Azure AD sso to on-premise resources failing to get tgt

James Cook 35 Reputation points
2023-06-16T09:54:25.86+00:00

Hi! Reaching out in desperation: we have been battling an issue with getting a new AVD environment up for a couple of days now, and all help is appreciated at this point!

  1. We have Azure AD joined session host VMs in Azure AVD.
  2. Site-to-site VPN back to on-prem. The session hosts can ping and speak to all on-prem DCs on all ports at this time.
  3. Identities synced from on-prem AD DS.

When logging into an Azure session host, we get no on-prem Kerberos ticket. Testing access to file shares gives a 30 second delay, after which it prompts for creds (failing over from Kerberos to Windows Credential Manager).

We get the following errors on the Azure VM within the Microsoft / Windows / AAD logs:

  1. Event ID 1104 - AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3
  2. Event ID 1025 - Http request status: 400. Method: GET Endpoint Uri: https://login.microsoftonline.com/redacted-tenant-id/sidtoname Correlation ID: 6872DA22-C1F7-4EEF-BB7F-F30BAC67F1E1
  3. Event ID 1241 - On-prem tgt error: On-prem configuration is missing

If we build a workgroup VM on-prem and then Azure AD join it, on-prem SSO works as expected: klist shows Kerberos tickets from on-prem DCs, SSO access to file shares works quickly, and dsregcmd shows OnPremTgt: YES.

So our conclusion is that the tenant / AD / Kerberos configuration appears to be OK, but something about using SSO to on-prem resources from an Azure AD joined VM in Azure is not working.

A lot of focus has been on the site-to-site VPN, although all testing so far, including Wireshark captures on the Azure session hosts, suggests that the hosts are not even attempting Kerberos back to the on-prem DCs.

Can anyone offer any insight on this one?

Thanks in advance!
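The post compares three signals across the working and failing hosts: the SSO state reported by dsregcmd /status, the Kerberos tickets klist shows, and the AAD plugin events 1104/1025/1241. The script below, an added example that is not from the thread or from Microsoft, collects all three in one place so the two kinds of host can be compared side by side. It assumes a Windows 10/11 device that is Azure AD joined, run in the interactive session of the synced user who cannot reach the share; the field names it reads (AzureAdJoined, AzureAdPrt, OnPremTgt, CloudTgt, KerbTopLevelNames) are those dsregcmd prints on current builds.

```powershell
# Added diagnostic example, not code from the thread. Assumes a Windows 10/11 device that is
# Azure AD joined, run in the interactive session of the synced user that cannot reach the share.
# It gathers the three signals the thread relies on: the SSO state reported by dsregcmd /status,
# the Kerberos tickets cached for the user, and the AAD operational events 1104/1025/1241.

# 1. SSO state from dsregcmd /status. Field names are those dsregcmd prints in its
#    "Device State" and "SSO State" sections on current builds.
$dsregFields = 'AzureAdJoined', 'AzureAdPrt', 'OnPremTgt', 'CloudTgt', 'KerbTopLevelNames'
$ssoState = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$' -and $dsregFields -contains $Matches[1]) {
        $ssoState[$Matches[1]] = $Matches[2]
    }
}

# 2. Cached Kerberos tickets for the current logon session. A healthy on-prem SSO session
#    shows a krbtgt/<DOMAIN> ticket issued by an on-prem DC; the thread's failing hosts show none.
$krbtgtTickets = klist | Select-String -Pattern 'krbtgt/' | ForEach-Object { $_.Line.Trim() }

# 3. The AAD plugin events the original post quotes, from the last hour.
#    Get-WinEvent writes an error when nothing matches, so that case is silenced and treated as "none".
$filter = @{
    LogName   = 'Microsoft-Windows-AAD/Operational'
    Id        = 1104, 1025, 1241
    StartTime = (Get-Date).AddHours(-1)
}
$aadEvents = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ Name = 'Message'; Expression = { ($_.Message -split "`r?`n")[0] } }

# Report
'== dsregcmd SSO state =='
foreach ($name in $dsregFields) {
    $value = if ($ssoState.ContainsKey($name)) { $ssoState[$name] } else { '<not reported>' }
    '{0,-18}: {1}' -f $name, $value
}

"`n== krbtgt tickets in klist =="
if ($krbtgtTickets) { $krbtgtTickets } else { '(none: no on-prem TGT was obtained)' }

"`n== AAD operational events 1104/1025/1241 (last hour) =="
if ($aadEvents) { $aadEvents | Format-Table -AutoSize } else { '(none)' }

# Reading the output against the thread: the working on-prem-built VM reports OnPremTgt : YES
# and holds an on-prem krbtgt ticket; the failing Azure session hosts report OnPremTgt : NO,
# hold no such ticket, and log 1241 "On-prem configuration is missing". Check AzureAdPrt first:
# the Cloud AP plugin requests the on-prem TGT as part of the PRT-based sign-in, so a device
# with no PRT never gets as far as the on-prem request.
```

Run it once on a host where SSO works and once on a failing session host and diff the two outputs; the three sections line up with the three observations the post makes (dsregcmd, klist, event log) and make it obvious which stage the failing host stops at.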


8 answers

  1. Jaime Bricalli 16 Reputation points
    2024-08-27T22:38:56.5066667+00:00

    Hi,

    Thought I'd post an update from my side....

    We still have issues on Windows 10, basically given up. The local workstation AAD operational logs are misleading, and we don't see any issues on our DCs. Fully patched workstations. Have replaced the DCs (6). The computers just don't appear to even attempt to send a TGT request.

    Good (or bad for some) news though: I've been using AAD joined Windows 11 for the past 6 months, and it has never failed to receive a TGT from our Domain Controllers...

    1 person found this answer helpful.

  2. Givary-MSFT 35,626 Reputation points Microsoft Employee Moderator
    2023-06-20T07:10:50.0866667+00:00

    @Anonymous Apologies for the delay in reaching out to you. Could you help me with the dsregcmd /status output from the device? Also, have you followed the steps mentioned here to configure Kerberos within Azure AD/on-premises: https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises

    Please send us an email on azcommunity [at] microsoft [dot] com referencing this issue with a subject line "ATTN:Givary" so that we can connect offline and troubleshoot further on the same.


  3. Florian Ried 0 Reputation points
    2023-07-10T13:10:14.53+00:00

    Hi James, just came across this topic because I'm currently experiencing the same issue in my setup. I've got the exact same error code. Has the problem been resolved already? It might be really helpful for me if it has. Thanks! 😉



  4. Matt-1904 11 Reputation points
    2023-08-15T13:31:55.47+00:00

    We're seeing this issue too. Not sure if it's linked to why we can't get ESR working.


  5. Ian Fraser 0 Reputation points
    2024-01-10T17:17:12.9733333+00:00

    Hi James, did you get anywhere with this? I'm seeing exactly the same issue, storing my FSLogix profile in a Kerberos-enabled storage account. We are also using a site-to-site VPN. The error starts with: AAD Cloud AP plugin call Lookup name name from SID returned error: 0xC00485D3. I was initially blaming FSLogix, but it is clearly an issue with the session dropping to the storage account. My VMs are AAD joined only.
