NEW Native Azure AD KERBEROS!!!


John Savill's Technical Training


Yes, you are reading that title right! Azure AD now supports native Kerberos. In this video I explore how and what works with it today!
🔎 Looking for content on a particular topic? Search the channel. If I have something it will be there!
▬▬▬▬▬▬ C H A P T E R S ⏰ ▬▬▬▬▬▬
0:00 - Introduction
0:30 - Azure AD and AD auth basics
2:07 - Native Azure AD Kerberos
3:19 - Requirements and components
4:40 - Client required policy
5:40 - My environment and ticket overview
6:49 - Service support for the Kerberos
8:38 - Kerberos and 3-headed dogs
11:22 - Shared secret requirements
13:03 - Demo with Azure Files access
14:48 - Seeing the tickets
17:45 - Few more useful commands
19:30 - Summary of tickets
21:25 - Close
▬▬▬▬▬▬ K E Y L I N K S 🔗 ▬▬▬▬▬▬
► Azure Storage AAD step-by-step:
🔗 docs.microsoft.com/azure/virt...
► My sample file for the demo:
🔗 github.com/johnthebrit/Random...

Comments: 46
@NTFAQGuy 2 years ago
Yes, you read that right! Native Kerberos with Azure AD! Please make sure to read the description for the chapters and key information about this video and others. ⚠️ P L E A S E N O T E ⚠️ 🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there! 🕰️ I don't discuss future content nor take requests for future content so please don't ask 😇 Thanks for watching! ☁️🤙💪
@Slayer_of_Asian_Stacys 2 years ago
Thanks for sharing. Funny thing is I was literally studying for the new AZ-800 (Windows Server Hybrid setup) certification this whole day. AZ-800 is still in beta and was only released this December 7. It emphasizes that Azure AD doesn't support Kerberos authentication. And we have to work around it. Now, you're saying it's already in preview. Crazy how fast the pace things change and improve. I think I don't need to rush studying for it now since it's still on beta and many things might change. And the provided learning materials might be outdated a couple of months from now.
@jgrote 2 years ago
This video looks like it took a while to play around and put together. Thanks for feeling your way through it for us!
@NTFAQGuy 2 years ago
Yes, it did :-D Started from scratch a few times :-D
@TheMaevian 4 months ago
This video was not only a good explanation of the Azure AD, it was also a good explanation of Kerberos
@marktyler6832 2 years ago
John your breadth and depth of knowledge never ceases to amaze - keep up the good work sir
@jlou65535 2 years ago
Very good video John as usual. I also tested that solution and now waiting next features ;)
@NTFAQGuy 2 years ago
👍
@BuggageandGlitchage 2 years ago
So cool! Looks like that’s my weekend tied up.
@pkaycr 2 years ago
Thanks again for sharing 🙌
@juanpabloguerra9512 2 years ago
John is the GOAT! Thanks :)
@laughtonsm 2 years ago
This is a great addition! I’m a little disappointed that cloud-only support isn’t there from the off though, as this scenario seems to get ‘forgotten’ about on a regular basis.
@Easyn_ 2 years ago
Thanks John!
@GiovanniOrlandoi7 2 years ago
Great video!
@veljom 2 years ago
Thanks, this is a great video!
@iNekdima 2 years ago
Never thought this day will come.
@TheProtesilaus 4 months ago
Hi, just wanted to express my deep gratitude for your video. Have been troubleshooting my Azure file share mapping using Entra AD auth for what feels like weeks. Your video is incredibly well-made, detailed, easy to understand, and your 'AADKerbRBAC.ps1' script was just *chef's kiss*. Thanks for putting out such great content, helped me quite a bit!
@NTFAQGuy 4 months ago
Glad it helped
@charliemelga7445 2 years ago
Great video, no one explains things as well as you Mr Savill :)
@blizzyTX 2 years ago
...this is both heartbreaking and wonderful at the same time. My org was eager to leave Kerberos behind, but now I see a use case...dang it.
@Luger718A1 7 months ago
Coming back to this as we are moving some shares to azure files and deciding on which deployment to go with. Seems like we'll still need to use Entra ADDS for clients getting rid of on-prem AD
@simonkeen9776 2 years ago
Very cool
@chaminda512 1 year ago
Thank you
@unearthnz 2 years ago
