Forum Discussion

FGomezD
Copper Contributor
Feb 13, 2025

Azure AD joined only: access on-prem resource

Hi,

I have the following situation: I have an Azure AVD host that is joined to Azure AD only.

From dsregcmd /status I have the following:

Device State:

+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+

             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
           Virtual Desktop : NOT SET
               Device Name : COMPUTERNAME

+----------------------------------------------------------------------+
| SSO State                                                            |
+----------------------------------------------------------------------+

                AzureAdPrt : YES
      AzureAdPrtUpdateTime : 2025-02-13 12:57:47.000 UTC
      AzureAdPrtExpiryTime : 2025-02-27 14:22:41.000 UTC


+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

        AadRecoveryEnabled : NO
    Executing Account Name : DOMAINNAME\samaccount, FQDN


+----------------------------------------------------------------------+
| Ngc Prerequisite Check                                               |
+----------------------------------------------------------------------+

            IsDeviceJoined : YES
             IsUserAzureAD : YES
             PolicyEnabled : YES
          PostLogonEnabled : YES
            DeviceEligible : NO
        SessionIsNotRemote : NO
            CertEnrollment : none
              PreReqResult : WillNotProvision

However, when I connect to the on-prem resource I get an authentication prompt; when I type in my username and password I can access the share.

I do not get a Kerberos ticket back.

klist remains empty (cached tickets: 0).

It's not clear to me whether it is required to have cloud Kerberos trust enabled if you don't use Windows Hello for Business or passwordless authentication.

https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#rotate-the-azure-ad-kerberos-server-key?WT.mc_id=ES-MVP-5004117

https://www.tbone.se/2023/02/03/azure-ad-kerberos/

Do I need the Kerberos object in AD even if I don't use keyless or Hello for Business?

Anybody that can help on this?


2 Replies

  • ElenaMia
    Copper Contributor

    Hello, it seems that your Azure AD–joined device is unable to acquire a Kerberos ticket when attempting to access on-premises resources. This issue likely stems from the absence of a configured cloud Kerberos trust. Please note that, regardless of whether Windows Hello for Business or passwordless authentication is in use, seamless Kerberos-based single sign-on to on-premises resources still necessitates a correctly configured Kerberos object in Active Directory. https://www.damcogroup.com

  • Hi, it appears that your Azure AD–joined device isn’t obtaining a Kerberos ticket when accessing on-prem resources because the cloud Kerberos trust isn’t set up. Even if you're not using Windows Hello for Business or passwordless authentication, seamless Kerberos SSO to on-prem resources still requires a properly configured Kerberos object in AD.

    In other words, if you want your device to obtain a Kerberos ticket and avoid credential prompts, you'll need to configure the cloud Kerberos trust. Without this configuration, your device won’t automatically receive a Kerberos ticket and will likely fall back to NTLM or prompt for credentials.

    I hope this clarifies the situation.
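The two replies above say that the Microsoft Entra Kerberos server object has to exist in on-prem AD before an Entra-joined device can get a Kerberos ticket for on-prem resources. The following is an added example, written for this page and not posted by anyone in the thread, showing how an admin checks for that object with the AzureADHybridAuthenticationManagement module, creates it if it is missing, and then confirms on the client that a cloud TGT is now issued. The domain name, the admin UPN and the file server SPN are placeholders you must replace; the property names come from the module's Get-AzureADKerberosServer output.

```powershell
# ----- Part 1: on a domain-joined admin workstation or DC -----
# One-time install of the module that manages the Entra Kerberos server object.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

$domain     = "corp.example.com"                 # placeholder: on-prem AD domain FQDN
$cloudAdmin = "admin@example.onmicrosoft.com"    # placeholder: Hybrid Identity Administrator UPN
$domainCred = Get-Credential -Message "Domain Admin for $domain"

# Read the current state. If no object exists, the returned record has an empty Id
# (assumption about how "not configured" shows up; treat any empty Id as "absent").
$ks = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred

if (-not $ks.Id) {
    Write-Host "No Entra Kerberos server object in $domain; creating it."
    # Creates the AzureADKerberos computer object and krbtgt_AzureAD user in AD
    # and publishes the key to Entra ID. Run once per domain.
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred
    $ks = Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred
}

# The on-prem and cloud copies must agree; a KeyVersion/CloudKeyVersion mismatch
# means the cloud side is stale and the key has to be re-published.
$ks | Format-List Id, DomainDnsName, KeyVersion, KeyUpdatedOn, CloudId, CloudKeyVersion, CloudKeyUpdatedOn
if ($ks.KeyVersion -ne $ks.CloudKeyVersion) {
    Write-Warning "Key version mismatch; re-publishing the key to Entra ID."
    Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred
}

# Periodic rotation (the step the first link in the question refers to):
#   Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin -DomainCredential $domainCred -RotateServerKey

# ----- Part 2: on the Entra-joined AVD host, after the user signs out and back in -----
# Newer Windows builds add OnPremTgt / CloudTgt rows to the SSO State section; both
# should read YES once the trust works.
dsregcmd /status | Select-String -Pattern 'AzureAdPrt ', 'OnPremTgt', 'CloudTgt'

# With the trust in place klist shows a TGT for krbtgt/KERBEROS.MICROSOFTONLINE.COM.
klist

# Force a service-ticket request for the share instead of relying on the prompt;
# the SPN is a placeholder. Success here means the on-prem DC exchanged the cloud
# TGT for a real one and issued the CIFS ticket without a credential prompt.
klist get "cifs/fileserver.corp.example.com"
klist
```

Prerequisites the script does not check for you: the user signing in to the AVD host must be a hybrid identity (synced from the on-prem AD domain, not a cloud-only account), the host needs network line of sight to a domain controller for the ticket exchange, and the Windows build must support cloud Kerberos trust. If any of those is missing you still get the NTLM fallback or credential prompt the second reply describes, even with the object present.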