Troubleshoot Azure Files identity-based authentication and authorization issues (SMB)
This article lists common problems when using SMB Azure file shares with identity-based authentication. It also provides possible causes and resolutions for these problems. Identity-based authentication isn't currently supported for NFS Azure file shares.
Applies to
File share type | SMB | NFS |
---|---|---|
Standard file shares (GPv2), LRS/ZRS | ![]() |
![]() |
Standard file shares (GPv2), GRS/GZRS | ![]() |
![]() |
Premium file shares (FileStorage), LRS/ZRS | ![]() |
![]() |
Error 5 when mounting an Azure file share
When you try to mount a file share, you might receive the following error:
- System error 5 has occurred. Access is denied.
Cause: Share-level permissions are incorrect
If end users are accessing the Azure file share using Active Directory Domain Services (AD DS) or Azure Active Directory Domain Services (Azure AD DS) authentication, access to the file share fails with "Access is denied" error if share-level permissions are incorrect.
Note
This error might be caused by issues other than incorrect share-level permissions. For information on other possible causes and solutions, see Troubleshoot Azure Files connectivity and access issues.
Solution
Validate that permissions are configured correctly:
Active Directory Domain Services (AD DS) see Assign share-level permissions.
Share-level permission assignments are supported for groups and users that have been synced from AD DS to Azure Active Directory (Azure AD) using Azure AD Connect sync or Azure AD Connect cloud sync. Confirm that groups and users being assigned share-level permissions are not unsupported "cloud-only" groups.
Azure Active Directory Domain Services (Azure AD DS) see Assign share-level permissions.
Error AadDsTenantNotFound in enabling Azure AD DS authentication for Azure Files "Unable to locate active tenants with tenant ID aad-tenant-id"
Cause
Error AadDsTenantNotFound happens when you try to enable Azure AD DS authentication on Azure Files on a storage account where Azure AD DS isn't created on the Azure AD tenant of the associated subscription.
Solution
Enable Azure AD DS on the Azure AD tenant of the subscription that your storage account is deployed to. You need administrator privileges of the Azure AD tenant to create a managed domain. If you aren't the administrator of the Azure AD tenant, contact the administrator and follow the step-by-step guidance to create and configure an Azure AD DS managed domain.
Unable to mount Azure file shares with AD credentials
Self diagnostics steps
First, make sure that you've followed the steps to enable Azure Files AD DS Authentication.
Second, try mounting Azure file share with storage account key. If the share fails to mount, download AzFileDiagnostics
to help you validate the client running environment. AzFileDiagnostics can detect incompatible client configurations that might cause access failure for Azure Files, give prescriptive guidance on self-fix, and collect the diagnostics traces.
Third, you can run the Debug-AzStorageAccountAuth
cmdlet to conduct a set of basic checks on your AD configuration with the logged on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2+ version. You need to run this cmdlet with an AD user that has owner permission on the target storage account.
$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
The cmdlet performs these checks in sequence and provides guidance for failures:
- CheckADObjectPasswordIsCorrect: Ensure that the password configured on the AD identity that represents the storage account is matching that of the storage account kerb1 or kerb2 key. If the password is incorrect, you can run Update-AzStorageAccountADObjectPassword to reset the password.
- CheckADObject: Confirm that there is an object in the Active Directory that represents the storage account and has the correct SPN (service principal name). If the SPN isn't correctly set up, run the
Set-AD
cmdlet returned in the debug cmdlet to configure the SPN. - CheckDomainJoined: Validate that the client machine is domain joined to AD. If your machine isn't domain joined to AD, refer to this article for domain join instruction.
- CheckPort445Connectivity: Check that port 445 is opened for SMB connection. If port 445 isn't open, refer to the troubleshooting tool
AzFileDiagnostics
for connectivity issues with Azure Files. - CheckSidHasAadUser: Check that the logged on AD user is synced to Azure AD. If you want to look up whether a specific AD user is synchronized to Azure AD, you can specify the -UserName and -Domain in the input parameters.
