7,023 questions
Hi,
This blog has detailed info on the AAD Kerberos setup please check this and review the requirements - https://techcommunity.microsoft.com/t5/itops-talk-blog/deep-dive-how-azure-ad-kerberos-works/ba-p/3070889
About requirements for using Azure AD Kerberos authentication
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 88%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
馬場 勇真
180
Reputation points
When using Azure AD kerberos authentication,
①Do I need to configure Microsoft Intune to make my device compliant?
② Can it be used on devices that have not successfully obtained a Primary Refresh Token (PRT)?
Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Microsoft Security | Microsoft Entra | Microsoft Entra ID
25,151 questions
Microsoft Security | Intune | Other
5,571 questions
Microsoft Security | Microsoft Entra | Other
2,596 questions
{count} votes
-
馬場 勇真 180 Reputation points
2023-10-23T09:41:32+00:00 I found this answer in another Q&A.
To answer your first question, regarding the domain level and forest level requirements for setting up the Azure AD Kerberos server, the specific requirements may vary based on the features and functionality you intend to use. However, in general, to use Azure AD Kerberos server, you need:
- Active Directory domain functional level of Windows Server 2008 or higher: This means your on-premises domain should be running at least Windows Server 2008 domain functional level.
- Azure AD Connect: You should have Azure AD Connect set up and configured to synchronize your on-premises Active Directory with Azure AD.
- Azure AD Premium P1 or P2: You need either Azure AD Premium P1 or P2 licenses assigned to your users. These licenses provide the necessary features for Windows Hello for Business and Azure AD Kerberos server.
Are requirements 3 required? Is Azure AD Kerberos authentication not available with a free license?
-
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator2023-11-10T09:32:34.64+00:00 @馬場 勇真 Just checking in to see if the below answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
Sign in to comment
2 answers
Sort by: Most helpful
-
-
Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
2023-11-06T05:16:36.5266667+00:00 @馬場 勇真 Welcome to Microsoft Q&A Forum, Thank you for posting your query here Apologies for the delay response!
- Do I need to configure Microsoft Intune to make my device compliant?
No, not a requirement. Intune is just one possible way to enable CloudKerberosTicketRetrievalEnabled (and other registry keys if needed). They can either use Intune, or use group policies, or set the registry value manually on each machine.
This doc has information on how to do that: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal
- Can it be used on a device that has not obtained a primary refresh token (PRT)?
Probably not, no. One of our prerequisites is that the machine needs to be Entra joined (formerly known as AAD joined) or hybrid Entra joined (formerly known as hybrid AAD joined). If I’m not mistaken, the machine would receive a PRT in these cases. The Kerberos TGT is also received at the same time as the PRT, so if the machine doesn’t have a PRT that would tell me they probably also aren’t getting the TGT. I think the PRT also plays a role in TGT renewal, but I’m not entirely sure of how this works -- the Windows Kerberos experts will know more on this than I do.
Are they Entra joined or hybrid Entra joined? If not, they need to be. If yes, we can try to understand more about their scenario, why they don’t seem to get a PRT.
There are no additional licensing requirements for Kerberos on Azure AD.
Please let us know if you have any further queries. I’m happy to assist you further.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator2023-11-06T18:04:07.52+00:00 I wanted to check in and see if you had any other questions or if you were able to resolve this issue?
- I also noticed that your recent experience was not helpful, and to better improve our processes and learn from our customers, I'm eager to know what could have been done better.
If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Sign in to comment