This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 15%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECK%3C/text%3E%3C/svg%3E)
I have several scanners that scan to SMB folders on the local computer. I have the folders setup, shared and permissions set with local computer accounts. but scan to SMB still fails to authenticate when accessing theses folder.
Thank you for contacting Microsoft Open Specifications Support. After reviewing your question with our team, it determined that you question does not fall under Protocole Guidelines outlined in https://aka.ms/openspecs. I will be removing [openspecs-windows-firesharing], I am adding [windows-10-network] and [Azure Security Center] tags, an engineer there might be able to better assist you or find a right team for your question.
Never-the-less, I found an old MSDN post that provide some help - Cannot connect a Scanner to a Folder Share AzureAD office 365 joined only
I tried making the folder open with no username or password required and then set the scanner to not login but I still get an authentication error on the scanner. This is a huge deal, I have 80+ locations with one to three scanners at each location and I'm in the process of migrating everyone to AzureAD but it breaks scanning so I have to put a hold on everything until this is resolved. I don't understand why adding the computer to AzureAD break the local accounts on the computer. before Azure I had a local user account called scans on the computer and the scanner would login with that account like a service account to copy the scanned file into the scanned folder but Azure breaks this. I really need a solution other than moving everyone to scan to e-mail because has it's issues as well.
I found additional posts that might help you
File scanner can't connect via smb after OS upgrade of file server to 2019
Enable Azure Active Directory Domain Services authentication on Azure Files
Configuring and installing the Azure Information Protection (AIP) unified labeling scanner
Mount SMB Azure file share on Windows
SMB file shares in Azure Files
Part one: enable AD DS authentication for your Azure file shares
Have you also try the steps mentioned in Cannot connect a Scanner to a Folder Share AzureAD office 365 joined only
Yes, I tried the suggestions mentioned in the cannot connect a scanner to a folder share AzureAD office 365 joined and I still get an authentication error on the scanner. I'll read through the new items you suggested and see if it helps any, thanks for the suggestions, this is a huge deal right now and I have to figure out a solution. switching over to scan to e-mail has it's challenges as well so I really do not want to go that route.
Pardon me for jumping in, but I had a few thoughts.
If you have a local account on the server named "scans", you should be able to verify that that account can authenticate by using a "NET USE" command from a Windows pc and providing the id and password.
If you have an authentication failure, then some event should be logged in the Security eventlog on the server. In addition to that, there are several eventlogs for the SMBServer feature in the Applications and Services Logs. What errors get generated when the scanner tries to connect?
The scanner might only support SMB1, see if it's enabled on the server.
Thank you for jumping in, can use all the help I can get on this one :) I have enabled SMB1 on the computer, I do not have another computer at that location to try and connect to the share with but I'll see what I can do. Everything works fine until the switch to AzureAD. From my understanding once that happens the local account can no longer login tot he file share which seems to be my issue. I'm not seeing anything in the security log on the computer either it's like it is not even getting there. I've tried connecting via computer name and by IP but still there is nothing in the security log that I can see.
I have no experience with AzureAD, but given that it's "AD", that would imply (to me) that a different set of group policies are assigned to the server. Who manages your Active Directory group policies? Have they reviewed the settings?
Have you reviewed the Effective Access tab to see if that account can access the folder?
Is the server itself hosted in Azure or is it still on your private network? A network firewall or local Windows Defender firewall would be the next suspect. Is Defender FW set up to log dropped packets? Did you check the log?
The scan to folder is stored locally on the computer, there are no servers on-site, they are all in workgroups which is why I'm moving to AzureAD. All local firewalls are disabled on the computer
is stored locally on the computer,
So you have a workstation that is on your private network with an IP address of nnn.nnn.nnn.nnn and when it's in a workgroup, the scans work. But when you join the workstation to an AzureAD domain, while maintaining the same nnn.nnn.nnn.nnn address, the scans then fail?
On the scanner are you defining the workstation by IP address or by machine name? If by name, is there a way to check to see that the DNS servers that the scanner is using can resolve the machine name? Are you defining the short (MyWS) or fully qualified (MyWS.MyAzureDomain.com) name?
I converted your answers back into comment. If you marked the post as answered, people might assume that someone answered the question already. Per one of the posts I found, you might have to use SMB 3 in order to File Azure Files. I also added additional tags, hopefully a subject matter expert from those teams can provide some insight for you. Or have help redirect the post to proper team.
yes you are correct. I have tried attaching via both computer name and by IP and get the same result.
Since you've hit a wall, try this... using notepad, save the script below as RecentEvents.ps1. Newer versions of Windows now have lots of event logs and it can be difficult to search through all of them. This script reads every event log based on a timeframe (default is one hour) and sorts by TOD.
# Name: RecentEvents.ps1
# Desc: Script to read all event logs and put all events within a timeframe into TOD sequence.
# The intent is to see all events that occurred at a certain time when an error may have occurred.
# Life was simpler when we only had 3 eventlogs.
# Usage: RecentEvents.ps1 NumberOfHours Ie: RecentEvents.ps1 24
# Author: Dave (MotoX80)
param($tf = 1 ) # Time frame in hours.
$hdr = $tf
$tf = $tf * 3600000
$elna = (Get-WinEvent -ListLog * -EA silentlycontinue | where-object { $_.recordcount -gt 1}) # get all event log names that have records in them.
$AllEvents = @() # prepare array so we can append to it
foreach ($el in $elna) # look at each event log
{
$xml = "<QueryList><Query Id=""0"" Path=""$($el.logname)"">
<Select Path=""$($el.logname)"">*[System[TimeCreated[timediff(@SystemTime) <= $tf ]]]</Select>
</Query></QueryList>"
$AllEvents += Get-WinEvent -FilterXml $XML -ErrorAction SilentlyContinue # append the events (if any)
}
$AllEvents | sort-object -Descending -Property TimeCreated |
Select-Object -property TimeCreated, ID, Logname, LevelDisplayName, Message |
Out-GridView -Title "Recent Events ($hdr hours)"
Recreate the problem and from a "run as administrator" Powershell prompt run ".\RecentEvents.ps1".
Plug in the IP address of the scanner and see if it finds an error, like this. If that doesn't find anything relevant, try the scans user id.
Wow, nice script! Thank you very much, I'll give this a try.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 9%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
Hello,
Did you find a solution ?
I did it with a "workaround" : I did create a local user, grant him rights on a shared folder on which the user that want to scan has access to, and then, on the printer, did configure to scan to that local folder with user name and password of the local user.
Hope this helps and sorry for my auwfull english ;)