Kerberos Cloud Trust - accessing file shares over VPN for AADJ devices

Most VPN solutions have two kinds of always-on VPN (they call them by different names):

  • device-based: only management ports are open so that devices can communicate with AV, update services, AD etc.
  • user-based: opens when the user has logged on, disconnects the device VPN

Private Access does not need line of sight to a DC. Two caveats though: 1. You have to log on with a password. With biometrics or PIN you will get prompted for username/password. 2. Does not work on a cell connection. I’ve been testing this out and it works well.

Oh. We’ve deployed Azure joined devices and staff are using Ivanti(Pulse) VPN and can access our file shares fine.

Now they aren’t using WHFB, just logging in with their Azure AD username and password.

Are you saying if we moved to WHFB using a PIN and Kerberos Cloud Trust, this won’t work for remote users?

CloudKerberosTicketRetrievalEnabled

I’ve deployed the UseCloudTrustForOnPremAuth CSP per MS docs, but I haven’t seen anything about that one - I googled it and it seems more related to Azure Files, which we are not using (i.e. getting a Kerberos ticket from Azure, rather than a Kerberos ticket from on-prem).

Is this definitely the CSP that’s needed?

I suspect you might if the VPN is activated after logon, not before.

From what I gather, when using WHFB, users need line-of-sight to a DC at logon time. I’ve heard some conflicting reports though, so I’m going to confirm this.

Exactly this.

The CloudKerberosTicketRetrievalEnabled key is for getting tickets for Azure (file) stuff, not on-prem.

UseCloudTrustForOnPremAuth IS the right one according to every doc and site.

Only, I can’t get it to work either.

I’ve tried resetting/clearing my WHfB container and it seemed to work exactly 1 time. But I did enter my real password to log in to set my PIN, so afterwards I guess this was why.

Another thing I found strange is that my on-prem fileserver has NO logs at all of me trying to reach it. So it looks like it’s stuck somewhere else…

Interesting. I thought the whole point of Cloud Kerberos Trust was for this not to be the case.

Must test it when I’m back in the office

From what I’ve gathered, this is just the first time the user logs in/sets up WHfB.

Yeah well I could be wrong (seems like I have to be missing something given this is the MS-recommended method). I’d love to hear how you go testing this out.

Ideally I would think that line-of-sight is only needed when you try to authenticate to a resource, and not at the time of logon, and while this seems to be true for password, I can’t seem to get it working with PIN.

Ahhhhh Windows Hello, this all makes sense now. Are you using it? When I said it was working fine for me without cloud kerberos I had Windows Hello turned off

Be careful, Windows Hello is NOT the same as Windows Hello for Business :wink:

https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/#the-difference-between-windows-hello-and-windows-hello-for-business
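Added example, not posted by anyone in the thread: a PowerShell check that tells apart the two settings discussed above (UseCloudTrustForOnPremAuth vs CloudKerberosTicketRetrievalEnabled) and reports what dsregcmd /status says about the cloud-issued on-prem TGT after sign-in. The registry locations are the ones Microsoft documents for the WHfB GPO and for the Azure Files setting; the per-tenant layout assumed for the Intune CSP key is an assumption to verify on your own devices.

```powershell
# Added example: report which Kerberos setting is actually on the device and whether
# sign-in obtained a cloud-issued on-prem TGT. Run elevated on the AADJ device.
function Get-CloudTrustState {
    # GPO-delivered WHfB policy (PassportForWork.admx) lands here.
    $gpo = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\PassportForWork' `
            -Name UseCloudTrustForOnPremAuth -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth

    # Intune CSP ./Device/Vendor/MSFT/PassportForWork/<TenantId>/Policies/UseCloudTrustForOnPremAuth
    # is assumed to be written under a per-tenant GUID key; search them instead of hard-coding one.
    $csp = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Policies\PassportForWork' -ErrorAction SilentlyContinue |
        ForEach-Object {
            (Get-ItemProperty -Path "$($_.PSPath)\Device\Policies" -Name UseCloudTrustForOnPremAuth `
                -ErrorAction SilentlyContinue).UseCloudTrustForOnPremAuth
        } | Where-Object { $null -ne $_ } | Select-Object -First 1

    # Only affects Entra (Azure Files) Kerberos tickets; it is NOT the on-prem cloud trust setting.
    $azFiles = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters' `
                -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled

    # dsregcmd /status prints "AzureAdPrt : YES" and "OnPremTgt : YES" under SSO State when
    # the device has a PRT and received a partial on-prem TGT from Entra ID at sign-in.
    $status = dsregcmd /status
    $prtM = $status | Select-String '^\s*AzureAdPrt\s*:\s*(\S+)'
    $tgtM = $status | Select-String '^\s*OnPremTgt\s*:\s*(\S+)'

    [pscustomobject]@{
        UseCloudTrustForOnPremAuth_GPO      = $gpo
        UseCloudTrustForOnPremAuth_CSP      = $csp
        CloudKerberosTicketRetrievalEnabled = $azFiles   # informational only
        AzureAdPrt = if ($prtM) { $prtM.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
        OnPremTgt  = if ($tgtM) { $tgtM.Matches[0].Groups[1].Value } else { 'UNKNOWN' }
    }
}

$s = Get-CloudTrustState
$s | Format-List
if ($s.UseCloudTrustForOnPremAuth_GPO -ne 1 -and $s.UseCloudTrustForOnPremAuth_CSP -ne 1) {
    Write-Warning 'UseCloudTrustForOnPremAuth is not set; CloudKerberosTicketRetrievalEnabled alone gives no on-prem tickets.'
}
if ($s.OnPremTgt -ne 'YES') {
    Write-Warning 'No cloud-issued on-prem TGT from this sign-in; file-share access will need DC line of sight to get one.'
}
```

If OnPremTgt is YES but a share still fails, check the VPN is up before the first share access and that the file server has the Kerberos server object's realm reachable (klist on the client shows whether a service ticket for the share was ever requested).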