Is Azure AD Domain Service required to use Azure AD Kerberos authentication?

馬場 勇真 180 Reputation points
2023-10-18T05:15:05.29+00:00

I am Japanese. Please forgive me for using a translator.

I would like to use Azure Files using Azure AD Kerberos authentication.

My question is, is it correct that I don't need to use Azure AD Domain Service?

I understand that I need to enable Azure AD Connect between my tenant and AD.


Accepted answer
  1. Sreeju Nair 12,666 Reputation points
    2023-10-18T06:16:17.4+00:00

    For you to use Azure Files with Kerberos authentication, you need to have AD DS, whether on-premises or in the cloud. Since it supports on-premises AD DS, it is not mandatory to have Azure AD Domain Services.

    The following are the supported authentication scenarios.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#supported-authentication-scenarios

    Azure Files supports identity-based authentication over SMB through the following methods. You can only use one method per storage account.

    • On-premises AD DS authentication: On-premises AD DS-joined or Microsoft Entra Domain Services-joined Windows machines can access Azure file shares with on-premises Active Directory credentials that are synched to Microsoft Entra ID over SMB. Your client must have line of sight to your AD DS. If you already have AD DS set up on-premises or on a VM in Azure where your devices are domain-joined to your AD, you should use AD DS for Azure file shares authentication.
    • Microsoft Entra Domain Services authentication: Cloud-based, Microsoft Entra Domain Services-joined Windows VMs can access Azure file shares with Microsoft Entra credentials. In this solution, Microsoft Entra ID runs a traditional Windows Server AD domain on behalf of the customer, which is a child of the customer’s Microsoft Entra tenant.
    • Microsoft Entra Kerberos for hybrid identities: Using Microsoft Entra ID for authenticating hybrid user identities allows Microsoft Entra users to access Azure file shares using Kerberos authentication. This means your end users can access Azure file shares over the internet without requiring a line-of-sight to domain controllers from Microsoft Entra hybrid joined and Microsoft Entra joined VMs. Cloud-only identities aren't currently supported.
    • AD Kerberos authentication for Linux clients: Linux clients can use Kerberos authentication over SMB for Azure Files using on-premises AD DS or Microsoft Entra Domain Services.

    Also refer to the following URL to see how you can use on-premises AD DS for Azure file shares.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

    Hope this helps.
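The third scenario in the accepted answer (Microsoft Entra Kerberos for hybrid identities) is the one the question is about: it needs an on-premises AD DS synced through Microsoft Entra Connect, but no Microsoft Entra Domain Services and no line of sight from the client to a domain controller. The following Az PowerShell session is an added example, not code from the original post or from Microsoft's docs, showing how that mode is switched on for an existing storage account and how to read the setting back. The resource group, storage account and domain names are placeholders; the `Get-ADDomain` call assumes the script runs on a domain-joined machine with the RSAT ActiveDirectory module.

```powershell
# Added example: enable Microsoft Entra Kerberos (hybrid identities) on an Azure Files
# storage account and confirm the result. Names below are assumptions, not real resources.
$resourceGroup  = "rg-files-demo"      # assumption
$storageAccount = "stfilesdemo01"      # assumption

# Domain name and GUID of the on-premises AD DS that Microsoft Entra Connect syncs.
# They are only required if you later want to set directory/file-level NTFS permissions
# from Windows File Explorer; otherwise the two -ActiveDirectory* parameters can be omitted.
# Assumes the RSAT ActiveDirectory module on a domain-joined machine; values can also be typed in.
$domain     = Get-ADDomain
$domainName = $domain.DnsRoot                 # e.g. corp.example.com (assumption)
$domainGuid = $domain.ObjectGUID.ToString()

Connect-AzAccount | Out-Null

# Turn on Entra Kerberos for SMB on the account. This does not create or need an
# Entra Domain Services managed domain.
Set-AzStorageAccount -ResourceGroupName $resourceGroup `
                     -StorageAccountName $storageAccount `
                     -EnableAzureActiveDirectoryKerberosForFile $true `
                     -ActiveDirectoryDomainName $domainName `
                     -ActiveDirectoryDomainGuid $domainGuid | Out-Null

# Read the setting back. DirectoryServiceOptions is "AADKERB" when Entra Kerberos is
# active; "AD" would mean the on-premises AD DS join, "AADDS" Entra Domain Services.
$account = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $storageAccount
$options = $account.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
if ($options -ne "AADKERB") {
    throw "Expected AADKERB but the account reports '$options'"
}
$account.AzureFilesIdentityBasedAuth.ActiveDirectoryProperties | Format-List
```

Two follow-up steps belong with this switch and are easy to miss: enabling the option registers an application named `[Storage Account] <storage-account-name>.file.core.windows.net` in the tenant, which needs admin consent before clients can obtain Kerberos tickets, and that application must be excluded from any Conditional Access policy that requires multifactor authentication, since the SMB ticket request cannot complete an MFA challenge. Cloud-only users still cannot use this path; the identity must be synced from AD DS, as the answer above notes.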

1 additional answer
  1. チャブーン 3,316 Reputation points MVP Volunteer Moderator
    2023-10-18T06:50:27.71+00:00

    This is チャブーン.

    Regarding this matter: for Kerberos authentication with Azure Files, it is fine as long as you can synchronize with MSEC (Microsoft Entra Connect). The reasoning is illustrated in the following material, so please have a look.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/forest-recovery-guide/ad-forest-recovery-perform-initial-recovery#restore-the-first-writeable-domain-controller-in-each-domain
