Active Directory
A set of directory-based technologies included in Windows Server.
6,625 questions
.........q
Issue accessing file share in different AD forest
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 97%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ED%3C/text%3E%3C/svg%3E)
Daniel
81
Reputation points
Hello,
I am having trouble accessing a file share that is located in a different AD forest from my laptop with AlwaysONVPN configured.
I am able to access the file share without issue from a servers that are located in AD forest B and AD forest C network domain, but not from my VPN-connected laptop. I have confirmed that DNS resolution and network connectivity are working properly. Does anyone have any ideas on what could be causing this issue?
Attached for context is a diagram of the AD Forests setup:
Thanks in advance for any suggestions!
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 78%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAL%3C/text%3E%3C/svg%3E)
Alan La Pietra (CSA) 80 Reputation points Microsoft Employee2024-03-14T13:54:00.81+00:00 where is your laptop connected?
Could be an issue with RC4 through the Trust? You could have AES forced on them.
Some time ago an update was released for AES Session Key in Kerberos. Just guessing. Don't know about your laptop or OS versions
-
Daniel 81 Reputation points
2024-03-14T14:04:53.7966667+00:00 Hi,
Thanks for the answers. I'll check these.
The laptop is part of AD forest B, and its OS is Windows 10. We also have the same issues with Windows 11 laptops. The connection is not working when the user is not located in the company network (working from home). What is strange for me is that DNS for the file server can be resolved when computers are in the user's home network and when they are in company B's network. But they are not able to access the file share from their laptops. And one slightly strange thing is that admin users can access the file share from laptops without any issues
-
Alan La Pietra (CSA) 80 Reputation points Microsoft Employee
2024-03-14T14:18:56.51+00:00 so laptop at home can resolve through DNS the File Share (vpn connected), and when they are in the office. They can resolve but not connect to it through SMB 445. Maybe port is closed for normal users and not admins?
-
Daniel 81 Reputation points
2024-03-14T14:23:27.8333333+00:00 that is correct, in both cases users can resolve DNS of file share server. Access by port 445 was also reviewed both for admin and normal users. Network traffic by this port is enabled for both users.
-
Alan La Pietra (CSA) 80 Reputation points Microsoft Employee
2024-03-14T14:46:40.55+00:00 any error showing?Event viewer?
-
Daniel 81 Reputation points
2024-03-15T12:39:41.1566667+00:00 Hi,
I have checked the logs and I'm not able to find any log entries that would suggest that there was even an attempt of login to a file server.
Would it be possible that if computer is not domain joined but is Microsoft Entra joined(Azure AD joined) and managed with Intune that it's is not able to access file share in another AD forest?
Sign in to comment
4 answers
Sort by: Most helpful
-
-
Karlie Weng 18,521 Reputation points Microsoft Vendor2024-03-15T06:31:16.3866667+00:00 Hello,
Perform a packet capture using tools like Wireshark while attempting to access the file share as both an admin user and a regular user. Analyze the captured packets to compare the network traffic between the two scenarios. Look for differences in protocols used, authentication attempts, or any other relevant details.
If the Answer is helpful, please click "Accept Answer" and upvote it.
-
Daniel 81 Reputation points
2024-11-01T10:25:19.9333333+00:00 Apologies for the delayed response; this topic had been on the back burner due to other project commitments. I have been analyzing network traffic via Wireshark and observed that the client (a Windows 10 machine) is sending a TCP connection reset after negotiating the SMB protocol with the file share server. It appears that during this process, Kerberos authentication is falling back to NTLM, which is disabled on the file share server.
