We have an issue with our AAD-joined W10 devices. This issue does not present itself on our domain-joined machines. We have some on-prem applications that use Windows integrated authentication that sit behind an AWS elastic load balancer. While directly connected to the corporate network (wifi or wired LAN), we can authenticate normally with no credential prompts. However, once the client is connected to Always On VPN, you will receive a credential prompt when trying to access one of these websites. There are no event logs on the DC for any kind of failed auth. The traffic actually never gets to the DC. When doing a Wireshark capture and filtering the DNS traffic, I simply see a bunch of retransmissions from my client to the web app URL, but never a response back.
As I mentioned above, this is only happening on our Azure AD-joined devices. On-prem domain-joined machines work fine. Any apps that aren't behind the load balancer work perfectly normally on AAD-joined machines. We are using a split tunnel config and identical configurations for on-prem vs AADJ devices. The AADJ devices only have their configuration from Intune, and domain-joined machines get theirs from a PS script.
*.domain.local is added in the trusted intranet zone. But it seems like whenever the client is on AOVPN and is trying to resolve somewebapp.domain.local --> AWSelb-GUID.elb.eu-central-1.amazonaws.com, it gets kicked over to the internet zone, which then prompts for creds and doesn't use Windows Integrated Auth. At least that is my assumption at this point. Any suggestions on where to look or anything to change?
For reference, SSO to on-prem resources should work from AAD Joined machines. And it does except for these apps behind the ELB while on AOVPN:
Ref 1: https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso
Ref 2: https://msendpointmgr.com/2021/08/15/sso-to-domain-resources-from-azure-ad-joined-devices-the-mega-series/
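The following is an added diagnostic script, not code from the original post, that checks the three things the post raises from an AADJ client while it is on AOVPN: which resolver and NRPT rules apply to the *.domain.local suffix, how the app name actually resolves (CNAME chain and answering server), and which zone the suffix is mapped to in both the user and the policy-managed registry hives. The hostnames are placeholders taken from the post; replace them with your own.

```powershell
# Added troubleshooting script (not from the original post). Run in an
# elevated PowerShell on the AADJ client while connected to AOVPN.
$AppHost = 'somewebapp.domain.local'   # placeholder name from the post
$Suffix  = 'domain.local'              # internal DNS suffix

# 1. Resolver per interface. With split tunnelling the VPN adapter must carry
#    an internal DNS server, or an NRPT rule must send the suffix to one;
#    otherwise queries leave via the physical adapter and never get answered
#    (the retransmissions seen in the Wireshark capture).
"== DNS servers per interface =="
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. NRPT rules/policy covering the suffix (AOVPN profiles push these via
#    <DomainNameInformation>; an empty result means no suffix-based routing).
"== NRPT rules for .$Suffix =="
Get-DnsClientNrptRule | Where-Object { $_.Namespace -like "*$Suffix" } |
    Select-Object Namespace, NameServers
"== Effective NRPT policy =="
Get-DnsClientNrptPolicy | Select-Object Namespace, NameServers

# 3. How the app name resolves: show the CNAME chain and the resolver that
#    answered so you can see whether the ELB alias comes from internal DNS.
"== Resolution of $AppHost =="
Resolve-DnsName -Name $AppHost -Type A -DnsOnly |
    Select-Object Name, Type, NameHost, IPAddress

# 4. Zone mapping. Integrated auth is only sent automatically for hosts mapped
#    to Local intranet (value 1). Check the per-user ZoneMap and the
#    policy-managed Site-to-Zone list that Intune/GPO writes under ZoneMapKey.
"== Zone map entries for $Suffix =="
foreach ($hive in 'HKCU:', 'HKLM:') {
    $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\$Suffix"
    if (Test-Path $key) {
        "$hive ZoneMap\Domains\$Suffix"
        Get-ItemProperty $key | Select-Object * -ExcludeProperty PS*
    }
    $pol = "$hive\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey"
    if (Test-Path $pol) {
        "$hive policy ZoneMapKey"
        Get-ItemProperty $pol | Select-Object * -ExcludeProperty PS*
    }
}

# 5. Can the client obtain a Kerberos service ticket for the app over the VPN?
#    Failure here points at DC/KDC reachability rather than at the zone map.
"== Kerberos ticket request for HTTP/$AppHost =="
klist get "HTTP/$AppHost"
```

Compare the output with the same script run on a domain-joined machine on AOVPN; a difference in step 1 or 2 explains unanswered DNS, while a difference in step 4 explains a credential prompt despite successful resolution.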