Unable to mount Azure File Share using user credentials with Azure AD Kerberos

Karolis Surkus 1 Reputation point
2022-09-29T10:51:23.403+00:00

I have set up an Azure File Share with Azure AD Kerberos, which appears to mean that the computer doesn't have to have a direct line of sight to AD. When I try to add the File Share on any computer, domain-joined or Azure AD joined, it gives the error "System Error 86 has occurred. The specified network password is not correct".
The only way it seems to work is by using the storage key, which you would not want to use in a real-world example.
Are there any ways to have an Azure AD joined device mount an Azure File Share using the user's credentials?


4 answers

  1. Sumarigo-MSFT 47,471 Reputation points Microsoft Employee Moderator
    2022-09-29T15:41:37.047+00:00

    @Karolis Surkus Welcome to the Microsoft Q&A Forum, and thank you for posting your query here!
    Firstly, let me explain how to enable Azure Active Directory Domain Services authentication on Azure Files.

    Azure Files supports identity-based authentication over Server Message Block (SMB) using three different methods: on-premises Active Directory Domain Services (AD DS), Azure Active Directory Domain Services (Azure AD DS), and Azure Active Directory (Azure AD) Kerberos for hybrid identities (preview). We strongly recommend that you review the How it works section to select the right AD source for authentication. The setup is different depending on the domain service you choose. This article focuses on enabling and configuring Azure AD DS for authentication with Azure file shares.

    Overview of Azure Files identity-based authentication options for SMB access

    Note: Azure AD DS and on-premises AD DS authentication don't support authentication against computer accounts. You can consider using a service logon account instead.
    Neither Azure AD DS authentication nor on-premises AD DS authentication is supported against Azure AD-joined devices or Azure AD-registered devices.
    Identity-based authentication isn't supported with Network File System (NFS) shares.

    Supported scenarios and restrictions
    AD DS identities used for Azure Files on-premises AD DS authentication must be synced to Azure AD or use a default share-level permission. Password hash synchronization is optional.

    • Supports Azure file shares managed by Azure File Sync.
    • Supports Kerberos authentication with AD with AES 256 encryption (recommended) and RC4-HMAC. AES 128 Kerberos encryption is not yet supported.
    • Supports single sign-on experience.
    • Only supported on clients running OS versions Windows 8/Windows Server 2012 or newer.
    • Only supported against the AD forest that the storage account is registered to. You can only access Azure file shares with the AD DS credentials from a single forest by default. If you need to access your Azure file share from a different forest, make sure that you have the proper forest trust configured, see the FAQ for details.
    • Doesn't support authentication against computer accounts created in AD DS.
    • Doesn't support authentication against Network File System (NFS) file shares.
    • Doesn't support using CNAME to mount file shares.
    • When you enable AD DS for Azure file shares over SMB, your AD DS-joined machines can mount Azure file shares using your existing AD DS credentials. This capability can be enabled with an AD DS environment hosted either in on-premises machines or hosted on a virtual machine (VM) in Azure.

    Based on the error message, there are a few threads which can resolve your issue: System error 86 has occurred. The specified network password is not correct.
    https://github.com/MicrosoftDocs/azure-docs/issues/49481
    https://stackoverflow.com/questions/67185346/how-do-you-mount-azure-files-using-ad-credentials
    https://stackoverflow.com/questions/66882545/azure-file-shares-drive-map-password-prompt

    Please let us know if you have any further queries. I’m happy to assist you further.


  2. Tom Luxton 81 Reputation points
    2022-10-05T14:18:53.077+00:00

    I'm also investigating this at the moment. I am testing from a Windows 10 machine (not in line of sight to a DC).

    I have followed the prerequisites; in particular, I am using a synced AD account in AAD, the share has been mounted on another machine using the key, and AD permissions have been set. (I have re-set the permissions as this storage account was initially set to use AD authentication.) I have ensured the user account is an SMB contributor and the storage account has been granted the API permissions.

    I have set CloudKerberosTicketRetrievalEnabled = 1 and I have tried using an Azure AD joined machine (thinking that the machine needs to be logged in with AAD credentials, rather than just entering the credentials in an SMB dialog). There are no conditional access policies configured (no endpoint license) and per-user MFA is not configured on the user account, but I get 'The user name or password is incorrect' when I try to mount the SMB share.

    I have also allowed RC4_HMAC_MD5 and AES256_HMAC_SHA1 in local security policy.

    Also worth mentioning: if you use 'Windows Hello', make sure you sign in with a password, not the PIN, since the PIN doesn't normally work with AD authentication on any day.

    When the dialogue first appears when trying to mount the share, I note I receive: 'The system cannot contact a domain controller to service the authentication request'.
    Then it proceeds to show: 'The user name or password is incorrect' when trying to enter the UPN of the user. I have tried using the 'AzureAD\<username>' format also.

    Would really like to see this working, I guess this is why it is in preview?


  3. Tom Luxton 81 Reputation points
    2022-10-05T17:32:08.653+00:00

    Got it working.

    My colleague spotted that you need Windows 10 Enterprise rather than Win 10 Pro. Either that, or the build wasn't high enough.

    After deploying a new Win 10 Enterprise 21H2 19044.2006 and adding the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1, it connected immediately with no credentials or line of sight to AD.

    Also worth noting that the machine needs to be Azure AD Joined (not registered), by setting up for an organization.

    References:

    The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:
    Windows 11 Enterprise single or multi-session.
    Windows 10 Enterprise single or multi-session, versions 2004 or later with the latest cumulative updates installed, especially the KB5007253 - 2021-11 Cumulative Update Preview for Windows 10.
    Windows Server, version 2022 with the latest cumulative updates installed, especially the KB5007254 - 2021-11 Cumulative Update Preview for Microsoft server operating system version 21H2.

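    The working configuration described in the answers above, as an added pre-flight script that is not from this thread or from Microsoft: it checks each prerequisite the thread mentions (Azure AD join rather than registration, an Enterprise build of 2004/19041 or later, the CloudKerberosTicketRetrievalEnabled value, and DNS plus TCP 445 reachability, which is what the AzFileDiagnostics output below fails on) and then mounts the share with the signed-in user's credentials instead of the storage key. The storage account name and share name are placeholders.

```powershell
# Added example (not from the thread or Microsoft): pre-flight checks for the
# Azure AD Kerberos prerequisites discussed above, then a mount with the
# signed-in user's credentials (no storage account key).
param(
    [string]$StorageAccount = "mystorageacct",   # placeholder, replace
    [string]$ShareName      = "myshare",         # placeholder, replace
    [string]$DriveLetter    = "Z"
)
$fqdn = "$StorageAccount.file.core.windows.net"
$ok = $true

# 1. Device must be Azure AD joined (not merely registered).
$dsreg = dsregcmd /status
if (($dsreg -join "`n") -notmatch 'AzureAdJoined\s*:\s*YES') {
    Write-Warning "Device is not Azure AD joined (see dsregcmd /status)"; $ok = $false
}

# 2. Enterprise (or Server) edition, build 19041 (Windows 10 2004) or later.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.Caption -notmatch 'Enterprise|Server' -or [int]$os.BuildNumber -lt 19041) {
    Write-Warning "Unsupported OS: $($os.Caption) build $($os.BuildNumber)"; $ok = $false
}

# 3. Cloud Kerberos ticket retrieval must be enabled (the registry value from answer 3).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$val = (Get-ItemProperty -Path $key -Name CloudKerberosTicketRetrievalEnabled `
        -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
if ($val -ne 1) {
    Write-Warning "CloudKerberosTicketRetrievalEnabled is '$val', expected 1 (set it, then reboot)"; $ok = $false
}

# 4. Name resolution and TCP 445. 'No such host is known' is a DNS problem
#    (private endpoint resolution), not an authentication problem.
$net = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $net.TcpTestSucceeded) {
    Write-Warning "Cannot reach $fqdn on TCP 445 (resolved to: $($net.RemoteAddress))"; $ok = $false
}

if (-not $ok) { Write-Error "Prerequisite checks failed; see warnings above"; exit 1 }

# 5. Mount with the current user's Azure AD credentials: no key, no credential prompt.
New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root "\\$fqdn\$ShareName" `
    -Persist -Scope Global | Out-Null

# 6. Confirm a Kerberos service ticket for the file endpoint was actually obtained.
if (klist | Select-String -Quiet "cifs/$fqdn") {
    Write-Host "Mounted ${DriveLetter}: with a Kerberos ticket for cifs/$fqdn"
} else {
    Write-Warning "Share mounted, but no cifs/$fqdn ticket in klist; check the Azure AD Kerberos setup"
}
```

    Run it in an elevated PowerShell session on the client; a failed check names the prerequisite to fix before the mount is attempted.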

  4. Barrie White 0 Reputation points
    2023-04-05T13:49:13.4666667+00:00

    Having exactly the same issue, but unable to track down why. Azure Files, using a private endpoint. Deployed the Azure VPN Client with identical config to 15 devices. 13 devices connect to Azure Files no problem, 2 do not. They receive the message "The Specified Username or password is incorrect". However, the users failing to access the storage can do so from within the company network. Running AzFileDiagnostics from a device that's not working, I get this:

    ======Validate port 445 reachability over Storage Account IP 20.209.7.166 20.209.6.198 20.209.7.230
    
    [ERROR]: Connection attempt fails with iteration(0 + 1) of 3  with the error --- No such host is known
    Exception calling "BeginConnect" with "4" argument(s): "No such host is known"
    At C:\Temp\azuretools\azure-files-samples-master\AzFileDiagnostics\Windows\AzFileDiagnostics.ps1:508 char:9
    +         $AsyncResult = $tcpClient.BeginConnect($DestIP , $DestPort ,  ...
    +         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : SocketException
     
    
    [ERROR]: Connection attempt fails with iteration(1 + 1) of 3  with the error --- The IAsyncResult object was not returned from the corresponding asynchronous method on this class.
    Parameter name: asyncResult
    
    [ERROR]: Connection attempt fails with iteration(2 + 1) of 3  with the error --- No such host is known
    
    [ERROR]: Last connection exception is:
           ---No such host is known
    
    [ERROR]: Port 445 is not reachable from this client, Exit the validation and please verify the network
    
