Enabling Password Hash Sync in Hybrid environment

Question

Enabling Password Hash Sync in Hybrid environment

Ward Anderson 6

I have a bunch of InTune built AzureAD joined laptops right now. I don't have the ability to do offline domain join because I don't have 2016/2019 DCs just yet. So! My issue is with WIA / Kerberos websites and applications not always working due to the lack of Kerberos tickets on these machines over VPN. Was looking at this link: https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-password-hash-sync

I'm wondering if anyone has run the script in the link and if there's any possible negative impact like me locking out a bunch of users or something.

Appreciate any and all responses, I'm just a bit nervous and needed another set of eyes on it.

Thanks!

Answer 1

Danny Zollner 7,016 Microsoft Employee

The doc you linked describes enabling AAD Connect Password Hash Sync's feature to push additional information used by the feature Azure AD Domain Services. That doc isn't relevant to the scenario you outlined (Azure AD Joined laptops having WIA/Kerberos auth issues) in any way that I can tell.

I unfortunately don't have any background on the actual issue you've described, but I'm pretty confident the solution you're looking at will not help.

Ward Anderson 6 Reputation points

2021-02-24T21:37:36.567+00:00

@Danny Zollner Are you sure? It says here:

To use Azure AD DS with accounts synchronized from an on-premises AD DS environment, you need to configure Azure AD Connect to synchronize those password hashes required for NTLM and Kerberos authentication. After Azure AD Connect is configured, an on-premises account creation or password change event also then synchronizes the legacy password hashes to Azure AD.

This is pretty much exactly what I want to do. I have IIS sites or HTTP sites that won't auth properly automatically the same way a domain joined machine would due to the lack of kerberos. It was my understanding that AADDS + this would help.
Danny Zollner 7,016 Reputation points Microsoft Employee

2021-02-24T21:43:42.633+00:00

If your plan is to stand up AADDS and have the websites/apps look towards that for NTLM/Kerb data, it seems more likely that it would work than how I originally understood your scenario, which would be "AAD Joined devices, maybe connected to a corporate network VPN, trying to access websites/apps using <unspecified AD/LDAP directory that I did not understand to be AADDS> as their source for authentication data."
Ward Anderson 6 Reputation points

2021-02-24T21:46:17.807+00:00

From my understanding I needed both AADDS for this and that password hash sync for it to be able to pass NTLM/kerb. I have AAD joined device over a corporate VPN trying to access websites/apps just the same as that scenario. Am I missing something in AADDS to enable this? I selected the user option because it'd mentioned Kerberos.
Danny Zollner 7,016 Reputation points Microsoft Employee

2021-02-24T22:06:41.843+00:00

My area of knowledge is mostly focused on AAD Connect, I don't know enough about the rest of your scenario to comfortably offer guidance. Consider my answer as "If you are using AAD Joined devices and authenticating to apps/websites looking to <anywhere besides AADDS> for their authentication data, this won't help" - if you are using AADDS here, I don't know if what you're proposing will work or not.

Enabling Password Hash Sync in Hybrid environment

1 answer

Activity