Hybrid env. Switching on Cloud Kerberos to enable WHfB, any gotchas to watch out for?
Posted by Probably_a_Shitpost@reddit | sysadmin | 16 comments
Average hybrid environment with CA policies. Going to switch user sign-in from password hash sync to pass-through auth. I already set up the computer object. Any issues like changing the way people sign in or forcing sign-outs? The "enable single sign-on" box, does that need to be checked or no?
zm1868179@reddit
Cloud Kerberos doesn't really break anything and is almost impossible to mess up. I'm not sure why you would switch to pass-through; that's going backwards in terms of modern uses and will throw more wrenches in your plan to move on to more cloud stuff later.
Probably_a_Shitpost@reddit (OP)
I'm reading that we need cert-based authentication if we don't use Cloud Kerberos. I guess that do be the problem. Thanks for pointing me in the right direction.
zm1868179@reddit
Yeah, with cloud trust you don't need certs at all. With the old method you needed to get certs handed out to your DCs, and then you had to wait for AD Connect to sync properties up to Azure; then it would all start working.
Probably_a_Shitpost@reddit (OP)
So I enabled the pass-through auth. Nothing bad happened. But I still can't get my WHfB to work. It says off VPN, creds cannot be verified, but when I connect back to the domain, it says that option is temporarily unavailable. I'm kind of at a loss now. I checked Entra auth methods and WHfB is not an option, but I also don't see how to enable it if it's supposed to be there.
zm1868179@reddit
You shouldn't enable pass-through; you need to stay on hash sync. Pass-through is going backwards and will cause issues with modern stuff if the domain is not reachable. The end goal is to eventually go to Azure-joined PCs, and you don't use pass-through with that.
Probably_a_Shitpost@reddit (OP)
Oh, my apologies. The VPN is Azure auth. It works. I mean the fingerprint sign-on doesn't work. I can't seem to get WHfB to work. Without PKI, Cloud Kerberos is the answer supposedly. But I can't seem to get it to talk back to Azure even though there's nothing technically stopping it, and the GPO is configured and Intune is configured the same way as well. Both test devices are compliant in Intune and are hybrid joined properly.
zm1868179@reddit
Cloud Kerberos trust requires the PCs to be able to reach the domain. No certs are needed.
Once signed in, as long as the user has line of sight to the DCs they will get a Kerberos ticket. Your DCs need to be 2016 or higher, and your forest and domain functional levels both need to be 2016 or higher for it to work.
If user accounts are part of specific groups they cannot use WHfB by default. I don't remember the groups, but go to your Domain Controllers OU, open the AzureADKerberos object and look at the Password Replication tab; it will show the restricted groups. If the users are in those groups or nested into those groups, they will not get tickets and it will not work.
Probably_a_Shitpost@reddit (OP)
Still no luck even redirected targeting. I'll figure it out though. Thanks for all your advice!
Probably_a_Shitpost@reddit (OP)
That didn't work, and I think I'm a dummy. I pushed the WHfB GPO and Intune policy to device instead of user. Allowed my user to create on that device but not use.
Probably_a_Shitpost@reddit (OP)
Wow I will check that tomorrow. Thanks!
Probably_a_Shitpost@reddit (OP)
Thanks I'll update when I give it a whack
VTi-R@reddit
Having spent seven hours yesterday fighting it, don't forget that because the AzureADKerberos account looks like an RODC, it's not going to work for people who have a daily driver account that is an admin too.
It had been so long since I'd had such an environment I'd completely forgotten about the RODC password sync restrictions applying.
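The prerequisites zm1868179 lists (DCs and functional levels at 2016 or higher, the Password Replication tab on the AzureADKerberos object) and VTi-R's point about the RODC restrictions catching admin accounts can all be checked from a workstation before rollout. The script below is an added example for this thread, not code from either poster or from Microsoft. It assumes the RSAT ActiveDirectory module on a domain-joined admin session, that the AzureADKerberos object already exists in the Domain Controllers OU, and the user name jdoe is a constructed placeholder.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module on a domain-joined admin workstation and that Azure AD Kerberos setup
# has already created the AzureADKerberos object in the Domain Controllers OU.
#Requires -Modules ActiveDirectory
param(
    # Constructed sample value; replace with the sAMAccountName you are testing.
    [string]$UserName = 'jdoe'
)

Import-Module ActiveDirectory

$result = [ordered]@{}

# 1. Forest and domain functional level must be 2016 or higher.
$forest = Get-ADForest
$domain = Get-ADDomain
$result.ForestMode = $forest.ForestMode
$result.DomainMode = $domain.DomainMode
$result.LevelsOk   = ($forest.ForestMode -ge [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) -and
                     ($domain.DomainMode -ge [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain)

# 2. Any DC older than Server 2016 is listed so it can be upgraded or retired.
$result.OldDomainControllers = @(
    Get-ADDomainController -Filter * |
        Where-Object { $_.OperatingSystem -notmatch 'Server (2016|2019|2022|2025)' } |
        Select-Object -ExpandProperty Name
)

# 3. The AzureADKerberos object is a computer object treated as an RODC, so the
#    RODC password replication policy (the "Password Replication" tab) applies.
$krb = Get-ADComputer -Filter "Name -eq 'AzureADKerberos'" -Properties 'msDS-NeverRevealGroup'
if (-not $krb) {
    throw 'AzureADKerberos object not found; the Azure AD Kerberos server has not been created yet.'
}

# msDS-NeverRevealGroup holds the DNs of the denied groups (by default the
# built-in admin groups and "Denied RODC Password Replication Group").
$deniedDns = @($krb.'msDS-NeverRevealGroup')
$result.DeniedGroups = @($deniedDns | ForEach-Object { (Get-ADObject -Identity $_).Name })

# 4. Resolve the user's transitive group membership with the
#    LDAP_MATCHING_RULE_IN_CHAIN rule so nested memberships are caught too
#    (e.g. Domain Admins nested inside Denied RODC Password Replication Group).
$user = Get-ADUser -Identity $UserName
$userGroupDns = @(
    Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        Select-Object -ExpandProperty DistinguishedName
)

# Any overlap means the account is on the denied list and will not receive a
# ticket through cloud Kerberos trust; use a separate non-admin daily account.
$blockedBy = @($userGroupDns | Where-Object { $deniedDns -contains $_ })
$result.User            = $user.SamAccountName
$result.BlockedByGroups = @($blockedBy | ForEach-Object { (Get-ADObject -Identity $_).Name })
$result.UserEligible    = ($blockedBy.Count -eq 0)

[pscustomobject]$result
```

Save it as a script and run it once per pilot user (for example with `-UserName` set to each tester's sAMAccountName); a non-empty BlockedByGroups list is the RODC restriction VTi-R ran into, and the fix is a separate non-privileged daily account rather than editing the denied list.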
exproject@reddit
Is there a reason to switch it from hash sync to pass through auth? That's not really related to the Kerberos change.
That single sign-on checkbox is, I'm assuming, the legacy Seamless SSO feature, which was largely for older Windows devices. Win 10 and up should do SSO via the primary refresh token, and you don't need to do further setup past making sure the devices are hybrid joining.
Probably_a_Shitpost@reddit (OP)
Cool, thanks. I thought I read that making the pass-through change was required for Cloud Kerberos for WHfB.
OmnipotentBork@reddit
Cached credentials will expire and break any shared locations; make sure the SD knows about that.
jeffrey_smith@reddit
Pretty simple and hard to screw up. Should take 10 minutes, plus another 20 minutes for the policy to come down. Remember: it doesn't change how password auth works, only devices set up for Windows Hello.