Entra joined device does not receive Kerberos ticket for "custom" SPN

Philipp Näther 20 Reputation points
2024-03-26T19:07:42.9333333+00:00

Hi everyone,

I am currently trying to make our mail system's (not Outlook) SSO work with an Azure/Entra joined device. So the device is not domain joined, it is only Entra joined. But it has line of sight to the on-prem domain controllers, so it actually receives the Kerberos TGT from the on-prem DC and, for example, the ticket for the LDAP service of the DC. But the problem is, the client does not receive the Kerberos ticket for the mail system SPN while being only Entra joined. If I join the device to the on-prem AD, everything works fine: the ticket for the mail system gets granted and I am able to log in seamlessly.

Does anyone have an idea or experience of what can be done here?

Regards,

Philipp

PS: The reason behind going the Entra way is that I want to implement a way for our users to work in the office and mobile / in the home office as seamlessly as possible.


Accepted answer
Givary-MSFT 32,581 Reputation points Microsoft Employee
2024-03-28T05:23:45.4733333+00:00

Hi @Philipp Näther, taking over from Akhilesh, could you help me with the below details:

1. Provide more info on the mail application which is being accessed.
2. When you access the mail application from the on-premises domain-joined device, share the output of klist and dsregcmd /status.
3. When you access the mail application from the Entra joined device, share the output of klist and dsregcmd /status.
4. Was this setup working before?
5. How did you configure SSO?
6. Also, what happens when you access myapps.microsoft.com from the Entra joined device? Does the user experience seamless SSO?
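The answer asks for the output of klist and dsregcmd /status from both devices. The script below is an added example, not code from the thread or from Microsoft: it gathers the join state that dsregcmd reports, lists the service tickets in the Kerberos cache, and checks whether a ticket for the mail system's SPN is present, requesting one with `klist get` if it is not. The SPN `HTTP/mail.example.local` is a constructed placeholder; the thread never names the real SPN, so replace it with the one the mail system registers.

```powershell
# Added diagnostic example (not from the thread). Run on the client being tested.
# $MailSpn is a constructed placeholder; the real SPN comes from the mail system's AD account.
function Test-SpnTicket {
    param(
        [string]$MailSpn = 'HTTP/mail.example.local'   # placeholder SPN, not from the thread
    )

    # 1. Join state. dsregcmd /status prints "Name : Value" lines; keep the ones
    #    relevant here: AzureAdJoined, DomainJoined, EnterpriseJoined, AzureAdPrt.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined|AzureAdPrt)\s*:\s*(\S+)') {
            $state[$matches[1]] = $matches[2]
        }
    }

    # 2. Ticket cache. Every cached ticket has a "Server: <spn> @ <REALM>" line;
    #    a krbtgt/<REALM> entry means the TGT was issued by the on-prem DC.
    $servers = klist |
        Where-Object { $_ -match '^\s*Server:\s*(.+)$' } |
        ForEach-Object { ($_ -replace '^\s*Server:\s*', '').Trim() }

    $hasTgt  = [bool]($servers | Where-Object { $_ -like 'krbtgt/*' })
    $hasLdap = [bool]($servers | Where-Object { $_ -like 'ldap/*' })
    $hasMail = [bool]($servers | Where-Object { $_ -like "$MailSpn*" })

    # 3. If the mail SPN ticket is missing, ask the KDC for it explicitly.
    #    klist get performs the TGS request and prints either the ticket or the
    #    Kerberos error (e.g. the SPN is unknown to the KDC, or no TGT is usable).
    $getOutput = $null
    if (-not $hasMail) {
        $getOutput = (klist get $MailSpn 2>&1) -join "`n"
        $hasMail = $getOutput -match 'Server:\s*' + [regex]::Escape($MailSpn)
    }

    [pscustomobject]@{
        AzureAdJoined    = $state['AzureAdJoined']
        DomainJoined     = $state['DomainJoined']
        EnterpriseJoined = $state['EnterpriseJoined']
        AzureAdPrt       = $state['AzureAdPrt']
        HasOnPremTgt     = $hasTgt
        HasLdapTicket    = $hasLdap
        HasMailSpnTicket = $hasMail
        KlistGetOutput   = $getOutput
        CachedServers    = $servers
    }
}

# Usage: run on each device and compare the two result objects side by side.
Test-SpnTicket -MailSpn 'HTTP/mail.example.local' | Format-List
```

The useful comparison is the pair of objects from the domain-joined and the Entra joined device: if both show `HasOnPremTgt` and `HasLdapTicket` true but only the domain-joined one shows `HasMailSpnTicket` true, the `KlistGetOutput` field from the Entra joined device carries the Kerberos error the KDC returned for that SPN, which is the detail the answer's questions 2 and 3 are after.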
