WardAnderson-0632 asked ZollnerD commented

Enabling Password Hash Sync in Hybrid environment

I have a bunch of Intune-built Azure AD joined laptops right now. I don't have the ability to do offline domain join because I don't have 2016/2019 DCs just yet. So! My issue is with WIA / Kerberos websites and applications not always working due to the lack of Kerberos tickets on these machines over VPN. Was looking at this link: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-password-hash-sync


I'm wondering if anyone has run the script in the link and if there's any possible negative impact like me locking out a bunch of users or something.


Appreciate any and all responses, I'm just a bit nervous and needed another set of eyes on it.



Thanks!

Tags: azure-ad-connect, azure-ad-hybrid-identity
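The question asks what state the linked doc's script acts on and whether running it could have side effects. The following is an added read-only pre-flight check for the Azure AD Connect server, not part of the question, the answer, or the Microsoft doc: it changes no configuration, it only reports the connector names the script needs (they are case-sensitive in that script), whether password hash sync is already enabled, the scheduler state, and the recent password-sync event results. It assumes the default Azure AD Connect install path for the ADSync module and that the AD and Azure AD connectors are distinguished by the connector type names `AD` and `Extensible2` (an assumption about a typical install; check the listed names if they differ).

```powershell
# Added example, not from the question, the answer, or the linked Microsoft doc.
# Read-only pre-flight check to run on the Azure AD Connect server before the
# doc's script. It changes nothing; it only reports what that script will act on.
# Assumption: default install path and an ADSync module exposing the cmdlets below.
Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

# 1. Connector names. The doc's script takes them as case-sensitive strings, so
#    copy them from here rather than typing them from memory.
#    Assumption: type name 'AD' is the on-prem AD DS connector, 'Extensible2' the Azure AD one.
$connectors    = Get-ADSyncConnector
$adConnectors  = $connectors | Where-Object { $_.ConnectorTypeName -eq 'AD' }
$aadConnectors = $connectors | Where-Object { $_.ConnectorTypeName -eq 'Extensible2' }
Write-Host "All connectors (copy names exactly):"
$connectors | Select-Object Name, ConnectorTypeName | Format-Table -AutoSize

# 2. Password hash sync state per AD DS connector. The doc's script forces a
#    full password sync, which only does anything if PHS is already enabled.
Write-Host "Password hash sync configuration:"
foreach ($ad in $adConnectors) {
    Get-ADSyncAADPasswordSyncConfiguration -SourceConnector $ad.Name |
        Select-Object SourceConnector, TargetConnector, Enabled
}

# 3. Scheduler state. A server in staging mode exports nothing, and a disabled
#    sync cycle means the forced full sync will not run until it is re-enabled.
Write-Host "Scheduler:"
Get-ADSyncScheduler |
    Select-Object SyncCycleEnabled, StagingModeEnabled, NextSyncCycleStartTimeInUTC

# 4. Recent password-sync outcomes. Source 'Directory Synchronization' in the
#    Application log writes event 656 for a sync request and 657 for its result.
#    A run of failed 657 events before you start means PHS itself needs
#    troubleshooting first; the doc's script will not fix that.
Write-Host "Password sync events, last 24 hours:"
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Directory Synchronization'
    Id           = 656, 657
    StartTime    = $since
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the Azure AD Connect server; if no 656/657 events appear at all, password hash sync has not been running there, which is worth knowing before forcing a full sync.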

1 Answer

ZollnerD answered ZollnerD commented

The doc you linked describes enabling AAD Connect Password Hash Sync's feature to push additional information used by the feature Azure AD Domain Services. That doc isn't relevant to the scenario you outlined (Azure AD Joined laptops having WIA/Kerberos auth issues) in any way that I can tell.

I unfortunately don't have any background on the actual issue you've described, but I'm pretty confident the solution you're looking at will not help.


@ZollnerD Are you sure? It says here:

To use Azure AD DS with accounts synchronized from an on-premises AD DS environment, you need to configure Azure AD Connect to synchronize those password hashes required for NTLM and Kerberos authentication. After Azure AD Connect is configured, an on-premises account creation or password change event also then synchronizes the legacy password hashes to Azure AD.

This is pretty much exactly what I want to do. I have IIS sites or HTTP sites that won't auth properly automatically the same way a domain joined machine would due to the lack of Kerberos. It was my understanding that AADDS + this would help.


If your plan is to stand up AADDS and have the websites/apps look towards that for NTLM/Kerb data, it seems more likely that it would work than how I originally understood your scenario, which would be "AAD Joined devices, maybe connected to a corporate network VPN, trying to access websites/apps using <unspecified AD/LDAP directory that I did not understand to be AADDS> as their source for authentication data."


From my understanding I needed both AADDS for this and that password hash sync for it to be able to pass NTLM/Kerb. I have AAD joined devices over a corporate VPN trying to access websites/apps just the same as that scenario. Am I missing something in AADDS to enable this? I selected the user option because it mentioned Kerberos.
