Exploring Passwordless Login Options for Domain Admins

Asked By TechieExplorer92 On

I'm looking into ways to implement passwordless login for domain administrator accounts. We're considering Windows Hello for Business with cloud Kerberos trust, but I've heard it requires user accounts to sync to the cloud. Since privileged accounts like domain admins shouldn't be synced, I'm curious if there are any other passwordless solutions that don't involve syncing these accounts or relying on a PKI. Can anyone share their thoughts or experiences?

2 Answers

Answered By SafeAuthGurus On

Everything I’ve read suggests that FIDO2 isn’t supported for on-prem authentication unless you’re using Entra cloud Kerberos trust. Do you have any sources or documentation that confirm this? You could set up smart card authentication instead, but that requires having an on-premises PKI.

DocumentationBuff88 -

I've seen info about synced passkeys entering general availability soon. They’re not device-bound and should simplify things if you can opt in!

PilotTesterX -

Yeah, I tried syncing passkeys with Google Password Manager and iCloud Keychain, and it worked well!
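The question and the first answer turn on two properties of a privileged account: whether it has been synced to the cloud (which the asker wants to avoid) and whether it still accepts a password at all (smart card logon enforced). The following PowerShell audit is an added example, not code from anyone in this thread. It assumes the ActiveDirectory RSAT module on a domain-joined host, and it treats a populated ms-DS-ConsistencyGuid attribute as the sign that Entra Connect has synced the object; that heuristic is an assumption (it holds for the default source anchor on recent Entra Connect versions, but not for tenants still anchored on objectGUID), so adjust it to your environment.

```powershell
# Added example (not from the original thread): audit every user in Domain Admins
# for smart-card-required logon and for signs of Entra Connect sync.
# Assumptions: ActiveDirectory RSAT module available; ms-DS-ConsistencyGuid is
# populated only on synced objects (default source anchor on recent Entra Connect).
Import-Module ActiveDirectory

# UF_SMARTCARD_REQUIRED bit of userAccountControl (documented Windows flag value)
$SmartcardRequired = 0x40000

# Resolve group membership recursively, keeping only user objects
$members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
        -Properties userAccountControl, 'ms-DS-ConsistencyGuid', adminCount, LastLogonDate

    [pscustomobject]@{
        SamAccountName    = $u.SamAccountName
        SmartcardRequired = [bool]($u.userAccountControl -band $SmartcardRequired)
        LikelyCloudSynced = ($null -ne $u.'ms-DS-ConsistencyGuid')   # heuristic, see above
        AdminCount        = $u.adminCount
        LastLogon         = $u.LastLogonDate
    }
}

$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Surface the two conditions the thread is concerned with
$report | Where-Object { $_.LikelyCloudSynced } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) appears to be synced to Entra ID; privileged accounts normally should not be."
}
$report | Where-Object { -not $_.SmartcardRequired } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) still allows password logon (smart card not required)."
}
```

Run it from an account that can read the attributes in question; the two warning passes are what you would feed into a recurring check, since a privileged account that later drifts into the sync scope is easy to miss otherwise.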

Answered By SecureLoginFan27 On

FIDO2 hardware keys are a solid choice. They work natively with on-prem Active Directory, so there’s no need for cloud dependencies. A YubiKey can handle the passwordless aspect without any complications from cloud services. If you need tracking or auditing, you might want to pair it with a PAM solution that manages your privileged sessions directly instead of logging in as the account itself.

RDPEnthusiast99 -

Do FIDO2 keys allow you to sign in to domain controllers via RDP or VM console sessions?

CuriousTechie63 -

I totally agree! YubiKeys work seamlessly across platforms, even with Macs and Linux systems, thanks to their PIV certificates.
