Cloud Kerberos - Failed to read secrets from the domain

Question

Hi all,&nbsp;Apologies if this is the wrong place to post this!&nbsp;I am looking at understanding Cloud Kerberos and the uses behind it, primarily for WHfB for now. Following the guide on the Microsoft page, I get an error when running on the DCPasswordless security key sign-in to on-premises resources - Microsoft Entra ID | Microsoft Learn&nbsp;&nbsp;&nbsp;Set-AzureADKerberosServer : Failed to read secrets from the domain DOMAIN.LOCAL.&nbsp;&nbsp;The lab environment has 2 DCs at different sites but replicate between each other without issue.&nbsp;&nbsp;The process creates an entry in AD but when I run the command below (GA details is an address, just changed for the forum post)&nbsp;Get-AzureADKerberosServer -Domain $domain -UserPrincipalName "GA details" -DomainCredential $domainCred&nbsp;&nbsp;I get the output below...&nbsp;Id                 : 16451
UserAccount        : CN=krbtgt_AzureAD,CN=Users,DC=DOMAIN,DC=LOCAL
ComputerAccount    : CN=AzureADKerberos,OU=Domain Controllers,DC=DOMAIN,DC=LOCAL
DisplayName        : krbtgt_16451
DomainDnsName      : DOMAIN.LOCAL
KeyVersion         : 1598799
KeyUpdatedOn       : 27/07/2024 06:41:15
KeyUpdatedFrom     : PDC.DOMAIN.LOCAL
CloudDisplayName   : 
CloudDomainDnsName : 
CloudId            : 
CloudKeyVersion    : 
CloudKeyUpdatedOn  : 
CloudTrustDisplay  : &nbsp;&nbsp;Can you advise why the secrets aren't being found and the cloud information not populated?&nbsp;This is a lab enviroment so if needed, we can get a bit rough with it.&nbsp;Any help would be welcomed.&nbsp;Kind regardsTom&nbsp;

joachim dissing · Answer

Twrriglesworth&nbsp;I got my problem fixed the following wayHad to run the commands from the AD Connect server (the module uses ADconnect dll's).Also had to run the command import-module .\AzureAdKerberos.psd1 from the directory where the module is installed (under programfiles)Set the $cloudcred and $domaincred in variables then the command worked.&nbsp;/Joachim&nbsp;

simonthomson · Answer

I ran the&nbsp;Set-AzureADKerberosServer&nbsp; from my laptop with the latest&nbsp;AzureADHybridAuthenticationManagement&nbsp; module installed with GA and DA accounts. Likewise it failed with message "Set-AzureADKerberosServer: Failed to read secrets from domain..."&nbsp;The Get-AzureADKerberosServer command then only showed the values for the top half of the listed parameters, the "cloudxxxx" ones in the bottom half of the list being blank.The AzureADKerberos computer object had been created, but obviously something was wrong...&nbsp;I backed out and cleaned up with Remove-AzureADKerberosServer&nbsp; which removed the computer object.&nbsp;After seeing this post, I tried running the powershell on our AD Connect server. This worked seamlessly!&nbsp;It seems that&nbsp; C:\Program Files\Microsoft Azure Active Directory Connect\AzureADKerberos\AzureAdKerberos.psd1&nbsp; on an AD Connect server is needed.&nbsp;Be handy if this was mentioned in the MS instructions:&nbsp; &nbsp;Passwordless security key sign-in to on-premises resources - Microsoft Entra ID | Microsoft Learn

jason_shaffer · Answer

I had the exact same experience, except I did not have to remove the existing object. Once I ran the commands from the AD Connect server, and did not receive the "failed to read secrets..." error, Kerberos auth started to work.

It does seem like there's more needed than just an "import-module AzureADHybridAuthenticationManagement", which did not error on my laptop, it just didn't work.

chris_toffer0707 · Answer

Hi. Could you please share the complete set of command lines you use in the creation process?
Also, what version of Windows Server and Domain/Forest levels are you running?

Also just to confirm, you are running Entra Connect Sync from on-premise AD to Entra ID?

joachim dissing · Answer

Twrriglesworth&nbsp;I have the same issue. Did you find a solution to your problem ?&nbsp;Br. Joachim

Forum Discussion

Cloud Kerberos - Failed to read secrets from the domain

Share

Resources