- CheckGetKerberosTicket: Attempt to get a Kerberos ticket to connect to the storage account. If there isn't a valid Kerberos token, run the
klist get cifs/storage-account-name.file.core.windows.net
cmdlet and examine the error code to root-cause the ticket retrieval failure. - CheckStorageAccountDomainJoined: Check if the AD authentication has been enabled and the account's AD properties are populated. If not, refer to the instructions here to enable AD DS authentication on Azure Files.
- CheckUserRbacAssignment: Check if the AD identity has the proper RBAC role assignment to provide share level permission to access Azure Files. If not, refer to the instructions here to configure the share level permission. (Supported on AzFilesHybrid v0.2.3+ version)
- CheckUserFileAccess: Check if the AD identity has the proper directory/file permission (Windows ACLs) to access Azure Files. If not, refer to the instructions here to configure the directory/file level permission. (Supported on AzFilesHybrid v0.2.3+ version)
Unable to configure directory/file level permissions (Windows ACLs) with Windows File Explorer
Symptom
You may experience one of the symptoms described below when trying to configure Windows ACLs with File Explorer on a mounted file share:
- After you click on Edit permission under the Security tab, the Permission wizard doesn't load.
- When you try to select a new user or group, the domain location doesn't display the right AD DS domain.
- You're using multiple AD forests and get the following error message: "The Active Directory domain controllers required to find the selected objects in the following domains are not available. Ensure the Active Directory domain controllers are available, and try to select the objects again."
Solution
We recommend that you configure directory/file level permissions using icacls instead of using Windows File Explorer.
Errors when running Join-AzStorageAccountForAuth cmdlet
Error: "The directory service was unable to allocate a relative identifier"
This error might occur if a domain controller that holds the RID Master FSMO role is unavailable or was removed from the domain and restored from backup. Confirm that all Domain Controllers are running and available.
Error: "Cannot bind positional parameters because no names were given"
This error is most likely triggered by a syntax error in the Join-AzStorageAccountforAuth
command. Check the command for misspellings or syntax errors and verify that the latest version of the AzFilesHybrid module (https://github.com/Azure-Samples/azure-files-samples/releases) is installed.
Azure Files on-premises AD DS Authentication support for AES-256 Kerberos encryption
Azure Files supports AES-256 Kerberos encryption for AD DS authentication beginning with the AzFilesHybrid module v0.2.2. AES-256 is the recommended encryption method, and it's the default encryption method beginning in AzFilesHybrid module v0.2.5. If you've enabled AD DS authentication with a module version lower than v0.2.2, you'll need to download the latest AzFilesHybrid module and run the PowerShell below. If you haven't enabled AD DS authentication on your storage account yet, follow this guidance.
Important
If you were previously using RC4 encryption and update the storage account to use AES-256, you should run klist purge
on the client and then remount the file share to get new Kerberos tickets with AES-256.
$ResourceGroupName = "<resource-group-name-here>"
$StorageAccountName = "<storage-account-name-here>"
Update-AzStorageAccountAuthForAES256 -ResourceGroupName $ResourceGroupName -StorageAccountName $StorageAccountName
User identity formerly having the Owner or Contributor role assignment still has storage account key access
The storage account Owner and Contributor roles grant the ability to list the storage account keys. The storage account key enables full access to the storage account's data including file shares, blob containers, tables, and queues, and limited access to the Azure Files management operations via the legacy management APIs exposed through the FileREST API. If you're changing role assignments, you should consider that the users being removed from the Owner or Contributor roles may continue to maintain access to the storage account through saved storage account keys.
Solution 1
You can remedy this issue easily by rotating the storage account keys. We recommend rotating the keys one at a time, switching access from one to the other as they are rotated. There are two types of shared keys the storage account provides: the storage account keys, which provide super-administrator access to the storage account's data, and the Kerberos keys, which function as a shared secret between the storage account and the Windows Server Active Directory domain controller for Windows Server Active Directory scenarios.
To rotate the Kerberos keys of a storage account, see Update the password of your storage account identity in AD DS.
Navigate to the desired storage account in the Azure portal. In the table of contents for the desired storage account, select Access keys under the Security + networking heading. In the Access key pane, select Rotate key above the desired key.
Set the API permissions on a newly created application
After enabling Azure AD Kerberos authentication, you'll need to explicitly grant admin consent to the new Azure AD application registered in your Azure AD tenant to complete your configuration. You can configure the API permissions from the Azure portal by following these steps.
