Issues setting up kerberos on hybrid domain controller

Question

Issues setting up kerberos on hybrid domain controller

Cloud Admin 0

Local system is setup with Azure AD Connect, Windows Hello for Business is setup and working, We are attempting to setup Kerberos authentication as well as connecting local file server to cloud services. As we setup new users we want to set them up with Microsoft accounts connected to on prem resources that are cloud synced as well as cloud group policies to slowly migrate users from on prem to cloud.

Environmental Clarification: We have a hybrid environment setup. All users are on prem and synced in Azure/Entra. All users have Entra ID accounts, the end goal is to setup a kind of File share sync from on prem to cloud for the purposes of slowly transitioning users to cloud environment management and resource access.

0 comments

1 answer

Your answer

Answer 1

Marcin Policht 87,985 MVP Volunteer Moderator

Microsoft accounts (MSAs) are personal accounts and are not suitable for enterprise identity scenarios; instead, you should be using Entra ID accounts, which are organizational identities managed through Microsoft Entra. Additionally, there are no true "cloud group policies" in the same way Group Policy Objects (GPOs) work in Active Directory; instead, policy management for cloud-based devices is handled through Microsoft Intune, using configuration profiles, ADMX-backed policies, and security baselines, which offer similar—but not identical—functionality tailored for cloud-native and Entra-joined environments.

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Cloud Admin 0 Reputation points

2025-07-22T15:38:22.0966667+00:00

I should clarify the environment, we have a hybrid environment setup already. All users are on prem and synced in Azure/Entra. So all users have Entra ID accounts, the end goal is to setup a kind of File share sync from on prem to cloud for the purposes of slowly transitioning users to cloud environment management and resource access.
Marcin Policht 87,985 Reputation points MVP Volunteer Moderator

2025-07-22T17:08:35.9133333+00:00

Since your users are all Entra ID–synced and operating in a hybrid setup, the typical migration approach would involve Azure File Sync, which lets you replicate on-prem file server shares to Azure Files while maintaining local access, although you still access shares via on-premises file server.

To support access to on-premises file servers using Microsoft Entra ID user accounts, devices in your environment must be either hybrid Entra joined or fully Entra ID–joined. In a hybrid join scenario, where devices are joined to both on-prem Active Directory and Entra ID, users authenticate using traditional Kerberos through the domain controller.

If you have Entra ID–joined devices, you'll need to enable Microsoft Entra Kerberos authentication. This feature allows cloud-only devices to obtain Kerberos tickets for authenticating to on-prem file servers using Entra ID credentials. It works by creating a Key Distribution Center (KDC) proxy object in Entra ID that brokers ticket issuance for your on-prem AD domain.

For details, refer to https://learn.microsoft.com/en-us/entra/identity/devices/device-sso-to-on-premises-resources and https://practical365.com/kerberos-protected-resources-using-passwordless-authentication

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin

Share via

Issues setting up kerberos on hybrid domain controller

1 answer

Your answer