NEW Native Azure AD KERBEROS!!!

  • Published 29 Jul 2024
  • Yes, you are reading that title right! Azure AD now supports native Kerberos. In this video I explore how and what works with it today!
    🔎 Looking for content on a particular topic? Search the channel. If I have something it will be there!
    ▬▬▬▬▬▬ C H A P T E R S ⏰ ▬▬▬▬▬▬
    0:00 - Introduction
    0:30 - Azure AD and AD auth basics
    2:07 - Native Azure AD Kerberos
    3:19 - Requirements and components
    4:40 - Client required policy
    5:40 - My environment and ticket overview
    6:49 - Service support for the Kerberos
    8:38 - Kerberos and 3-headed dogs
    11:22 - Shared secret requirements
    13:03 - Demo with Azure Files access
    14:48 - Seeing the tickets
    17:45 - Few more useful commands
    19:30 - Summary of tickets
    21:25 - Close
    ▬▬▬▬▬▬ K E Y L I N K S 🔗 ▬▬▬▬▬▬
    ► Azure Storage AAD step-by-step:
    🔗 docs.microsoft.com/azure/virt...
    ► My sample file for the demo:
    🔗 github.com/johnthebrit/Random...
    ▬▬▬▬▬▬ Want to learn more? 🚀 ▬▬▬▬▬▬
    📖 Recommended Learning Path for Azure
    🔗 learn.onboardtoazure.com
    📅 Weekly Azure Update
    🔗 • Azure Infrastructure U...
    ☁ Azure Master Class
    🔗 • Microsoft Azure Master...
    ⚙ DevOps Master Class
    🔗 • DevOps Master Class
    💻 PowerShell Master Class
    🔗 • PowerShell Master Class
    🎓 Certification Cram Videos
    🔗 • Microsoft Certificatio...
    ❔ Question about my setup?
    🔗 • My Setup
    SUBSCRIBE ✅ / @ntfaqguy
    #microsoft #azure #johnsavillstechnicaltraining #onboardtoazure #cloud
  • Science & Technology

COMMENTS • 46

  • @NTFAQGuy
    @NTFAQGuy 2 years ago +8

    Yes, you read that right! Native Kerberos with Azure AD! Please make sure to read the description for the chapters and key information about this video and others.
    ⚠️ P L E A S E N O T E ⚠️
    🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there!
    🕰️ I don't discuss future content nor take requests for future content so please don't ask 😇
    Thanks for watching!
    ☁️🤙💪

  • @marktyler6832
    @marktyler6832 2 years ago

    John your breadth and depth of knowledge never ceases to amaze - keep up the good work sir

  • @Slayer_of_Asian_Stacys
    @Slayer_of_Asian_Stacys 2 years ago +8

    Thanks for sharing. Funny thing is I was literally studying for the new AZ-800 (Windows Server Hybrid setup) certification this whole day. AZ-800 is still in beta and was only released this December 7. It emphasizes that Azure AD doesn't support Kerberos authentication, and we have to work around it. Now you're saying it's already in preview. Crazy how fast things change and improve. I think I don't need to rush studying for it now since it's still in beta and many things might change, and the provided learning materials might be outdated a couple of months from now.

  • @jgrote
    @jgrote 2 years ago +7

    This video looks like it took a while to play around and put together. Thanks for feeling your way through it for us!

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +2

      Yes, it did :-D Started from scratch a few times :-D

  • @TheMaevian
    @TheMaevian 5 months ago

    This video was not only a good explanation of the Azure AD, it was also a good explanation of Kerberos

  • @BuggageandGlitchage
    @BuggageandGlitchage 2 years ago

    So cool! Looks like that’s my weekend tied up.

  • @pkaycr
    @pkaycr 2 years ago

    Thanks again for sharing 🙌

  • @veljom
    @veljom 2 years ago

    Thanks, this is a great video!

  • @Easyn_
    @Easyn_ 2 years ago

    Thanks John!

  • @jlou65535
    @jlou65535 2 years ago

    Very good video John, as usual. I also tested that solution and am now waiting for the next features ;)

  • @juanpabloguerra9512
    @juanpabloguerra9512 2 years ago

    John is the GOAT! Thanks :)

  • @GiovanniOrlandoi7
    @GiovanniOrlandoi7 2 years ago

    Great video!

  • @iNekdima
    @iNekdima 2 years ago +1

    Never thought this day would come.

  • @laughtonsm
    @laughtonsm 2 years ago +1

    This is a great addition! I’m a little disappointed that cloud-only support isn’t there from the off though, as this scenario seems to get ‘forgotten’ about on a regular basis.

  • @blizzyTX
    @blizzyTX 2 years ago +3

    ...this is both heartbreaking and wonderful at the same time. My org was eager to leave Kerberos behind, but now I see a use case...dang it.

  • @charliemelga7445
    @charliemelga7445 2 years ago

    Great video, no one explains things as well as you Mr Savill :)

  • @simonkeen9776
    @simonkeen9776 2 years ago

    Very cool

  • @TheProtesilaus
    @TheProtesilaus 5 months ago

    Hi, just wanted to express my deep gratitude for your video. I have been troubleshooting my Azure file share mapping using Entra AD auth for what feels like weeks. Your video is incredibly well-made, detailed, easy to understand, and your 'AADKerbRBAC.ps1' script was just *chef's kiss*. Thanks for putting out such great content, it helped me quite a bit!

