BD-9059 asked

Azure AD joined devices // ADSystemInfo call cannot locate DC

Hi,

We deploy our clients as Azure AD joined devices. Hybrid Azure AD joined devices would solve the problem I will describe below. However, this scenario would have downsides, as I have been told. Does anyone have some more info on what one would lose when choosing the Hybrid scenario?

The problem is that we have a certain software which does an IADsADSystemInfo::get_UserName() call when starting the application. It would retrieve the username this way and compare it on the backend with Active Directory, thus allowing or blocking access to the application.
Because it's an Azure AD joined device, this call does not work: it cannot locate the domain controller and thus fails in making this ADSystemInfo call.
What would be the preferred way to work around this problem? Thanks


Tags: azure-active-directory, azure-ad-domain-services
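The following diagnostic is an added example, not code from the thread or from the application in question. It reproduces the IADsADSystemInfo::UserName call the application makes and correlates the outcome with the device join state reported by `dsregcmd /status`, so an administrator can confirm on a given machine whether the failure is the Azure AD-only join described above. It assumes a Windows 10 or later client with dsregcmd.exe available.

```powershell
# Added diagnostic (not from the thread): reproduce the ADSystemInfo.UserName call
# and report the device join state, so the failure can be tied to its cause.
# Assumes dsregcmd.exe is present (Windows 10 / Server 2016 and later).

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines under "Device State";
    # pick out the three join flags and turn YES/NO into booleans.
    $lines = & dsregcmd.exe /status 2>$null
    $state = [ordered]@{ AzureAdJoined = $null; DomainJoined = $null; EnterpriseJoined = $null }
    foreach ($line in $lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|EnterpriseJoined)\s*:\s*(\S+)') {
            $state[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }
    return $state
}

function Test-ADSystemInfoUserName {
    # ADSystemInfo is a late-bound COM object with no type library visible to
    # PowerShell, so its properties are read through InvokeMember.
    try {
        $adsi = New-Object -ComObject ADSystemInfo
        $user = $adsi.GetType().InvokeMember('UserName',
            [System.Reflection.BindingFlags]::GetProperty, $null, $adsi, $null)
        return [pscustomobject]@{ Succeeded = $true; UserName = $user; Error = $null }
    } catch {
        # On an Azure AD-only joined device the call fails here: the object
        # tries to locate a domain controller and there is none to find.
        return [pscustomobject]@{ Succeeded = $false; UserName = $null; Error = $_.Exception.Message }
    }
}

$join   = Get-DeviceJoinState
$result = Test-ADSystemInfoUserName

"AzureAdJoined={0} DomainJoined={1} EnterpriseJoined={2}" -f `
    $join.AzureAdJoined, $join.DomainJoined, $join.EnterpriseJoined
if ($result.Succeeded) {
    "ADSystemInfo.UserName returned: $($result.UserName)"
} else {
    "ADSystemInfo.UserName failed: $($result.Error)"
    if ($join.AzureAdJoined -and -not $join.DomainJoined) {
        "Device is Azure AD joined only: no domain controller to locate, which matches the failure described in the question."
    }
}
```

Run it in a normal (non-elevated) session as the signed-in user, since UserName reflects the caller's logon context.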

MrAzureAD answered

Hybrid joined devices are technically devices that are joined to Windows Server AD. So authentication of the device and the user will go to Windows Server AD.
Hybrid join is added on top, so that Azure AD “knows” something about the device.
On Azure AD joined devices, all interaction goes to Azure AD. Only if an application explicitly does Kerberos is a TGT pulled.
I would say Hybrid join is quite a big step backward.
Any chance to change that application?

Greetings,
MrAzureAD


BD-9059 answered

Unfortunately changing the application is not an option.

So, you confirm that Azure AD joined devices can (and should) not be able to locate a domain controller?


trevorseward answered

Azure AD isn't Active Directory Domain Services; therefore it does not contain information like DNs, site information, domain controllers, and so on.

These are your two options:

  • Use Azure AD hybrid join where the client PC is both Active Directory and Azure AD joined.

  • Change the application to support Azure AD-only joined devices.


BD-9059 answered

When I don't have Azure AD hybrid join enabled -and- I join that client to the domain it works. Does anyone see a problem with such setup for the time being?


LukasBeran answered

If you do Hybrid join, you are technically still connected to onprem AD, so everything should work the same way: your computer knows your onprem DCs. So if you go with hybrid join, your app should work as usual.
