Azure Files: SMB over QUIC - support for DFS-N

Dubbink, Gert 20 Reputation points
2024-07-16T16:25:04.9566667+00:00

Reading up on SMB over QUIC to be used with Azure Files and wondering how this would integrate with DFS-N in a work-from-home setup.

Reading a blog with the following statement: "Since the client cannot reach a Key Distribution Center (KDC) over the internet, Kerberos is not an option, as there is no direct line of sight to a domain controller." Would this then also not apply to a remotely hosted DFS-N setup? Meaning that DFS-N with SMB over QUIC would not work unless you had some kind of VPN to a network hosting the DFS-N service, but that would be a complex setup.

Is this not documented because it is obvious, or is it me not understanding how SMB over QUIC would work in such a setup?

Br, Gert


Accepted answer

Amira Bedhiafi 26,261 Reputation points
2024-11-02T14:23:07.9033333+00:00

    Can SMB over QUIC work with DFS-N in a work-from-home setup?

    Integrating SMB over QUIC with DFS-N for remote work-from-home users introduces several challenges. SMB over QUIC is designed to allow secure, VPN-less access to Azure Files over the internet using UDP and TLS 1.3. This provides a streamlined approach for users to access files securely without the complexity of VPNs. However, DFS-N (Distributed File System Namespaces) relies on domain-based authentication and path resolution, which typically require connectivity to a domain controller. Without a VPN, establishing that domain-based path resolution and authentication becomes difficult because SMB over QUIC itself doesn’t facilitate domain services like DFS-N does.

    Does the Kerberos limitation affect DFS-N with SMB over QUIC?

    The statement you referenced highlights a key limitation: "Since the client cannot reach a Key Distribution Center (KDC) over the internet, Kerberos is not an option, as there is no direct line of sight to a domain controller." This applies directly to a DFS-N setup. DFS-N requires domain-based authentication, and Kerberos is the preferred protocol due to its security and efficiency. Without direct access to the KDC, Kerberos cannot be used, meaning remote DFS-N access via SMB over QUIC would need fallback methods like NTLM. However, NTLM may not meet all security or functional requirements, complicating the use of DFS-N in such a scenario.

    Would a VPN make this integration feasible?

    Yes, using a VPN or other secure tunnel could enable access to a domain controller, allowing Kerberos authentication to work and resolving DFS-N paths as needed. This, however, contradicts the main benefit of SMB over QUIC, which is to eliminate the need for VPNs. Implementing a VPN would add complexity to the network setup and could reduce the simplicity that SMB over QUIC aims to provide for remote file access. While possible, this solution would require careful planning and additional infrastructure to maintain security and performance.

    Why isn’t this scenario well-documented?

    The specific combination of DFS-N with SMB over QUIC might not be prominently documented because SMB over QUIC is typically intended for direct access to Azure Files without involving complex, domain-based namespace resolution. Most tutorials and documentation focus on simplifying remote file access rather than integrating it with domain services like DFS-N. This oversight means you may not find comprehensive guides that tackle this integration head-on.


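As an added example (not part of the question or of the accepted answer above), the following PowerShell script shows the checks a practitioner would run from a remote client before choosing between the two situations the answer describes: whether a KDC and the DFS-N namespace are reachable at all, and, if they are not, mapping the concrete server share directly over SMB over QUIC instead of the namespace path. The domain, DFS-N path, server and share names (contoso.com, \\contoso.com\Public\Projects, fs01.contoso.com, Projects) are placeholders, and the script assumes a Windows 11 or Windows Server 2022 or later client with the DFSN RSAT module installed.

```powershell
# Added diagnostic example, not code from the original thread.
# Hypothetical names: contoso.com (AD domain), \\contoso.com\Public\Projects
# (domain-based DFS-N path), fs01.contoso.com\Projects (file server share that
# is published on UDP 443 for SMB over QUIC). Run from the remote client.
param(
    [string]$Domain     = 'contoso.com',
    [string]$DfsPath    = '\\contoso.com\Public\Projects',
    [string]$QuicServer = 'fs01.contoso.com',
    [string]$QuicShare  = 'Projects'
)

function Test-KdcReachable {
    param([string]$Domain)
    # Kerberos needs a KDC on port 88. Domain controllers are located through the
    # _kerberos._tcp SRV record; from the public internet the lookup or the TCP
    # probe normally fails, which is exactly the "no line of sight" condition.
    $srv = Resolve-DnsName -Name "_kerberos._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
    if (-not $srv) { return $false }
    foreach ($record in ($srv | Where-Object { $_.Type -eq 'SRV' })) {
        $probe = Test-NetConnection -ComputerName $record.NameTarget -Port 88 -WarningAction SilentlyContinue
        if ($probe.TcpTestSucceeded) { return $true }
    }
    return $false
}

function Test-DfsNamespaceResolvable {
    param([string]$Path)
    # A DFS-N referral comes from the namespace servers (found via the domain for a
    # domain-based root). If the referral cannot be obtained, the path is unusable
    # regardless of which transport the final file server speaks.
    try {
        $targets = Get-DfsnFolderTarget -Path $Path -ErrorAction Stop
        $targets | Format-Table Path, TargetPath, State -AutoSize | Out-String | Write-Host
        return $true
    } catch {
        Write-Warning "DFS-N referral for $Path failed: $($_.Exception.Message)"
        return $false
    }
}

$kdcOk = Test-KdcReachable -Domain $Domain
Write-Host "KDC reachable on TCP 88 : $kdcOk"
$dfsOk = Test-DfsNamespaceResolvable -Path $DfsPath
Write-Host "DFS-N referral obtained : $dfsOk"

if ($dfsOk) {
    # With line of sight (for example over a VPN) the namespace path maps normally
    # and the Kerberos service tickets show up in klist.
    New-SmbMapping -LocalPath 'P:' -RemotePath $DfsPath
    klist
} else {
    # Without line of sight, bypass DFS-N and map the target share directly over
    # SMB over QUIC (UDP 443, TLS 1.3). The referred target must still be reachable
    # by whatever transport the client ends up using to it.
    New-SmbMapping -LocalPath 'Q:' -RemotePath "\\$QuicServer\$QuicShare" -TransportType QUIC
    Get-SmbConnection | Where-Object ServerName -eq $QuicServer |
        Format-List ServerName, ShareName, Dialect, Credential
}
```

The two checks are deliberately separate: a reachable KDC tells you Kerberos can work, but DFS-N additionally needs the namespace referral, and the script reports both so you can see which of the two is the blocker in a given remote network.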
