Table of Contents | ||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
|
Synergetic Windows Client (SynMain) and Azure AD: Solutions for Authentication Compatibility
The Synergetic Windows client, SynMain (a FAT32 application), relies on Kerberos authentication to communicate with on-premises domain controllers (DC). However, when end-user devices are Azure AD-joined, the SynMain client doesn’t function as expected. This is because Azure AD does not natively support Kerberos authentication.
Why Azure AD Does Not Support Kerberos Authentication
Azure AD is designed primarily for cloud-based authentication and does not include the traditional Kerberos protocol used by on-premises Active Directory (AD). Kerberos relies on a trusted third-party (the Key Distribution Center, or KDC) to issue tickets for authentication, which is a core component of on-prem AD environments. Azure AD, on the other hand, uses modern authentication protocols such as OAuth 2.0 and OpenID Connect, which are not compatible with Kerberos.
Below are the alternative solutions that can be implemented:
Hybrid Azure AD Join (Recommended)
Description: This solution allows devices to be both domain-joined and Azure AD-joined.
Technical Details:
Devices authenticate against on-premises AD using Kerberos while also registering with Azure AD for cloud services.
This dual-join configuration ensures that the SynMain client can use domain credentials for authentication via the on-prem AD.
Implementation Steps:
Configure Hybrid Azure AD Join in Azure AD Connect.
Ensure devices are synchronized and registered with both on-prem AD and Azure AD.
Verify that Group Policy settings are correctly applied to support Hybrid Join.
Complication: Please note Changes made in Azure AD won’t reflect back to the on-premises AD, leading to inconsistencies. Only changes made on the On-Premises AD will be reflected on Azure AD.
Active Directory Domain Services (ADDS) in Azure
Description: Set up an Azure Virtual Machine running ADDS, acting as a domain controller in the cloud.
Technical Details:
Extends on-premises AD infrastructure to Azure, allowing devices to authenticate with this domain controller.
Maintains traditional Windows authentication required by the FAT32 application.
Implementation Steps:
Deploy an Azure VM and install ADDS.
Configure the VM as a domain controller and join it to the existing on-prem AD domain.
Set up site-to-site VPN or Azure ExpressRoute for secure communication between on-prem and Azure environments.
Remote Access
...
or Virtualization
Description: Deploy the FAT32 application on a virtual machine (VM) that remains domain-joined.
Technical Details:
Users access the VM through Remote Desktop or similar solutions, ensuring the application functions as it would in an on-prem domain-joined environment.
Implementation Steps:
Set up a VM in the on-premises environment or in Azure.
Install and configure the SynMain client on the VM.
Provide users with remote access credentials and instructions.
By implementing one of these solutions, you can ensure that the Synergetic Windows client (SynMain) continues to function as expected while leveraging the benefits of Azure AD and cloud services. If you need further assistance with any of these steps, please raise a new case through the help portal.
Troubleshooting
TBC