In a virtualized desktop or remote desktop world, we're using a service where more than one person can log onto a server and get their own, temporary remote session - you can configure the default desktop settings and icons, they can run applications just like they are running them on a PC, and this is really helpful for centralising access to non-browser line-of-business apps that you don't want to install and run locally on every single computer. Let's look at a specific use case - Profile containers using FSLogix for Azure Virtual Desktop There are some solutions to help with some of those capabilities on-premises, but they are complicated, compared to ticking a check box in Azure AD. In his article " Why we built Azure AD Kerberos", Steve Syfuhs mentions that Kerberos as used by Active Directory, relies on passwords and doesn't support capabilities like FIDO, multi-factor authentication or conditional access. You only really want to be doing this if you have no other option to modernise your applications, or to buy you the time to do so. ![]() A hybrid environment with Active Directory, Azure Active Directory and Azure AD Domain Services ![]() Now, there are a few limitations with Azure AD DS, but this is the standard way to get Kerberos support in Azure. Then, you can domain-join your Azure virtual machines and apply your group policies, without needing to deploy Active Directory domain controllers into Azure. This directory synchronises accounts from Azure AD, which in turn can be synchronising accounts from your on-premises Active Directory domain. To host a Windows Server in Azure that needs to use Kerberos, or for older applications, you would create an Azure Active Directory Domain Services (Azure AD DS) managed domain. This is just one example - many, many applications including ones your organization may have written some time ago, rely on Kerberos authentication.įor a deep dive of how the local Windows logon process works, including when and how Kerberos kicks in, visit Deep dive: logging on to Windows. ![]() ![]() Kerberos is used to authenticate your account with an Active Directory domain controller, so the SMB protocol is then happy for you to access file shares on Windows Server. If you have ever explored the differences between Active Directory (AD DS) and Azure Active Directory (Azure AD), you would have found that Azure Active Directory doesn't support the Kerberos authentication protocol, but Active Directory does.
0 Comments
Leave a Reply. |