From VM cannot connect to File Share trough UNC path

Question

Hi there,

I'm having issues connecting to our File Shares trough the UNC path on our Azure VMs.

We have some domain joined VMs. Our User Accounts can login with the Entra ID credentials but when I try to connect to our Azure File Shares, I get a wrong credentials error.

I checked and our AADDS is synched. I also looked in to the IAM Role Assignments, which should work.

It worked before, but since we try using a Key Vault for the sensible data, I can't connect anymore. The AADDS had to be destroyed once and we rebuilded it with our terraform script.

I'm struggling to find the issue.

Does anyone know where I'm failing?

Answer 1

Hello Alan Benet,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are unable to connect to File Share through UNC path from your VM.

So sorry for the difficulties, you do not need struggling to find the solution, three things you will need to look into are your File Share configuration, Key Vault Integration policy and AA - Authorization and Authentication implemented. Here you go from top:

1. Since you started using Key Vault for sensitive data, ensure that Key Vault access policies are properly configured to allow the Azure File Share service to retrieve secrets if necessary and if you are storing secrets or keys related to the Azure File Share connection, ensure they are correctly referenced and updated in your configuration. https://learn.microsoft.com/en-us/azure/key-vault/general/assign-access-policy and https://learn.microsoft.com/en-us/azure/key-vault/general/overview-key-vault
2. Troubleshooting SMB authentication https://learn.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-smb-authentication and https://learn.microsoft.com/en-us/azure/active-directory-domain-services/kerberos
3. Reconfigure File Share Connection https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/net-use and https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-services and https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-domain-services#mount-azure-files-shares-with-azure-ad-ds NOTE: If you tried all the above and no solution, check your network security group (NSG) with File Share. Also provide your log from Azure Storage Diagnostics Logging and Windows Event logs.

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam

Answer 2

@Alan Benet Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

Apologies for the delay response.

Based on the error messasge, please refer to the suggestion mentioned here
Can you please cross verify the configuration once again and let me know the status
Overview of Azure Files identity-based authentication options for SMB access

Supported scenarios and restrictions

AD DS identities used for Azure Files on-premises AD DS authentication must be synced to Microsoft Entra ID or use a default share-level permission. Password hash synchronization is optional.

Supports Azure file shares managed by Azure File Sync.

Supports Kerberos authentication with AD with AES 256 encryption (recommended) and RC4-HMAC. AES 128 Kerberos encryption isn't yet supported.

Supports single sign-on experience.

Only supported on Windows clients running OS versions Windows 8/Windows Server 2012 or newer, or Linux VMs (Ubuntu 18.04+ or an equivalent RHEL or SLES VM) running on Azure.

Only supported against the AD forest that the storage account is registered to. Users belonging to different domains within the same forest should be able to access the file share and underlying directories/files as long as they have the appropriate permissions.

You can only access Azure file shares with the AD DS credentials from a single forest by default. If you need to access your Azure file share from a different forest, make sure that you have the proper forest trust configured. For details, see Use Azure Files with multiple Active Directory forests.

Doesn't support assigning share-level permissions to computer accounts (machine accounts) using Azure RBAC. You can either use a default share-level permission to allow computer accounts to access the share, or consider using a service logon account instead.

Doesn't support authentication against Network File System (NFS) file shares.

• AD DS identities used for Azure Files on-premises AD DS authentication must be Check the IAM role assignments: Make sure that the user accounts that are trying to connect to the Azure File Shares have the necessary IAM role assignments. Specifically, they should have the Storage File Data SMB Share Contributor role assigned to them. You can check this in the Azure portal by going to the Access control (IAM) section of the storage account that contains the file shares.
• Check the authentication settings: Make sure that the authentication settings for the Azure File Shares are configured correctly. Specifically, you should have the "Allow access from Azure services" setting enabled, and you should have the "Minimum SMB protocol" set to SMB 2.1 or higher. You can check these settings in the Azure portal by going to the Configuration section of the storage account that contains the file shares.
• Check the UNC path: Make sure that the UNC path you are using to connect to the Azure File Shares is correct. Specifically, the UNC path should be in the following format: \\<storage-account-name>.file.core.windows.net\<file-share-name>. You can find the correct UNC path in the Azure portal by going to the Connect pane of the file share.
• Check the firewall settings: Make sure that the firewall settings for the storage account that contains the file shares are configured correctly. Specifically, you should have the "Allow trusted Microsoft services to access this storage account" setting enabled, and you should have the IP address ranges for your VMs added to the firewall rules. You can check these settings in the Azure portal by going to the Firewall and virtual networks section of the storage account that contains the file shares.

Option 2

Here are a few steps you can take to troubleshoot and resolve this issue:

Check AD Configuration: Ensure that your Active Directory configuration is correct and that the necessary permissions are in place. You can use the dsregcmd /status command to check the status of your device registration.

Verify URLs: Make sure that your system can access the required URLs for device registration. These include:

• https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
    • https://device.login.microsoftonline.com
    Proxy Settings: If you're using a proxy, ensure that it is correctly configured. You can set the proxy using the command:

   netsh winhttp set proxy PROXY01:8080

Event Logs: Check the event logs for any related errors. Look for errors under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider.

Permissions: Verify that the necessary permissions are set in Active Directory. Sometimes, permission issues can cause this error.

Certificate Validation: Ensure that the SSL certificates are correctly installed and that there are no issues with certificate validation. You can use the certutil command to check the certificate status.

If none of these solutions work, I would like to work closer on this issue.

Please let us know if you have any further queries. I’m happy to assist you further.    

---

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.