for Business:

  1. The user is prompted with a full-screen page to use Windows Hello with the organization account. The user selects OK.
  2. The enrollment flow proceeds to the multifactor authentication phase. The process informs the user of an MFA contact attempt using the configured form of MFA. The provisioning process proceeds once authentication succeeds, fails, or times out. A failed or timed-out MFA results in an error and asks the user to retry.
  3. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device.
  4. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs users they can use their PIN to sign in. The user may close the provisioning application and see their desktop. Once the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory.

Configure Windows Hello for Business using group policies

You can use group policies to configure Windows Hello for Business for hybrid Azure AD joined devices. Creating a security group (for example, Windows Hello for Business Users) is suggested to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy permissions to this group to simplify the deployment by adding users.

The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory.

Note:

If you deployed Windows Hello for Business configuration using both Group Policy and Intune, Group Policy settings take precedence, and Intune settings are ignored. For more information about policy conflicts, see Policy conflicts from multiple policy sources.

Enable Windows Hello for Business group policy setting

The Enable Windows Hello for Business group policy setting is the configuration needed for Windows to determine if a user attempts to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to be enabled.

You can configure the Enable Windows Hello for Business setting for computers or users:

  • Deploying this policy setting to computers (or groups of computers) results in all users that sign in to that computer attempting a Windows Hello for Business enrollment
  • Deploying this policy setting to a user (or group of users) results in only that user attempting a Windows Hello for Business enrollment.

If both user and computer policy settings are deployed, the user policy setting has precedence.

Enable and configure Windows Hello for Business

  1. Sign in to a domain controller or management workstation with Domain Admin equivalent credentials.
  2. Start the Group Policy Management Console (gpmc.msc).
  3. Expand the domain and select the Group Policy Object node in the navigation pane.
  4. Right-click Group Policy object and select New.
  5. Type Enable Windows Hello for Business in the name box and select OK.
  6. Right-click the Enable Windows Hello for Business group policy object in the content pane and select Edit.
  7. Expand Policies under User Configuration in the navigation pane.
  8. Expand Administrative Templates > Windows Component, and select Windows Hello for Business.
  9. In the content pane, open Use Windows Hello for Business. Select Enable > OK.
  10. Close the Group Policy Management Editor.

Note:

Windows Hello for Business can be configured using different policies. These policies are optional to configure, but using a hardware security device is recommended. For more information about these policies, see Group Policy settings for Windows Hello for Business.

Configure security for GPO

The best way to deploy the Windows Hello for Business GPO is through security group filtering. Only members of the targeted security group will provision Windows Hello for Business, enabling a phased rollout.

  1. Start the Group Policy Management Console (gpmc.msc).
  2. Expand the domain and select the Group Policy Object node in the navigation pane.
  3. Open the Enable Windows Hello for Business GPO.
  4. In the Security Filtering section of the content pane, select Add. Type the name of the security group you previously created (for example, Windows Hello for Business Users) and select OK.
  5. Select the Delegation tab. Select Authenticated Users > Advanced.
  6. In the Group or User names list, select Authenticated Users. In the Permissions for Authenticated Users list, clear the Allow checkbox for the Apply Group Policy permission. Select OK.

Deploy the Windows Hello for Business Group Policy object

The application of the Group Policy object uses security group filtering. This solution allows linking the GPO to the domain, ensuring the GPO is scoped to all users. The security group filtering ensures that only the members of the Windows Hello for Business Users global group receive and apply the GPO, which results in the provisioning of Windows Hello for Business.

  1. Start the Group Policy Management Console (gpmc.msc).
  2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and select Link an existing GPO.
  3. In the Select GPO dialog box, select Enable Windows Hello for Business or the name of the Windows Hello for Business Group Policy object you previously created and select OK.

Add members to the targeted group

Users (or devices) must receive the Windows Hello for Business group policy settings and have permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding members to the Windows Hello for Business Users group. Users and groups who aren't members of this group won't attempt to enroll for Windows Hello for Business.

Enroll in Windows Hello for Business

The Windows Hello for Business provisioning process begins immediately after the user profile is loaded and before the user receives their desktop. For the provisioning process to begin, all prerequisite checks must pass. You can determine the status of the prerequisite checks by viewing the User Device Registration admin log under Applications and Services Logs > Microsoft > Windows. This information is also available using the dsregcmd /status command from a console. For more information, see dsregcmd.
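
The prerequisite check described here (and in the identical Enroll section under the Intune path above) can be automated from the dsregcmd /status output. The following PowerShell is an added example, not part of the original guide: it parses the status output into a table and reports the fields a hybrid key trust device must show before provisioning begins. The field names are the ones dsregcmd prints; the sample output embedded below is constructed so the script also runs where dsregcmd is unavailable.

```powershell
# Added prerequisite check (not from the guide): parses 'dsregcmd /status' on the endpoint and
# reports the device-state fields that matter for hybrid key trust provisioning, which is
# quicker than reading the User Device Registration admin log by hand. Run as the signed-in
# user. The field names are the ones dsregcmd prints; the sample output below is constructed.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Field lines look like "    AzureAdJoined : YES"; banner and separator lines are skipped
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Test-WhfbPrerequisites {
    param([hashtable]$Status)
    # What a hybrid Azure AD joined, key trust device should report before provisioning starts
    $expected = [ordered]@{
        DomainJoined  = 'YES'   # joined to on-premises Active Directory
        AzureAdJoined = 'YES'   # device registered in Azure AD (hybrid join)
        AzureAdPrt    = 'YES'   # Primary Refresh Token present; needed to register the key
        TpmProtected  = 'YES'   # device key held in the TPM (the guide recommends requiring it)
    }
    foreach ($field in $expected.Keys) {
        [pscustomobject]@{
            Field    = $field
            Expected = $expected[$field]
            Actual   = $Status[$field]
            Pass     = ($Status[$field] -eq $expected[$field])
        }
    }
}

# Constructed sample, shaped like real dsregcmd output, for a device that has not yet enrolled
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : YES
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
              TpmProtected : YES
+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+
                AzureAdPrt : YES
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
                    NgcSet : NO
'@ -split "`r?`n"

# Use live output when dsregcmd is available (Windows), otherwise the constructed sample
$lines  = if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) { & dsregcmd.exe /status } else { $sample }
$status = ConvertFrom-DsregStatus -Lines $lines
$report = Test-WhfbPrerequisites -Status $status
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Pass }) {
    Write-Warning 'Prerequisite failed: provisioning will not start. See the User Device Registration admin log.'
} elseif ($status['NgcSet'] -eq 'YES') {
    Write-Host 'Windows Hello for Business key already provisioned (NgcSet : YES).'
} else {
    Write-Host 'Prerequisites met; the provisioning prompt should appear at next sign-in (NgcSet : NO).'
}
```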

PIN Setup

The following process occurs after a user signs in to enroll in Windows Hello for Business:

  1. The user is prompted with a full-screen page to use Windows Hello with the organization account. The user selects OK.

  2. The enrollment flow proceeds to the multifactor authentication phase. The process informs the user of an MFA contact attempt using the configured form of MFA. The provisioning process proceeds once authentication succeeds, fails, or times out. A failed or timed-out MFA results in an error and asks the user to retry.

  3. After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity policies configured on the device.

  4. The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. When key registration completes, Windows Hello for Business provisioning informs users they can use their PIN to sign in. The user may close the provisioning application and see their desktop. Once the user has completed provisioning, Azure AD Connect synchronizes the user's key to Active Directory.

Citrix Component Configuration

Requirements and Prerequisites

  • Citrix Virtual Apps and Desktops 2305 or later
  • Citrix Federated Authentication Services
  • Windows 10 or Windows 11 end-user client
  • Windows Hello for Business Group Policies pushed
  • On-premises domain joined endpoints
  • Windows Hello for Business Login

Install Citrix FAS (Federated Authentication Service)

Citrix Federated Authentication Service (FAS) is a privileged component designed to integrate with Active Directory Certificate Services. It dynamically issues certificates for users, allowing them to log on to an Active Directory environment as if they had a smart card. This allows StoreFront to use more authentication options, such as SAML (Security Assertion Markup Language) assertions. SAML is an alternative to traditional Windows user accounts on the Internet. The Windows Hello for Business deployment requires Citrix FAS to be configured within your Citrix environment. To install FAS on the StoreFront server or on a separate server, follow the steps in the Citrix FAS install and configure documentation.

Verify FAS

When FAS is enabled on StoreFront, every user that logs into StoreFront (local or remote) causes a user certificate to be created on the FAS server. You can see these user certificates by running the following PowerShell commands:

    Add-PSSnapin Citrix.Authentication.FederatedAuthenticationService.V1
    Get-FasUserCertificate -address <StoreFront or FAS address>

Setting up the Workspace

Install the latest Workspace App for Windows on a Windows 10 or 11 device. Ensure that the machines are joined to the domain with Windows Hello for Business configured as completed earlier in the deployment guide.

Configure Windows Hello GPO

Windows Hello for Business Group Policies can be pushed from your domain, or you can use the client-side Group Policies to enable Windows Hello on the machines: Group Policy → Computer Configuration → Administrative Templates → Windows Components → Windows Hello For Business → Enable. The users are prompted to set up a PIN on their next Windows login.

Set up Pin

Set up the PIN and make sure the Windows sign-in is done with Windows Hello; you must sign in to Windows with your PIN on your next login. If you have not installed the single sign-on component, open the Registry Editor on the endpoint, navigate to HKEY_LOCAL_MACHINE\Software\Citrix\AuthManager\protocols\integratedwindows (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Citrix\AuthManager\protocols\integratedwindows on 64-bit Windows), and set the SSONCheckEnabled string value to False.

Note:

This registry key prevents the Citrix Workspace app authentication manager from checking for the single sign-on component and allows the Citrix Workspace app to authenticate to StoreFront.

Validate Login

  1. Launch the Citrix Workspace app.

  2. Add the StoreFront URL.
  3. Ensure that you aren’t prompted for credentials.
  4. On the self-service home page, make sure the welcome message shows the Windows Hello for Business user.

Launch Desktop VDA

Launch the Windows VDA and ensure that single sign-on to the desktop works. Open Event Viewer, navigate to Windows Logs → Application, and confirm that the FAS logon entry is present, which confirms that the user signed in with a federated logon using FAS.