For reference, please find the captured logs below:
• 14 5.389257 10.90.3.108 10.90.9.24 SMB 127 Negotiate Protocol Request
• 15 5.524573 10.90.9.24 10.90.3.108 SMB2 306 Negotiate Protocol Response
• 16 5.524725 10.90.3.108 10.90.9.24 SMB2 326 Negotiate Protocol Request
• 17 5.559547 10.90.9.24 10.90.3.108 SMB2 366 Negotiate Protocol Response
• 18 5.566497 10.90.3.108 10.90.9.24 SMB2 536 Session Setup Request, INITATOR_NEGO, INITIATOR_META_DATA
• 19 5.601933 10.90.9.24 10.90.3.108 SMB2 153 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED
• 20 5.602598 10.90.3.108 10.90.9.24 SMB2 199 Session Setup Request, NTLMSSP_NEGOTIATE
• 21 5.637640 10.90.9.24 10.90.3.108 SMB2 463 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
• 22 5.641356 10.90.3.108 10.90.9.24 TCP 54 53405 → 445 [RST, ACK] Seq=973 Ack=1073 Win=0 Len=0
• 23 5.644586 10.90.3.108 10.90.9.24 TCP 66 53406 → 445 [SYN] Seq=0 Win=65280 Len=0 MSS=1360 WS=256 SACK_PERM
When NTLM is enabled on the file share server, access works. However, I would like to know whether it would be possible to configure Kerberos authentication exclusively for resource access in an environment where there is a two-way transitive AD trust?
-
Daniel 81 Reputation points
2024-11-01T10:27:20.7633333+00:00 One more thing I forgot to mention. All devices are only Azure AD joined.
Sign in to comment -
-
Daniel 81 Reputation points
2024-11-01T21:44:58.5066667+00:00 Hello
Apologies for the delayed response; this topic had been on the back burner due to other project commitments. I have been analyzing network traffic via Wireshark and observed that the client (a Windows 10 machine) is sending a TCP connection reset after negotiating the SMB protocol with the file share server. It appears that during this process, Kerberos authentication is reverting to NTLM, which is disabled on the file share server.
For reference, please find the captured logs below:
• 14 5.389257 10.90.3.108 10.90.9.24 SMB 127 Negotiate Protocol Request
• 15 5.524573 10.90.9.24 10.90.3.108 SMB2 306 Negotiate Protocol Response
• 16 5.524725 10.90.3.108 10.90.9.24 SMB2 326 Negotiate Protocol Request
• 17 5.559547 10.90.9.24 10.90.3.108 SMB2 366 Negotiate Protocol Response
• 18 5.566497 10.90.3.108 10.90.9.24 SMB2 536 Session Setup Request, INITATOR_NEGO, INITIATOR_META_DATA
• 19 5.601933 10.90.9.24 10.90.3.108 SMB2 153 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED
• 20 5.602598 10.90.3.108 10.90.9.24 SMB2 199 Session Setup Request, NTLMSSP_NEGOTIATE
• 21 5.637640 10.90.9.24 10.90.3.108 SMB2 463 Session Setup Response, Error: STATUS_MORE_PROCESSING_REQUIRED, NTLMSSP_CHALLENGE
• 22 5.641356 10.90.3.108 10.90.9.24 TCP 54 53405 → 445 [RST, ACK] Seq=973 Ack=1073 Win=0 Len=0
• 23 5.644586 10.90.3.108 10.90.9.24 TCP 66 53406 → 445 [SYN] Seq=0 Win=65280 Len=0 MSS=1360 WS=256 SACK_PERM
When NTLM is enabled on the file share server, access is successful. However, I would like to know whether it would be possible to configure Kerberos authentication exclusively for resource access in an environment where there is a two-way transitive Active Directory (AD) trust?
-
Alan La Pietra (CSA) 80 Reputation points Microsoft Employee
2024-11-04T08:22:42.6266667+00:00 If kerberos is not working and failing back to NTLM I would check SPN registration.
If machines are only EntraID joined do you have Kerberos Server configured? They get an Azure PRT token but what about Kerberos TGT, they will not have one available to access on-prem resources.
With Kerb Srv you get a partial TGT which you exchange with full TGT once you contact a DC trying to access on-prem resource.
You should configure Windows Hello for Business Cloud Kerberos Trust: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune