Hi Chanuka Francis,
Thank you for posting your query on Microsoft Q&A. I am Saiteja from Q&A and will be assisting you with your query.
Based on your query, I understand your configuration has failed at the initial stage of creating the Kerberos server object.
As per the error, I see there is an authentication failure when creating an object in on-premises AD. I would like to provide you with the two supported scenarios before we go into the configuration:
- Cloud resources such as Microsoft 365 and other Security Assertion Markup Language (SAML)-enabled applications.
- On-premises resources, and Windows-integrated authentication to websites. The resources can include websites and SharePoint sites that require IIS authentication and/or resources that use NTLM authentication.
Before starting the configuration, make sure you have 2016 or 2019 servers, and you need to enable TLS 1.2 on them from PowerShell as administrator using the following command:
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
All the required ports for NTLM, LDAP and Kerberos should be open on your DC. While performing this operation, Entra reaches your DC to create a Kerberos server object, which needs internet connectivity. Kindly make sure the domain controller has internet access.
Enable the "Network security: Configure encryption types allowed for Kerberos" policy with AES256_HMAC_SHA1 on your domain controller. You can refer to this document for configuration.
If you would like to use $domaincred, make sure the user is a member of the Domain Admins group and the Enterprise Admins group. If you would like to use $CloudCred, the user should be a hybrid administrator or a synchronized user with the Global Administrator role, with the following attributes populated in Entra from AD Connect:
- onPremisesSamAccountName (accountName in Microsoft Entra Connect)
- onPremisesDomainName (domainFQDN in Microsoft Entra Connect)
- onPremisesSecurityIdentifier (objectSID in Microsoft Entra Connect)
Here is the Microsoft document that describes how to perform the configuration once the above pre-checks are done: https://learn.microsoft.com/en-us/entra/identity/authentication/howto-authentication-passwordless-security-key-on-premises#install-the-azureadhybridauthenticationmanagement-module
Note: If you're working on a domain-joined machine with an account that has domain administrator privileges, you can skip the "-DomainCredential" parameter. If the "-DomainCredential" parameter isn't provided, the current Windows login credential is used to access your on-premises Active Directory Domain Controller.
I hope this information is helpful. Please feel free to reach out if you have any further questions.
If the answer is helpful, please click "Accept Answer" and kindly "upvote it". If you have extra questions about this answer, please click "Comment".
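The following pre-flight script is an added example, not part of the answer above or Microsoft's code: it walks through the prerequisites listed in the answer (TLS 1.2, DC ports, the Kerberos encryption-type policy, admin group membership and the three synchronized attributes) and prints a True/False checklist before you run Set-AzureADKerberosServer from the linked AzureADHybridAuthenticationManagement module. It assumes a domain-joined Windows Server 2016/2019 host with the ActiveDirectory and Microsoft.Graph.Users modules installed and WinRM reachable on the DC; $DomainAdminSam and $CloudUpn are hypothetical placeholders.

```powershell
# Pre-flight checks for creating the Entra Kerberos server object (added example; not Microsoft's code).
# Assumptions: run as administrator on a domain-joined Windows Server 2016/2019 host with the
# ActiveDirectory and Microsoft.Graph.Users modules installed and WinRM reachable on the DC.
# $DomainAdminSam and $CloudUpn are hypothetical placeholders; replace them with your own values.
param(
    [string]$DomainAdminSam = 'kerbadmin',                         # on-prem account used as $domaincred
    [string]$CloudUpn       = 'kerbadmin@contoso.onmicrosoft.com'  # cloud account used as $CloudCred
)
$ErrorActionPreference = 'Stop'
$dc = [string](Get-ADDomainController -Discover -Service KDC).HostName
$results = [ordered]@{}

# 1. TLS 1.2 for this PowerShell session (the same command the answer above gives).
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
$results['TLS 1.2 enabled'] = ([Net.ServicePointManager]::SecurityProtocol -band [Net.SecurityProtocolType]::Tls12) -ne 0

# 2. Well-known ports to the DC: Kerberos 88, LDAP 389, LDAPS 636, SMB 445 and RPC 135 (used by NTLM).
foreach ($port in 88, 389, 636, 445, 135) {
    $results["DC $dc TCP/$port reachable"] = Test-NetConnection -ComputerName $dc -Port $port -InformationLevel Quiet
}

# 3. Kerberos policy on the DC: SupportedEncryptionTypes bit 0x10 is AES256_HMAC_SHA1.
#    A missing value means the policy is not configured, which the answer asks you to fix.
$etypes = Invoke-Command -ComputerName $dc -ScriptBlock {
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters' `
        -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
}
$results['DC policy allows AES256_HMAC_SHA1'] = ($null -ne $etypes) -and (($etypes -band 0x10) -ne 0)

# 4. The on-prem account must be in both Domain Admins and Enterprise Admins.
$groups = (Get-ADPrincipalGroupMembership -Identity $DomainAdminSam).Name
$results['Domain Admins member']     = $groups -contains 'Domain Admins'
$results['Enterprise Admins member'] = $groups -contains 'Enterprise Admins'

# 5. The cloud account must carry the three attributes synchronized by Entra Connect.
Connect-MgGraph -Scopes 'User.Read.All' | Out-Null
$u = Get-MgUser -UserId $CloudUpn -Property onPremisesSamAccountName,onPremisesDomainName,onPremisesSecurityIdentifier
foreach ($attr in 'OnPremisesSamAccountName', 'OnPremisesDomainName', 'OnPremisesSecurityIdentifier') {
    $results["Entra $attr populated"] = -not [string]::IsNullOrEmpty($u.$attr)
}

# Print the checklist; any False row is a prerequisite to fix before creating the Kerberos server object.
$results.GetEnumerator() | ForEach-Object { '{0,-45} {1}' -f $_.Key, $_.Value }
```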