Azure ad u2f
This document discusses how to enable passwordless authentication to on-premises resources for environments with both Azure Active Directory (Azure AD)-joined and hybrid Azure AD-joined Windows 10 devices. This passwordless authentication functionality provides seamless single sign-on (SSO) to on-premises resources when you use Microsoft-compatible security keys, or with Windows Hello for Business Cloud trust.

Use SSO to sign in to on-premises resources by using FIDO2 keys

Azure AD can issue Kerberos ticket-granting tickets (TGTs) for one or more of your Active Directory domains. With this functionality, users can sign in to Windows with modern credentials, such as FIDO2 security keys, and then access traditional Active Directory-based resources. Kerberos Service Tickets and authorization continue to be controlled by your on-premises Active Directory domain controllers (DCs).

An Azure AD Kerberos Server object is created in your on-premises Active Directory instance and then securely published to Azure Active Directory. The object isn't associated with any physical servers. It's simply a resource that can be used by Azure Active Directory to generate Kerberos TGTs for your Active Directory domain.

1. A user signs in to a Windows 10 device with a FIDO2 security key and authenticates to Azure AD.
2. Azure AD checks the directory for a Kerberos Server key that matches the user's on-premises Active Directory domain.
3. Azure AD generates a Kerberos TGT for the user's on-premises Active Directory domain. The TGT includes the user's SID only, and no authorization data.
4. The TGT is returned to the client along with the user's Azure AD Primary Refresh Token (PRT).
5. The client machine contacts an on-premises Active Directory Domain Controller and trades the partial TGT for a fully formed TGT.
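The two-stage ticket flow above, as an added illustrative model that is not Microsoft's code or the original page's: it shows which party holds which key and what each ticket carries. It is a hypothetical simplification that stands in HMAC-authenticated dictionaries for real Kerberos tickets; the key values, domain name, SIDs and group memberships are constructed sample data. The point it makes is the one the text states: Azure AD can mint a partial TGT that names only the user's SID, and authorization data is attached only by the on-premises DC after it validates that partial TGT.

```python
"""Toy model of Azure AD issuing a partial Kerberos TGT that an on-premises DC
exchanges for a full TGT. Not Microsoft's implementation: tickets are dicts
authenticated with HMAC-SHA256 instead of encrypted Kerberos ASN.1 tickets."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample keys. In the real deployment the Azure AD Kerberos Server key is
# created in on-premises AD and published to Azure AD, while the regular on-premises
# krbtgt key is never published to the cloud.
AZUREAD_KERBEROS_SERVER_KEY = b"constructed-azuread-kerberos-server-key"
ONPREM_KRBTGT_KEY = b"constructed-onprem-krbtgt-key"

# Constructed on-premises directory data. Authorization data (group SIDs) lives only
# here; Azure AD never sees or emits it in the partial TGT.
ONPREM_DIRECTORY = {
    "S-1-5-21-1111-2222-3333-1105": {
        "groups": ["S-1-5-21-1111-2222-3333-513", "S-1-5-21-1111-2222-3333-1200"],
    },
}


def _sign(body: dict, key: bytes) -> dict:
    """Authenticate a ticket body with a keyed MAC (stand-in for ticket encryption)."""
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def _verify(ticket: dict, key: bytes) -> Optional[dict]:
    """Return the ticket body if its MAC checks out under `key`, else None."""
    payload = json.dumps(ticket["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return ticket["body"] if hmac.compare_digest(expected, ticket["mac"]) else None


def azuread_issue_partial_tgt(user_sid: str, domain: str, server_keys: dict) -> dict:
    """Steps 2-3 of the flow: Azure AD looks up the Kerberos Server key published for
    the user's domain and issues a partial TGT carrying only the SID.
    Raises KeyError if no Azure AD Kerberos Server object exists for the domain."""
    key = server_keys[domain]
    return _sign({"realm": domain, "sid": user_sid, "partial": True}, key)


def onprem_dc_exchange_tgt(partial_tgt: dict, server_key: bytes) -> dict:
    """Step 5 of the flow: the DC validates the partial TGT with the Azure AD Kerberos
    Server key, attaches authorization data from its own directory, and issues a
    fully formed TGT under the on-premises krbtgt key."""
    body = _verify(partial_tgt, server_key)
    if body is None or not body.get("partial"):
        raise PermissionError("partial TGT failed validation")
    groups = ONPREM_DIRECTORY[body["sid"]]["groups"]
    full_body = {"realm": body["realm"], "sid": body["sid"], "partial": False, "groups": groups}
    return _sign(full_body, ONPREM_KRBTGT_KEY)


def run_flow(user_sid: str, domain: str) -> dict:
    """Drive the whole exchange and return both tickets for inspection."""
    published_keys = {domain: AZUREAD_KERBEROS_SERVER_KEY}  # what Azure AD holds
    partial = azuread_issue_partial_tgt(user_sid, domain, published_keys)
    full = onprem_dc_exchange_tgt(partial, AZUREAD_KERBEROS_SERVER_KEY)
    return {"partial_tgt": partial, "full_tgt": full}


if __name__ == "__main__":
    result = run_flow("S-1-5-21-1111-2222-3333-1105", "corp.example")
    print("partial TGT body:", result["partial_tgt"]["body"])
    print("full TGT body:   ", result["full_tgt"]["body"])
```

Reading the two printed bodies side by side makes the boundary visible: the partial ticket has a SID and nothing else, and group membership appears only after the on-premises DC has checked the ticket and consulted its own directory. The model also rejects a partial TGT whose body was altered after Azure AD issued it, which is the property that keeps the DC, not the cloud, as the authority on authorization.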