AzureADKerberos - RODC

[sieuwe]

We hit a false-positive.

AzureADKerberos is a member of the Read-Only Domain Controllers group, but isn't a real RODC.
The msDS-isRODC is missing on that computer account.

[An-dir]

Does this help:

Whilst the account is indeed not a real server, I believe the finding is still valid.

The Cloud Kerberos Trust documentation also states that the RODC restrictions should not be lifted due to Entra ID → On Prem attack paths as well as those restriction controlling who it can issue TGTs for. You can see this on the two notes in this specific section.

learn.microsoft.com

Windows Hello for Business cloud Kerberos trust deployment guide
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune#microsoft-entra-kerberos-and-cloud-kerberos-trust-authentication

Source: https://community.netwrix.com/t/p-rodcneverreveal-should-ignore-azureadkerberos/113470

[sieuwe]

I have it setup that way, but the rule still triggers because msDS-isRODC attribute is missing on the AzureADKerberos computer account.

[An-dir]

The object is a RODC AD object, and it is relevant for password in combination with EntraID. Accounts wich you do not want to be on any RODC may be in the Denied RODC Password Replication Group to block authentication for Kerberos from cloud,

You mentioned the following:

rule still triggers because msDS-isRODC attribute is missing

The rule is triggerd because Denied RODC Password Replication Group group is missing in the msDSNeverRevealGroup as you could read in the already posted Netwrix community link. This missing group is MS default. You can see that in your screenshot as well.
Here is the source code of the rule: https://github.com/netwrix/pingcastle/blob/master/PingCastleCommon/Healthcheck/Rules/HeatlcheckRulePrivilegedRODCNeverReveal.cs

[JoeDibley]

Thanks @An-dir. This definitely looks to be the same thing we previously spoke about.

@sieuwe Does this make sense now as to why it is called out?

[sieuwe]

@JoeDibley it does, is it maybe possible to link the original topic or be more specific in the report how to solve this?

Cause I was able to solve this with the link from @An-dir but it would have been helpful if the report would mention that.

[JoeDibley]

Absolutely. I will look at updating the risk text to give some more specific guidance around the AzureADKerberos object.