
Is it possible to obtain a kerberos ticket for a domain user from a device that is outside the domain?

We have devices outside the domain and we don't want them to be inside. But we are trying to go with kind of SSO on these devices when they are in the corporate network.

So, in order to do that we saw that Azure can do something similar with its Windows10 devices.

https://docs.microsoft.com/en-us/azure/active-directory/devices/azuread-join-sso

Is there any way to do that from Windows 10 using PowerShell or cmd? Obtain the Kerberos ticket and use it for SSO.

Thanks!!

Windows supports SSO by letting you log into your desktop using your domain credentials. These credentials are stuffed somewhere, and then retrieved the next time you need to access a network resource by authenticating to local AD.

Machines that are not domain joined do the exact same thing, however you don't do step 1, which is log into the machine with the creds, so you don't have them on hand already. This is why you get prompted for creds the first time you hit something on the network. After that first prompt you've authenticated to local AD and can then start getting SSO within that domain.

Azure AD Join, which is what you've linked to, works the same way, but instead of authenticating to local AD, it authenticates to Azure AD, and then stuffs the credentials away for use later once you need to hit a network resource, at which point it changes gears and authenticates to local AD.

So specifically yes, if the logged on user is on an AADJ machine and has line of sight to a domain controller a PowerShell script or app can request a Kerberos ticket. The critical bit being that the machine is AADJ.
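As an added example of what the answer's last paragraph describes (not code from the question or the answer), the following PowerShell requests a TGT from a workgroup Windows 10 machine that has line of sight to a domain controller and then verifies it landed in the ticket cache. CORP.EXAMPLE, dc01.corp.example and jdoe are placeholders, and the script assumes it runs inside a logon session that already holds domain credentials for network use (for example one started with `runas /netonly`).

```powershell
# Added example, not from the question or answer: obtain and verify a Kerberos
# TGT for a domain user on a non-domain-joined Windows 10 machine.
# Placeholders: CORP.EXAMPLE (realm), dc01.corp.example (KDC), jdoe (account).
$Realm = 'CORP.EXAMPLE'
$Kdc   = 'dc01.corp.example'

function Get-DomainTgt {
    param([string]$Realm, [string]$Kdc)

    # A workgroup machine has no realm-to-KDC mapping of its own, so register
    # one if it is missing (stored in the registry; needs an elevated shell
    # the first time it is written).
    $mapped = (ksetup) -match [regex]::Escape($Realm)
    if (-not $mapped) { ksetup /addkdc $Realm $Kdc | Out-Null }

    # Ask the Kerberos client for a TGT. This only succeeds in a logon session
    # that holds domain credentials for network authentication, e.g. one
    # started with:  runas /netonly /user:CORP.EXAMPLE\jdoe powershell.exe
    # That credential prompt is the "first prompt" the answer refers to.
    $requestOutput = klist get "krbtgt/$Realm" 2>&1

    # Do not trust the request alone; confirm the cache now holds the TGT
    # before relying on SSO for file shares, web apps, etc.
    $cache = klist
    $hasTgt = [bool]($cache | Select-String -SimpleMatch "krbtgt/$Realm")
    if (-not $hasTgt) {
        Write-Warning "No TGT for $Realm in the cache. Check DNS/KDC reachability and the credentials of this session."
        Write-Warning ($requestOutput -join "`n")
    }
    return $hasTgt
}

Get-DomainTgt -Realm $Realm -Kdc $Kdc
```

Once `Get-DomainTgt` returns `$true`, subsequent access to domain resources from the same session negotiates Kerberos silently; `klist purge` discards the cached tickets again.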

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM