I've been diving into how to authenticate Entra Joined devices using Windows Hello for Business with our on-premises Active Directory setup. I'm seeking advice on the best approach to take, or if this even makes sense considering our current configuration.
Here's a brief overview of what we're working with:
- We have Active Directory users synced via Entra Connect to M365.
- All user laptops are Entra Joined and managed via Intune.
- We still have a few on-premises Active Directory Joined desktops that we access through RDP.
- There are two legacy applications that rely on Active Directory for authentication. One is an SQL-backed analytics tool using SQL Server Authentication, which is currently functioning without issues. The other is an email archiving solution that prompts users for their Active Directory credentials in a browser pop-up. While this is operational, I'd prefer if Entra Joined devices could authenticate automatically like our AD Joined desktops did.
- Also, I'd ideally like to enable Windows Hello for Business for RDP access.
I found this article on hybrid deployments, which I'm considering: [Windows Hello for Business Hybrid Azure AD Join](https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso)
2 Answers
You should definitely look into setting up a Kerberos trust between Entra and your Active Directory. I found an article (https://www.systemcenterdudes.com/windows-hello-cloud-kerberos-trust/) that details the process. I set up MEDS with Azure Files for Kerberos, and it's been working smoothly for us. Just a heads up, when I configured it, I had to enable token grabbing at logon to ensure seamless authentication. Good luck with your setup!
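As an added illustration of the cloud Kerberos trust step recommended above (example code, not from the answer or the linked article), this creates and verifies the Microsoft Entra Kerberos server object in the on-premises domain. The domain name and admin UPN are hypothetical placeholders; the cmdlets come from Microsoft's AzureADHybridAuthenticationManagement module.

```powershell
# Added example: create and verify the Entra Kerberos server object that
# cloud Kerberos trust depends on. Run from a domain-joined admin workstation
# that can reach a writable domain controller.
# Hypothetical values: contoso.local and hybrid.admin@contoso.com

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber
Import-Module AzureADHybridAuthenticationManagement

$domain     = 'contoso.local'                 # on-prem AD DNS name (placeholder)
$cloudAdmin = 'hybrid.admin@contoso.com'      # Hybrid Identity Administrator UPN (placeholder)
$domainCred = Get-Credential -Message 'On-premises Domain Admin credential'

# Creates the AzureADKerberos read-only DC object plus the krbtgt_AzureAD
# account in AD and publishes its key to Entra ID, so Entra can issue the
# partial TGT that Windows Hello for Business devices exchange for a full TGT.
Set-AzureADKerberosServer -Domain $domain `
    -UserPrincipalName $cloudAdmin `
    -DomainCredential $domainCred

# Verify: KeyVersion/CloudKeyVersion and the Updated timestamps should agree;
# a mismatch means the key published to Entra is stale and logon will fail.
Get-AzureADKerberosServer -Domain $domain `
    -UserPrincipalName $cloudAdmin `
    -DomainCredential $domainCred |
    Select-Object DomainDnsName, KeyVersion, KeyUpdatedOn, CloudKeyVersion, CloudKeyUpdatedOn

# The krbtgt_AzureAD key is a high-value credential like krbtgt itself;
# rotate it on a schedule (uncomment to rotate now):
# Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $cloudAdmin `
#     -DomainCredential $domainCred -RotateServerKey
```

After the object exists, the Entra Joined devices still need the Windows Hello for Business "Use Cloud Trust For On Prem Auth" setting (PassportForWork CSP) pushed via Intune before they will request on-premises Kerberos tickets.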
Quick question—are you using a network share for your Sage data? Did you have to make any special configurations for that? I'm considering switching to a network share for data files using AVD app attach instead of relying on a single RDS server.
Yeah, for your situation, you'll definitely want to implement cloud Kerberos. I've just started the process at my workplace, and it should make things much smoother.
Thanks for the guidance! Also, I recently noticed my root CA cert expired, so I'll have to address that first. It was throwing Warning ID 45 messages which led me to check into it.