Azure AD Kerberos for Secure On-Premises Resource Access


Azure AD Kerberos is a game-changer for secure on-premises resource access. It allows users to access on-premises resources using their Azure Active Directory (Azure AD) credentials.

With Azure AD Kerberos, you can eliminate the need for traditional Kerberos servers and reduce the complexity of your on-premises infrastructure. This is a major win for IT administrators who are tired of managing multiple identity systems.

Azure AD Kerberos supports both Windows and Linux on-premises resources, making it a versatile solution for a wide range of environments.

Azure AD Kerberos Scenarios

If you're using Azure AD Kerberos, there are specific scenarios where it shines. You can authenticate to a Kerberos-based web application hosted on a domain-joined IIS server.

In some cases, you might not have access to a domain controller, which is where Azure AD Kerberos comes in handy. You can use an Azure AD Kerberos ticket instead of an Active Directory Kerberos ticket, making it a great solution when your device is not near a domain controller.


One of the benefits of Azure AD Kerberos is that it's useful when publishing a Kerberos-based web application using Microsoft Entra Global Secure Access. This is because the client can't connect to a domain controller through the tunnel, but Azure AD Kerberos can still authenticate the user.

If you're working with multiple domains, Azure AD represents each on-premises Active Directory domain as a single KerberosDomain object. This makes it easier to manage your Kerberos setup.

Here are some specific situations where Azure AD Kerberos is particularly useful:

  • You have access to a Kerberos-based web application, but your device does not have line of sight to a domain controller.
  • You published a Kerberos-based web application using Microsoft Entra Global Secure Access, but the client cannot connect to a domain controller through the tunnel.

Note that the Microsoft Entra Global Secure Access client currently supports only TCP.

Prerequisites and Configuration

To enable Azure AD Kerberos authentication, you'll need to meet some prerequisites. Your web application must be configured to use Active Directory Kerberos Authentication, and users must be synced from AD to Azure AD.

The device used for app access must also be Hybrid Azure AD Joined or Azure AD Joined. Additionally, Azure AD Kerberos Trust must be configured using the Azure AD Hybrid Authentication Management PowerShell module.


To complete the setup, you'll need to activate Cloud Kerberos ticket retrieval at user logon on the device by one of three methods: set Kerberos/CloudKerberosTicketRetrievalEnabled to 1 using the CSP; enable the GPO Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon; or add the registry value CloudKerberosTicketRetrievalEnabled with data 1.

Prerequisites

To set up Azure AD Kerberos authentication, you need to meet some essential prerequisites. Your web application must be configured to use Active Directory Kerberos Authentication.

The device used for app access must be either Hybrid Azure AD Joined or Azure AD Joined; a device that is neither cannot obtain a Cloud Kerberos ticket.

Users must be synced from AD to Azure AD, so that the on-premises identity that the web application authorizes corresponds to the Azure AD account that obtains the ticket.

To configure Azure AD Kerberos Trust, you'll need to use the Azure AD Hybrid Authentication Management PowerShell module. This module provides the necessary tools to set up and manage the trust.


There are three ways to activate cloud Kerberos retrieval at user logon: through a CSP, GPO, or Registry setting. Here's a brief overview of each method:

  • CSP: Set Kerberos/CloudKerberosTicketRetrievalEnabled to 1
  • GPO: Enable Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon
  • Registry: Add the key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters with the value CloudKerberosTicketRetrievalEnabled set to 1 (REG_DWORD)
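The following script is an added example and not part of the original article. It reports whether the registry method above is in place and, when run elevated with -Enable, writes the CloudKerberosTicketRetrievalEnabled value under the key listed in the article. The key path and value name are the ones the article gives; everything else (function names, the -Enable switch) is this example's own.

```powershell
# Added example: check and optionally enable cloud Kerberos ticket retrieval
# through the registry method described above. Run in an elevated prompt.
param([switch]$Enable)

$kerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$valueName  = 'CloudKerberosTicketRetrievalEnabled'

function Get-CloudTgtRetrievalState {
    # Absent value = feature off; 1 = on; anything else = explicitly disabled.
    $item = Get-ItemProperty -Path $kerbParams -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    if ($item.$valueName -eq 1) { return 'Enabled' }
    return 'Disabled'
}

function Enable-CloudTgtRetrieval {
    if (-not (Test-Path $kerbParams)) { New-Item -Path $kerbParams -Force | Out-Null }
    # REG_DWORD = 1, exactly as the registry method in the article specifies.
    New-ItemProperty -Path $kerbParams -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-CloudTgtRetrievalState
Write-Host "CloudKerberosTicketRetrievalEnabled before: $before"

if ($Enable -and $before -ne 'Enabled') {
    Enable-CloudTgtRetrieval
    Write-Host "CloudKerberosTicketRetrievalEnabled after:  $(Get-CloudTgtRetrievalState)"
    Write-Host 'The setting takes effect at the next user logon.'
}
```

If the value reads Enabled here but users still get no Cloud TGT, check whether a GPO or CSP is managing the same setting; a policy-delivered value overrides the one written directly to this key, so compare with gpresult /h before changing anything else.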

Realm Configuration

Realm configuration is a crucial step in mapping the Cloud Kerberos ticket with your on-premises web apps. To achieve this, you can use one of three methods: a Microsoft Intune Settings catalog profile, a Group Policy Object (GPO), or a command line.

To configure the host name-to-Kerberos realm mapping, you can use a Microsoft Intune Settings catalog profile. This involves creating a new Windows configuration profile using Settings Catalog and setting the Define host name-to-Kerberos realm mapping parameter.

Alternatively, you can use a Group Policy Object (GPO) to configure the host name-to-Kerberos realm mapping. This involves creating a new GPO and linking it to your workstations, then configuring the Define host name-to-Kerberos realm mapping parameter in the Computer Configuration section.

Here are the three methods to configure host name-to-Kerberos realm mapping:

  • A Microsoft Intune Settings catalog profile that sets Define host name-to-Kerberos realm mapping.
  • A Group Policy Object (GPO) linked to the workstations that sets the same parameter under Computer Configuration.
  • A command line run on the workstation, which is useful for testing a single device before rolling the mapping out by Intune or GPO.
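The following is an added example, not code from the original article. It shows the command-line method: ksetup, which is built into Windows, adds a host-to-realm mapping, and the script then verifies the mapping in the registry. The realm is the cloud realm the article names; the host name app.contoso.com is a constructed placeholder, and the HostToRealm registry path used for verification is taken from Windows Kerberos documentation rather than from this article. The same two pieces of information, the realm as the value name and the host names as the value, are what the Intune and GPO Define host name-to-Kerberos realm mapping setting asks for.

```powershell
# Added example: map one web app host name to the cloud Kerberos realm and
# verify the result. Run in an elevated prompt on the workstation.
param(
    [string]$AppHost = 'app.contoso.com',            # constructed placeholder
    [string]$Realm   = 'KERBEROS.MICROSOFTONLINE.COM' # cloud realm from the article
)

# Command-line method: ksetup writes the same host-to-realm mapping that the
# GPO / Intune "Define host name-to-Kerberos realm mapping" setting manages.
& ksetup.exe /addhosttorealmmap $AppHost $Realm
if ($LASTEXITCODE -ne 0) { throw "ksetup failed with exit code $LASTEXITCODE" }

# Verification: each realm is a REG_MULTI_SZ value under HostToRealm whose
# data is the list of mapped host names (path assumed from Windows docs).
$hostToRealm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm'
$mapped = (Get-ItemProperty -Path $hostToRealm -Name $Realm -ErrorAction Stop).$Realm

if ($mapped -contains $AppHost) {
    Write-Host "$AppHost is mapped to realm $Realm"
} else {
    Write-Warning "Mapping for $AppHost not found; hosts currently mapped to ${Realm}: $($mapped -join ', ')"
}
```

Map only the specific application host names that should be authenticated with the Cloud TGT. A wildcard or DNS-suffix mapping that also covers ordinary domain members would send those requests to the cloud realm, where no service ticket for them can be issued, and authentication to those hosts would fail.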

How It Works


Azure AD Kerberos is a powerful authentication tool that allows users to access resources without the need for traditional Active Directory credentials. It's a complex process, but I'll break it down in simple terms.

A Cloud Kerberos ticket is generated for the user when they first log on to a Windows or Windows Server machine. This ticket is stored in the user's cache and is used to authenticate with Azure AD.

To see the Kerberos tickets currently available, you can use the klist command. This command will display a list of all the tickets in the user's cache, including the Cloud Kerberos ticket.
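As an added example (not from the original article), the script below runs klist and picks out the Cloud TGT entry, which appears as a krbtgt ticket for the cloud realm the article names. The function name is this example's own; the klist cloud_debug call at the end exists on current Windows builds and is skipped where the build does not recognize it.

```powershell
# Added example: confirm that the current user's ticket cache holds a Cloud TGT.
# Run as the signed-in user, not from a different elevated account, since
# the cache belongs to the logon session.
$cloudRealm = 'KERBEROS.MICROSOFTONLINE.COM'

function Get-CloudTgtFromCache {
    # klist prints one block per cached ticket; the "Server:" line carries the
    # service principal and realm, e.g.
    #   Server: krbtgt/KERBEROS.MICROSOFTONLINE.COM @ KERBEROS.MICROSOFTONLINE.COM
    $lines = & klist.exe
    $pattern = 'Server:\s+krbtgt/' + [regex]::Escape($cloudRealm)
    return @($lines | Where-Object { $_ -match $pattern })
}

$cloudTgt = Get-CloudTgtFromCache
if ($cloudTgt.Count -gt 0) {
    Write-Host 'Cloud TGT present in the ticket cache:'
    $cloudTgt | ForEach-Object { Write-Host "  $($_.Trim())" }
} else {
    Write-Warning 'No Cloud TGT cached. Confirm cloud Kerberos ticket retrieval is enabled and that the user signed in after the setting was applied.'
}

# klist cloud_debug reports the cloud TGT retrieval state directly on builds
# that support it; on older builds the command returns non-zero and is skipped.
$debug = & klist.exe cloud_debug 2>&1
if ($LASTEXITCODE -eq 0) { $debug | ForEach-Object { Write-Host $_ } }
```

A Cloud TGT in the cache only proves the first half of the flow; a service ticket for the web application (a Server: line naming the application's SPN in the cloud realm) appears in the same klist output after the user first connects to the application.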

The principle of Azure AD Kerberos is simple: it maps a Kerberos web app authentication with a Cloud Kerberos ticket using the cloud realm KERBEROS.MICROSOFTONLINE.COM. This allows users to access cloud resources without the need for traditional Active Directory credentials.

Azure AD Kerberos authentication involves several steps:

  • Windows authenticates with Azure AD and obtains a PRT and a Cloud TGT.
  • The client maps the resource to a different realm, the cloud realm, rather than the on-premises Active Directory realm.
  • Azure AD captures the Azure AD tenant details that the Kerberos stack needs to reach it.

The Kerberos stack places the Cloud TGT in the cache, along with the realm mapping and a "KDC Proxy" map between the realm mapping and the Azure AD tenant details. With these in place, Kerberos can send a TGS-REQ to Azure AD instead of to a domain controller.


Azure AD verifies the Cloud TGT and generates a ticket, which is then encrypted and returned to the Kerberos stack. The Kerberos stack then strips out the ticket and generates an Application Request (AP-REQ) and hands it to SMB.

SMB sends the AP-REQ to Azure Files, which decrypts the ticket and allows access to the user profile in the Azure File Share.

Deployment and Management

Deployment of Azure AD Kerberos requires two main steps:

  • Set up Azure AD Kerberos.
  • Configure a Windows Hello for Business policy and deploy it to the devices.

Setting up Azure AD Kerberos itself involves several steps. To create the Kerberos Server object, you'll use the Azure AD Kerberos PowerShell module and run a few PowerShell commands, as described under Create Server Object. Configuring a Windows Hello for Business policy involves creating a new policy and deploying it to the devices in your organization.

Using Microsoft Intune


Using Microsoft Intune to deploy and manage Windows Hello for Business Cloud Kerberos Trust is a straightforward process. To get started, you'll need to create a new Windows configuration profile using the Settings Catalog.

To do this, navigate to Administrative Templates > System > Kerberos and add the setting Define host name-to-Kerberos realm mapping. This setting is crucial for the successful deployment of Windows Hello for Business Cloud Kerberos Trust.

The setting takes two parameters: the value name, which is the Kerberos realm to map to (KERBEROS.MICROSOFTONLINE.COM for Azure AD Kerberos), and the value, which is the list of host names of the web applications that should be authenticated against that realm.

By following these steps, you'll be able to deploy and manage Windows Hello for Business Cloud Kerberos Trust using Microsoft Intune.

Create Server Object

To create an Azure AD Kerberos Server object, you'll need to use the Azure AD Kerberos PowerShell module. You can start by opening a PowerShell prompt with the Run as administrator option.

You'll need to run some PowerShell commands to create a new Azure AD Kerberos Server object in both your on-premises Active Directory domain and Azure Active Directory tenant. You can find examples of these prompts on the page where you downloaded the module.


Here's a step-by-step guide to creating the Azure AD Kerberos Server object:

  • Use the Run as administrator option to open a PowerShell prompt; this gives you the permissions needed to create the object.
  • Run the necessary PowerShell commands to create a new Azure AD Kerberos Server object in both your on-premises Active Directory domain and Azure Active Directory tenant.

Make sure to check the examples on the download page for the exact commands to use.

Rotate Server Key

Rotating the server key is an essential task to ensure the security and integrity of your Azure AD Kerberos Server. Regularly rotate the Azure AD Kerberos Server encryption krbtgt keys.

It's recommended to use the same rotation schedule applied to all the other Active Directory DC krbtgt keys. This ensures consistency and makes it easier to manage.

To rotate the server key, you can use the Set-AzureADKerberosServer command with the appropriate parameters. This command can be used to rotate the server key, but it's also used to remove the Azure AD Kerberos Server in some cases.

Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

This command is the key to rotating the server key and ensuring the security of your Azure AD Kerberos Server.
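The script below is an added example, not the module's own sample and not code from the original article. It covers both the Create Server Object section and the key rotation above: without -Rotate it runs Set-AzureADKerberosServer to create the Azure AD Kerberos Server object, and with -Rotate it adds -RotateServerKey, using the same cmdlet and parameters the article shows. The module name AzureADHybridAuthenticationManagement and the cmdlet Get-AzureADKerberosServer come from the module the article names; the KeyVersion and CloudKeyVersion property names are taken from the module's documented output and are flagged as assumptions in the code. It expects to run in an elevated PowerShell prompt on a domain-joined host with Domain Admin and Azure AD Global Administrator credentials.

```powershell
# Added example: create the Azure AD Kerberos Server object (first run) or
# rotate its krbtgt key (-Rotate), then confirm the change.
param([switch]$Rotate)

# Install the Azure AD Hybrid Authentication Management module if needed.
if (-not (Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement)) {
    Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber -Scope CurrentUser
}
Import-Module AzureADHybridAuthenticationManagement

$domain     = $env:USERDNSDOMAIN                                   # on-premises AD domain
$cloudCred  = Get-Credential -Message 'Azure AD Global Administrator'
$domainCred = Get-Credential -Message 'On-premises Domain Administrator'

# Snapshot the current object (empty on a first run) so the change can be verified.
$before = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred `
              -DomainCredential $domainCred -ErrorAction SilentlyContinue

if ($Rotate) {
    # Rotation: same cmdlet with -RotateServerKey, on the same schedule as the
    # other DC krbtgt keys.
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred `
        -DomainCredential $domainCred -RotateServerKey
} else {
    # First-time setup: creates the server object in AD and the matching
    # KerberosDomain object in the Azure AD tenant.
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred `
        -DomainCredential $domainCred
}

$after = Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred `
             -DomainCredential $domainCred

# KeyVersion / CloudKeyVersion are assumed from the module's documented output;
# if your module version names them differently, compare $before and $after directly.
Write-Host ('On-prem KeyVersion : {0} -> {1}' -f $before.KeyVersion,      $after.KeyVersion)
Write-Host ('Cloud  KeyVersion  : {0} -> {1}' -f $before.CloudKeyVersion, $after.CloudKeyVersion)

if ($Rotate -and $after.KeyVersion -eq $before.KeyVersion) {
    Write-Warning 'KeyVersion did not change; the rotation may not have completed.'
}
```

Record the KeyVersion values from each rotation alongside your regular DC krbtgt rotation log; a server object whose key version has not moved for longer than the schedule allows is the signal that a rotation was missed.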

Cloud Authentication


Cloud authentication is a complex process, but Azure AD Kerberos simplifies it by allowing Windows to authenticate with Azure AD and obtain a PRT and a Cloud TGT, which is then used to access cloud resources.

Azure AD Kerberos also enables the use of Kerberos over the internet through the KDC Proxy protocol, which allows Windows to request a Kerberos ticket for cloud resources without needing to contact an Active Directory domain controller.

Here are the steps Azure AD takes to verify the Cloud TGT and generate a ticket:

  • Verifies that the Cloud TGT matches the Azure AD tenant ID
  • Queries to see if the user exists
  • Looks up the requested Service Principal Name (SPN) of the Azure Files resource
  • Generates a ticket
  • Encrypts the ticket to the Azure Files storage keys
  • Bundles it all up in a TGS-REP and returns it

Cloud Authentication

Cloud authentication is a game-changer for remote work and hybrid environments. Azure AD Kerberos is a key component of this process, allowing users to access cloud resources seamlessly.

Azure AD Kerberos authentication involves obtaining a PRT and a Cloud TGT, which is then used to load the user profile from the Azure Files share. This process is facilitated by FSLogix, which enables users to access their Azure Virtual Desktop session.


The Kerberos stack plays a crucial role in this process, mapping the Azure AD tenant details to the correct realm and generating a TGS-REQ to Azure AD. Azure AD then verifies the user's Cloud TGT and generates a ticket, which is encrypted and sent back to the user's device.

To implement Cloud Kerberos Trust, you need to set up Azure AD Kerberos in your hybrid environment and enable Cloud Kerberos Trust via Group Policy or Intune. This will allow users to access on-premises resources using Windows Hello for Business.

Here's a step-by-step guide to implementing Cloud Kerberos Trust:

  • Set up Azure AD Kerberos in your hybrid environment
  • Enable Cloud Kerberos Trust via Group Policy or Intune
  • Sign out and sign in to the device using Windows Hello for Business

Note that users of hybrid Azure AD joined devices must sign in with new credentials while having line of sight to a DC when signing in for the first time.
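Once the policy is deployed and the user has signed out and back in, the device state can be checked with dsregcmd, which is built into Windows. The script below is an added example and not part of the original article; it parses dsregcmd /status for the join state the Prerequisites section requires and for the PRT and Cloud TGT fields that show whether the Cloud Authentication flow completed. The field names (AzureAdJoined, DomainJoined, AzureAdPrt, CloudTgt, OnPremTgt) are those dsregcmd prints on current Windows builds; the function name is this example's own.

```powershell
# Added example: read dsregcmd /status to confirm device join state and the
# PRT / Cloud TGT state after sign-in. Run as the signed-in user (not elevated
# as a different account), because the SSO section reflects that user's session.
function Get-DsregState {
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        # Status lines look like "   AzureAdJoined : YES"
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Get-JoinState([hashtable]$s) {
    if ($s['AzureAdJoined'] -eq 'YES' -and $s['DomainJoined'] -eq 'YES') { return 'Hybrid Azure AD joined' }
    if ($s['AzureAdJoined'] -eq 'YES') { return 'Azure AD joined' }
    return 'Not Azure AD joined (not supported for Azure AD Kerberos)'
}

$s = Get-DsregState
Write-Host "Join state : $(Get-JoinState $s)"
Write-Host "PRT        : $($s['AzureAdPrt'])"
Write-Host "Cloud TGT  : $($s['CloudTgt'])"
Write-Host "On-prem TGT: $($s['OnPremTgt'])"

if ($s['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No PRT: the user has not completed an Azure AD sign-in on this device.'
}
if ($s['CloudTgt'] -ne 'YES') {
    Write-Warning 'No Cloud TGT: verify the retrieval setting and sign out/in; a hybrid joined device needs line of sight to a DC for the first sign-in.'
}
```

Run this on a pilot device before and after the policy deployment; the PRT field flipping to YES with the Cloud TGT still NO points at the retrieval setting or the first-sign-in requirement rather than at the policy itself.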
