I Trusted You A Demonstrated Abuse of Cloud Kerberos Trust - Daniel Heinsen, Elad Shamir

Abstract: Microsoft has introduced a variety of protocols to abate the issue of authenticating to Azure AD and AD seamlessly. In the Windows Hello For Business setup, Cloud Kerberos Trust has been introduced to enable users to authenticate to Azure AD and still be able to access resources protected by legacy authentication mechanisms, like Kerberos. While this deployment model offers greater convenience, the ability to forge authentication material is delegated to Azure AD. This ability can be abused by attackers …

abuse authenticate azure azure ad business cloud daniel enable for business hello issue kerberos microsoft protocols trust windows windows hello