MSEndpointMgr

Simplify Windows Hello for Business SSO with Cloud Kerberos Trust – Part 2

Cloud Kerberos Trust for Windows Hello for Business is the apex of single sign-on solutions for your Windows devices. In this trilogy you can expect to learn the what, the how and the wow!

The story so far

We continue our mini series on Windows Hello for Business Cloud Kerberos Trust. In part 1 we introduced the concept of Cloud Kerberos Trust and spoke to some of the challenges it can help organisations overcome. One of the things that we love is the simplicity of configuration – both for green field tenants and for organisations already using a different trust method with Windows Hello for Business (WHfB).

Simplicity is elegance

Windows Hello for Business Cloud Kerberos Trust
Drawing by Nanna Mardahl ❤️

In this post, we will show you how to configure Cloud Kerberos Trust for your on-premises infrastructure and how to create a configuration policy for your client devices.

Enabling Azure AD Kerberos for Cloud Kerberos Trust

This is so easy. Honestly, put one hand behind your back, juggle some wet frogs and sing “I will always love you”, all at the same time, and you will still be able to configure Azure AD Kerberos too.

Enabling Azure AD Kerberos creates an “Azure AD Kerberos” server object in the domain.

This server object:

  • Appears as a Read Only Domain Controller (RODC) object, but isn’t associated with any physical servers.
  • Is only used by Azure AD to generate partial TGTs for the Active Directory domain. The same rules and restrictions used for RODCs apply to the Azure AD Kerberos Server object.

We will configure Azure AD Kerberos in our lab. Full prerequisites can be found here, and the code samples are taken from the Microsoft docs here.

1. Download and install the Azure AD Kerberos PowerShell module

Install the module from the PowerShell Gallery. This can be done directly on the Domain Controller or from a computer that can access the Domain Controller.

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

TLS 1.2 is required to access the PowerShell Gallery. Run the following command if it is not enabled.

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

2. Run the following

# Specify the on-premises Active Directory domain. A new Azure AD
# Kerberos Server object will be created in this Active Directory domain.
$domain = $env:USERDNSDOMAIN

# Enter a UPN of an Azure Active Directory global administrator
$userPrincipalName = "admin@contoso.onmicrosoft.com"   # placeholder: replace with your Global Administrator UPN

# Enter a domain administrator username and password.
$domainCred = Get-Credential

# Create the new Azure AD Kerberos Server object in Active Directory
# and then publish it to Azure Active Directory.
# Open an interactive sign-in prompt with given username to access the Azure AD.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred

3. Verify that the Kerberos server RODC object was created successfully.

Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName

4. Also verify that the krbtgt user account was created (it is intentionally disabled).

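To script the checks in steps 3 and 4, here is an added example (not from the original post or the Microsoft docs) that inspects the domain with the RSAT ActiveDirectory module. It assumes the default object names "AzureADKerberos" for the RODC object and "krbtgt_AzureAD" for its account, that RODC computer accounts carry primary group RID 521 (Read-only Domain Controllers), and a 90-day key rotation interval; adjust these if your environment differs.

```powershell
# Added example: verify what Set-AzureADKerberosServer should have left in the domain.
# Run from a domain-joined machine with the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

function Test-CloudKerberosTrustObjects {
    param(
        [string]$Domain        = $env:USERDNSDOMAIN,
        [string]$ServerName    = 'AzureADKerberos',   # assumed default name of the RODC object
        [string]$KrbtgtName    = 'krbtgt_AzureAD',    # assumed default name of the partial-TGT account
        [int]   $MaxKeyAgeDays = 90                   # assumed rotation interval, not a Microsoft value
    )

    $result = [ordered]@{
        Domain = $Domain; RodcObjectFound = $false; LooksLikeRodc = $false
        KrbtgtFound = $false; KrbtgtDisabled = $false; KeyAgeDays = $null; KeyRotationDue = $null
    }

    # Step 3: the server object appears as an RODC computer object with no physical host.
    $rodc = Get-ADComputer -Server $Domain -Filter "Name -eq '$ServerName'" -Properties PrimaryGroupID -ErrorAction SilentlyContinue
    if ($rodc) {
        $result.RodcObjectFound = $true
        # RID 521 is the well-known "Read-only Domain Controllers" group.
        $result.LooksLikeRodc = ($rodc.PrimaryGroupID -eq 521)
    }

    # Step 4: the associated krbtgt account must exist and must stay disabled.
    $krbtgt = Get-ADUser -Server $Domain -Filter "Name -eq '$KrbtgtName'" -Properties Enabled, PasswordLastSet -ErrorAction SilentlyContinue
    if ($krbtgt) {
        $result.KrbtgtFound    = $true
        $result.KrbtgtDisabled = (-not $krbtgt.Enabled)
        if ($krbtgt.PasswordLastSet) {
            # The key that signs partial TGTs lives on this account; track its age so it gets
            # rotated (Set-AzureADKerberosServer ... -RotateServerKey) instead of living forever.
            $result.KeyAgeDays     = [int]((Get-Date) - $krbtgt.PasswordLastSet).TotalDays
            $result.KeyRotationDue = ($result.KeyAgeDays -gt $MaxKeyAgeDays)
        }
    }

    # Anything false or overdue here is worth investigating before rolling the client policy out.
    return [pscustomobject]$result
}

Test-CloudKerberosTrustObjects | Format-List
```

An enabled krbtgt account or a missing RODC object means the server-side setup did not complete as expected and the client policy should not be assigned yet.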

Configure Cloud Kerberos Trust using Intune

We can either use a GPO or push a configuration from Intune. If you are interested in using a GPO, read more here. In this post we will push the configuration from Intune (this is the way).

Ensure the client devices are running at least Windows 10 21H2 or Windows 11, on a Pro or Enterprise SKU. Perhaps consider using an Intune Filter for targeting.

1. Create a configuration profile

Navigate to https://endpoint.microsoft.com and create a new Device Configuration Profile of type

Windows 10 and later > Templates > Custom


2. OMA-URI for Cloud Kerberos Trust enablement

Add the following settings:

Name: UseCloudTrustForOnPremAuth
OMA-URI: ./Device/Vendor/MSFT/PassportForWork/<tenant-id-guid>/Policies/UseCloudTrustForOnPremAuth
Data type: Boolean
Value: True

The tenant ID in the OMA-URI must be replaced with the tenant ID of your Azure AD tenant.


3. Assignments

Assign the profile to your desired group. You can target either users or devices.


4. Test the policy worked

At this stage, after a synced user logs in using WHfB, verify that a partial TGT has been issued using the command:

klist cloud_debug

You can also verify in the event log that the policy has been applied successfully on the client.

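As an added example (not code from the original post), the client-side checks from this section can be gathered in one function: the OS prerequisite, whether the UseCloudTrustForOnPremAuth policy reached the device, and the raw klist output. It assumes Windows 10 21H2 is build 19044 and Windows 11 starts at build 22000, and that the PassportForWork CSP mirrors device policy under HKLM\SOFTWARE\Microsoft\Policies\PassportForWork\<TenantId>\Device\Policies (a path assumed here, not stated in the post).

```powershell
# Added example: run on the managed client, elevated, after a WHfB sign-in by a synced user.
function Test-CloudKerberosTrustClient {
    param(
        [Parameter(Mandatory)][guid]$TenantId   # the same tenant ID used in the OMA-URI
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Prerequisite from the post: Windows 10 21H2 (build 19044) or any Windows 11 (22000+),
    # on a Pro or Enterprise SKU. Build numbers are assumptions documented in the lead-in.
    $buildOk = ($build -ge 19044)
    $skuOk   = ($os.Caption -match 'Pro|Enterprise')

    # Assumed registry location where the PassportForWork CSP stores the device policy.
    $policyKey = "HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork\$TenantId\Device\Policies"
    $policy    = Get-ItemProperty -Path $policyKey -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue
    $policySet = ($null -ne $policy -and $policy.UseCloudTrustForOnPremAuth -eq 1)

    # Same command as the post; the output is returned verbatim for the admin to read,
    # since its exact format is not something this example relies on.
    $klist = (& klist cloud_debug 2>&1) | Out-String

    [pscustomobject][ordered]@{
        Caption          = $os.Caption
        Build            = $build
        BuildSupported   = $buildOk
        SkuSupported     = $skuOk
        PolicyKeyPresent = Test-Path $policyKey
        PolicyEnabled    = $policySet
        ReadyForTesting  = ($buildOk -and $skuOk -and $policySet)
        KlistCloudDebug  = $klist.Trim()
    }
}

# Example invocation with an obviously constructed tenant ID placeholder.
Test-CloudKerberosTrustClient -TenantId '00000000-0000-0000-0000-000000000000' | Format-List
```

If PolicyEnabled is false while the profile shows as succeeded in Intune, re-check the tenant ID in the OMA-URI before looking at the device itself.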

Summary

In part 2 of this mini series we looked at how to configure Cloud Kerberos Trust. In Part 3 we will dive a little deeper into some of the moving parts and help with some troubleshooting tips. Stay tuned for more fun!


Ben Whitmore

Microsoft MVP - Enterprise Mobility, Microsoft Certified Trainer and Microsoft 365 Certified: Enterprise Administrator Expert. Community driven and passionate Customer Engineer Lead at Patch My PC with over 2 decades of experience in driving adoption and technology change within the Enterprise.

Michael Mardahl

Michael Mardahl is a seasoned IT pro with over 25 years of experience under his belt. He's a Microsoft Certified Cloud Architect at APENTO in Denmark, where he helps customers move from traditional infrastructure to the cloud while keeping security top of mind. When he's not working, Michael's either spending time with his family and friends or passionately blogging about Microsoft cloud technology. His expertise in this area has even earned him the prestigious title of Microsoft Most Valuable Professional (MVP) in both the Enterprise Mobility and Security categories. In short, Michael is the IT equivalent of a rockstar, but don't expect him to act like one - he's way too down-to-earth for that.

2 comments

  • How would you configure this for multiple domains in a forest?
    At the forest level, or one config for each child domain?

    • Hi Kenneth,

      You would need to configure the AzureAdKerberos connection for each domain, as they have different krbtgt encryption.
