Windows Hello for Business Cloud Kerberos Trust | Part 1

A simplified deployment experience for Passwordless Security Key Sign-in. Cloud Kerberos trust uses Microsoft Entra Kerberos, a cloud-based service that can issue Kerberos tickets for one or more AD domains, without requiring a PKI or additional servers.

In this blog post series, I will show how to deploy Windows Hello for Business using the Cloud Kerberos Trust deployment model.

Part 1 covers creating the Kerberos server account that enables Cloud Kerberos Trust. Stay tuned for the next posts in this series, where we enable Windows Hello for Business using Group Policy and Microsoft Intune. I’ll also cover rotating the krbtgt encryption keys of the Microsoft Entra Kerberos server.


What is Windows Hello for Business Cloud Kerberos Trust?

Windows Hello for Business is a modern, secure, and convenient way to sign into Windows devices and access resources with a user gesture, such as a PIN, biometric, or security key. Windows Hello for Business replaces passwords with strong two-factor authentication that is tied to the device and the user.

Windows Hello for Business can use different methods to authenticate users and request Kerberos tickets from Active Directory (AD) domain controllers. One of these methods is cloud Kerberos trust, which uses Microsoft Entra Kerberos, a cloud-based service that can issue Kerberos tickets for one or more AD domains.


What are the benefits of Windows Hello for Business Cloud Kerberos Trust?

Windows Hello for Business cloud Kerberos trust offers several advantages over the traditional key trust model, such as:

  • Simplified deployment: Cloud Kerberos trust does not require a public key infrastructure (PKI) to issue certificates for users and devices. Instead, it uses Microsoft Entra ID, a cloud identity provider that can validate users and devices and issue Kerberos tickets.
  • Reduced infrastructure: Cloud Kerberos trust does not require additional servers or network devices to support Windows Hello for Business. It only requires a minimal configuration on the AD domain controllers and the Azure AD Connect server.
  • Enhanced security: Cloud Kerberos trust leverages the security features of Microsoft Entra Kerberos, such as encryption, signing, and replay protection. It also supports security key sign-in, which uses a physical device that users plug into their computer or tap with NFC to authenticate.
  • Seamless user experience: Cloud Kerberos trust provides a consistent and familiar sign-in experience for users across Windows devices and AD-based resources. Users can use their Windows Hello for Business gesture or security key to sign into their device, access network shares, printers, or applications that use Kerberos authentication.

Set up a trusty connection with the cloud using Kerberos.

Welcome to the tutorial on how to set up the Kerberos server object for cloud Kerberos trust. This is a crucial step for enabling secure authentication between your on-premises and cloud resources. In this section, you will learn how to create the server object in Active Directory. Let’s get started.


Install the required Windows PowerShell Module.

I used this command in Windows PowerShell as Administrator to install the Azure AD Hybrid Authentication Management module. This module enables hybrid identity organizations (those with Active Directory on-premises) to use modern credentials for their applications and trust Azure AD for cloud and on-premises authentication.

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

The module I want to install is not shipped with Windows, so it has to be downloaded from an external repository (the PowerShell Gallery). Before doing that, PowerShell asks me to confirm that I trust the repository and that I accept the module’s terms and conditions. This is a security measure to prevent installing malicious or incompatible code on my device.



To start the installation of the module, please type Y and press Enter. This will confirm your action.



The installation completed successfully, with no errors and no further prompts.



Create the Kerberos server object using Windows PowerShell

I followed example 3 from the Microsoft Learn documentation and copied the PowerShell code into PowerShell ISE. Then, I replaced the UserPrincipalName (UPN) with the UPN of my tenant’s Global Administrator.



When I run the script, it asks me to type in the credentials of my on-prem Active Directory Domain Administrator account.



Next, it asks me to enter the information for the Global Administrator account.



Instead of typing a password, I’ll use the Microsoft Authenticator App to log in.



I use the usual number matching method for signing in without a password.



The cmdlet prints no message to indicate that the configuration finished without errors, so we have to query the Entra ID Kerberos server information to verify that the object was created correctly.



To view the details of the Entra ID Kerberos Server account, run the Get-AzureADKerberosServer command as shown in the Microsoft Docs example. Use the UPN (username@domain.com) format to specify the Active Directory Domain Admin account, instead of domain\username.



Verify the existence of both the user and the computer account in the domain.



The user and computer accounts can also be verified using Active Directory Users and Computers (dsa.msc). The computer object should be in the Domain Controllers OU.



The object’s properties show it as an RODC (Read-Only Domain Controller) account.
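The steps above, collected into one script. This is an added example, not the post’s own code and not Microsoft’s sample; it assumes an elevated Windows PowerShell session on a domain-joined machine with the ActiveDirectory RSAT module available, and the Global Administrator UPN is a placeholder to replace with your own. The property names read back from Get-AzureADKerberosServer (Id, KeyVersion, CloudKeyVersion, UserAccount, ComputerAccount) are those shown in the cmdlet’s documented output.

```powershell
# Added example (not the author's script or Microsoft's sample): create the
# Microsoft Entra Kerberos server object for cloud Kerberos trust and verify
# the result on both the cloud and the on-premises side.
# Assumptions: elevated Windows PowerShell, domain-joined machine, RSAT
# ActiveDirectory module present; the UPN below is a placeholder.

# 1. Make sure the hybrid authentication module is present. The first install
#    pulls it from the PowerShell Gallery, which is where the trust prompt
#    described in the post comes from.
if (-not (Get-Module -ListAvailable -Name AzureADHybridAuthenticationManagement)) {
    Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
}
Import-Module AzureADHybridAuthenticationManagement

# 2. Inputs: the on-premises domain that receives the object, the cloud admin
#    UPN, and an on-premises Domain Administrator credential entered in UPN
#    format (username@domain.com), as the post recommends.
$domain            = $env:USERDNSDOMAIN
$userPrincipalName = "globaladmin@contoso.onmicrosoft.com"   # placeholder
$domainCred        = Get-Credential -Message "On-premises Domain Administrator (username@domain.com)"

# 3. Create the object in Active Directory and publish it to Microsoft Entra ID.
#    The cloud sign-in opens interactively, so Authenticator number matching
#    works here instead of a password.
Set-AzureADKerberosServer -Domain $domain `
                          -UserPrincipalName $userPrincipalName `
                          -DomainCredential $domainCred

# 4. The cmdlet is silent on success, so read the object back and check it.
$server = Get-AzureADKerberosServer -Domain $domain `
                                    -UserPrincipalName $userPrincipalName `
                                    -DomainCredential $domainCred
$server | Format-List

if (-not $server.Id) {
    throw "No Entra Kerberos server object was returned for $domain."
}
if ($server.KeyVersion -ne $server.CloudKeyVersion) {
    Write-Warning "On-premises key version $($server.KeyVersion) differs from cloud key version $($server.CloudKeyVersion)."
}

# 5. Confirm the two on-premises accounts exist and that the computer object
#    sits in the Domain Controllers OU, the same check the post does in dsa.msc.
Import-Module ActiveDirectory
$userObj     = Get-ADObject -Identity $server.UserAccount     -Properties objectClass
$computerObj = Get-ADObject -Identity $server.ComputerAccount -Properties objectClass, primaryGroupID

"User account    : $($userObj.DistinguishedName) ($($userObj.objectClass))"
"Computer account: $($computerObj.DistinguishedName) ($($computerObj.objectClass))"

if ($server.ComputerAccount -notlike "*OU=Domain Controllers,*") {
    Write-Warning "Computer object is not under the Domain Controllers OU."
}

# Primary group RID 521 is the well-known Read-only Domain Controllers group,
# which is what makes the object appear as an RODC account in its properties.
if ($computerObj.primaryGroupID -eq 521) {
    "Computer object's primary group is Read-only Domain Controllers (RID 521)."
}
```

Run it once per AD domain that should trust Microsoft Entra Kerberos. The key-version comparison is the quickest health check after creation and again after a key rotation: when the on-premises and cloud versions disagree, the object was published on one side but not the other.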



Summary

You can create the Entra ID Kerberos server account with the Azure AD Hybrid Authentication Management module in PowerShell. This allows you to use Kerberos Cloud Trust for a simpler Windows Hello for Business deployment.

In part 2 of this series, I’ll show you how to enable Windows Hello for Business with Group Policy and Microsoft Intune.


Resources

Windows Hello for Business links:

Passwordless security key sign-in to on-premises resources – Microsoft Entra ID | Microsoft Learn

Windows Hello for Business cloud Kerberos trust deployment – Windows Security | Microsoft Learn

