Bastion connection with on-prem AD

Kyle Weeks 16 Reputation points
2020-03-18T00:54:47.927+00:00

I'm trying to figure out if connection to an Azure VM is supported via Azure Bastion providing on-prem AD credentials.

The VM is AD bound on a vNet with access to on-prem AD infrastructure.

I can connect to the Azure VM with local admin credentials. Once there, I can runas with on-prem AD credentials, but I cannot figure out how to connect to the VM in the first place via Bastion Host service using on-prem AD credentials.

domain\username, username, username@keyman do not work. Only result in error message

“The target machine is either currently unreachable or username/password is not correct. Please re-verify your credentials. If the problem persists please contact support.”

Is this a support architecture, or is something broken in my NSG?

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,513 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Kyle Weeks 16 Reputation points
    2020-03-19T22:30:53.517+00:00

    Got this solved.

    1. The on-prem AD user is a member of the protected users group.

    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group

    NTLM authentication is disabled for such a user, and since the bastion service is going by IP connection only -- the authentication downgrades to NTLM.

    Problem solved... use a user that can auth with NTLM. So yes - its possible, and you also have to support NTLM until such a time that bastion supports supplying the FQDN of the VM.

    Kyle

    3 people found this answer helpful.