Setting Up Active Directory Federation Services
After certificate templates are imported and access permission is set, you will need to configure the Registration Authority templates to use for Windows Hello for Business with AD FS. This section covers the first part of Active Directory Federation Services from the Microsoft official documentation but provides little more information about what to specify for Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication template names when using DigiCert Autoenrollment Server.
To configure the Registration Authority:
Sign in the AD FS server with
Domain Admin
equivalent credentials.Open a Windows PowerShell prompt.
Enter the following command:
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate <Windows Hello for Business Enrollment Agent Profile GUID> -WindowsHelloCertificateTemplate <Windows Hello for Business Authentication Profile GUID> -WindowsHelloCertificateProxyEnabled $true
For <Windows Hello for Business Enrollment Agent Profile GUID>, enter the Profile GUID for profile created using Microsoft® Enrollment Agent certificate template.
For <Windows Hello for Business Authentication Profile GUID>, enter the Profile GUID for profile created using Windows Hello for Business Authentication certificate template.
For example, the command you enter should look something like the following:
Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate 919b8c5a-7f7b-47ee-a06b-b020737ebc93 -WindowsHelloCertificateTemplate c6dfa503-be5a-4c07-ad22-df14432f0666 -WindowsHelloCertificateProxyEnabled $true
After the above configuration is completed, continue from “Group Memberships for the AD FS Service Account” in Active Directory Federation Services from the Microsoft official documentation.
Additionally, make sure that ‘ugs' scope is configured correctly as mentioned in the Note section of the document. This is extremely important since provisioning will not start without this ‘ugs’ scope properly configured.