Kerberos Realm Domain Trust setup between the two domains - Authenticate automatically


We’ve established an Azure Virtual Desktop environment for our client ClientDomain Transport using AADDS:

Joined to: aadds.ClientDomain.com.au
UPN Suffix: ClientDomain.com.au
UPN (pre-Windows 2000): AADDS\


We’ve also run a test migration of their existing onsite infrastructure to Azure, maintaining the existing AD DS. This includes domain controllers, file servers, SQL servers etc.

Joined to: ClientDomain.local
UPN Suffix: ClientDomain.com.au
UPN (pre-Windows 2000): ClientDomain\


Users and Groups are synced from AD DS up to Azure using Azure AD Connect, so the directory is almost the same in both environments.

We have a Kerberos Realm Domain Trust setup between the two domains.


However, we currently can’t authenticate automatically between the domains.

Example:

  1. User email address removed for privacy reasons is logged into AVD (which sits in aadds.ClientDomain.com.au).
  2. User tries to access \\<server IP> (which is in AD DS ClientDomain.local) in File Explorer.
  3. Credentials are incorrect and Windows prompts for authentication, automatically prepending AADDS\ to the login window.
  4. User manually inputs credentials with the @ClientDomain.com.au domain suffix and the connection is successful.


We are also experiencing similar issues when trying to use Windows Authentication with the SQL servers in the ClientDomain.local domain.


What do we need to do to allow AADDS users to authenticate with AD DS resources automatically?

1 Reply

Hi @BlairMuller,

To allow AADDS users to authenticate with AD DS resources automatically, you need to configure the following:

  1. Kerberos realm trust: Make sure that the two domains are configured to trust each other, and that the trust relationship is bidirectional.
  2. SPNs: Register the SPNs for the AD DS resources that the AADDS users need to access.
  3. Permissions: Make sure that the AADDS users have the appropriate permissions on the AD DS resources.
  4. UPN suffix: Make sure that the AADDS users are using the UPN suffix of the AADDS domain when they authenticate to the AD DS resources.

Here are some additional tips for troubleshooting authentication issues between AADDS and AD DS:

  • Make sure that the time and date are synchronized between the two domains.
  • Make sure that the DNS servers are configured correctly.
  • Make sure that the firewall is not blocking any necessary traffic.

Here are some useful links to this issue:



Kindest regards,


Leon Pavesic
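The checklist in the reply (trust direction, SPNs, DNS, time sync) can be verified from a session on the AADDS side before touching permissions. The script below is an added example, not code from the thread; it assumes RSAT (ActiveDirectory and DnsClient modules) on an AADDS-joined host, and the hostnames fs01 and dc01 are placeholders for the real file server and on-premises DC.

```powershell
# Added verification script (not from the thread). Checks, from an AADDS-joined
# machine with RSAT, the items the reply lists. Host names are placeholders.
param(
    [string]$OnPremDomain = 'ClientDomain.local',        # AD DS side of the trust
    [string]$AaddsDomain  = 'aadds.ClientDomain.com.au', # managed-domain side
    [string]$FileServer   = 'fs01.ClientDomain.local',   # hypothetical FQDN of \\<server IP>
    [string]$OnPremDc     = 'dc01.ClientDomain.local'    # hypothetical on-prem DC for time check
)
Import-Module ActiveDirectory, DnsClient

# 1. Trust: the reply says it must exist and be bidirectional.
$trust = Get-ADTrust -Filter "Name -eq '$OnPremDomain'" -ErrorAction SilentlyContinue
if (-not $trust) { Write-Warning "No trust object for $OnPremDomain found in $AaddsDomain" }
elseif ($trust.Direction -ne 'BiDirectional') { Write-Warning "Trust is $($trust.Direction), not BiDirectional" }
else { "Trust to $OnPremDomain is BiDirectional (type: $($trust.TrustType))" }

# 2. DNS: each side must resolve the other's Kerberos SRV records.
foreach ($d in $OnPremDomain, $AaddsDomain) {
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$d" -Type SRV -ErrorAction SilentlyContinue
    if ($srv) { "KDC SRV for $d -> $($srv.NameTarget -join ', ')" }
    else      { Write-Warning "Cannot resolve _kerberos._tcp.$d from this host" }
}

# 3. Time skew: Kerberos rejects tickets when clocks differ by more than 5 minutes.
w32tm /stripchart /computer:$OnPremDc /samples:1 /dataonly

# 4. SPNs: the target needs a cifs/<fqdn> (or HOST/<fqdn>) SPN registered.
$computerName = $FileServer.Split('.')[0]
$spns = (Get-ADComputer -Identity $computerName -Server $OnPremDomain `
            -Properties servicePrincipalName).servicePrincipalName
$pattern = '^(cifs|HOST)/' + [regex]::Escape($FileServer) + '$'
if ($spns -match $pattern) { "SPN present for $FileServer" }
else { Write-Warning "No cifs/HOST SPN for $FileServer; register one with: setspn -S cifs/$FileServer $computerName" }

# 5. Ticket test: request a service ticket by FQDN. An IP address has no SPN,
#    so \\<server IP> cannot use Kerberos and falls back to NTLM, which is why
#    the symptom in the question appears with the IP path.
klist purge | Out-Null
klist get "cifs/$FileServer"
klist | Select-String 'cifs/'
```

If step 5 issues a ticket by FQDN but the IP path still prompts, the failing path is NTLM rather than Kerberos, and mapping the share by name is the quickest fix for the file-server case.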