Intermittent Kerberos Issues with Windows Hello for Business Key Trust

Asked By TechGuru247 On

I'm dealing with some intermittent Kerberos issues in an environment where devices are managed through Intune and joined to Entra. The problem occurs mainly when users log in after a fresh boot in the morning, whether they're using a PIN or biometrics with Windows Hello for Business (WHfB). After starting up, some devices don't seem to generate Kerberos tickets immediately, which means the proxy can't authenticate, leading to various issues. Usually, things resolve themselves after a few minutes, but if users are impatient, they can lock the device and unlock it with a password to fix the problem. Notably, when using password authentication, everything works as it should. The logs show Event ID 9 from the Security-Kerberos source, which indicates a failure to validate the domain controller certificate due to the revocation server being offline. I've been working with three different teams (workplace, AD, and network), but we haven't found a solution yet. The entire chain of CRL and network settings has been checked without finding any faults. This issue is quite random, and most of our 1500+ users don't report any problems. Any ideas for a resolution? By the way, I'm aware of Cloud Kerberos trust and have been trying to push that implementation for months, but keep getting told it's risky and might impact our scenario with multiple domains, although Key Trust has its own issues right now.

2 Answers

Answered By AdminMagic99 On

It sounds like you've got quite a challenge on your hands! From my experience, it might help to clarify how you’re implementing your Certificate Revocation Lists (CRLs). Exposing the CRL via HTTP and using the Entra App Proxy worked for us before moving to Cloud Trust, which has been pretty smooth overall.

VentureNerd123 -

The devices are primarily either on the internal network or always-on VPN, so they should have access to internal resources. Just need to ensure the CRLs are properly reachable.

Answered By NetworkingAce22 On

I’ve dealt with similar Kerberos issues lately. One thing I noticed is that having different versions of domain controllers causes weird behaviors, especially regarding how device passwords reset. If they’re not all running the same version, it can result in failures. Make sure all your DCs are updated and try switching which DC the client is using—it sometimes helps resolve the ticketing issues. Also, ensure your certificate selection on the DCs is clean since overlapping certificates can really mess things up. Ideally, have just the necessary certs in their respective stores to avoid any selection mishap.
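Both answers come down to two checks: is the CRL listed in the domain controller's certificate reachable from the client at the time it validates the DC certificate, and does the DC have exactly one clean candidate certificate for Kerberos? The PowerShell below is an added example written for this thread, not code posted by any of the participants. It enumerates certificates in LocalMachine\My that carry the KDC Authentication, Server Authentication or Smart Card Logon EKU, flags the case where more than one certificate shares an EKU (the overlap the second answer warns about), pulls the HTTP CRL distribution points out of those certificates and times a fetch of each, and summarises Security-Kerberos Event ID 9 entries from the System log. The EKU table, the 24-hour window, the 10-second timeout and the choice to test only http(s) CDP URLs are assumptions made for the example.

```powershell
<#
  Added example (not from the thread): DC certificate overlap, CRL reachability,
  and Security-Kerberos Event ID 9 summary. Run the store checks on a DC; run the
  CRL and event checks on an affected client shortly after a morning boot.
#>
param(
    [int]$Hours = 24,       # look-back window for Event ID 9 (assumed)
    [int]$TimeoutSec = 10   # per-URL timeout for the CRL fetch (assumed)
)

# EKU OIDs a Kerberos/PKINIT DC certificate may carry (assumed set for this example)
$ekuNames = @{
    '1.3.6.1.5.2.3.5'        = 'KDC Authentication'
    '1.3.6.1.5.5.7.3.1'      = 'Server Authentication'
    '1.3.6.1.4.1.311.20.2.2' = 'Smart Card Logon'
}

function Get-EkuOid {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Read the Enhanced Key Usage extension directly so this works in Windows PowerShell and PowerShell 7.
    $ext = $Cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ext) { $ext.EnhancedKeyUsages | ForEach-Object { $_.Value } }
}

function Get-KerberosCandidateCert {
    # Certificates with a private key and at least one of the EKUs above.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and (@(Get-EkuOid -Cert $_ | Where-Object { $ekuNames.ContainsKey($_) }).Count -gt 0)
    } | ForEach-Object {
        $oids = @(Get-EkuOid -Cert $_ | Where-Object { $ekuNames.ContainsKey($_) })
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
            EkuOids    = $oids
            EKUs       = ($oids | ForEach-Object { $ekuNames[$_] }) -join ', '
            Cert       = $_
        }
    }
}

function Get-HttpCrlUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points. Format($false) renders the extension on one
    # line, so the URLs can be pulled with a regex. LDAP CDPs are skipped here on purpose.
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $cdp) { return @() }
    [regex]::Matches($cdp.Format($false), 'URL=(https?://[^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value } | Select-Object -Unique
}

function Test-CrlUrl {
    param([string]$Url, [int]$TimeoutSec = 10)
    # Record latency as well as success: a CRL that answers slowly can still be "offline"
    # from the point of view of a client validating the DC certificate at logon.
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec $TimeoutSec
        [pscustomobject]@{ Url = $Url; Reachable = ($r.StatusCode -eq 200); Ms = $sw.ElapsedMilliseconds; Bytes = $r.Content.Length; Error = $null }
    } catch {
        [pscustomobject]@{ Url = $Url; Reachable = $false; Ms = $sw.ElapsedMilliseconds; Bytes = 0; Error = $_.Exception.Message }
    }
}

function Get-KerberosEvent9 {
    param([int]$Hours = 24)
    # Event ID 9 from Microsoft-Windows-Security-Kerberos (System log): the client failed
    # to validate the DC certificate, e.g. because the revocation server was offline.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 9
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, MachineName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# --- Run the checks ---
$certs = @(Get-KerberosCandidateCert)
"Candidate Kerberos certificates in LocalMachine\My: $($certs.Count)"
$certs | Format-Table Thumbprint, Subject, NotAfter, EKUs -AutoSize

# More than one certificate per EKU is the overlap that can lead to the wrong certificate being selected.
$dupes = $certs |
    ForEach-Object { foreach ($o in $_.EkuOids) { [pscustomobject]@{ EKU = $ekuNames[$o]; Thumbprint = $_.Thumbprint } } } |
    Group-Object EKU | Where-Object { $_.Count -gt 1 }
if ($dupes) { "WARNING: multiple certificates share an EKU:"; $dupes | Format-Table Name, Count -AutoSize }

$urls = @($certs | ForEach-Object { Get-HttpCrlUrl -Cert $_.Cert } | Select-Object -Unique)
"HTTP CRL distribution points found: $($urls.Count)"
$urls | ForEach-Object { Test-CrlUrl -Url $_ -TimeoutSec $TimeoutSec } | Format-Table Url, Reachable, Ms, Bytes, Error -AutoSize

"Security-Kerberos Event ID 9 in the last $Hours hours:"
Get-KerberosEvent9 -Hours $Hours | Format-Table -AutoSize
```

On a client the store check will normally find nothing (the DC certificate is not in the client's personal store), so the useful part there is Test-CrlUrl against the CDP URLs taken from the DC's certificate plus the Event ID 9 summary; correlating the event timestamps with the fetch latency measured right after boot is what distinguishes a CRL that is genuinely unreachable from one that is simply not yet reachable while always-on VPN or the network stack is still coming up. For a full chain and revocation check from the client's point of view, `certutil -verify -urlfetch <exported-dc-cert.cer>` remains the standard tool.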