Open Azure Active Directory.
Select App registrations in the left pane.
Select All Applications in the right pane.
Select the application with the name matching [Storage Account] $storageAccountName.file.core.windows.net.
Select API permissions in the left pane.
Select Add permissions at the bottom of the page.
Select Grant admin consent for "DirectoryName".
Potential errors when enabling Azure AD Kerberos authentication for hybrid users
You might encounter the following errors when enabling Azure AD Kerberos authentication for hybrid user accounts.
Error - Grant admin consent disabled
In some cases, Azure AD admin may disable the ability to grant admin consent to Azure AD applications. Below is the screenshot of what this may look like in the Azure portal.
If this is the case, ask your Azure AD admin to grant admin consent to the new Azure AD application. To find and view your administrators, select roles and administrators, then select Cloud application administrator.
Error - "The request to AAD Graph failed with code BadRequest"
Cause 1: an application management policy is preventing credentials from being created
When enabling Azure AD Kerberos authentication, you might encounter this error if the following conditions are met:
- You're using the beta/preview feature of application management policies.
- You (or your administrator) have set a tenant-wide policy that:
- Has no start date, or has a start date before 2019-01-01
- Sets a restriction on service principal passwords, which either disallows custom passwords or sets a maximum password lifetime of less than 365.5 days
There is currently no workaround for this error.
Cause 2: an application already exists for the storage account
You might also encounter this error if you previously enabled Azure AD Kerberos authentication through manual limited preview steps. To delete the existing application, the customer or their IT admin can run the following script. Running this script will remove the old manually created application and allow the new experience to auto-create and manage the newly created application.
Important
This script must be run in PowerShell 5 because the AzureAD module doesn't work in PowerShell 7. This PowerShell snippet uses Azure AD Graph.
$storageAccount = "exampleStorageAccountName"
$tenantId = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
Import-Module AzureAD
Connect-AzureAD -TenantId $tenantId
$application = Get-AzureADApplication -Filter "DisplayName eq '${storageAccount}'"
if ($null -ne $application) {
Remove-AzureADApplication -ObjectId $application.ObjectId
}
Error - Service principal password has expired in Azure AD
If you've previously enabled Azure AD Kerberos authentication through manual limited preview steps, the password for the storage account's service principal is set to expire every six months. Once the password expires, users won't be able to get Kerberos tickets to the file share.
To mitigate this, you have two options: either rotate the service principal password in Azure AD every six months, or disable Azure AD Kerberos, delete the existing application, and reconfigure Azure AD Kerberos.
Option 1: Update the service principal password using PowerShell
- Install the latest Az.Storage and AzureAD modules. Use PowerShell 5.1, because currently the AzureAD module doesn't work in PowerShell 7. Azure Cloud Shell won't work in this scenario. For more information about installing PowerShell, see Install Azure PowerShell on Windows with PowerShellGet.
To install the modules, open PowerShell with elevated privileges and run the following commands:
Install-Module -Name Az.Storage
Install-Module -Name AzureAD
- Set the required variables for your tenant, subscription, storage account name, and resource group name by running the following cmdlets, replacing the values with the ones relevant to your environment.
$tenantId = "<MyTenantId>"
$subscriptionId = "<MySubscriptionId>"
$resourceGroupName = "<MyResourceGroup>"
$storageAccountName = "<MyStorageAccount>"
- Generate a new kerb1 key and password for the service principal.
Connect-AzAccount -Tenant $tenantId -SubscriptionId $subscriptionId
$kerbKeys = New-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName -KeyName "kerb1" -ErrorAction Stop | Select-Object -ExpandProperty Keys
$kerbKey = $kerbKeys | Where-Object { $_.KeyName -eq "kerb1" } | Select-Object -ExpandProperty Value
$azureAdPasswordBuffer = [System.Linq.Enumerable]::Take([System.Convert]::FromBase64String($kerbKey), 32);
$password = "kk:" + [System.Convert]::ToBase64String($azureAdPasswordBuffer);
- Connect to Azure AD and retrieve the tenant information, application, and service principal.
