Press ESC to close

Maxime RastelloMaxime Rastello Microsoft 365, Azure, Identity, Security & Compliance, Enterprise Mobility, Workplace

Use Azure AD Cloud Kerberos ticket for on-premises resources

Microsoft has released for a long time now the ability for Azure Active Directory (now Microsoft Entra ID) to deliver a cloud Kerberos ticket when a user opens its Windows session.

Cloud Kerberos trust has been used by several Microsoft products in the past few years:

This diagram shows how a device authenticates to a cloud storage account using Azure AD Kerberos authentication:


I’ve been able to test the following scenarios:

    • Authenticate to a Kerberos-based web application hosted on a domain-joined IIS server (doc here)

    • Authenticate to Exchange Server web services (OWA, ECP, Autodiscover, EWS…) when Kerberos authentication is enabled with ASA Credential (doc here)


Using an Azure AD Kerberos ticket instead of an Active Directory Kerberos ticket could be useful in the following situations:



To be able to leverage Azure AD Kerberos authentication, the following prerequisites must be met:

    • Your web application is configured to use Active Directory Kerberos Authentication

    • Users must be synced from AD to Azure AD

    • Azure AD Kerberos Trust must be configured using the Azure AD Hybrid Authentication Management PowerShell module (doc here)

    • Cloud Kerberos retrieval must be activated at user logon on the device by one of the following methods:

      CSP : Kerberos/CloudKerberosTicketRetrievalEnabled set to 1

      : Administrative Templates\System\Kerberos\Allow retrieving the Azure AD Kerberos Ticket Granting Ticket during logon

      : reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1


How it works

When Azure AD Kerberos Trust is properly configured, a Cloud Kerberos ticket is generated for the user when you first log on to a Windows or Windows Server machine.

You can see the Kerberos tickets currently available by using the klist command:


The principle is simple: we will configure your Windows workstation to map a Kerberos web app authentication with this Cloud Kerberos ticket using the cloud realm KERBEROS.MICROSOFTONLINE.COM



Kerberos realm configuration

To map the Cloud Kerberos ticket with your on-premises web apps, we will use the setting Hostname to Kerberos realm mappingsYou can configure this setting using:

    • A Group Policy Object (GPO)

    • A Microsoft Intune Settings catalog profile

    • A command line

Using GPO

    1. Create a new GPO and link it to your workstations

    2. Go to Computer Configuration > Administrative Templates > System > Kerberos and configure the parameter Define host name-to-Kerberos realm mapping

    3. Create a new entry with the following values:
        • Value: <AppFQDN1>;<AppFQDN2>



Using Microsoft Intune

    1.  Create a new Windows configuration profile using Settings Catalog

    2. Go to Administrative Templates > System > Kerberos and add the setting Define host name-to-Kerberos realm mapping

    3. Set the following parameters:
        • Value: <AppFQDN1>;<AppFQDN2>



Using Command Line

    1. Open a Command Prompt or a PowerShell console as an administrator

    2. Enter the following command:

      ksetup /addhosttorealmmap <AppFQDN> KERBEROS.MICROSOFTONLINE.COM



This will create a new registry key in HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\HostToRealm