Azure – Creating a cross-forest Trust between two Active Directory Forests hosted on Azure VMs? (separate subscriptions)

active-directoryazuretrust-relationship

I see that it's possible to create a cross-forest Kerberos Trust between an on-premises AD Forest and a Forest hosted on Azure VMs. But is it also possible to create a cross-forest Trust between two separate organizations which exist only on Azure VMs?

Thanks!

Best Answer

To answer your question you posed in the comments and the original question:

http://blogs.technet.com/b/canitpro/archive/2014/06/03/step-by-step-configure-vnet-to-vnet-connectivity-in-azure.aspx

You would establish a vnet to vnet VPN tunnel to allow that cross cloud service connectivity between the two forests. Then you could setup the trust relationship as normal.

Related Solutions

“KDC has no support for encryption type” when setting up cross-realm trust between MIT Kerberos and Active Directory

I have solved the problem. I'm posting a reply here in case someone else faces the same issue.

The solution was very simple. I needed to make sure that the cross-realm authentication principals were created with a single encoding type, of type rc4-hmac:

addprinc -e rc4-hmac krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM
addprinc -e rc4-hmac krbtgt/EXAMPLE.COM@AD.EXAMPLE.COM

As far as I can tell, what happens is that the MIT KDC uses the most secure encoding type when sending the ticket to the AD server. The AD server is unable to handle that encoding and thus replied with the error that the encryption type is not supported. By only having a single encoding type for the principals, the MIT server will use that type when talking to the AD server.

Cross-Realm-Trust between Active Directory and MIT Kerberos

Fair warning, my knowledge in this area is extremely dated at this point. Like early 2000's, Windows 2003 era Active Directory. So things may work differently now.

The main problem is that Windows doesn't know how to find the KDC for your MIT realm by default (ironically, it won't just use DNS to look it up like it does for AD). There's a utility called ksetup.exe that will let you map a realm name to one or more KDC servers. Ultimately, this utility is just setting some registry values. So you can automate this with Group Policy if necessary.

Update: @grawity mentioned that Windows may actually be able to find the KDCs via DNS as long as the proper SRV records exist and ksetup has been used to at least define the realm.

We also had what were essentially "shadow" accounts in AD that matched the users defined in the MIT realm. The passwords on those accounts didn't matter, they just had to exist. We may have also set some additional attributes like UPN or SPN that were related to the MIT realm in some way. Memory is hazy though.

Another thing to be aware of is the supported encryption types between AD and your MIT realm. If both are pretty recent, you'll probably be fine. But when we were doing this, our MIT realm was old and we had to add Group Policy in AD to add some legacy encryption types that the MIT realm supported.

Hopefully this should get you going in the right direction.

Best Answer

Related Solutions

“KDC has no support for encryption type” when setting up cross-realm trust between MIT Kerberos and Active Directory

Cross-Realm-Trust between Active Directory and MIT Kerberos

Related Topic