We currently have always-on configured with transparent Windows pass-through authentication to GlobalProtect. It works extremely well; the user never sees an authentication prompt other than the Windows login. The machine is protected and authenticated with a certificate.
We are piloting Windows Hello and finding that if you use a Windows Hello authentication method at first login, GlobalProtect will prompt for authentication.
Has anyone successfully implemented GlobalProtect always-on with Windows Hello while not prompting the user for authentication on GlobalProtect? If so, I would appreciate a high-level overview of how you accomplished it.
These will probably be fairly obvious questions, but it’s always best to ask for clarity.
Assuming you’re using a SAML authentication profile for portal and gateway authentication?
Are you using authentication cookies so the gateway doesn’t have to do a second authentication request?
Do you have Use Windows SSO enabled in your Portal Agent App config? Use Default Browser isn’t necessary if you are using one of the latest GP versions.
Keep in mind that WHfB is essentially using SAML under the covers. It’s more nuanced than that, for sure…but I’m just thinking in the context of what the GP client sees. The GP client doesn’t know there is anything special or different about it, versus a “regular” SSO/SAML auth.
Don’t know enough about your environment, but if you’re using traditional AD with WHfB and having your servers handle the communication with Azure via Azure AD Connect, then any sign-on method other than password is local to the machine in question only. When you set up fingerprint, face ID or PIN, you get issued a certificate from Microsoft that is used to validate your exchange with on-prem servers and then sends the data to the Azure AD Connect utility.
It doesn’t work as expected; sometimes it works and sometimes it prompts for username and password.
It’s a bug on the MS side.
But most of the time it works, and it’s very useful for users.
Last I had heard, Windows Hello wasn’t supported. This was some time ago, though. Search through the sub and you can find references.
Checking in to see if any of you all figured the best way to handle it.
Machine cert plus user auth is a form of MFA. Machine cert private keys are non-exportable and are pushed with Intune after the user is validated with MFA.