NEW Native Azure AD KERBEROS!!!

  • Published on 21 Dec 2024

Comments • 46

  • @NTFAQGuy
    @NTFAQGuy  3 years ago +8

    Yes, you read that right! Native Kerberos with Azure AD! Please make sure to read the description for the chapters and key information about this video and others.
    ⚠️ P L E A S E N O T E ⚠️
    🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there!
    🕰️ I don't discuss future content nor take requests for future content so please don't ask 😇
    Thanks for watching!
    ☁️🤙💪

  • @TheMaevian
    @TheMaevian 10 months ago

    This video was not only a good explanation of the Azure AD, it was also a good explanation of Kerberos

  • @Arrian_YT
    @Arrian_YT 3 years ago +8

    Thanks for sharing. Funny thing is I was literally studying for the new AZ-800 (Windows Server Hybrid setup) certification this whole day. AZ-800 is still in beta and was only released this December 7. It emphasizes that Azure AD doesn't support Kerberos authentication. And we have to work around it. Now, you're saying it's already in preview. Crazy how fast the pace things change and improve. I think I don't need to rush studying for it now since it's still on beta and many things might change. And the provided learning materials might be outdated a couple of months from now.

  • @jgrote
    @jgrote 3 years ago +8

    This video looks like it took a while to play around and put together. Thanks for feeling your way through it for us!

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +2

      Yes, it did :-D Started from scratch a few times :-D

  • @marktyler6832
    @marktyler6832 2 years ago

    John your breadth and depth of knowledge never ceases to amaze - keep up the good work sir

  • @Luger718A1
    @Luger718A1 1 year ago

    Coming back to this as we are moving some shares to azure files and deciding on which deployment to go with. Seems like we'll still need to use Entra ADDS for clients getting rid of on-prem AD

  • @iNekdima
    @iNekdima 3 years ago +1

    Never thought this day will come.

  • @jlou65535
    @jlou65535 3 years ago

    Very good video John as usual. I also tested that solution and now waiting next features ;)

  • @BuggageandGlitchage
    @BuggageandGlitchage 3 years ago

    So cool! Looks like that’s my weekend tied up.

  • @TheProtesilaus
    @TheProtesilaus 10 months ago

    Hi, just wanted to express my deep gratitude for your video. Have been troubleshooting my Azure file share mapping using Entra AD auth for what feels like weeks. Your video is incredibly well-made, detailed, easy to understand, and your 'AADKerbRBAC.ps1' script was just *chef's kiss*. Thanks for putting out such great content, helped me quite a bit!

    • @NTFAQGuy
      @NTFAQGuy  10 months ago

      Glad it helped

  • @laughtonsm
    @laughtonsm 3 years ago +1

    This is a great addition! I’m a little disappointed that cloud-only support isn’t there from the off though, as this scenario seems to get ‘forgotten’ about on a regular basis.

  • @juanpabloguerra9512
    @juanpabloguerra9512 3 years ago

    John is the GOAT! Thanks :)

  • @blizzyTX
    @blizzyTX 3 years ago +3

    ...this is both heartbreaking and wonderful at the same time. My org was eager to leave Kerberos behind, but now I see a use case...dang it.

  • @mpowelltech1120
    @mpowelltech1120 1 year ago

    This is great! Would love to see how this works with Windows Hello for Business - have tried setting it up and works with password but not a PIN/Biometrics.

  • @Easyn_
    @Easyn_ 3 years ago

    Thanks John!

  • @unearthnz
    @unearthnz 3 years ago

    Another great video, thanks John. In your example, the Kerberos ticket is generated directly by AAD for use with the storage account, so why do we still need the client to be logged in using an account synced from ADDS? What is stopping us from using a cloud-only AAD user on an AAD joined device, and do you see a future where this ADDS requirement may also be removed? The reason I ask is we have a lot of smaller customers who have moved to a cloud-only environment and don't want to stand up AADDS or ADDS if they can avoid it. Cheers :)

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      As I said current requirement during preview. May change over time

  • @Vic-ky3cc
    @Vic-ky3cc 3 years ago +1

    Hi John, thanks for the video. You emphasize the point that no line of sight to the DC is needed. Have you really tested this? I'm asking because Microsoft in its description of the preview states "The user accounts must be hybrid user identities, which means you'll also need Active Directory Domain Services (AD DS) and Azure AD Connect. You must create these accounts in Active Directory and sync them to Azure AD." It's a bit confusing.

