Set-AzureADKerberosServer : Failed to read secrets from the domain
Earlier this week I was attempting to create an Entra ID Kerberos server object, and I kept running into these errors:
Set-AzureADKerberosServer : Failed to read secrets from the domain
Set-AzureADKerberosServer : Failed to connect to domain
Normally these errors occur for these reasons:
- The Microsoft.Online.PasswordSynchronization.Rpc.dll is missing from the server, or the server is missing another .dll that the AzureADHybridAuthenticationManagement module depends on.
- The cloud credentials and the domain credentials are entered incorrectly.
For me, both of these reasons were true! You can isolate the issue by going to the AADConnect log folder on your machine. This folder is hidden by default, but you can access it by browsing to it directly under C:\ProgramData\AADConnect\.
Sure enough, in my case the trace logs revealed:
System.IO.FileNotFoundException: Could not load file or assembly 'Microsoft.Online.PasswordSynchronization.Rpc.dll' or one of its dependencies. The specified module could not be found.
This issue occurred because I was trying to create the Kerberos server object on my Domain Controller, but I needed to create it on either my Microsoft Entra Connect machine, or a machine where the .dll dependency was installed.
I signed into my Microsoft Entra Connect machine. I then ran the import-module command again:
import-module .\AzureAdKerberos.psd1
I tried to run the commands again to create the Kerberos server object, but still faced this error:
Set-AzureADKerberosServer : Failed to read secrets from the domain
In this case, the root cause was that I had not set my $cloudCred, $domainCred, and $domain variables in the right format. To resolve this, set these variables explicitly:
$domain = "company.domain.com"
$cloudCred = Get-Credential
$domainCred = Get-Credential
$cloudCred and $domainCred expect a username and password, so read them with the Get-Credential prompt rather than assigning plain strings. Note that the username in $domainCred needs to be formatted as domain_netbios_name\username.
Then run:
Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
The error should go away. If your machine is domain joined and you still receive errors, check the most recent trace logs again for clues, and you should be able to discover the issue under:
C:\ProgramData\AADConnect
Open the latest trace log.
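The steps above pulled together into one script, as an added example that is not from the original post: it checks for the missing .dll before importing the module, validates the credential format that caused the second error, runs the cmdlet, and on failure shows the newest trace log. The Entra Connect install folder, the trace log file name pattern, and the use of Get-AzureADKerberosServer to read the object back are assumptions not stated in the post.

```powershell
# Added example, not the author's code. Assumptions: default Entra Connect install
# folder, trace logs named trace*.log, and Get-AzureADKerberosServer for verification.

$installDir = 'C:\Program Files\Microsoft Azure Active Directory Connect'   # assumed default path
$moduleDir  = Join-Path $installDir 'AzureADKerberos'                        # assumed module folder
$logDir     = 'C:\ProgramData\AADConnect'                                    # hidden folder named in the post

# 1. Fail early if the RPC dependency is absent (i.e. this is not the Entra Connect machine).
$rpcDll = Get-ChildItem -Path $installDir -Filter 'Microsoft.Online.PasswordSynchronization.Rpc.dll' `
            -Recurse -ErrorAction SilentlyContinue
if (-not $rpcDll) {
    throw 'Microsoft.Online.PasswordSynchronization.Rpc.dll not found; run this on the Microsoft Entra Connect machine.'
}

Import-Module (Join-Path $moduleDir 'AzureAdKerberos.psd1') -ErrorAction Stop

# 2. Collect inputs in the format the cmdlet expects: a quoted FQDN string and two PSCredential objects.
$domain     = 'company.domain.com'   # placeholder: your on-prem AD domain FQDN
$cloudCred  = Get-Credential -Message 'Entra ID administrator (user@tenant)'
$domainCred = Get-Credential -Message 'On-prem domain administrator as NETBIOS\username'

# Guard against the second cause from the post: a domain credential without the NETBIOS prefix.
if ($domainCred.UserName -notmatch '^[^\\@]+\\[^\\]+$') {
    throw "DomainCredential must be in domain_netbios_name\username form, got '$($domainCred.UserName)'."
}

# 3. Create or update the Kerberos server object, then read it back to confirm it exists.
try {
    Set-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred -ErrorAction Stop
    Get-AzureADKerberosServer -Domain $domain -CloudCredential $cloudCred -DomainCredential $domainCred
}
catch {
    # 4. On failure, surface the newest trace log, where the underlying exception is recorded.
    Write-Warning $_.Exception.Message
    $latest = Get-ChildItem -Path $logDir -Filter 'trace*.log' -Force -ErrorAction SilentlyContinue |
              Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if ($latest) {
        Write-Host "Most recent trace log: $($latest.FullName)"
        Get-Content -Path $latest.FullName -Tail 40
    }
    else {
        Write-Host "No trace log found under $logDir"
    }
}
```

Run it in an elevated PowerShell session on the Entra Connect machine; the two Get-Credential prompts are where the username format matters, so the regex check rejects a bare username or a UPN before the cmdlet is ever called.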
Additional resources:
- Viewing the Microsoft Entra Kerberos server logs
- How to Configure Kerberos SSO
- Enable passwordless security key sign-in by using Microsoft Entra ID