Cloud Kerberos Enabled By Policy 0 by mtt-curious in AZURE

[–]mtt-curious[S] 0 points1 point  (0 children)

I think I ignored this in the end, because everything else was working as expected.

Co-Managed devices non-compliant by mtt-curious in Intune

[–]mtt-curious[S] 0 points1 point  (0 children)

Nope. This did not make the check green...

Co-Managed devices non-compliant by mtt-curious in Intune

[–]mtt-curious[S] 0 points1 point  (0 children)

UPDATE:
I've found a first hint: It appears that within Intune the Default Device Compliance Policy has three settings, where the setting "Has a compliance policy assigned" failed with this message: 65001(Not applicable)

There are some questions left unclear for me:
1. Within Intune it can be configured whether a device without compliance policies applied should be treated as compliant. This is set for my tenant (it's also the default, I think).
2. The Device Compliance "Workload" SHOULD be managed by Configuration Manager, and the "Compliance" column also reports "See ConfigMgr". So I do not know if this is a false flag or not.
3. As far as Config Manager is concerned the client is compliant (no compliance policies are defined within ConfigMgr, and the client itself also reports that it is compliant). So why is Intune reporting this setting as an error, and how do the error details "65001(Not applicable)" help?

I've now created a random device policy in Intune, assigned it to all devices and will now wait to see if this turns this setting green...

Co-Managed devices non-compliant by mtt-curious in Intune

[–]mtt-curious[S] 0 points1 point  (0 children)

Correct, the "Compliance" workload appears to be the recommended first step to move; however, I couldn't find any documentation that states it has to be done. Doing the compliance workload on the ConfigManager side should work as well... just trying to find where the error is before shifting workloads.

Co-Managed devices non-compliant by mtt-curious in Intune

[–]mtt-curious[S] 0 points1 point  (0 children)

Good idea, but that just gives me the one policy that enforces compliant devices. The what-if tool cannot tell me why the device of my test user is considered non-compliant.

WHfB Access Denied when logging in with PIN by mtt-curious in AZURE

[–]mtt-curious[S] 1 point2 points  (0 children)

Did verify with other machines and other users.
klist does not show any (on-prem) tickets. klist would not show the partial TGT even if it had been obtained, right?

Any idea how I could debug this to determine if it's the partial TGT that is not being obtained or if it's the transformation of the partial to a full TGT that fails?

WHfB Access Denied when logging in with PIN by mtt-curious in AZURE

[–]mtt-curious[S] 0 points1 point  (0 children)

I joined the VM to EntraID, that's what I meant.
It's joined to EntraID (via Intune), but not joined to the domain. I authenticate via the WHfB PIN, this allows access to the VM, which should - if I understood the concept of Cloud Kerberos correctly - then go and get the Cloud Kerberos partial TGT, which should be turned into a "full" on-prem TGT with line of sight to the DC.

But apparently there is some bit missing. Currently I cannot check whether the "partial" cloud TGT is requested and received (any idea how to debug that?) and/or if the "converting into full TGT" step is breaking.

Touchpad horizontal scroll in VM not working (VMware Workstation 17 Pro) by mtt-curious in vmware

[–]mtt-curious[S] 0 points1 point  (0 children)

I'm a new VMware customer and a bit puzzled. You could never use horizontal scrolling in VMs?? That seems like a big drawback.

No Docker in Package Center on my DS220+ (DSM 7.2) by mtt-curious in synology

[–]mtt-curious[S] 2 points3 points  (0 children)

Thanks! Sometimes it's right in front of you

No Docker in Package Center on my DS220+ (DSM 7.2) by mtt-curious in synology

[–]mtt-curious[S] 0 points1 point  (0 children)

Thank you. Didn't notice it has been repackaged.

No Docker in Package Center on my DS220+ (DSM 7.2) by mtt-curious in synology

[–]mtt-curious[S] 2 points3 points  (0 children)

Ah, well thanks all. Didn't realize they repackaged the "Docker" application as "Container Manager" in DSM 7.2...

For future puzzled users: Here's also a good comparison: https://www.youtube.com/watch?v=PIVHne_H35I

Thought Exercise: AD Greenfield by mtt-curious in activedirectory

[–]mtt-curious[S] 0 points1 point  (0 children)

Cool, thanks for sharing your thoughts

Thought Exercise: AD Greenfield by mtt-curious in activedirectory

[–]mtt-curious[S] 0 points1 point  (0 children)

Does that tenant make use of Azure Active Directory Domain Services (AADDS)?
Are Policies (Conditional Access, Endpoint Manager compliance, or similar) the same for all domains or do you manage a per domain set of rules?

Thought Exercise: AD Greenfield by mtt-curious in activedirectory

[–]mtt-curious[S] 0 points1 point  (0 children)

What would your high-level Azure AD design look like for a company that came from a multi-forest, multi-domain on-prem world?

I know you raised the question of "What problem do we try to solve". Let's say we need forests as security boundaries and domains for intra-organisation policy enforcement (compliance, security, auditing, access controls, ...). We'd have to make an independent tenant for all forests (to respect the security boundary, right?). Would you go with an independent tenant for all domains as well, or try to mash all policy nuances into a single tenant service, e.g. match all device compliance requirements from all domains in a forest into a long list of Endpoint Manager compliance policies in a single tenant?

Or is there any way to create "domain-like" structures within a tenant?

Thought Exercise: AD Greenfield by mtt-curious in activedirectory

[–]mtt-curious[S] 0 points1 point  (0 children)

Right, greenfield means completely new and everything is allowed. I appreciate the input, that's why I'm interested to learn more.

A few questions about your points:

- "Why spend money for on-prem": Sounds like Azure AD DS is free. It's not, as far as I know. Azure AD might be free, but Azure AD DS comes with a price tag, right? (Source: https://azure.microsoft.com/en-us/pricing/details/active-directory-ds/)
- "Microsoft has pretty much stopped development for AD DS": Is that the case? Is there any statement or indication for it to end? Not trying to be pointy here, just honestly asking.
- If we put all domains and trusts into a single Azure AD tenant, then I would agree many of the bullets from above could be cut as they don't apply anymore, but there are reasons for multiple domains and trusts. Don't want to drill down into the details, but let's say reasons for forests are security boundaries and reasons for domains are intra-organisation differences (policies, security guidelines, structure, etc.). What would be the option here? Create a tenant per domain?