Connect-AzureAD
$azureAdTenantDetail = Get-AzureADTenantDetail;
$azureAdTenantId = $azureAdTenantDetail.ObjectId
$azureAdPrimaryDomain = ($azureAdTenantDetail.VerifiedDomains | Where-Object {$_._Default -eq $true}).Name
$application = Get-AzureADApplication -Filter "DisplayName eq '$($storageAccountName)'" -ErrorAction Stop;
$servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($application.AppId)'"
if ($servicePrincipal -eq $null) {
Write-Host "Could not find service principal corresponding to application with app id $($application.AppId)"
Write-Error -Message "Make sure that both service principal and application exist and are correctly configured" -ErrorAction Stop
}
- Set the password for the storage account's service principal.
$Token = ([Microsoft.Open.Azure.AD.CommonLibrary.AzureSession]::AccessTokens['AccessToken']).AccessToken;
$Uri = ('https://graph.windows.net/{0}/{1}/{2}?api-version=1.6' -f $azureAdPrimaryDomain, 'servicePrincipals', $servicePrincipal.ObjectId)
$json = @'
{
"passwordCredentials": [
{
"customKeyIdentifier": null,
"endDate": "<STORAGEACCOUNTENDDATE>",
"value": "<STORAGEACCOUNTPASSWORD>",
"startDate": "<STORAGEACCOUNTSTARTDATE>"
}]
}
'@
$now = [DateTime]::UtcNow
$json = $json -replace "<STORAGEACCOUNTSTARTDATE>", $now.AddHours(-12).ToString("s")
$json = $json -replace "<STORAGEACCOUNTENDDATE>", $now.AddMonths(6).ToString("s")
$json = $json -replace "<STORAGEACCOUNTPASSWORD>", $password
$Headers = @{'authorization' = "Bearer $($Token)"}
try {
Invoke-RestMethod -Uri $Uri -ContentType 'application/json' -Method Patch -Headers $Headers -Body $json
Write-Host "Success: Password is set for $storageAccountName"
} catch {
Write-Host $_.Exception.ToString()
Write-Host "StatusCode: " $_.Exception.Response.StatusCode.value
Write-Host "StatusDescription: " $_.Exception.Response.StatusDescription
}
Option 2: Disable Azure AD Kerberos, delete the existing application, and reconfigure
If you don't want to rotate the service principal password every six months, you can follow these steps. Be sure to save domain properties (domainName and domainGUID) before disabling Azure AD Kerberos, as you'll need them during reconfiguration if you want to configure directory and file-level permissions using Windows File Explorer. If you didn't save domain properties, you can still configure directory/file-level permissions using icacls as a workaround.
- Disable Azure AD Kerberos
- Delete the existing application
- Reconfigure Azure AD Kerberos via the Azure portal
Once you've reconfigured Azure AD Kerberos, the new experience will auto-create and manage the newly created application.
Error 1326 - The username or password is incorrect when using private link
If you're connecting to a storage account via a private endpoint/private link using Azure AD Kerberos authentication, when attempting to mount a file share via net use
or other method, the client is prompted for credentials. The user will likely type their credentials in, but the credentials are rejected.
Cause
This is because the SMB client has tried to use Kerberos but failed, so it falls back to using NTLM authentication, and Azure Files doesn't support using NTLM authentication for domain credentials. The client can't get a Kerberos ticket to the storage account because the private link FQDN isn't registered to any existing Azure AD application.
Solution
The solution is to add the privateLink FQDN to the storage account's Azure AD application before you mount the file share. You can add the required identifierUris to the application object using the Azure portal by following these steps.
- Open Azure Active Directory.
- Select App registrations in the left pane.
- Select All Applications.
- Select the application with the name matching [Storage Account] $storageAccountName.file.core.windows.net.
- Select Manifest in the left pane.
- Copy and paste the existing content so you have a duplicate copy. Replace all instances of
<storageaccount>.file.core.windows.net
with<storageaccount>.privatelink.file.core.windows.net
. - Review the content and select Save to update the application object with the new identifierUris.
- Update any internal DNS references to point to the private link.
- Retry mounting the share.
Need help?
If you still need help, contact support to get your problem resolved quickly.
See also
Feedback
Submit and view feedback for