Hi
does the article below help at all as regards setup of the solution?
Hope this helps,
Thanks
Michael Durkan
- If the reply was helpful please upvote and/or accept as answer as this helps others in the community with similar questions. Thanks!
Hi,
I am trying to build a "Cloud Only AVD Environment with FSLogix" in my test tenant.
I created:
1) an Azure AD Domain Service
2) a Test User and an Admin in Azure AD
3) Server VM (MGMT) and join to AADDS, read Domain GUID
4) Storage Account and configure Azure AD Kerberos with Domain name and Domain GUID
5) configure ADDS App registrations
6) Set the RBAC Roles (SMB Share Contributor) for my Testuser on the Storage Account
7) Link the Share with Access Keys on my Server VM and set the ntfs permissions
8) Create an AVD Environment with one Windows 11 VM Multiuser. Azure AD Join
dsregcmd /status
AzureADJoined: YES
DomainJoined: NO
9) Configure on the Windows 11 VM Kerberos functionality
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1
reg add HKLM\Software\Policies\Microsoft\AzureADAccount /v LoadCredKeyFromProfile /t REG_DWORD /d 1
My problem now is that I can't access the file share. As far as I can see, I do not get a Kerberos key:
After a login on AVD with the Testuser:
> klist:
Cached Tickets: (0)
> klist get krbtgt
Current LogonId is 0:0x146a092
Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x520
klist failed with 0x8009030e/-2146893042: No credentials are available in the security package
I read the learn.microsoft.com pages again and again. Deleted everything and started from the beginning. Several times. The same result again and again.
I found the YT video: https://www.youtube.com/watch?v=dCUUkkzfcug. I do exactly the same. No change.
I have no idea what I am doing wrong and how to find the error.
thx, Chris
Hello @Nekola Christian
According to the document below, Azure AD DS joined systems are NOT supported; at minimum they need to be hybrid devices:
"Clients must be Azure AD-joined or hybrid Azure AD-joined. Azure AD Kerberos isn’t supported on clients joined to Azure AD DS or joined to AD only."
Link: Use Azure Active Directory to access Azure file shares over SMB for hybrid identities using Kerberos authentication | Microsoft Learn
As per the expert advisory, FSLogix hosting on file shares without an AD DS infrastructure is fraught with peril! This is the simple, and easy way to get FSLogix working in a test environment using Cloud Cache: Spare the Share: AADJ AVD and FSLogix Cloud Cache – Azure Advanced Migration Topics for Government (azurewebsites.us)
If this does answer your question, please accept it as the answer as a token of appreciation.
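A client-side check for the prerequisites discussed in this thread, as an added example that is not part of any post and not Microsoft's code: it parses `dsregcmd /status`, reads the registry value from step 9, and inspects the result of `klist get krbtgt`. The function names and the sample input are constructed for illustration; `AzureAdPrt` is a `dsregcmd` field that does not appear in the thread.

```powershell
# Added example. Function names and the sample data are constructed.
function ConvertFrom-DsregStatus {
    # Turn "Name : Value" lines from `dsregcmd /status` into a hashtable.
    param([string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(\S.*?)\s*$') { $state[$Matches[1]] = $Matches[2] }
    }
    $state
}

function Test-CloudKerberosClient {
    param([hashtable]$Dsreg, $RegValue, [string]$KlistText)
    $findings = @()
    # Requirement quoted in the thread: Azure AD-joined or hybrid Azure AD-joined.
    # Both join types report AzureAdJoined : YES.
    if ($Dsreg['AzureAdJoined'] -ne 'YES') { $findings += 'Device is not Azure AD-joined.' }
    # AzureAdPrt is a dsregcmd field not shown in the thread; run dsregcmd
    # as the signed-in user to get a valid value for it.
    if ($Dsreg.ContainsKey('AzureAdPrt') -and $Dsreg['AzureAdPrt'] -ne 'YES') {
        $findings += 'No primary refresh token in this session.'
    }
    if ($RegValue -ne 1) { $findings += 'CloudKerberosTicketRetrievalEnabled is not set to 1.' }
    if ($KlistText -match 'klist failed with (0x[0-9a-fA-F]+)') {
        $findings += "klist get krbtgt failed with $($Matches[1])."
    }
    $findings
}

if (Get-Command dsregcmd.exe -ErrorAction SilentlyContinue) {
    # Live check: run as the affected user inside the AVD session.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $dsreg = ConvertFrom-DsregStatus (dsregcmd.exe /status)
    $reg   = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
    $klist = klist.exe get krbtgt 2>&1 | Out-String
} else {
    # Constructed sample mirroring the output posted in the question.
    $dsreg = ConvertFrom-DsregStatus @('AzureADJoined: YES', 'DomainJoined: NO')
    $reg   = 1
    $klist = 'klist failed with 0x8009030e/-2146893042: No credentials are available in the security package'
}

$result = Test-CloudKerberosClient -Dsreg $dsreg -RegValue $reg -KlistText $klist
if ($result) { $result | ForEach-Object { Write-Output "FAIL: $_" } } else { Write-Output 'All client checks passed.' }
```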
I have the same issue. Have you resolved the issue?