    • @NTFAQGuy
      @NTFAQGuy 5 months ago

      Glad it helped

  • @Luger718A1
    @Luger718A1 8 months ago

    Coming back to this as we are moving some shares to Azure Files and deciding on which deployment to go with. Seems like we'll still need to use Entra ADDS for clients getting rid of on-prem AD.

  • @chaminda512
    @chaminda512 1 year ago

    Thank you

  • @unearthnz
    @unearthnz 2 years ago

    Another great video, thanks John. In your example, the Kerberos ticket is generated directly by AAD for use with the storage account, so why do we still need the client to be logged in using an account synced from ADDS? What is stopping us from using a cloud-only AAD user on an AAD-joined device, and do you see a future where this ADDS requirement may also be removed? The reason I ask is we have a lot of smaller customers who have moved to a cloud-only environment and don't want to stand up AADDS or ADDS if they can avoid it. Cheers :)

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +1

      As I said, current requirement during preview. May change over time.

  • @mpowelltech1120
    @mpowelltech1120 10 months ago

    This is great! Would love to see how this works with Windows Hello for Business. I have tried setting it up and it works with a password but not a PIN/biometrics.

  • @Vic-ky3cc
    @Vic-ky3cc 2 years ago +1

    Hi John, thanks for the video. You emphasize the point that no line of sight to the DC is needed. Have you really tested this? I'm asking because Microsoft in its description of the preview states "The user accounts must be hybrid user identities, which means you'll also need Active Directory Domain Services (AD DS) and Azure AD Connect. You must create these accounts in Active Directory and sync them to Azure AD." It's a bit confusing.

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +4

      You are mixing up things. The AAD user account needs to have sync'd from AD, but the machine connecting does not need DC line of sight. You can see in the token which it's using, as I clearly showed. Population of accounts in AAD has nothing to do with client connection requirements.

  • @welock
    @welock 2 years ago

    Thanks for this walk-through and taking time out of your busy day to do these deep dives sir.
    I do have a quick, quick question: in the interest of file sync or robocopy from on-prem, I'm assuming this won't accomplish the task of preserving SIDs/ACLs on files/folders in Azure? As I understand it, AAD generates its own SIDs as any directory would, but I wanted to ask.
    Thanks!

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +2

      Azure File Sync maintains them, as do some other methods. Docs walk through some, I believe.

    • @welock
      @welock 2 years ago

      @@NTFAQGuy OK, great, thank you for the reply! I'm just now getting back to wrapping my head around this.
      My only mental "hoop", so to say, was joining the storage account as a security principal in AAD vs. joining the storage account to an AD DS directory that maintains the SIDs for the hybrid user accounts.
      I looked through the documentation and found the article for this preview, as well as the latest version of File Sync, but it only mentions the traditional SA to AD DS method. I'll look again tonight, or possibly lab it up. Thank you again for your time, sir!

  • @michaelpietrzak2067
    @michaelpietrzak2067 2 years ago

    Hi John, a few weeks back you replied to my Reddit question about "joining" storage to ADD. I was re-reading the known limitations for AAD-joined AVDs and it states: "Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos authentication to access either of these features." Would this new Kerberos feature fix that issue?

    • @NTFAQGuy
      @NTFAQGuy 2 years ago

      Yes, this will address that.

  • @amishel2006
    @amishel2006 2 years ago

    That's great news! Will it be possible to use Windows authentication in MSSQL on VMs without having to run domain controllers?

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +1

      I discuss scenarios in the video.

  • @ru54623
    @ru54623 2 years ago

    Hi John, why do the API permissions use the Microsoft Graph API? Was it just the first API? Why don't they just rename it?

    • @NTFAQGuy
      @NTFAQGuy 2 years ago

      I don't understand what you are asking. Microsoft Graph is the standard API now for most MS interactions including AAD.

    • @ru54623
      @ru54623 2 years ago

      @@NTFAQGuy yes, but why did they call it 'Graph'?

    • @NTFAQGuy
      @NTFAQGuy 2 years ago

      @@ru54623 Zero clue, but if you think about what a graph is about (information) and what Microsoft Graph provides, I can see why.

    • @ru54623
      @ru54623 2 years ago

      @@NTFAQGuy I got the impression that it comes from the old Microsoft Graph charting tool that was part of old, old Office, and the app eventually got overtaken by the API and the name stuck.

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +1

      Again :-) I have zero clue on the origin, but I don't think that sounds right :)

  • @leimingyu7455
    @leimingyu7455 2 years ago

    Somehow misread the title, thinking it said Azure AD Kebabs. Clearly need a bit of a break 😂

    • @NTFAQGuy
      @NTFAQGuy 2 years ago +1

      They don't have that feature yet :-) And you should probably go have dinner :-D

  • @christianibiri
    @christianibiri 2 years ago

    Great video!