
Implementing Cloud Kerberos Trust with Multiple On-premises AD Forests

Daniel 91 Reputation points
2025-01-13T15:16:32.97+00:00

I have a question about setting up Cloud Kerberos trust in an environment with multiple on-premises Active Directory (AD) forests that are configured with domain trusts between them.

Is it sufficient to configure Cloud Kerberos trust for only one on-premises AD forest, or is it necessary to set it up for each of the AD forests connected by domain trusts?

Has anyone done something like this?

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | User experience | Other

2 answers

  1. Anonymous
    2025-01-15T16:16:35.7566667+00:00

    Hello,

    Thank you for posting in Q&A forum.

    Yes, we need to configure Cloud Kerberos trust for every AD forest. Here are the steps to follow:

    1. Enable Entra Kerberos in every domain involved in all forests.

    2. Create the AzureADKerberos computer object: for each AD forest, create an AzureADKerberos computer object in the respective domain. This object acts as a read-only domain controller (RODC) and is used by Microsoft Entra ID to generate Ticket Granting Tickets (TGTs).

    3. Configure Cloud Kerberos Trust on endpoints via GPO or Intune.

    4. Verify the configuration and ensure that users can authenticate via Cloud Kerberos Trust.

    For further details, please refer to the Microsoft official documentation below:

    REF: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune

    To help other customers who may be facing the same issue, please don't forget to vote if the reply is helpful.

    Best Regards

    Zunhui


  2. David Rukavina 20 Reputation points
    2026-06-19T10:34:54.9833333+00:00

    The previous answer is incorrect. Once you have a TGT for your primary domain, you can request service tickets as normal to any available service within the forest or any trusted forest. It's just a different authentication flow than direct AD authentication; after that it's regular Kerberos.

    Multi-forest is not mentioned in the Microsoft documentation, and searching yields little information besides this forum question, so I hope this helps someone out 🙂

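As an added illustration of steps 2 and 4 from the first answer and of the cross-forest ticket behaviour described in the second (example code, not from either poster or from Microsoft's documentation): the per-forest object creation uses the cmdlets of Microsoft's AzureADHybridAuthenticationManagement module, while the client-side checks rely on dsregcmd and klist. The forest names, credential prompts and the file server SPN are assumptions.

```powershell
# Added example: create and read back the AzureADKerberos object in each forest,
# then verify a hybrid-joined client. Domain names and SPN below are placeholders.
Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber

# One root domain per forest that will serve Cloud Kerberos trust users (assumed names).
$forestRootDomains = @('corp.contoso.com', 'corp.fabrikam.com')

# Entra ID Hybrid Identity Administrator (cloud) and on-premises Domain Admin credentials.
$cloudCred  = Get-Credential -Message 'Entra ID Hybrid Identity Administrator'
$domainCred = Get-Credential -Message 'On-premises Domain Admin'

foreach ($domain in $forestRootDomains) {
    # Creates the AzureADKerberos RODC-like object and publishes its key to Entra ID.
    Set-AzureADKerberosServer -Domain $domain `
        -CloudCredential $cloudCred -DomainCredential $domainCred

    # Read the object back from both sides; KeyVersion and CloudKeyVersion
    # should match, otherwise the on-prem and cloud keys are out of sync.
    Get-AzureADKerberosServer -Domain $domain `
        -CloudCredential $cloudCred -DomainCredential $domainCred |
        Format-List DomainDnsName, KeyVersion, CloudKeyVersion, KeyUpdatedOn, CloudKeyUpdatedOn
}

# Step 4, run on a hybrid-joined client after a Windows Hello for Business sign-in:
# the SSO state must report both a cloud TGT and an on-premises TGT.
dsregcmd /status | Select-String 'CloudTgt', 'OnPremTgt'

# The cloud-issued Kerberos TGT for the user's home realm (the "primary domain"
# of the second answer) is visible here.
klist cloud_debug

# Cross-forest check: with only that home-realm TGT, request a service ticket for a
# resource in the other (trusted) forest. Regular Kerberos referrals do the rest.
klist get cifs/files01.corp.fabrikam.com
klist | Select-String 'krbtgt/', 'cifs/'
```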
