Implementing Cloud Kerberos Trust with Multiple On-premises AD Forests
I have a question about setting up Cloud Kerberos trust in an environment with multiple on-premises Active Directory (AD) forests that are configured with domain trusts between them.
Is it sufficient to configure Cloud Kerberos trust for only one on-premises AD forest, or is it necessary to set it up for each of the AD forests connected by domain trusts?
Has anyone done something like this?
1 answer
-
Anonymous
Hello,
Thank you for posting in Q&A forum.
Yes, we need to configure Cloud Kerberos trust for every AD forest. Here are the steps to follow:
1.Enable Entra Kerberos in every domain involved in all forest.
2.Create AzureADKerberos Computer Object: For each AD forest, create an AzureADKerberos computer object in the respective domain. This object acts as a read-only domain controller (RODC) and is used by Microsoft Entra ID to generate Ticket Granting Tickets (TGTs)1.
3.Configure Cloud Kerberos Trust on endpoints via GPO or Intune.
4.Verify the configuration and ensure that users can authenticate via Cloud Kerberos Trust.
For further details, please refer to below Microsoft Official Documentation:
To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.
Best Regards
Zunhui
-
David Rukavina 20 Reputation points
The previous answer is incorrect, once you have a TGT for your primary domain, you can request service tickets as normal to any available service within the forest or any trusted forest. It's just a different authentication flow than direct AD authentication, after that it's regular kerberos.
Multi-forest is not mentioned in the Microsoft documentation, and searching yields little information besides this forum question, so I hope this helps someone out 🙂
Sign in to comment -