Trending on MSDN: Azure AD App Proxy + Azure Domain Services (Kerberos Based application)

Marilee Turscak-MSFT 22,201 Reputation points Microsoft Employee

We have an application which is doing Kerberos authentication. After going through the Azure Domain Services, I got to know that Kerberos-based authentication is supported via AD DS with Azure AD.

Does Azure App Proxy support Kerberos-based authentication with Azure Domain Services, or can it be integrated with any on-premises application as well?

A few queries here:

Q1. For Kerberos-based application support, do we need to use all 3 services, i.e. Azure Domain Services + Azure App Proxy [Kerberos constrained delegation (KCD)]?

Q2. Is Kerberos-based authentication supported with Azure App Proxy (KCD) alone, without the need to deploy Azure Domain Services?

Q3. Will Kerberos-based authentication in Azure Domain Services work inside Azure VMs that are domain-joined to AD DS, or can it work over the internet with Azure App Proxy's help?

We need to make this application accessible for external and partner users.

Sourced from MSDN

Azure Active Directory Domain Services

Accepted answer
  1. Grmacjon-MSFT 9,281 Reputation points

    Welcome to the Microsoft Q&A (Preview) platform. Happy to answer your question.

    Azure AD App Proxy and Azure ADDS are independent features and are not dependent on each other.

    Azure AD App Proxy works directly with on-premises applications and is better suited in your scenario. Azure ADDS supports Kerberos authentication on devices which are joined to the domain in AAD DS.

    1. No, you do not need all the 3 services.
    2. Yes, KCD is supported directly with App proxy. Reference this document.
    3. It will work only with the machines which have a line of sight with the DCs internally. It will not work over the internet.

    Please let us know if you have further questions.

    Sourced from MSDN