Another great video, thanks John. In your example, the Kerberos ticket is generated directly by AAD for use with the storage account, so why do we still need the client to be logged in using an account synced from ADDS? What is stopping us from using a cloud-only AAD user on an AAD joined device, and do you see a future where this ADDS requirement may also be removed? The reason I ask is we have a lot of smaller customers who have moved to a cloud-only environment and don't want to stand up AADDS or ADDS if they can avoid it. Cheers :)
@NTFAQGuy 2 years ago
As I said current requirement during preview. May change over time
@welock 2 years ago
Thanks for this walk-through and taking time out of your busy day to do these deep dives sir. I do have a quick, quick question: In the interest of file sync or robo-copy from on-prem, I'm assuming this won't accomplish the task of preserving SID/ACLs on files/folders in Azure? As I understand AAD generates its own SIDs as any directory would, but I wanted to ask. Thanks!
@NTFAQGuy 2 years ago
Azure File Sync maintains them, as do some other methods. Docs walk through some I believe.
@welock 2 years ago
@@NTFAQGuy OK great thank you for the reply! I'm just now getting back to wrapping around this. My only mental "hoop" so to say was joining the storage account as a security principal in AAD vs. joining the storage account to an AD DS directory that maintains the SIDs for the hybrid user accounts. I looked through the documentation, and found the article for this preview, as well as the latest v. of file sync, but it only mentions the traditional SA to AD DS method. I'll look again tonight, or possibly lab it up - thank you again for your time sir!
@mpowelltech1120 9 months ago
This is great! Would love to see how this works with Windows Hello for Business - have tried setting it up and works with password but not a PIN/Biometrics.
@Vic-ky3cc 2 years ago
Hi John, thanks for the video. You emphasize the point that no line of sight to the DC is needed. Have you really tested this? I'm asking because Microsoft in its description of the preview states "The user accounts must be hybrid user identities, which means you'll also need Active Directory Domain Services (AD DS) and Azure AD Connect. You must create these accounts in Active Directory and sync them to Azure AD." It's a bit confusing.
@NTFAQGuy 2 years ago
You are mixing up things. The aad user account needs to have sync’d from ad but the machine connecting does not need dc line of sight. You can see in the token which it’s using as I clearly showed. Population of accounts in aad has nothing to do with client connection requirements.
@amishel2006 2 years ago
That's great news! Will it be possible to use windows authentication in MSSQL on VMs without having to run domain controllers?
@NTFAQGuy 2 years ago
I discuss scenarios in the video
@michaelpietrzak2067 2 years ago
Hi John, a few weeks back you replied to my Reddit question about "joining" storage to ADD. I was re-reading the known limitation for AAD joined AVDs and it states...."Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos authentication to access either of these features." Would this new Kerberos feature fix that issue?
@NTFAQGuy 2 years ago
Yes, this will address that.
@the-real-bert 2 years ago
Hi John, why do the api permissions use the Microsoft Graph API, was it just the first api? Why don't they just rename it?
@NTFAQGuy 2 years ago
I don't understand what you are asking. Microsoft Graph is the standard API now for most MS interactions including AAD.
@the-real-bert 2 years ago
@@NTFAQGuy yes, but why did they call it 'Graph'?
@NTFAQGuy 2 years ago
@@the-real-bert Zero clue but if you think what a graph is about information and what microsoft graph provides I can see why.
@the-real-bert 2 years ago
@@NTFAQGuy I got the impression that it comes from the old Microsoft Graphing tool part of old old Office, and the app eventually got overtaken by the API and name stuck.
@NTFAQGuy 2 years ago
Again :-) I have zero clue on the origin but I don’t think that sounds right :)
@leimingyu7455 2 years ago
Somehow misread the title thinking it said Azure AD Kebabs. Clearly need a bit of a break 😂
@NTFAQGuy 2 years ago
They don't have that feature yet :-) And you should probably go have dinner :-D
@christianibiri 2 years ago
Great video!