This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(9.6, 97%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFR%3C/text%3E%3C/svg%3E)
Hello everyone,
I am currently using the default Azure DNS as the DNS server within an Azure Virtual Network. The network is connected to AVD Multi-Session Hosts that are Azure AD Joined. The virtual network is peered with another network, in which a classic Active Directory Domain Services VM domain-demo.de is located. To authenticate against the Azure AD Joined AVD Session Hosts, a hybrid user is used, which is synchronized from the Active Directory domain domain-demo.de via Cloud Sync.
I am looking for guidance on how to properly configure DNS, so that Azure AD Joined VMs can resolve the domain-demo.de domain correctly, and obtain a correct Kerberos ticket via LSA to authenticate against classic file shares, etc.
I have attempted to create an Azure Private DNS Zone (domain-demo.de) and linked it to the virtual network of the session hosts. Within the DNS zone, I created the following SRV records (_kerberos._tcp, _ldap._tcp) and an A-record for the DC's name along with its IP address. Unfortunately, this configuration did not result in the desired outcome.
Could you please provide some advice or steps on how to achieve this DNS configuration? Thank you in advance for your help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 0%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESW%3C/text%3E%3C/svg%3E)
Hi @Florian Ried , your use case is Hybrid DNS resolution. You need a DNS forwarder from Azure towards on-prem domain. You can use Azure DNS Private Resolver and set the DNS Forwarding Ruleset to use Domain Controller of domain-demo.de
Please do some due diligence on Azure DNS Private Resolver pricing to avoid an unexpected bill.
Thanks for your awesome tip! I've successfully set up an Azure Private DNS Resolver with an Outbound Connection and a Rule Set for domain-demo. The clients are now able to resolve the domain-demo domain name without any issues.
So, I've connected to a network drive and now I'm getting a login window where I have to enter my user information. After retyping my username and password, I land on the CIFS share. However, SSO isn't working yet. The file share that I've created is located directly on the DC for testing purposes. I've enabled Kerberos logging on the client and I'm seeing some warnings and errors after attempting to access it.
I'm not sure what other configurations I need to make in order for SSO to work, but according to a Microsoft DOC article, no further configurations are required: https://learn.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
I should also mention that on the DC side, I haven't been able to detect any Kerberos requests with IDs 4768, 4769, or 4770 yet.
I'd really appreciate any help or advice on this.
Thanks so much!
Did you set up your file share to use Windows-Integrated authentication?
The documentation you mentioned has this statement:
During an access attempt to an on-premises resource requesting Kerberos or NTLM, the device:
Based on the behaviour you get, Kerberos TGT fails. It's trying to use "vm-avd-vdp4-001" which is computer identity (of AVD) when it should use your user identity (login into AVD). Your AVD is Azure AD joined, which means AD DS does not have any knowledge about the computer identity.
Correct, I have configured file shares with Windows Integrated Authentication. I have managed to make SSO work and successfully receive a Kerberos ticket (via cmd klist) to my OnPrem domain when logging in. Login to the file share now works as well. After implementing the following, it worked immediately: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azure-ad-kerberos-powershell-module?WT.mc_id=EM-MVP-5004668.
I am now only wondering if the setup I have created is a supported scenario. Thank you for your help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 83%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERJ%3C/text%3E%3C/svg%3E)
did you manage to resolve this in the end? We are seeing exactly the same for a client, only difference is that we are using an on-premises dns server on the vnet, accessible via site 2 site vpn.
Hi @Ryan Jewell , if I understand correctly, your config:
Your Azure VM should be able to resolve on-prem domains successfully, but it will not resolve local domains in Azure, including Private Endpoints. What exactly is your issue/question?