Azure AD Hybrid cloud kerberos trust - not working

GonWild 421

Hi,

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune

I tried setting this up. It's not working as client(AAD join only) cannot get a ticket(it got the settings I set up 'Cloud trust for on-premise auth policy Enabled: True).

One domain only, Win2022 DCs.

Get-AzureADKerberosServer list half of attributes empty-->

CloudDisplayName :
CloudDomainDnsName :
CloudId :
CloudKeyVersion :
CloudKeyUpdatedOn :
CloudTrustDisplay :

Any idea?

Lu Dai-MSFT 28,356 Reputation points

2022-10-05T01:48:31.4+00:00
@GonWild Thanks for posting in our Q&A.

For this issue, we appreciate your help to collect some information:

Please make sure that the prerequisites are met.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust?tabs=intune#prerequisites

Please check if this Cloud Kerberos Trust policy's deployment status shows success in intune portal.

Please check if the device's join type shows "Hybrid Azure AD joined" in intune portal.

If possible, please check if there is any error message in event viewer's Applications and Services Logs > Microsoft > Windows > Devicemanagement-Enterprise-Diagnostics-Provider > Admin.

If there is anything update, feel free to let us know.
GonWild 421 Reputation points

2022-10-05T07:20:53.547+00:00

thanks for your reply!

1- yes they are. User has MFA, Win10 21H2 with latest CU, Win 2022 server DC patched with sept patches, Kerberos powershell module, Intune MDM, WhfB policy deployed
2 - It reports successful deployment
3- It lists as Azure AD joined
4- yes, got quite a few of these in here:

Event id 455: MDM ConfigurationManager: Caller did not specify user to impersonate to. Targetted user sid: (NULL) Result: (Unknown Win32 Error code: 0x86000022).

And some -->
Event id 404: MDM ConfigurationManager: Command failure status. Configuration Source ID: (DD61C8BC-345A-4667-98DA-395696B7B776), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Vendor/MSFT/Policy/Config/DeviceHealthMonitoring/ConfigDeviceHealthMonitoringServiceInstance), Result: (The system cannot find the file specified.).

I tried at one point to remove the Azure Ad kerberos server (using: Remove-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred), and recreate it. Maybe that caused some hickup... ?
Lu Dai-MSFT 28,356 Reputation points

2022-10-06T03:00:14.15+00:00

@GonWild Thanks for your update.

Honestly, I didn't get any helpful information from event viewer. These event messages are general. This issue is more complex. It is related to intune, Azure AD and Windows Hello for Business. It is needed more logs to find the cause. With Q&A limitation, Q&A is not the good channel for such issue. So, it is suggested to create an online support ticket to get more accurate help. Here is the support link:
https://learn.microsoft.com/en-us/mem/get-support

Hope everything goes well with you.
GonWild 421 Reputation points

2022-10-06T06:31:02.97+00:00

This happened when I tried moving from our Hybrid Key Trust setup...shouldnt have done that :-P Will send support ticket, thank you :-)
Lu Dai-MSFT 28,356 Reputation points

2022-10-06T06:40:06.487+00:00

@GonWild OK. Hope this issue will be solved as soon as possible. : )

1 answer

GonWild 421 Reputation points

2022-11-30T07:32:33.187+00:00

In case someone else encounters this:

We managed to solve this by running the Set-AzureADKerberos server command again, using a user that was synced from on-prem, and also assigned global admin rights to our tenant.
Please sign in to rate this answer.

0 comments No comments
Sign in to comment