Eliminating the line-of-sight requirement to an on-premises domain controller is a crucial step in a Zero Trust strategy. Microsoft Entra Kerberos bridges the gap between legacy applications and modern cloud identity.
The Challenge with Legacy Authentication
As organizations move to the cloud, legacy authentication protocols like NTLM and Kerberos often stand in the way. Traditional Kerberos requires a direct line-of-sight to an on-premises Active Directory Domain Controller (DC). For remote workers, this usually meant maintaining complex VPN infrastructures just to access legacy applications or on-premises file shares.
Enter Microsoft Entra Kerberos
Microsoft Entra Kerberos (previously known as Azure AD Kerberos) shifts the Kerberos Ticket Granting Ticket (TGT) issuance to the cloud. When users authenticate against Entra ID, they receive a cloud-issued Kerberos ticket alongside their standard OAuth/OIDC tokens.
Cloud Kerberos Authentication Flow
No Line-of-Sight
Users can access Kerberos-reliant resources over the internet without needing a direct connection or VPN to on-premises DCs.
Passwordless Ready
Unlocks the ability to use modern, phishing-resistant credentials like FIDO2 security keys or Windows Hello for Business for legacy app access.
Azure Files Support
Seamlessly access Azure Files over SMB using cloud-only or hybrid identities, without syncing passwords back on-premises.
Primary Use Cases
1. Azure Files over SMB
One of the most common drivers for deploying Entra Kerberos is enabling secure SMB access to Azure Files. By integrating Entra Kerberos, organizations can enforce modern Conditional Access policies, multi-factor authentication (MFA), and passwordless flows when accessing shared cloud storage.
2. Cloud Trust for Windows Hello for Business
Microsoft Entra Kerberos simplifies the deployment of Windows Hello for Business (WHfB) by enabling the "Cloud Trust" deployment model. This model removes the requirement for complex PKI (Public Key Infrastructure) setups, allowing faster and simpler rollouts of passwordless authentication to endpoints.
Implementation Guardrails
When designing an Entra Kerberos architecture, consider the following:
- Hybrid Identity: Users must be synchronized from on-premises AD to Entra ID (using Entra Connect or Cloud Sync). Cloud-only users currently have limited support depending on the exact workload (e.g., supported for Azure Files but not legacy on-prem apps).
- Endpoint Readiness: Windows 10/11 devices must be Entra Joined or Hybrid Entra Joined and running a supported build.
- Security Configuration: Ensure your Entra ID Kerberos Server object (`krbtgt_AzureAD`) is securely managed and rotated according to best practices.
# Install the AzureADKerberos module
Install-Module -Name AzureADKerberos
# Set up the Entra ID Kerberos Server object
Set-AzureADKerberosServer -Domain "contoso.com" -UserPrincipalName "krbtgt_AzureAD@contoso.com"
Conclusion
Microsoft Entra Kerberos is a vital transitional technology. It allows organizations to decouple their endpoints from legacy on-premises infrastructure while maintaining access to critical resources that have not yet been modernized.
Need assistance mapping out your transition to modern identity? Let's discuss your Zero Trust journey.