As organisations continue their journey toward modern authentication, many are embracing Windows Hello for Business (WHfB), a multi-factor, passwordless authentication solution from Microsoft. WHfB uses biometrics (like facial recognition or fingerprints) or a PIN to authenticate users, removing the need for traditional passwords.

However, deploying WHfB in an enterprise environment can be daunting, particularly when choosing the right integration model. Microsoft offers three main deployment models: Key Trust, Cloud Kerberos Trust, and Certificate Trust. Each model has its strengths, use cases, and infrastructure requirements.

In this post, we’ll break down the differences between these deployment models and help you decide which is best for your organisation when considering a hybrid deployment.

Key Trust is the most straightforward and commonly deployed method for integrating WHfB with Active Directory (AD) and Microsoft Entra ID (formerly Azure Active Directory).

In a Key Trust deployment, a public/private key pair is generated and stored on the client device during the WHfB provisioning process. The private key is securely stored in the device’s TPM (Trusted Platform Module), while the public key is registered in AD.

When a user signs in with WHfB, they authenticate using a biometric (like facial recognition or fingerprint) or a PIN. The private key, stored in the TPM, signs a challenge, which is then verified by AD or Entra ID using the public key. If the verification is successful, a Kerberos ticket is used for authentication within on-premises AD environments.

  • No certificates needed: Key Trust relies on keys stored in the TPM, avoiding the complexity of managing certificates.
  • Seamless integration with on-premises Active Directory: Authentication is performed using Kerberos on-prem, leveraging the existing infrastructure.
  • Azure AD Connect is required to synchronize the user’s public key from Entra ID to on-prem AD.

Key Trust provides a straightforward way to deploy WHfB without requiring certificates or significant additional infrastructure. Key Trust is suited for organisations looking for a simple hybrid identity solution where the on-premises Active Directory is the primary identity provider.

The Cloud Kerberos Trust model is a newer addition to the WHfB deployment options and is designed to simplify hybrid identity environments by leveraging Entra ID for managing Kerberos authentication.

In this model, Entra ID acts as a proxy for Kerberos authentication. When a user signs in with WHfB, Entra ID manages the authentication process: it uses the user's public key to verify the authentication and then issues the Kerberos tickets the client needs for on-premises resources.

  • Kerberos tickets issued by Entra ID: This is the primary differentiator from Key Trust. In the Cloud Kerberos Trust, Entra ID handles the Kerberos ticketing, reducing the reliance on on-premises AD for initial authentication.
  • No certificates or on-premises Public Key Infrastructure (PKI) required, which simplifies deployment for hybrid cloud environments.
  • Azure AD Connect is still required to synchronize identities between on-premises AD and Entra ID.

If your organisation is already using Entra ID heavily, Cloud Kerberos Trust offers a more streamlined way to integrate WHfB. The Cloud Kerberos Trust is ideal for organisations with hybrid environments that want a simpler deployment model while still needing access to on-prem resources.
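The Key Trust and Cloud Kerberos Trust sections above both depend on objects that Entra Connect or the Entra Kerberos setup places in on-premises AD. The following PowerShell is an added example, not code from the original post, that checks for them from a domain-joined admin workstation with the RSAT ActiveDirectory module. It assumes the AD attribute msDS-KeyCredentialLink holds the synced WHfB public key (Key Trust) and that Cloud Kerberos Trust creates an AzureADKerberos computer object plus a krbtgt_AzureAD account; the user list is constructed sample input.

```powershell
# Added example (not from the original post). Assumptions: RSAT ActiveDirectory
# module available; msDS-KeyCredentialLink carries the synced WHfB public key;
# Cloud Kerberos Trust creates the AzureADKerberos object and krbtgt_AzureAD account.
Import-Module ActiveDirectory

function Test-KeyTrustReadiness {
    param([string[]]$SamAccountNames)
    foreach ($sam in $SamAccountNames) {
        $user = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties 'msDS-KeyCredentialLink'
        if (-not $user) {
            [pscustomobject]@{ User = $sam; KeysInAD = 0; Ready = $false; Note = 'user not found' }
            continue
        }
        # Key Trust: Entra Connect writes the WHfB public key into
        # msDS-KeyCredentialLink. An empty attribute means on-prem Kerberos
        # sign-in with WHfB cannot succeed for this user yet.
        $keys = @($user.'msDS-KeyCredentialLink').Count
        [pscustomobject]@{
            User     = $sam
            KeysInAD = $keys
            Ready    = ($keys -gt 0)
            Note     = if ($keys -gt 0) { 'key synced' } else { 'no key synced; check Entra Connect writeback' }
        }
    }
}

function Test-CloudKerberosTrustReadiness {
    # Cloud Kerberos Trust: Entra ID issues tickets via a Kerberos server object
    # that appears in AD as a computer account named AzureADKerberos, backed by
    # its own krbtgt_AzureAD account. Both must exist before clients can use it.
    $server = Get-ADObject -Filter "Name -eq 'AzureADKerberos'" -Properties objectClass
    $krbtgt = Get-ADUser  -Filter "SamAccountName -eq 'krbtgt_AzureAD'"
    [pscustomobject]@{
        KerberosServerObject = [bool]$server
        KrbtgtAccount        = [bool]$krbtgt
        Ready                = ([bool]$server -and [bool]$krbtgt)
    }
}

# Constructed sample input: users expected to have completed WHfB provisioning.
$SamAccountNames = @('alice', 'bob')
Test-KeyTrustReadiness -SamAccountNames $SamAccountNames | Format-Table -AutoSize
Test-CloudKerberosTrustReadiness | Format-List
```

A user reported as not ready for Key Trust usually means the public key has not yet been written back by Entra Connect; a missing AzureADKerberos object means the Cloud Kerberos Trust prerequisites have not been set up in that domain.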

Certificate Trust is the most complex model and is typically used in environments with stringent security or compliance requirements that mandate certificate-based authentication.

In this model, an X.509 certificate is issued to the user during the Windows Hello for Business provisioning process. This certificate is mapped to the user in the Active Directory and used for authentication. Instead of using a public/private key pair (as in Key Trust), authentication is performed using the issued certificate. This provides additional security and flexibility, especially in environments that already use PKI for other purposes.

  • Requires a Public Key Infrastructure (PKI): This includes a Certificate Authority (CA), typically using Active Directory Certificate Services (ADCS).
  • Compatible with certificate-based services: This model is ideal for organisations that use certificates for other services, like VPNs or Wi-Fi authentication.
  • Higher security: Certificates offer an additional layer of security, but they also add more complexity to manage.

This model is suited for organisations that already have a PKI in place, or that have strict security and compliance requirements needing certificate-based authentication, and for companies that want a more robust method of managing user identity than Key Trust or Cloud Kerberos Trust can offer.

Each WHfB deployment model is designed to meet specific organisational needs. Here’s a quick comparison to help guide your decision:

| Components | Key Trust | Cloud Kerberos Trust | Certificate Trust |
|---|---|---|---|
| Authentication Method | Public/Private Key | Public/Private Key | X.509 Certificate |
| AD Integration | On-prem AD with Entra ID Connect | Entra ID managing Kerberos tickets | On-prem PKI and AD |
| Infrastructure Requirements | No certificates, just Entra ID Connect | Entra ID Connect, no PKI | PKI (ADCS), Entra ID Connect |
| Kerberos Integration | On-prem Kerberos tickets | Entra ID issues Kerberos tickets | Certificate mapped to Kerberos |
| Suitability | Simple hybrid identity integration | Hybrid cloud-first environments | Environments needing full PKI |
Criteria for choosing the right deployment model

Key Trust is the most widely used and easiest to deploy, offering a simple path to passwordless authentication with minimal infrastructure. If you’re looking for a cloud-first approach with less reliance on on-prem AD for authentication, Cloud Kerberos Trust is a compelling option. For those organisations with strict compliance or already using certificate-based security, Certificate Trust provides the necessary flexibility and robustness.

By understanding your organisation’s needs and existing infrastructure, you can choose the right deployment model that simplifies management while enhancing security.

Embracing Windows Hello for Business is a critical step toward building a passwordless future, and choosing the right deployment model can make a significant difference in achieving a seamless, secure authentication experience.