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +4

      You are mixing up things. The aad user account needs to have sync’d from ad but the machine connecting does not need dc line of sight. You can see in the token which it’s using as I clearly showed. Population of accounts in aad has nothing to do with client connection requirements.

  • @charliemelga7445
    @charliemelga7445 2 years ago

    Great video, no one explains things as well as you Mr Savill :)

  • @pkaycr
    @pkaycr 3 years ago

    Thanks again for sharing 🙌

  • @veljom
    @veljom 3 years ago

    Thanks, this is a great video!

  • @chaminda512
    @chaminda512 1 year ago

    Thank you

  • @welock
    @welock 2 years ago

    Thanks for this walk-through and taking time out of your busy day to do these deep dives sir.
    I do have a quick, quick question: In the interest of file sync or robo-copy from on-prem, I'm assuming this won't accomplish the task of preserving SID/ACLs on files/folders in Azure? As I understand AAD generates its own SIDs as any directory would, but I wanted to ask.
    Thanks!

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +2

      Azure File Sync maintains them as do some other methods. Docs walk through some I believe.

    • @welock
      @welock 2 years ago

      @@NTFAQGuy OK great thank you for the reply! I'm just now getting back to wrapping around this.
      My only mental "hoop" so to say was joining the storage account as a security principal in AAD vs. joining the storage account to an AD DS directory that maintains the SIDs for the hybrid user accounts.
      I looked through the documentation, and found the article for this preview, as well as the latest v. of file sync, but it only mentions the traditional SA to AD DS method. I'll look again tonight, or possibly lab it up - thank you again for your time sir!

  • @GiovanniOrlandoi7
    @GiovanniOrlandoi7 3 years ago

    Great video!

  • @michaelpietrzak2067
    @michaelpietrzak2067 3 years ago

    Hi John, a few weeks back you replied to my Reddit question about "joining" storage to ADD. I was re-reading the known limitation for AAD joined AVDs and it states...."Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos authentication to access either of these features." Would this new Kerberos feature fix that issue?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      Yes, this will address that.

  • @simonkeen9776
    @simonkeen9776 3 years ago

    Very cool

  • @amishel2006
    @amishel2006 3 years ago

    That's great news! Will it be possible to use Windows authentication in MSSQL on VMs without having to run domain controllers?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      I discuss scenarios in the video

  • @ru54623
    @ru54623 3 years ago

    Hi John, why do the API permissions use the Microsoft Graph API, was it just the first API? Why don't they just rename it?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      I don't understand what you are asking. Microsoft Graph is the standard API now for most MS interactions including AAD.

    • @ru54623
      @ru54623 3 years ago

      @@NTFAQGuy yes, but why did they call it 'Graph'?

    • @NTFAQGuy
      @NTFAQGuy  3 years ago

      @@ru54623 Zero clue but if you think about what a graph is, about information, and what Microsoft Graph provides, I can see why.

    • @ru54623
      @ru54623 3 years ago

      @@NTFAQGuy I got the impression that it comes from the old Microsoft Graph tool, part of old old Office, and the app eventually got overtaken by the API and the name stuck.

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      Again :-) I have zero clue on the origin but I don't think that sounds right :)

  • @leimingyu7455
    @leimingyu7455 3 years ago

    Somehow misread the title thinking it said Azure AD Kebabs. Clearly need a bit of a break 😂

    • @NTFAQGuy
      @NTFAQGuy  3 years ago +1

      They don't have that feature yet :-) And you should probably go have dinner :-D

  • @christianibiri
    @christianibiri 3 years ago

    Great video!