To integrate a legacy application based on Kerberos authentication in an Azure infrastructure as a service (IaaS) scenario, we configure Azure AD Domain Services. In this section, we configure the basic service and integrate an active example application:

To start the configuration, we need to specify the DNS domain name, the Azure Subscription we want to use, and the name of the Resource group:

When enabling Azure AD Domain Services, you will need to specify which Azure virtual network to use. We use a range 192.168.x.x/20 to configure the network:

Add the admin account and your test user as a member of the Azure AD Domain Services Administrator group:

The summary should look like the following:

Next, you will be asked to update the DNS configuration to the addresses of your DNS servers provided by Azure AD Domain Services. In my case, these addresses were 192.168.0.4 and 192.168.0.5:

The last important step that you need to complete to use the domain you have just created is to enable password synchronization:

By default, Azure AD does not store the credential hashes required for Kerberos authentication. You need to populate these credential hashes in Azure AD so that users can use them to authenticate against the domain. The process can be completed by changing the password of the user. You can use the accounts after 20 minutes in Azure AD Domain Services.

Users can use Azure AD's self-service password change mechanism from the Azure AD Access Panel page to change their passwords.