Kerberos authentication in Azure Bastion

Salvador Relloso Jr 0 Reputation points
2025-03-31T11:57:00.7766667+00:00

We have recently enabled Kerberos authentication on Azure Bastion. Since then, we are experiencing issues when attempting to sign in using the UPN format: ******@contoso.com. This format previously worked without issue, but it is no longer functioning as expected.

Currently, only the following login formats appear to work, and even then, inconsistently:

  • username@<on-premises domain>
  • username (without any domain suffix)

This behavior is affecting usability and access consistency, especially for users who are accustomed to using their UPN for authentication.

Azure Bastion
An Azure service that provides private and fully managed Remote Desktop Protocol (RDP) and Secure Shell (SSH) access to virtual machines.

1 answer

  1. Marcin Policht 43,785 Reputation points MVP
    2025-03-31T12:23:53.6+00:00

    AFAIK, if you're not signing in by using UPN, you are not using Kerberos.

    Review the considerations available at https://learn.microsoft.com/en-us/azure/bastion/kerberos-authentication-portal#considerations and make sure that they do apply to your deployment.

    Btw. your post seems to imply a mismatch between the UPN used in your AD DS environment and Entra ID (in general, they should match).


    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin
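
One way to check for the UPN mismatch mentioned in the answer above, as an added example that is not part of the original thread: the hypothetical function `Find-UpnMismatch` compares each account's Entra ID UPN with the on-premises UPN synchronized from AD DS. The sample records are constructed, and the commented lines at the end assume the Microsoft Graph PowerShell SDK is installed.

```powershell
# Added example: report accounts whose Entra ID UPN differs from the
# on-premises AD DS UPN. Find-UpnMismatch is a hypothetical helper name.
function Find-UpnMismatch {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $User
    )
    process {
        foreach ($u in $User) {
            # Cloud-only accounts carry no on-premises UPN; nothing to compare.
            if ([string]::IsNullOrWhiteSpace($u.OnPremisesUserPrincipalName)) { continue }

            $cloud  = $u.UserPrincipalName.Trim()
            $onPrem = $u.OnPremisesUserPrincipalName.Trim()

            # UPNs are compared case-insensitively.
            if (-not $cloud.Equals($onPrem, [System.StringComparison]::OrdinalIgnoreCase)) {
                [pscustomobject]@{
                    EntraUpn     = $cloud
                    OnPremUpn    = $onPrem
                    EntraSuffix  = $cloud.Split('@')[-1]
                    OnPremSuffix = $onPrem.Split('@')[-1]
                }
            }
        }
    }
}

# Constructed sample records (not real accounts).
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.com'; OnPremisesUserPrincipalName = 'Alice@contoso.com' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.com';   OnPremisesUserPrincipalName = 'bob@corp.contoso.local' }
    [pscustomobject]@{ UserPrincipalName = 'carol@contoso.com'; OnPremisesUserPrincipalName = $null }
)

# Only bob is reported: alice differs in case only, carol is cloud-only.
$sample | Find-UpnMismatch | Format-Table -AutoSize

# Against a live tenant (assumes the Microsoft.Graph.Users module):
# Connect-MgGraph -Scopes 'User.Read.All'
# Get-MgUser -All -Property UserPrincipalName,OnPremisesUserPrincipalName | Find-UpnMismatch
```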

