When setting up Windows Hello for Business (WHFB) Cloud Kerberos Trust, one crucial step is creating the required Kerberos object in the local Active Directory. However, when running the command to create the Kerberos Server Object, you might encounter the following error:
Set-AzureADKerberosServer : Failed to connect to domain

The Scenario

I was setting up WHFB Cloud Kerberos Trust and executed the following command in PowerShell to create the Kerberos object:

$Domain = $env:USERDNSDOMAIN
$CloudUPN = Read-Host "A Global Administrator in your Azure AD."
$DomainCred = Get-Credential -Message 'An Active Directory user who is a member of the Domain Admins group.' # local AD Admin

# Create and publish the new Azure AD Kerberos Server object
Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN -DomainCredential $DomainCred

Instead of successfully creating the Kerberos object, I was greeted with the dreaded Failed to connect to domain error.

If you’re in the same situation - don’t worry, the fix is incredibly simple!

The Fix

It turns out that the issue was caused by including the -DomainCredential parameter. Running the command without -DomainCredential resolved the problem instantly:

Set-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN

To validate that everything worked, use this command:

Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $CloudUPN

Why Does This Happen?

The exact root cause isn’t well-documented, but in some cases, specifying -DomainCredential can interfere with the authentication process when setting up the Kerberos Server Object. Since PowerShell already runs with the necessary permissions (assuming you are using an admin account with sufficient rights in Active Directory), explicitly passing credentials may be unnecessary—or even problematic.
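
A validation script for the fix above, as an added example that is not part of the original post: it checks that the current session is an active Domain Admins member (the identity the cmdlet relies on when -DomainCredential is omitted) and compares the on-premises and cloud fields returned by Get-AzureADKerberosServer. The property names (Id/CloudId, DomainDnsName/CloudDomainDnsName, KeyVersion/CloudKeyVersion) come from Microsoft's documentation for the cmdlet, not from this page, and the AzureADHybridAuthenticationManagement module is assumed to be installed.

```powershell
# Added example. Assumptions: AzureADHybridAuthenticationManagement is installed,
# and the output property names below match Microsoft's documentation for the cmdlet.
Import-Module AzureADHybridAuthenticationManagement -ErrorAction Stop

$Domain   = $env:USERDNSDOMAIN
$CloudUPN = Read-Host 'UPN of a Global Administrator in your Azure AD'

# Without -DomainCredential the current Windows logon is used against AD,
# so confirm this session really carries Domain Admins rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole("$env:USERDOMAIN\Domain Admins")) {
    # A non-elevated shell can also report false because UAC filters the token.
    Write-Warning "$($identity.Name) is not an active Domain Admins member in this session."
}

$server = Get-AzureADKerberosServer -Domain $Domain -UserPrincipalName $CloudUPN
if (-not $server) {
    throw "No Kerberos Server object returned for $Domain."
}

# Each on-premises value should equal its cloud counterpart.
$pairs = @(
    @('Id',            'CloudId'),
    @('DomainDnsName', 'CloudDomainDnsName'),
    @('KeyVersion',    'CloudKeyVersion')
)

$results = foreach ($pair in $pairs) {
    $onPremValue = $server.($pair[0])
    $cloudValue  = $server.($pair[1])
    [pscustomobject]@{
        OnPremField = $pair[0]
        OnPremValue = $onPremValue
        CloudField  = $pair[1]
        CloudValue  = $cloudValue
        Match       = ($null -ne $onPremValue) -and ($onPremValue -eq $cloudValue)
    }
}

$results | Format-Table -AutoSize

if ($results.Match -contains $false) {
    Write-Error 'On-premises and cloud Kerberos Server objects are out of sync.'
} else {
    Write-Host 'Kerberos Server object is present and consistent in AD and Azure AD.'
}
```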

Final Thoughts

If you’re troubleshooting WHFB Cloud Kerberos Trust and encounter the Failed to connect to domain error, try running the command without -DomainCredential. It worked for me and might save you some valuable time as well!

For further troubleshooting and insights, check out these resources: