How to Deploy Cloud Kerberos in Hybrid AD

Introduction

Greetings. In this article, I will walk you through deploying Cloud Kerberos Trust in a Hybrid Active Directory environment that supports Windows Hello for Business.

Hybrid Deployment Trust Types

Organizations run different Hybrid Active Directory architectures. For example, an organization might use Password Hash Synchronization (PHS), Pass-through Authentication (PTA), or both, and some also have AD FS deployed alongside PHS. The question therefore arises: which deployment trust model should an organization choose for Windows Hello for Business, and what does Microsoft provide for this scenario?

Microsoft offers three deployment Trust Types to choose from based on your current Hybrid Active Directory topology.

They are Cloud Kerberos trust, Key trust and Certificate trust. You may ask why you would want a trust at all. With one of these trusts in place, users sign in to their Entra hybrid joined or Entra joined devices with a PIN or a biometric gesture, and then access on-premises and cloud resources with seamless single sign-on, without ever typing their domain password.

Prerequisites

  • Devices must be running Windows 10 21H2 or Windows 11 21H2 (or later) with the February 2022 cumulative update (KB5010415 / KB5010414) or later installed; cloud Kerberos trust is not available on older builds.
  • Windows Server 2016 or later domain controllers with the latest cumulative update installed (the update that adds support for Microsoft Entra Kerberos is required on every domain controller).
  • There should be read-write domain controllers in each Active Directory site where users can authenticate with Windows Hello for Business.
  • An Active Directory user who is a member of the Domain Admins group for a domain and a member of the Enterprise Admins group for a forest.
  • A Microsoft Entra user who is a member of the Global Administrators role.
  • Users must have the following Entra ID attributes populated through Microsoft Entra Connect:
    • onPremisesSamAccountName.
    • onPremisesDomainName.
    • onPremisesSecurityIdentifier.
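The three attributes above are what Entra ID uses to build a Kerberos ticket that the on-premises domain controllers will accept, so a user missing any of them will enroll Windows Hello but fail to reach on-premises resources. The following is an added example, not code from the original article, that checks a list of users through the Microsoft Graph PowerShell SDK; the user principal names are assumed inputs and the SDK must already be installed.

```powershell
# Added example (not part of the original article): confirm that the on-premises
# attributes required by cloud Kerberos trust are synchronised to Entra ID.
# Requires the Microsoft.Graph.Users module; sign-in is interactive.

Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'

function Test-CloudKerberosUserAttributes {
    param([string[]]$UserPrincipalName)

    # Attributes that Entra Connect must populate for each user.
    $required = 'onPremisesSamAccountName', 'onPremisesDomainName', 'onPremisesSecurityIdentifier'

    foreach ($upn in $UserPrincipalName) {
        # Ask Graph explicitly for the on-premises properties; they are not returned by default.
        $u = Get-MgUser -UserId $upn -Property (@('userPrincipalName', 'onPremisesSyncEnabled') + $required)

        # Property access is case-insensitive, so the camelCase Graph names work here.
        $missing = @($required | Where-Object { [string]::IsNullOrEmpty($u.$_) })

        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            SyncEnabled       = [bool]$u.OnPremisesSyncEnabled
            Domain            = $u.OnPremisesDomainName
            Sid               = $u.OnPremisesSecurityIdentifier
            Missing           = ($missing -join ', ')
            Ready             = ($missing.Count -eq 0)
        }
    }
}

# Assumed user list for the myforest2.com scenario used later in this article.
Test-CloudKerberosUserAttributes -UserPrincipalName 'alice@myforest2.com', 'bob@myforest2.com' |
    Format-Table -AutoSize
```

A user with Ready = False, or with SyncEnabled = False (a cloud-only account), cannot use cloud Kerberos trust against on-premises resources until Entra Connect synchronises the missing values.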

Practical Example

Imagine a logistics company, myforest2.com, running a Hybrid Active Directory environment with Pass-through Authentication and Password Hash Synchronization. It already uses Microsoft Intune as its Mobile Device Management (MDM) and Mobile Application Management (MAM) solution.

The company has now decided to roll out passwordless authentication across its estate using Windows Hello for Business. The key business requirements are:

  • All employees should use a PIN or biometric gestures to log in to their Windows laptops and computers to access on-premises and cloud resources.
  • Employees may enroll their own devices (BYOD), but they must still be able to use a PIN, fingerprint, facial recognition or iris recognition to verify their identity instead of typing their account password.

While Microsoft provides three deployment trust types, Cloud Kerberos trust is the recommended approach for this environment. It is straightforward to deploy: there is no need to build or extend a public key infrastructure (PKI), and there is no need to synchronize users' public keys from Entra ID back to on-premises Active Directory, which the Key trust model requires.

Current Hybrid Active Directory Infrastructure

Before beginning the implementation, we should examine the existing Hybrid Active Directory infrastructure used in this demonstration.

  • My environment is a single-forest, single-domain Active Directory infrastructure [myforest2.com].
  • It has two Active Directory sites, Site01 and Site02; Site02 has a Read-Only Domain Controller installed.
  • All domain controllers run Windows Server 2019 Datacenter edition with the latest patches installed.
  • Entra Connect Sync is deployed to integrate on-premises AD with Entra ID.
  • Pass-through Authentication and Password Hash Synchronization are both configured.
  • All client machines run Windows 10/11 Enterprise edition with the latest patches installed.
  • The “Hybrid Azure AD Join” feature is configured to allow Active Directory Forest devices to register with Entra ID.
  • Configured Microsoft Intune to allow users to register their devices.
  • Microsoft Authenticator App is chosen as an authentication method.
  • Configured Self-service password reset feature for all users.
  • The methods “Mobile app notifications” and “Mobile app code” are available for users to reset their password.
  • Users can verify their identity through “Notification through mobile app” or “Verification code from mobile app”.
  • Users must confirm their provided identity information every 90 days.
  • Users will be notified through their primary email address after resetting their password using the self-service password reset feature.
  • Baseline conditional access policies are applied.

Implementation Steps

Deploying Cloud Kerberos Trust is a short sequence of steps, listed below in the order we will follow them.

  1. Deploy Microsoft Entra Kerberos.
  2. Enable and Configure Windows Hello for Business at Tenant Level.
  3. Create a Settings catalog policy.
  4. User experience on Entra Hybrid Joined Device.
  5. Verify the device status on Entra Hybrid Joined device.
  6. User experience on Entra Joined Devices.
  7. Verify the device status on Entra Joined device.

Deploy Microsoft Entra Kerberos

First, we need to deploy Microsoft Entra Kerberos, the same server object that enables on-premises SSO for passwordless security key (FIDO2) sign-in; Windows Hello for Business cloud Kerberos trust reuses it. To do that, follow the steps given below.

Step 1: Install the AzureADHybridAuthenticationManagement module

Log in to a domain controller (or any domain-joined server with the AD DS tools installed) as a Domain Admin, open an elevated PowerShell session, and install the AzureADHybridAuthenticationManagement module.

  • Ensure TLS 1.2 for PowerShell gallery access.
    • [Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
  • Install the AzureADHybridAuthenticationManagement PowerShell module.
    • Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
  • You can also follow the instructions given in the video below.

Step 2: Create a Kerberos Server object

Follow the steps outlined below to create a Kerberos Server object using modern authentication.

  1. Command: $domain = $env:USERDNSDOMAIN
     Description: The Kerberos Server object will be created in this Active Directory domain.
  2. Command: $userPrincipalName = "admin@M365DS260448.onmicrosoft.com"
     Description: Enter the UPN of a Microsoft Entra Global Administrator.
  3. Command: Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
     Description: Creates the new Microsoft Entra Kerberos Server object in Active Directory and then publishes it to Microsoft Entra ID. An interactive sign-in prompt opens for the given username to access Entra ID.
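Steps 1 and 2 above, collected into one script with the checks a practitioner would run afterwards. This is an added example, not code from the original article: the administrator UPN is an assumed placeholder, and the key-rotation function at the end is included because the krbtgt_AzureAD account this command creates is a domain credential and should be rotated on the same schedule as the regular krbtgt key.

```powershell
# Added example (not part of the original article): deploy the Microsoft Entra
# Kerberos server object and verify that the AD and Entra ID copies agree.
# Run from an elevated PowerShell session as a Domain Admin on a domain-joined server.

# PowerShell Gallery requires TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

if (-not (Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement)) {
    Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
}
Import-Module AzureADHybridAuthenticationManagement

$domain            = $env:USERDNSDOMAIN        # e.g. MYFOREST2.COM
$userPrincipalName = 'admin@myforest2.com'     # assumed: a Global Administrator UPN

# Creates the disabled krbtgt_AzureAD user and the AzureADKerberos computer object in AD,
# then publishes the trust to Entra ID. An interactive (MFA-capable) sign-in prompt opens.
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName

function Test-AzureADKerberosServer {
    param([string]$Domain, [string]$UserPrincipalName)

    $server = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $UserPrincipalName
    $server | Format-List Id, DomainDnsName, ComputerAccount, UserAccount, KeyVersion, KeyUpdatedOn,
                          CloudId, CloudKeyVersion, CloudKeyUpdatedOn, CloudTrustDisplay

    # The on-premises and cloud key versions must match, otherwise tickets issued by
    # Entra ID are signed with a key the domain controllers do not have.
    if ($server.KeyVersion -ne $server.CloudKeyVersion) {
        Write-Warning ("KeyVersion {0} differs from CloudKeyVersion {1}; re-run Set-AzureADKerberosServer." -f
                       $server.KeyVersion, $server.CloudKeyVersion)
        return $false
    }

    # The account must exist in AD and stay disabled; it is only a key holder, never an interactive user.
    $krbtgt = Get-ADUser -Identity 'krbtgt_AzureAD' -Properties Enabled
    if ($krbtgt.Enabled) {
        Write-Warning 'krbtgt_AzureAD is enabled; it should remain disabled.'
        return $false
    }
    return $true
}

Test-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName

# Rotate the krbtgt_AzureAD key on the same schedule as the domain krbtgt key.
# The new version is published to Entra ID in the same call.
function Invoke-AzureADKerberosKeyRotation {
    param([string]$Domain, [string]$UserPrincipalName)
    Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $UserPrincipalName -RotateServerKey
    Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $UserPrincipalName |
        Select-Object KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn
}
```

Run Test-AzureADKerberosServer again after any rotation: a mismatch between KeyVersion and CloudKeyVersion is the most common reason cloud Kerberos trust sign-ins succeed but on-premises access fails.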

If you need further guidance, you can refer to the instructions provided in the video given below.

Step 3: Enable and Configure Windows Hello for Business at the Tenant Level.

To enable and configure Windows Hello for Business at the tenant level, click on the link and follow the instructions in the video.

Step 4: Create a Settings catalog policy

In the previous section, we enabled and configured Windows Hello for Business at the tenant level. Now we move one step further and create a device configuration policy. In this policy, enable only the "Use Cloud Trust For On Prem Auth" setting (the UseCloudTrustForOnPremAuth policy under the Windows Hello for Business category). It tells Windows Hello for Business to use Microsoft Entra Kerberos to authenticate to on-premises resources. Follow the instructions in the video below to complete the policy.

Create a Settings catalog policy

Step 5: User Enrollment experience on Entra Hybrid Joined Devices

After signing in, users are prompted to set up Windows Hello with their organization account and complete multi-factor authentication. They then enroll biometrics (if the device supports them), and create and confirm a PIN. Windows generates an asymmetric key pair for the user, protected by the device's TPM where one is present, and registers the public key with Microsoft Entra ID. From then on, users sign in with their PIN or biometric gesture and reach their desktop.

Please watch this video that visualises the employee experience while enrolling Windows Hello for Business.

Employee Experience – Windows Hello for Business

Step 6: Verify the device status on Entra Hybrid Joined device.

At this point, we have successfully enrolled Windows Hello for Business for a user. After signing in with a PIN, the user can access on-premises and cloud resources from the Entra hybrid joined device.

It is time to verify the state of this device in Microsoft Entra ID. Run dsregcmd /status as the enrolled user and look for the attributes below.

  1. NgcSet: if this value is YES, a Windows Hello key is set for the currently signed-in user.
  2. OnPremTgt: if this value is YES, the user holds a partial Kerberos TGT issued by Entra ID that the on-premises domain controllers will exchange for a full TGT, so on-premises resources are reachable from this device.
  3. CloudTgt: if this value is YES, the user holds a Kerberos TGT from Entra ID for cloud resources on this device.
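The same check, scripted so it can be run on every device (or pasted into a remediation script) rather than read by eye. This is an added example, not code from the original article; it parses the output of dsregcmd /status, and the sample lines at the bottom are constructed to look like a healthy hybrid joined device.

```powershell
# Added example (not part of the original article): parse "dsregcmd /status" and
# report whether the signed-in user has a Windows Hello key and cloud Kerberos tickets.
# Run as the enrolled user, not elevated, since the SSO state is per user.

function ConvertFrom-DsregStatus {
    param([string[]]$Lines)
    $status = @{}
    foreach ($line in $Lines) {
        # Value lines look like "          NgcSet : YES"; section headers and rules are skipped.
        if ($line -match '^\s*(?<name>[A-Za-z0-9_]+)\s*:\s*(?<value>.*\S)\s*$') {
            $status[$Matches['name']] = $Matches['value']
        }
    }
    return $status
}

function Test-CloudKerberosTrustStatus {
    param([hashtable]$Status)

    # Expected values for a working cloud Kerberos trust sign-in. DomainJoined is
    # deliberately not checked so the same test works on Entra joined (BYOD) devices.
    $checks = [ordered]@{
        'AzureAdJoined' = 'YES'   # device identity exists in Entra ID
        'AzureAdPrt'    = 'YES'   # Primary Refresh Token obtained at sign-in
        'NgcSet'        = 'YES'   # Windows Hello key provisioned for this user
        'CloudTgt'      = 'YES'   # Kerberos TGT from Entra ID for cloud resources
        'OnPremTgt'     = 'YES'   # partial TGT that on-premises DCs will upgrade
    }

    $ok = $true
    foreach ($name in $checks.Keys) {
        $actual = if ($Status.ContainsKey($name)) { $Status[$name] } else { '<missing>' }
        $pass   = ($actual -eq $checks[$name])
        if (-not $pass) { $ok = $false }
        Write-Host ('{0,-14} expected {1,-4} actual {2,-10} {3}' -f $name, $checks[$name], $actual,
                    $(if ($pass) { 'OK' } else { 'FAIL' }))
    }
    return $ok
}

# Constructed sample of the relevant dsregcmd output lines for a healthy hybrid joined device.
$sample = @(
    '            AzureAdJoined : YES',
    '             DomainJoined : YES',
    '               AzureAdPrt : YES',
    '                   NgcSet : YES',
    '                 CloudTgt : YES',
    '                OnPremTgt : YES'
)
Test-CloudKerberosTrustStatus -Status (ConvertFrom-DsregStatus -Lines $sample)

# On a real device, feed the live output instead of the sample:
# Test-CloudKerberosTrustStatus -Status (ConvertFrom-DsregStatus -Lines (dsregcmd /status))
```

If NgcSet is YES but OnPremTgt is NO, the usual causes are the UseCloudTrustForOnPremAuth policy not reaching the device, no line of sight to a writable domain controller, or a KeyVersion mismatch on the Entra Kerberos server object; klist on the device should show a krbtgt ticket for the on-premises realm once it is working.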

I have made a quick video that explains everything in detail. Kindly take a look.

Step 7: User Enrollment experience on Entra Joined Device.

In this section, I will show you the Windows Hello for Business enrollment experience on a BYOD device that is Entra joined (not domain joined) and connected from the corporate network.

As usual, I have created a short video about the end-user experience with the Entra Joined device. In this video, you will see:

  • How to join the BYOD device to Microsoft Entra ID.
  • How to enroll Windows Hello for Business.
  • How to verify the device status using the dsregcmd /status command.
  • The user experience when accessing an on-premises file share.
Employee experience on Entra Joined Device

Provisioning workflow

I have written the provisioning flow as a dialogue between the components involved, to make it easier to see how Windows Hello for Business provisioning works.

  1. Cloud Experience Host: Hi Entra ID, can you give me an access token for the Azure Device Registration Service (ADRS)?
  2. Microsoft Entra ID: Certainly. However, could you please use the MFA service to confirm the user's identity first?
  3. Cloud Experience Host: Of course. Let me try that now. Hello, MFA service, could you please verify the user's second factor?
  4. MFA Service: The second factor has been verified. I will forward the result to Entra ID so it can issue the ADRS access token.
  5. Microsoft Entra ID: Hello, Cloud Experience Host. The MFA result checks out, so here is an ADRS access token that carries an MFA claim. With it, you may let the user enroll biometrics if the device supports them; if not, the user can still create a PIN.
  6. Cloud Experience Host: Thank you for the ADRS access token and the MFA claim. I have completed the biometric registration and the user has created a PIN. The user's key pair has been generated and stored on this device (in the TPM, where one is present), together with attestation data.
    • Hello, ADRS. I have an access token with an MFA claim, the user's public key and attestation data, and the device information. Could you please register this key for the user?
  7. Azure DRS: Excellent! The token and attestation have been verified and the user's key has been registered. Here is the Key ID for your reference. You can now finish the user provisioning process.

Conclusion

Cloud Kerberos trust is the most straightforward of the three Windows Hello for Business trust types to deploy: it needs no PKI and no key synchronization from Entra ID to Active Directory, and it provides seamless single sign-on from both Entra hybrid joined and Entra joined devices, so users reach on-premises and cloud resources without signing in more than once.

However, please consider the following limitations.

  • Cloud Kerberos trust does not support on-premises-only Active Directory deployments; the devices must be Entra joined or Entra hybrid joined.
  • Windows Hello for Business does not work with Microsoft Entra Domain Services.
  • If the Intune tenant-wide Windows Hello for Business policy is already enabled and configured, you only need to enable the "Use Cloud Trust For On Prem Auth" setting in your device configuration policy.
  • Each AD site where users authenticate must have at least one writable domain controller; a site served only by a Read-Only Domain Controller cannot exchange the partial TGT issued by Entra ID.
  • Windows Hello for Business cloud Kerberos trust cannot be used as a supplied credential with RDP/VDI.
  • If users connect over VPN, make sure the device has line of sight to a writable domain controller. Without it, users may be unable to access on-premises file shares or print services.

For more information, please check out the Microsoft article.

Thank you for taking the time to read my post. If you found it interesting, you won’t want to miss out on all the excellent content I have in store for you. Be sure to hit that like & subscribe button for more exciting updates!

Author: Muthu