Kerberos Cloud Trust (cloud Kerberos trust in Microsoft's documentation) is a Windows Hello for Business deployment model from Microsoft for secure, passwordless sign-in. It is not a new protocol: the user signs in with Windows Hello for Business, the device obtains a Kerberos ticket-granting ticket from Microsoft Entra ID (Microsoft Entra Kerberos), and a domain controller exchanges that cloud-issued ticket for a regular Active Directory ticket. It is particularly useful in hybrid environments where both cloud and on-premises resources are used, because users authenticate seamlessly to both with a single sign-in.
Here are some key points about Kerberos Cloud Trust:
Secure Authentication: Access to on-premises resources is granted with standard Kerberos tickets; Microsoft Entra ID only issues a partial ticket-granting ticket that a domain controller exchanges for a full one.
Integration with Windows Hello for Business: Enables passwordless sign-in for both on-premises and cloud resources.
Easy Deployment: No PKI, certificates or AD FS are needed (unlike the key trust and certificate trust models), and the only change to Active Directory is the Microsoft Entra Kerberos server object created below.
This blog post provides a step-by-step guide on how to set up Kerberos Cloud Trust in a hybrid environment for Microsoft Entra Joined devices, and seamlessly integrate Windows Hello for Business (WHfB).
Prerequisites and Licensing
To implement Kerberos Cloud Trust with Windows Hello for Business, the following prerequisites must be met.
Operating System
Devices must be running at least Windows 10 21H2 with KB5010415 or higher, or Windows 11 21H2 with KB5010414 or higher.
Device Registration
Devices are Microsoft Entra joined (Microsoft Entra hybrid joined devices are supported as well, but this guide uses Entra joined devices).
In this guide, the devices are managed with Microsoft Intune.
Domain Controllers
Fully patched domain controllers running Windows Server 2016 or newer are required. Microsoft Entra joined devices still need network line of sight to a domain controller (on the corporate network or over VPN) whenever they access an on-premises resource; cloud Kerberos trust only changes how the ticket-granting ticket is obtained, not where service tickets come from.
Directory Synchronization
Directory synchronization is configured with Microsoft Entra Connect, and the user objects synchronize without errors.
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is enabled, because Windows Hello for Business provisioning requires the user to complete a second factor. For example, see the following guide: Enforce Multi-Factor Authentication (MFA) – cloudcoffee.ch
License
No paid license in Microsoft Azure is required for the use of Kerberos Cloud Trust and Windows Hello for Business. The free Microsoft Entra ID Free license is sufficient. However, additional features, such as automatic MDM enrollment, require a paid license.
An overview of the Microsoft 365 license packages with their features can be found at https://m365maps.com/.
Situation
After successfully signing in to a Microsoft Entra joined Windows device with Windows Hello for Business (WHfB), a credential prompt appears when opening a network path (UNC share) in the hybrid environment: the WHfB sign-in cannot authenticate to the on-premises file server, because the device holds no Kerberos ticket for the Active Directory domain.
The klist command in the command prompt accordingly shows no valid Kerberos tickets.
Enable Microsoft Entra Kerberos
The following PowerShell script, run on a Windows Server with Microsoft Entra Connect installed while logged on as a domain administrator, creates a server object in Active Directory and enables Microsoft Entra Kerberos. Replace $userPrincipalName with a Microsoft Entra ID user holding the Global Administrator role; the cmdlet opens a sign-in prompt for that account and uses the current Windows session for the Active Directory side.
# Module that contains the Microsoft Entra Kerberos cmdlets
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
# Active Directory domain of the current (domain administrator) session
$domain = $env:USERDNSDOMAIN
# Microsoft Entra ID account with the Global Administrator role
$userPrincipalName = "barista@cloudcoffee.ch"
# Creates the AzureADKerberos object and the krbtgt_AzureAD account in AD and registers them with Microsoft Entra ID
Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -SetupCloudTrust
After successfully running the PowerShell script, the newly created object is displayed using the following cmdlet:
Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName
In the Domain Controllers OU, a computer object named AzureADKerberos appears. It represents a virtual Read-Only Domain Controller (RODC): its associated account krbtgt_AzureAD (in the Users container) holds the key with which Microsoft Entra ID signs the cloud ticket-granting tickets and with which the real domain controllers validate them. Because the whole trust rests on that key, rotate it regularly (Set-AzureADKerberosServer with the -RotateServerKey switch) and protect both objects like any other domain controller credential. Note also that accounts in the Denied RODC Password Replication Group (for example Domain Admins) cannot sign in through cloud Kerberos trust; that is intended, so use separate non-privileged accounts for daily work rather than loosening the group.
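As an added example (not code from the original post), the following script audits the server object from both sides and rotates the key when it is older than a threshold. It uses the Get-AzureADKerberosServer and Set-AzureADKerberosServer cmdlets of the module installed above and the output properties they document; the 90-day limit and the -Rotate switch are this example's own assumptions.

```powershell
# Audit the Microsoft Entra Kerberos server object and rotate its key when it is old.
# Run as a domain administrator on a server with the AzureADHybridAuthenticationManagement module.
param(
    [string] $Domain = $env:USERDNSDOMAIN,
    [Parameter(Mandatory)] [string] $UserPrincipalName,   # Microsoft Entra Global Administrator
    [int] $MaxKeyAgeDays = 90,                            # assumption: rotation interval used here
    [switch] $Rotate                                      # rotate instead of only reporting
)

Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop

# Reads the object as seen by Active Directory and by Microsoft Entra ID.
$server = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $UserPrincipalName
if (-not $server) { throw "No Microsoft Entra Kerberos server object found for $Domain" }

# Both copies must carry the same key version, otherwise the cloud-issued TGTs
# cannot be validated by the domain controllers.
if ($server.KeyVersion -ne $server.CloudKeyVersion) {
    Write-Warning ("Key version mismatch: AD={0} Entra={1}. Re-run Set-AzureADKerberosServer." -f
        $server.KeyVersion, $server.CloudKeyVersion)
}

$keyAge = (Get-Date) - [datetime]$server.KeyUpdatedOn
[pscustomobject]@{
    Domain          = $server.DomainDnsName
    ComputerAccount = $server.ComputerAccount
    UserAccount     = $server.UserAccount
    KeyVersion      = $server.KeyVersion
    CloudKeyVersion = $server.CloudKeyVersion
    KeyUpdatedOn    = $server.KeyUpdatedOn
    KeyAgeDays      = [int]$keyAge.TotalDays
    CloudTrust      = $server.CloudTrustDisplay
} | Format-List

if ($keyAge.TotalDays -gt $MaxKeyAgeDays) {
    if ($Rotate) {
        # Generates a new krbtgt_AzureAD key in AD and publishes it to Microsoft Entra ID.
        Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $UserPrincipalName -RotateServerKey
        Write-Host "Key rotated."
    } else {
        Write-Warning "Key is $([int]$keyAge.TotalDays) days old; run again with -Rotate to rotate it."
    }
}
```

Run it without -Rotate first to see the key age and version match; rotating invalidates nothing immediately, but scheduling it (for example alongside the regular krbtgt reset) keeps the window of a leaked key short.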
Enable Kerberos Cloud Trust
Retrieving Kerberos Tickets in the Cloud
This setting lets the device request a Kerberos ticket-granting ticket from Microsoft Entra ID during sign-in, so that a user who signs in with Windows Hello for Business can then authenticate to on-premises services with normal Kerberos tickets. It corresponds to the Group Policy setting "Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon"; here it is configured in the Microsoft Intune admin center (https://intune.microsoft.com).
Devices > Manage devices > Configuration > Create > New Policy
Select Platform Windows 10 and later (1), Profile type Templates (2), Template Custom (3), then create the policy by clicking Create (4).
Name the configuration profile (e.g., WIN-Kerberos-Cloud-Trust) and click Next.
Click Add (1) and make the following settings:
Name (2): choose a name, e.g. Cloud Kerberos Ticket Retrieval
OMA-URI (3): ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
Data type (4): Integer
Value (5): 1
Complete the configuration by clicking Save (6) and then click Next (7).
The assignment to devices can be customized here according to your specific needs.
Applicability rules can be created if needed.
The settings will be displayed for review once more, and the policy will be created by clicking Create.
Windows Hello Cloud Trust for On-Premises Authentication
In the next step, Windows Hello for Business will be configured for seamless authentication (SSO) in the hybrid environment. This requires an additional OMA-URI entry in the configuration policy.
Open the configuration policy you just created, referred to in this guide as WIN-Kerberos-Cloud-Trust.
Click Edit Configuration settings.
Click Add (1) and make the following settings:
Important: Replace TenantID in the OMA-URI with your Microsoft Entra tenant ID (a GUID, shown in the Microsoft Entra admin center under Overview and in the output of dsregcmd /status on a joined device).
Name (2): choose a name, e.g. Windows Hello Cloud Trust
OMA-URI (3): ./Device/Vendor/MSFT/PassportForWork/TenantID/Policies/UseCloudTrustForOnPremAuth
Data type (4): Boolean
Value (5): True
Complete the configuration by clicking Save (6) and then click Next (7).
The settings are displayed for review once more; click Review + save and then Save to apply the change to the existing policy.
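The two portal walkthroughs above (ticket retrieval and cloud trust for on-premises authentication) end up as one custom profile with two OMA-URI settings. As an added example that is not part of the original post, the same profile can be created through Microsoft Graph, which makes the tenant-ID substitution explicit and repeatable. It assumes the Microsoft.Graph.Authentication module and an account that can consent to DeviceManagementConfiguration.ReadWrite.All; the group assignment is left out, as in the portal steps.

```powershell
# Create the WIN-Kerberos-Cloud-Trust custom profile via Microsoft Graph.
param(
    [Parameter(Mandatory)] [string] $TenantId,            # your Microsoft Entra tenant ID (GUID)
    [string] $ProfileName = 'WIN-Kerberos-Cloud-Trust'
)

Import-Module Microsoft.Graph.Authentication -ErrorAction Stop
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.ReadWrite.All'

# The tenant ID is embedded literally in the PassportForWork OMA-URI, so a typo
# here silently produces a policy that never applies. Validate it first.
if ($TenantId -notmatch '^[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$') {
    throw "TenantId '$TenantId' is not a GUID"
}

$body = @{
    '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
    displayName   = $ProfileName
    description   = 'Cloud Kerberos trust for Windows Hello for Business'
    omaSettings   = @(
        @{
            # Integer 1: allow retrieving the cloud Kerberos TGT during logon
            '@odata.type' = '#microsoft.graph.omaSettingInteger'
            displayName   = 'Cloud Kerberos Ticket Retrieval'
            omaUri        = './Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled'
            value         = 1
        },
        @{
            # Boolean true: Windows Hello for Business uses cloud Kerberos trust on-premises
            '@odata.type' = '#microsoft.graph.omaSettingBoolean'
            displayName   = 'Windows Hello Cloud Trust'
            omaUri        = "./Device/Vendor/MSFT/PassportForWork/$TenantId/Policies/UseCloudTrustForOnPremAuth"
            value         = $true
        }
    )
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations' `
    -Body ($body | ConvertTo-Json -Depth 5) -ContentType 'application/json'

"Created profile '$($created.displayName)' with id $($created.id)"
```

After creation, assign the profile to the device group in the portal (or with a further Graph call) exactly as you would for the manually created one; the OMA-URIs and data types are the same as in the portal steps.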
Once the configuration profile is synchronized with the device, restart the device.
Functionality Check
After restarting the device and signing in with Windows Hello for Business, run klist in the command prompt. It lists all cached Kerberos tickets; there should now be a krbtgt ticket for the on-premises domain, which shows that the cloud-issued ticket was exchanged at a domain controller.
Network access to the local share now works seamlessly and without credential prompts (Single Sign-On, SSO).
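The following script is an added example (not from the original post) that automates this check on the client: it verifies that the ticket-retrieval policy reached the device, reads the join and ticket state from dsregcmd /status, parses klist for the on-premises TGT and its encryption type, and finally touches the share. It assumes an English-language Windows (klist and dsregcmd output is parsed as text) and the share path is a placeholder to replace.

```powershell
# Client-side check of cloud Kerberos trust. Run in the signed-in user's session
# on the Microsoft Entra joined device after the reboot.
param(
    [string] $TestShare = '\\fileserver.cloudcoffee.ch\share'   # assumption: placeholder UNC path
)

$result = [ordered]@{}

# 1. Did the Intune policy land? The Kerberos policy CSP writes this value.
$kerbKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$kerbVal = Get-ItemProperty -Path $kerbKey -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue
$result.CloudTicketRetrievalEnabled = ($kerbVal.CloudKerberosTicketRetrievalEnabled -eq 1)

# 2. dsregcmd /status reports the join state and, in its SSO State section, whether a
#    cloud TGT (CloudTgt) and an on-premises TGT (OnPremTgt) are present.
function Get-DsregValue([string[]] $Lines, [string] $Name) {
    foreach ($l in $Lines) {
        if ($l -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}
$dsreg = dsregcmd /status
$result.AzureAdJoined = Get-DsregValue $dsreg 'AzureAdJoined'
$result.TenantId      = Get-DsregValue $dsreg 'TenantId'
$result.AzureAdPrt    = Get-DsregValue $dsreg 'AzureAdPrt'
$result.CloudTgt      = Get-DsregValue $dsreg 'CloudTgt'
$result.OnPremTgt     = Get-DsregValue $dsreg 'OnPremTgt'

# 3. klist: find the on-premises krbtgt ticket and record the encryption types.
#    Any RC4 ticket here points at a principal or DC that still allows RC4 and is worth fixing.
$tickets = @()
foreach ($line in (klist)) {
    if ($line -match '^#\d+>\s+Client:\s*(.+)$') {
        $tickets += [pscustomobject]@{ Client = $Matches[1]; Server = $null; Etype = $null }
    } elseif ($tickets.Count -gt 0 -and $line -match '^\s+Server:\s*(.+)$') {
        $tickets[-1].Server = $Matches[1]
    } elseif ($tickets.Count -gt 0 -and $line -match '^\s+KerbTicket Encryption Type:\s*(.+)$') {
        $tickets[-1].Etype = $Matches[1]
    }
}
$tgt = $tickets | Where-Object { $_.Server -like 'krbtgt/*' }
$result.OnPremTgtInKlist  = [bool]$tgt
$result.TgtEncryption     = (($tgt | ForEach-Object { $_.Etype }) -join ', ')
$result.Rc4TicketsPresent = [bool]($tickets | Where-Object { $_.Etype -match 'RC4' })

# 4. End-to-end: the share must open without a credential prompt.
$result.ShareReachable = Test-Path -Path $TestShare

[pscustomobject]$result | Format-List
```

A healthy device shows CloudTicketRetrievalEnabled True, CloudTgt and OnPremTgt YES, a krbtgt ticket with an AES encryption type and ShareReachable True. If CloudTgt is YES but OnPremTgt is NO, the device obtained the cloud ticket but could not reach a domain controller to exchange it, which is the line-of-sight requirement from the prerequisites.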
Troubleshooting
Command Prompt
When troubleshooting Kerberos Cloud Trust and Windows Hello for Business (WHfB), the klist cloud_debug command is extremely helpful. This command is executed on the client in the command prompt and is used to display detailed debugging information. These details can be utilized to identify issues with authentication or the configuration of Windows Hello for Business (WHfB).
Event Viewer
The Event Viewer on the client provides further insight into why Kerberos Cloud Trust with Windows Hello for Business (WHfB) might not be working, under Applications and Services Logs > Microsoft > Windows > User Device Registration.
Event ID 358 indicates that the configuration for utilizing Kerberos Cloud Trust has been successfully applied, including all relevant details.