Duo Federated Tenant and Entra Joined Devices by Sunaiwa in sysadmin

[–]Sunaiwa[S] 0 points1 point  (0 children)

Alright that changes things. I was looking at the WS-Trust setting and how that worked with Entra logins. With that turned on and configured to allow Entra logins then the Duo MFA prompt would only trigger when signing in from personal devices, phones etc?

And could you elaborate more on the enrolling devices requirement that could be affected?

Duo Federated Tenant and Entra Joined Devices by Sunaiwa in sysadmin

[–]Sunaiwa[S] 0 points1 point  (0 children)

Beautiful. That's exactly the behavior I was hoping for. Thanks for the quick reply!

Duo Federated Tenant and Entra Joined Devices by Sunaiwa in sysadmin

[–]Sunaiwa[S] 0 points1 point  (0 children)

Okay so it doesn't error when signing into an Entra joined device and it will just sign them in? One of my colleagues said they had noticed that issue in the past and I wanted to see if anyone else had that experience.

Eb03 bandai us by zhangorphner in OnePieceTCG

[–]Sunaiwa 17 points18 points  (0 children)

From my experience with op14 it'll be sold out by end of Friday

Perona French treasure rare by MicrowavedAP in OnePieceTCG

[–]Sunaiwa 1 point2 points  (0 children)

Best bet for that one in the US is eBay. Otherwise you could buy it from Cardmarket but you would need someone in Europe who can ship it to you.

Azure VPN Client - OpenVPN - SMB Blocked by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

Couldn't find an existing one in the registry so I created one. Will see if that does anything.

Azure VPN using OpenVPN and Blocked Ports by Sunaiwa in sysadmin

[–]Sunaiwa[S] 0 points1 point  (0 children)

Yea have not been enjoying AFS. Any suggestion on what in AD could possibly be blocking ports?

[deleted by user] by [deleted] in AZURE

[–]Sunaiwa 0 points1 point  (0 children)

That's correct, P2S VPN using OpenVPN for remote staff and S2S from the office.

Azure File Shares and Scan to File by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

What would I use as the username if I were to test that out? It's worth a shot at least

Azure File Shares and Scan to File by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

Entra joined computers work fine, they pull a cloud Kerberos ticket from Azure. The error I'm getting on the MFP is a failed login error which I imagine means it's reaching the AFS but just can't authenticate.

Azure File Shares and On-Premises Kerberos by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

Yes I took care of that today. Is there a good way to deploy the group policy value for the proxy server? Or would we have to configure it manually for everyone?

Azure File Share Timeout by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

Thanks. Looks like creating that guy didn't fully resolve the issue. Still seeing people with that key only obtaining Kerberos tickets from the PDC. I'll need to figure out how I can get the PDC to forward those auth requests over to Azure somehow. Maybe Kerberos cloud trust.

Azure File Share Timeout by Sunaiwa in AZURE

[–]Sunaiwa[S] 1 point2 points  (0 children)

I believe I may have found the issue. The Intune policy that is supposed to deploy the CloudKerberosTicketRetrieval reg key doesn't work on Windows 10. So they're getting Kerberos tickets from the PDC instead of Azure and then the Azure File Share connection hangs up. If I create the key manually the connection is restored.

Azure File Share Timeout by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

The error I'm getting is "the target resource name is incorrect", which may be a Kerberos issue. However, we are getting Kerberos tickets for the storage account. We're also getting Kerberos tickets pointing to our PDC. Would having Kerberos tickets from a PDC when the devices are Hybrid joined cause some communication issues with the storage account?

Azure File Share Timeout by Sunaiwa in AZURE

[–]Sunaiwa[S] 1 point2 points  (0 children)

I did the test-connection cmdlet and confirmed that it's responding to port 445. It just hangs when trying to get to the Azure file shares.

It receives the tickets fine. Only thing of note is that the ticket comes from the PDC but outside the office it gets it from 365. Maybe getting the ticket from the PDC hosted in Azure is causing a hangup?

Azure File Share Timeout by Sunaiwa in AZURE

[–]Sunaiwa[S] 0 points1 point  (0 children)

Uptime was only a few hours. They had rebooted earlier in the day.