NEW Native Azure AD KERBEROS!!!


Comments • 46

  • @NTFAQGuy
    @NTFAQGuy  2 years ago +8

    Yes, you read that right! Native Kerberos with Azure AD! Please make sure to read the description for the chapters and key information about this video and others.
    ⚠️ P L E A S E N O T E ⚠️
    🔎 If you are looking for content on a particular topic search the channel. If I have something it will be there!
    🕰️ I don't discuss future content nor take requests for future content so please don't ask 😇
    Thanks for watching!
    ☁️🤙💪

  • @Slayer_of_Asian_Stacys
    @Slayer_of_Asian_Stacys 2 years ago +8

    Thanks for sharing. Funny thing is I was literally studying for the new AZ-800 (Windows Server Hybrid setup) certification this whole day. AZ-800 is still in beta and was only released this December 7. It emphasizes that Azure AD doesn't support Kerberos authentication. And we have to work around it. Now, you're saying it's already in preview. Crazy how fast the pace things change and improve. I think I don't need to rush studying for it now since it's still on beta and many things might change. And the provided learning materials might be outdated a couple of months from now.

  • @jgrote
    @jgrote 2 years ago +7

    This video looks like it took a while to play around and put together. Thanks for feeling your way through it for us!

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +2

      Yes, it did :-D Started from scratch a few times :-D

  • @TheMaevian
    @TheMaevian 5 months ago

    This video was not only a good explanation of the Azure AD, it was also a good explanation of Kerberos

  • @marktyler6832
    @marktyler6832 2 years ago

    John your breadth and depth of knowledge never ceases to amaze - keep up the good work sir

  • @BuggageandGlitchage
    @BuggageandGlitchage 2 years ago

    So cool! Looks like that’s my weekend tied up.

  • @jlou65535
    @jlou65535 2 years ago

    Very good video John as usual. I also tested that solution and now waiting next features ;)

  • @veljom
    @veljom 2 years ago

    Thanks, this is a great video!

  • @juanpabloguerra9512
    @juanpabloguerra9512 2 years ago

    John is the GOAT! Thanks :)

  • @pkaycr
    @pkaycr 2 years ago

    Thanks again for sharing 🙌

  • @iNekdima
    @iNekdima 2 years ago +1

    Never thought this day would come.

  • @Easyn_
    @Easyn_ 2 years ago

    Thanks John!

  • @GiovanniOrlandoi7
    @GiovanniOrlandoi7 2 years ago

    Great video!

  • @TheProtesilaus
    @TheProtesilaus 5 months ago

    Hi, just wanted to express my deep gratitude for your video. Have been troubleshooting my Azure file share mapping using Entra AD auth for what feels like weeks. Your video is incredibly well-made, detailed, easy to understand, and your 'AADKerbRBAC.ps1' script was just *chef's kiss*. Thanks for putting out such great content, helped me quite a bit!

  • @charliemelga7445
    @charliemelga7445 2 years ago

    Great video, no one explains things as well as you Mr Savill :)

  • @blizzyTX
    @blizzyTX 2 years ago +3

    ...this is both heartbreaking and wonderful at the same time. My org was eager to leave Kerberos behind, but now I see a use case...dang it.

  • @laughtonsm
    @laughtonsm 2 years ago +1

    This is a great addition! I’m a little disappointed that cloud-only support isn’t there from the off though, as this scenario seems to get ‘forgotten’ about on a regular basis.

  • @simonkeen9776
    @simonkeen9776 2 years ago

    Very cool

  • @Luger718A1
    @Luger718A1 7 months ago

    Coming back to this as we are moving some shares to Azure Files and deciding on which deployment to go with. Seems like we'll still need to use Entra ADDS for clients getting rid of on-prem AD.

  • @chaminda512
    @chaminda512 1 year ago

    Thank you

  • @unearthnz
    @unearthnz 2 years ago

    Another great video, thanks John. In your example, the Kerberos ticket is generated directly by AAD for use with the storage account, so why do we still need the client to be logged in using an account synced from ADDS? What is stopping us from using a cloud-only AAD user on an AAD joined device, and do you see a future where this ADDS requirement may also be removed? The reason I ask is we have a lot of smaller customers who have moved to a cloud-only environment and don't want to stand up AADDS or ADDS if they can avoid it. Cheers :)

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +1

      As I said, current requirement during preview. May change over time.

  • @mpowelltech1120
    @mpowelltech1120 10 months ago

    This is great! Would love to see how this works with Windows Hello for Business - have tried setting it up and works with password but not a PIN/Biometrics.

  • @Vic-ky3cc
    @Vic-ky3cc 2 years ago +1

    Hi John, thanks for the video. You emphasize the point that no line of sight to the DC is needed. Have you really tested this? I'm asking because Microsoft in its description of the preview states "The user accounts must be hybrid user identities, which means you'll also need Active Directory Domain Services (AD DS) and Azure AD Connect. You must create these accounts in Active Directory and sync them to Azure AD." It's a bit confusing.

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +4

      You are mixing up things. The AAD user account needs to have synced from AD, but the machine connecting does not need DC line of sight. You can see in the token which it’s using, as I clearly showed. Population of accounts in AAD has nothing to do with client connection requirements.

  • @welock
    @welock 2 years ago

    Thanks for this walk-through and taking time out of your busy day to do these deep dives sir.
    I do have a quick, quick question: In the interest of file sync or Robocopy from on-prem, I'm assuming this won't accomplish the task of preserving SIDs/ACLs on files/folders in Azure? As I understand, AAD generates its own SIDs as any directory would, but I wanted to ask.
    Thanks!

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +2

      Azure File Sync maintains them, as do some other methods. Docs walk through some, I believe.

    • @welock
      @welock 2 years ago

      @NTFAQGuy OK great, thank you for the reply! I'm just now getting back to wrapping my head around this.
      My only mental "hoop", so to say, was joining the storage account as a security principal in AAD vs. joining the storage account to an AD DS directory that maintains the SIDs for the hybrid user accounts.
      I looked through the documentation and found the article for this preview, as well as the latest v. of File Sync, but it only mentions the traditional SA to AD DS method. I'll look again tonight, or possibly lab it up - thank you again for your time sir!
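The two threads above (Vic-ky3cc's question about the hybrid-identity prerequisite and welock's question about SIDs) both come down to one check: is the user a hybrid identity synced from AD DS, carrying its on-premises SID into Azure AD? The following PowerShell is an added example written for this page; it is not the video's own `AADKerbRBAC.ps1` script and does not come from Microsoft. It assumes the Microsoft.Graph PowerShell module is installed and that the caller can consent to the `User.Read.All` scope; the UPNs at the bottom are constructed placeholders. It reads the real Graph user properties `onPremisesSyncEnabled` and `onPremisesSecurityIdentifier`, which are populated by Azure AD Connect for synced accounts and empty for cloud-only accounts.

```powershell
# Added example, not from the video or its AADKerbRBAC.ps1 script.
# Assumption: Microsoft.Graph PowerShell module present; caller can consent to User.Read.All.
#Requires -Modules Microsoft.Graph.Users

function Test-AadKerberosHybridUser {
    <#
    .SYNOPSIS
      Reports whether each user meets the preview prerequisite for Azure AD Kerberos:
      a hybrid identity synced from AD DS (and therefore carrying its on-prem SID).
    #>
    param(
        [Parameter(Mandatory)][string[]]$UserPrincipalName
    )

    foreach ($upn in $UserPrincipalName) {
        # Only request the properties needed for the check; the two onPremises* values
        # are what Azure AD Connect writes for synced accounts.
        $u = Get-MgUser -UserId $upn `
            -Property 'userPrincipalName,onPremisesSyncEnabled,onPremisesSecurityIdentifier' `
            -ErrorAction Stop

        $synced = ($u.OnPremisesSyncEnabled -eq $true)
        $hasSid = -not [string]::IsNullOrEmpty($u.OnPremisesSecurityIdentifier)
        $isHybrid = $synced -and $hasSid

        [pscustomobject]@{
            UserPrincipalName      = $u.UserPrincipalName
            SyncedFromAdDs         = $synced
            OnPremSid              = $u.OnPremisesSecurityIdentifier
            EligibleForAadKerberos = $isHybrid
            Note                   = if ($isHybrid) {
                'Hybrid identity: meets the preview prerequisite; SID is preserved in AAD'
            } elseif ($synced) {
                'Synced but no on-prem SID recorded: check Azure AD Connect attribute flow'
            } else {
                'Cloud-only account: not eligible during the preview'
            }
        }
    }
}

# Constructed sample UPNs; replace with accounts from your tenant.
Connect-MgGraph -Scopes 'User.Read.All'
Test-AadKerberosHybridUser -UserPrincipalName 'alice@contoso.example', 'svc-cloudonly@contoso.example' |
    Format-Table -AutoSize
```

The point of the check is the one NTFAQGuy makes: the account population requirement (synced from AD DS) is separate from the client requirement (no DC line of sight). The client machine never needs to reach a domain controller for this test or for the Kerberos flow itself; it only needs Graph access to inspect the directory object.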

  • @amishel2006
    @amishel2006 2 years ago

    That's great news! Will it be possible to use Windows authentication in MSSQL on VMs without having to run domain controllers?

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +1

      I discuss scenarios in the video

  • @michaelpietrzak2067
    @michaelpietrzak2067 2 years ago

    Hi John, a few weeks back you replied to my Reddit question about "joining" storage to ADD. I was re-reading the known limitation for AAD joined AVDs and it states...."Azure AD-joined VMs can't access Azure Files file shares for FSLogix or MSIX app attach. You'll need Kerberos authentication to access either of these features." Would this new Kerberos feature fix that issue?

    • @NTFAQGuy
      @NTFAQGuy  2 years ago

      Yes, this will address that.

  • @ru54623
    @ru54623 2 years ago

    Hi John, why do the API permissions use the Microsoft Graph API, was it just the first API? Why don't they just rename it?

    • @NTFAQGuy
      @NTFAQGuy  2 years ago

      I don't understand what you are asking. Microsoft Graph is the standard API now for most MS interactions including AAD.

    • @ru54623
      @ru54623 2 years ago

      @NTFAQGuy yes, but why did they call it 'Graph'?

    • @NTFAQGuy
      @NTFAQGuy  2 years ago

      @ru54623 Zero clue, but if you think about what a graph is about (information) and what Microsoft Graph provides, I can see why.

    • @ru54623
      @ru54623 2 years ago

      @NTFAQGuy I got the impression that it comes from the old Microsoft Graph charting tool that was part of old, old Office, and the app eventually got overtaken by the API and the name stuck.

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +1

      Again :-) I have zero clue on the origin, but I don’t think that sounds right :)

  • @leimingyu7455
    @leimingyu7455 2 years ago

    Somehow misread the title thinking it said Azure AD Kebabs. Clearly need a bit of a break 😂

    • @NTFAQGuy
      @NTFAQGuy  2 years ago +1

      They don't have that feature yet :-) And you should probably go have dinner :-D

  • @christianibiri
    @christianibiri 2 years ago

    Great video!