AzureAD authentication for local shared folder

rlabinot-7687 1 Reputation point
2021-11-09T13:25:01.533+00:00

Hello,

I have a special case for a customer who is using only Azure Active Directory (so no on-premises servers).

He has two computer devices joined to Azure AD with a common admin account (PC1 and PC2).

PC2 has one local shared folder and PC1 tries to access it with an Azure admin account.

This works if the two PCs have internet. In the security logs, I can see these three entries:

-----------------------------------------------------------------------------------------------------

First log (Special Logon: grants some privileges, including the impersonate privilege):

  • Event ID: 4672
  • Task Category: Special Logon
  • Level: Information
  • Keywords: Audit Success
  • Privileges: SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeLoadDriverPrivilege
    SeImpersonatePrivilege
    SeDelegateSessionUserImpersonatePrivilege

-----------------------------------------------------------------------------------------------------

Second log (Logon: NULL SID, impersonation with the AzureAD account):

  • Event ID: 4624
  • Task Category: Logon
  • Level: Information
  • Keywords: Audit Success
  • An account was successfully logged on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Information:
Logon Type: 3
Restricted Admin Mode: -
Virtual Account: No
Elevated Token: Yes

Impersonation Level: Impersonation

New Logon:
Security ID: AzureAD\admin
Account Name: AzureAD\admin@keyman .com
Account Domain: -
Logon ID: 0x1096196
Linked Logon ID: 0x0
Network Account Name: -
Network Account Domain: -
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x0
Process Name: -

Network Information:
Workstation Name: PC1
Source Network Address: 192.168.1.102
Source Port: 58267

Detailed Authentication Information:
Logon Process: Pku2uSsp
Authentication Package: NegoExtender
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

-----------------------------------------------------------------------------------------------------

Third log (Logoff: after closing Explorer for the shared folder):
Task Category: Logoff
Level: Information
Keywords: Audit Success
User: N/A
Computer: PC1
Description:
An account was logged off.

Subject:
Security ID: AzureAD\admin
Account Name: AzureAD\admin@keyman .com
Account Domain:
Logon ID: 0x1096196

Logon Type: 3

-----------------------------------------------------------------------------------------------------

The problem is that these PCs won't have internet all the time. They will exchange files through the share on a limited network. The first time, it is OK, but after a few hours the share is not accessible anymore, and nothing has changed from a configuration point of view.

I can see in the log that PC1 tries to authenticate the AzureAD admin account with NTLM, which I think would not work because Azure does not work with NTLM.

I searched the Microsoft documentation and found the PRT lifetime question:
https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-primary-refresh-token#how-is-a-prt-used

I believe that when the PCs are not connected to the internet, the tokens in the cache of both PCs are expired and the authentication doesn't work anymore. Windows 10 might use NTLM authentication as a last attempt.

Did you have this scenario/behavior/case? What do you think about it?

How should I make it work? I can do it with a local account, but the customer is not OK with that and prefers using AzureAD accounts.

By the way, this is strange, since I can still log on with the AzureAD account, so does that mean the token is still valid? It is only with the SMB shared folder that this struggles.

NOTE: To debug easily, the AzureAD account is a member of the Administrators group on both PCs. We want to discard the NTFS part of the problem and focus on authentication only.

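To check the question's hypothesis on the share host, the following added script (not from the original post or from Microsoft) lists the network logons recorded in the Security log and shows, per session, whether it was handled by Pku2uSsp/NegoExtender (Azure AD token based, as in the 4624 entry above) or by NTLM. It assumes an elevated PowerShell on PC2 and a `$Hours` look-back parameter of my own choosing.

```powershell
# Added example (not from the original post): per-session view of type 3 (network)
# logons on the PC hosting the share, with the logon process and authentication
# package that handled each one. Run in an elevated PowerShell on the share host (PC2).
# $Hours is an assumed parameter, not something from the question.
param([int]$Hours = 24)

# 4624 = successful logon, 4625 = failed logon; both carry the same auth fields.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.LogonType -ne '3') { continue }   # keep only network (SMB-style) logons

    if ($e.Id -eq 4624) { $outcome = 'Success' }
    else { $outcome = "Failed $($d.Status)/$($d.SubStatus)" }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Outcome     = $outcome
        User        = "$($d.TargetDomainName)\$($d.TargetUserName)"
        Workstation = $d.WorkstationName
        SourceIp    = $d.IpAddress
        LogonProc   = $d.LogonProcessName           # e.g. Pku2uSsp or NtLmSsp
        AuthPkg     = $d.AuthenticationPackageName  # e.g. NegoExtender or NTLM
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Summary: sessions per outcome/package, then any AzureAD account that went over NTLM,
# which is what the token-expiry fallback described in the question would look like.
$rows | Group-Object Outcome, AuthPkg | Select-Object Name, Count
$rows | Where-Object { $_.AuthPkg -eq 'NTLM' -and $_.User -like 'AzureAD\*' }
```

Comparing the output while the PCs are online against the output after they have been offline for a few hours shows directly whether the AuthPkg for the admin account changes from NegoExtender to NTLM.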

1 answer

  1. Jason Sandys 31,166 Reputation points Microsoft Employee
    2021-11-09T14:22:10.517+00:00

    Why not use a local account on the system hosting the share? Or better yet, move the data to something more robust than a workstation where the data is subject to the availability and stability of that workstation.

    Also, it's a terrible security practice to use an admin account -- least privilege principles should always dictate that you use an admin account only when necessary.