Hosting AD-related services via ziti-edge-tunnel on any domain-joined Windows host (DC or member server) breaks Cloud Kerberos Trust ticket issuance for Entra ID–joined dial clients; same configuration on an Edge Router works

Hi Clint,

Thanks! And yes, I'd be happy to write this up as a blog post.

What I really like about this design is the flexibility and isolation it gives:

  • You only bind to the domain controllers you actually want to expose — each service is an explicit, policy-controlled path, so it's fully flexible.
  • The routers can be deployed anywhere there is just SDK access to them for hosting the service they need no access into the infrastructure at all they have only to connect to the router. That keeps OpenZiti completely isolated from the environment it serves.
  • And if you need to reach another environment, you just drop a Ziti client on a server in that domain or directly on the domain controllers if you want host-to-host, end-to-end encryption.