Unable to use Azure AD accounts to remotely authenticate to Windows


How can I use an Azure AD account to remotely authenticate to Azure AD-joined Windows?

I have:

  1. Tried authenticating remotely using Azure AD accounts and every sign-in format that I'm aware of (listed below), but all result in the error message "The user name or password is incorrect" and an Audit Failure event with ID 4625, status 0xC000006D, and sub-status 0xC0000064, which means that the user doesn't exist.
    • %UPN%.
      For example, username.admin@domain.com.
    • AzureAD\%UPN%.
      For example, AzureAD\username.admin@domain.com.
    • AzureAD\%username%.
      For example, AzureAD\username.admin.
    • AzureAD\%securityID%.
      For example, AzureAD\UsernameAdmin. This seems to be the display name with spaces removed.
    • %NetBIOSDomainName%\%securityID%.
      For example, EXAMPLE\UsernameAdmin. This is how Windows displays it in Computer Management → Local Users and Groups → Groups → Administrators.
  2. Tried using PsGetSid locally and found that it can resolve the following Azure AD sign-in formats:
    • %UPN% (only if the user account has signed in previously).
    • AzureAD\%UPN% (regardless of whether the user account has signed in previously).
    • AzureAD\%securityID%.
  3. Tried authenticating locally using Azure AD accounts and the aforementioned sign-in formats and found that local Run As can handle the following:
    • %UPN%.
    • AzureAD\%UPN%.
    • AzureAD\%securityID%.
  4. Tried authenticating remotely using local admin accounts and found that they work fine.

So, it seems that Windows can handle the Azure AD accounts but only locally and not remotely, unlike with AD DS accounts.

Everything I've found online is either not for this particular scenario or is just other people who are experiencing the same problem.

Is this even possible?

Tags: remote-access, windows-10, server-message-block, azure-active-directory
asked on Server Fault Dec 12, 2019 by mythofechelon • edited Dec 13, 2019 by mythofechelon
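As an added example (not part of the question or answer), a PowerShell function that pulls the 4625 Audit Failure events the question used as evidence and decodes their Status/SubStatus fields against the documented NTSTATUS values, so a "user does not exist" result (0xC0000064) can be told apart from wrong-password, disabled-account or logon-type failures and grouped by the account format that was tried. The function name, parameters and output columns are my own choices; the code table covers only values I know, and the script must run elevated to read the Security log.

```powershell
# Added example: triage Security event 4625 (logon failure) on an Azure AD-joined
# host. Function name and parameters are assumptions, not a Windows API.

# Documented NTSTATUS values seen in the 4625 Status / SubStatus fields.
# PowerShell hashtable keys are case-insensitive, so '0xc0000064' as written
# in the event XML matches the keys below.
$StatusText = @{
    '0xC000006D' = 'STATUS_LOGON_FAILURE (bad user name or authentication info)'
    '0xC0000064' = 'STATUS_NO_SUCH_USER (user name does not exist)'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD (user exists, password wrong)'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC000015B' = 'STATUS_LOGON_TYPE_NOT_GRANTED (logon type not allowed for user)'
    '0xC0000413' = 'STATUS_AUTHENTICATION_FIREWALL_FAILED (host protected by auth firewall)'
}

function Get-LogonFailureTriage {
    param(
        [int]$MaxEvents = 200,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625 }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    foreach ($e in $events) {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $xml = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # SubStatus carries the specific reason; Status is the generic wrapper.
        $code = if ($d.SubStatus -and $d.SubStatus -ne '0x0') { $d.SubStatus } else { $d.Status }
        $meaning = $StatusText[$code]
        if (-not $meaning) { $meaning = "unknown code $code" }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
            LogonType   = $d.LogonType   # 2 interactive, 3 network (SMB, NLA), 10 RDP
            Source      = $d.IpAddress
            Workstation = $d.WorkstationName
            Status      = $d.Status
            SubStatus   = $d.SubStatus
            Meaning     = $meaning
        }
    }
}

# Summarise which account format fails with which reason, e.g. every
# AzureAD\... attempt over logon type 3 mapping to STATUS_NO_SUCH_USER.
Get-LogonFailureTriage -MaxEvents 500 |
    Group-Object Account, LogonType, Meaning |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Seeing all remote (logon type 3) attempts for the AzureAD formats decode to STATUS_NO_SUCH_USER while local logons succeed matches the pattern the question describes; a sudden volume of such failures from one source address is also the signal a defender would alert on.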

1 Answer


From my extensive testing, I have concluded that Windows 10 v1909 (latest as of writing) simply doesn't support the usage of Azure AD accounts / credentials with Network-Level Authentication (NLA).

Remote access via RDP can be worked around by disabling NLA and manually editing the .RDP file to add enablecredsspsupport:i:0.

Remote access via SMB cannot be worked around, it seems.

answered on Server Fault Dec 13, 2019 by mythofechelon

User contributions licensed under CC BY-SA 3.0