“P-RODCNeverReveal" (“Check if the protection against revealing privileged group is active“) reports “AzureADKerberos” but it is just an RODC object without a RODC Server.
The Attribute “msDS-KrbTgtLink“ has the DN of a “krbtgt_AzureAD“ object. That is a unique name and would help to filter out these objects. I’m not aware of any better detections.
Example:
msDS-KrbTgtLink: CN=krbtgt_AzureAD,CN=Users,DC=example,DC=local
Hi there Andreas,
Whilst the account is indeed not a real server, I believe the finding is still valid.
The Cloud Kerberos Trust documentation also states that the RODC restrictions should not be lifted due to Entra ID → On Prem attack paths as well as those restriction controlling who it can issue TGTs for. You can see this on the two notes in this specific section.
I hope this helps understand this better and why I believe this should remain as is.
Hi Joe,
thank you for your quick reply.
So the following is what i did not know in detail, but was well described in MS documentation as linked by you:
The default Password Replication Policy configured on the AzureADKerberos computer object doesn’t allow to sign high privilege accounts on to on-premises resources with cloud Kerberos trust or FIDO2 security keys.
Due to possible attack vectors from Microsoft Entra ID to Active Directory, it’s not recommended to unblock these accounts by relaxing the Password Replication Policy of the computer object
CN=AzureADKerberos,OU=Domain Controllers,<domain-DN>.
But I still was wondering why in multiple environments I found the “Denied RODC…” group is missing by default in the “AzureADKerberos” object in the “msDS-NeverRevealGroup“ list. So I searched and found this good additional information from Jorge (aka “zjorz” aka “Jorge de Almeida Pinto”) I would like to share here:
- Configure the default “Denied RODC Password Replication Group” (objectSID = domainSID-572) in the DENY part of the Password Replication Policy
- Configure all accounts and groups, configured on the domain NC, with explicit permissions for “Replicating Directory Changes” and “Replicating Directory Changes All” control access right (CAR), or “Full Control”, or “Write DACL” or “Write Owner”, as members of that default “Denied RODC Password Replication Group”
Awesome stuff Andreas. It is definitely a confusing one but your linked post definitely clears up the confusion.
For some reason I initially thought Microsoft changed the PRP but that doesn’t seem to be the case after checking the version history.
This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.