bastion unstable connection kerberos not working, with remote connection to server 2022 dc with full UPN login but fine if short domain version (but falls back to NTLM)?

theskyisthelimit99 41 Reputation points
2025-09-29T17:36:10.3+00:00

We have a Bastion configuration set up; it works fine and connects if you use domain\userid and the DC (NTLM). We followed the steps to enable Kerberos in Azure for Bastion, but now when you attempt to use ******@fqdn.etc (to force Kerberos) it will give an error in the lower right of the black screen saying "unstable connection", then time out and say "logon failed, reconnect".

At the same time if you look in event viewer on the dc you will see unknown user name or bad password status 0xc000006d for that fqdn userid attempt.

It also works fine to use the same user UPN that fails through Bastion to log in from a standard RDP session outside the Azure portal. Not seeing any NSG-related issues.

Anyone have any suggestions on what else to look for? These are Windows Server VMs trying to connect to DCs in Azure; Bastion works fine if using NTLM, just not Kerberos.


Answer accepted by question author
  1. Ravi Varma Mudduluru 3,775 Reputation points Microsoft External Staff Moderator
    2025-09-29T19:57:11.3966667+00:00

    Hello @theskyisthelimit99,

    Thanks for reaching out to Microsoft Q&A.

    I understand that you're experiencing issues with Kerberos authentication through Azure Bastion while accessing your Windows Server 2022 domain controller. When using the full UPN format, you get an "unstable connection" error, whereas using the short domain format with NTLM works fine.

    • Since you're working with Kerberos, make sure that the Bastion service and the domain controllers can communicate without issues. Also, verify that there are no network problems or firewall settings blocking Kerberos traffic.
    • Kerberos usually operates over UDP, but in some cases, changing to TCP may help resolve problems. You could try configuring Kerberos to use TCP instead of UDP by updating the appropriate settings.
    • Please check that Kerberos is set up properly so users can log in using UPNs. Make sure the domain controller can resolve the full UPN address and that the service principal names (SPNs) for the domain are configured correctly. If there are any DNS issues, it might prevent the Kerberos authentication from succeeding.
    • If a user belongs to many groups, the ticket could become too large. You might consider increasing the MaxTokenSize setting in the domain controller's registry.
    • Check the event logs on both the domain controller and the client. Error codes can help identify the cause of the issue. For example, the unknown username or bad password status (0xc000006d) suggests that the Kerberos authentication request is failing, which could be due to replication problems or incorrectly configured security policies.

    Reference Document:

    https://quic.hkg1.meaqua.org/en-us/azure/bastion/kerberos-authentication-portal

    https://quic.hkg1.meaqua.org/en-us/troubleshoot/windows-server/active-directory/config-firewall-for-ad-domains-and-trusts

    In addition to the Azure Policy setup, the OP also resolved the issue by configuring the NSG on the outgoing Bastion host. Specifically, they opened the standard set of Kerberos ports, which enabled seamless connectivity. The virtual network was correctly selected for the interfaces, and everything worked without further issues.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the Answer" if the information helped you. This will help us and others in the community as well.
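A defender-side check for the last bullet above (which authentication package the failing logons actually used, and which NTSTATUS the DC returned), as an added example that is not part of the original answer or of Microsoft's documentation. It assumes an elevated PowerShell session on the domain controller; `$Upn` and `$Hours` are placeholders.

```powershell
# Added example (not from the original post). Run elevated on the DC.
param(
    [string]$Upn   = 'user@fqdn.example',   # placeholder: the UPN that fails through Bastion
    [int]   $Hours = 2                       # how far back to search the Security log
)
$sam = $Upn.Split('@')[0]
$userRegex = '^' + [regex]::Escape($sam) + '(@|$)'   # matches sAMAccountName or user@REALM

# Kerberos logons land as 4768 (TGT issued) / 4771 (pre-auth failed); an NTLM fallback lands
# as 4776; 4625 carries the NTSTATUS (0xc000006d = STATUS_LOGON_FAILURE) plus the package used.
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4768, 4771, 4776
    StartTime = (Get-Date).AddHours(-$Hours)
}
$rows = foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d['TargetUserName'] -notmatch $userRegex) { continue }
    $proto = switch ($e.Id) {
        4768    { 'Kerberos TGT issued' }
        4771    { 'Kerberos pre-auth FAILED' }
        4776    { 'NTLM (fallback)' }
        default { $d['AuthenticationPackageName'] }
    }
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Id     = $e.Id
        Proto  = $proto
        Status = (@($d['Status'], $d['SubStatus']) | Where-Object { $_ }) -join ' / '
        Source = (@($d['IpAddress'], $d['WorkstationName'], $d['Workstation']) | Where-Object { $_ }) -join ' '
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# Large group membership inflates the Kerberos ticket; show the MaxTokenSize cap if one is set.
$kp  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$mts = (Get-ItemProperty -Path $kp -Name MaxTokenSize -ErrorAction SilentlyContinue).MaxTokenSize
'MaxTokenSize: ' + $(if ($mts) { "$mts bytes" } else { 'not set (OS default applies)' })
```

If every row for the user is 4776 or a 4625 with Authentication Package NTLM, the Bastion side never reached the KDC on port 88, which points back at the NSG on the Bastion subnet rather than at the account.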

