
Windows Hello for Business

Introduction

The purpose of this document is to give an overview of how Windows Hello for Business (WHFB) on Windows Server 2016 and 2019 can be integrated with Mideye two-factor authentication for ADFS 3.0/4.0. For detailed instructions and support, please contact support@mideye.com.

Prerequisites & general issues

Requirements

A Mideye Server (version 4.7.2). If there is a firewall between the ADFS server(s) and the Mideye Server, it must allow two-way RADIUS traffic (UDP, standard port 1812). ADFS acts as a RADIUS client towards the Mideye Server, so each ADFS server must be defined as a RADIUS client on the Mideye Server. Refer to the Mideye Server Configuration guide for how to define a new RADIUS client.

The Mideye ADFS plugin is required on every Windows Server (2016 or 2019) running ADFS 3.0 or 4.0. ADFS 2.0 is not supported.
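The following PowerShell is an added example, not part of the Mideye documentation or the plugin itself. Run on an ADFS server, it adds the outbound host-firewall rule for RADIUS to the Mideye Server and reports whether an authentication provider matching the plugin is registered and enabled as an additional (MFA) method. The Mideye Server address is a placeholder, and the assumption that the plugin's provider name contains "Mideye" is exactly that; check the actual name with Get-AdfsAuthenticationProvider.

```powershell
# Added example: prerequisite checks for Mideye ADFS MFA on an ADFS server.
# Placeholder: replace with the real Mideye Server address.
$MideyeServer = '192.0.2.10'
$RadiusPort   = 1812

# 1. Host firewall: allow outbound RADIUS (UDP 1812) from this ADFS server to the
#    Mideye Server. Any network firewall in between must still be opened for
#    two-way RADIUS traffic as the requirement above states.
$ruleName = 'Mideye RADIUS (UDP 1812) outbound'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
        -RemotePort $RadiusPort -RemoteAddress $MideyeServer -Action Allow | Out-Null
}

# 2. ADFS: look for a registered authentication provider whose name suggests the
#    Mideye plugin (assumption: the name contains "Mideye"), and check whether it
#    is enabled as an additional authentication provider in the global policy.
$registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -like '*Mideye*' }
$enabledMfa = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider

[pscustomobject]@{
    FirewallRulePresent = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    ProviderRegistered  = [bool]$registered
    ProviderEnabledMfa  = [bool]($registered | Where-Object { $enabledMfa -contains $_.Name })
    RegisteredProviders = ($registered | ForEach-Object { $_.Name }) -join ', '
}
```

If ProviderRegistered is true but ProviderEnabledMfa is false, the plugin is installed but not selected as an additional authentication method, which is the usual reason the WHFB enrolment never offers Strong authentication (MFA).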

Supported deployment methods

WHFB with Mideye ADFS two-factor authentication is supported with the following deployment methods:

  • On Premises Key Trust Deployment
  • On Premises Certificate Trust Deployment
  • Hybrid Entra ID joined Key Trust Deployment
  • Hybrid Entra ID joined Certificate Trust Deployment

Installing Mideye MFA module on ADFS servers

Instructions on how to install Mideye two-factor authentication for ADFS can be found here.

Proof of Concept

Once the plugin is installed and configured, and the WHFB GPO is applied to a user or computer, the end user is taken through the following steps:

The first time the user signs in after the GPO is applied, the username and password prompt is presented.

The WHFB enrolment process is initiated. The user clicks "Set up PIN".

More than one authentication option may be offered; in this case Strong authentication (MFA) is selected.

The username and password are forwarded to the federation server, which uses Mideye two-factor authentication. A challenge is presented in which the OTP must be entered. If Touch is used, the end user simply accepts the authentication request.

The end user enters a PIN that will be used for future logins and clicks OK. The next time the user logs on to the machine, the PIN is used instead of username and password.