Connecting to Azure Storage Account File Share - native AAD/Entra - Kerberos error/issues.

Aaron Elliott 0 Reputation points
2023-12-19T07:03:14.3033333+00:00

Hi all - I am trying to mount/connect to an Azure file share without any on-prem AD (i.e. Entra ID only) as part of a broader AVD deployment (i.e. latest win11) and I am not having much joy. I am trying to use identity based access and can access the share (and create files/folders etc) via the browser function within the Azure portal (using the Entra account).

The App Registration has been added and the delegation approved, and I have added the reg setting to the client to allow Kerberos from the cloud.

When trying to map the drive on a client via the generated PowerShell, it will sit for ~3 minutes - and eventually error with: New-PSDrive : The target account name is incorrect. The same error occurs when using the 'net use' command.

Interestingly, the sign-in log for the user indicates (a multitude of) successful logons via the registered app - which seemingly goes contrary to what is happening.

I get this in the event log of the client:

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sidrastorage. The target name used was cifs/sidrastorage.file.core.windows.net. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (file.core.windows.net) is different from the client domain (KERBEROS.MICROSOFTONLINE.COM), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

But, I seem to have a ticket for that resource:

#2>     Client: abc@sidrasolutions.com @ AzureAD
        Server: cifs/sidrafiles.file.core.windows.net @ KERBEROS.MICROSOFTONLINE.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40000000 -> forwardable
        Start Time: 12/19/2023 6:04:11 (local)
        End Time:   12/19/2023 7:04:11 (local)
        Renew Time: 0
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: KdcProxy:login.microsoftonline.com

I have since generated an all new storage account and share - and got the same result.

Hoping someone can assist - all of the documentation I have been able to find talks about every scenario except this one (i.e. having some kind of on-prem AD/integration) - which is puzzling in itself!

Many, many thanks.

Aaron
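A client-side check for the symptom described above, added here as an example (it is not from the question, the answers, or any Microsoft tooling). It assumes a Windows client with PowerShell run as an administrator; the storage account name is a constructed placeholder, and the registry value name is the documented one for enabling Kerberos ticket retrieval from the cloud KDC proxy.

```powershell
# Added diagnostic for Entra ID Kerberos to an Azure file share. It verifies the
# client setting, requests a ticket for the SPN the mapping will use, and correlates
# that with KRB_AP_ERR_MODIFIED events (server could not decrypt the ticket).
param(
    [string]$StorageAccount = 'examplestorage'   # placeholder, not the poster's account
)

$spn     = "cifs/$StorageAccount.file.core.windows.net"
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

# 1. Documented client setting that lets the Kerberos client ask login.microsoftonline.com for tickets.
$cloudKerb = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
if ($cloudKerb -ne 1) {
    Write-Warning "CloudKerberosTicketRetrievalEnabled is '$cloudKerb' (expected 1); cloud ticket retrieval is off."
}

# 2. Request a service ticket for the exact SPN and read back what was actually issued.
$klist = klist get $spn 2>&1 | Out-String
if ($klist -match 'Server:\s*(\S+)\s*@\s*(\S+)') {
    $issuedSpn = $Matches[1]; $realm = $Matches[2]
    Write-Host "Ticket issued for $issuedSpn in realm $realm"
    if ($issuedSpn -ine $spn) {
        Write-Warning "Ticket SPN does not match the share being mapped ($spn)."
    }
} else {
    Write-Warning "No service ticket obtained for $spn.`n$klist"
}
if ($klist -match 'Kdc Called:\s*(\S+)') { Write-Host "KDC used: $($Matches[1])" }

# 3. A ticket in the cache plus KRB_AP_ERR_MODIFIED means the KDC issued a ticket the
#    service could not decrypt: look at the SPN/key registration on the storage side,
#    not at the user's (successful) sign-in. Also flag a target name that differs from
#    the share being mapped, as in the question's event text versus its klist output.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
    -MaxEvents 50 -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'KRB_AP_ERR_MODIFIED' }
foreach ($e in $events) {
    $target = if ($e.Message -match 'target name used was (\S+)\.') { $Matches[1] } else { '(unknown)' }
    Write-Host ("{0:s}  Event {1}  target={2}" -f $e.TimeCreated, $e.Id, $target)
    if ($target -ine $spn) {
        Write-Warning "Event target $target differs from $spn; check which storage account the connection resolved to."
    }
}
```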


2 answers

  1. Anand Prakash Yadav 7,795 Reputation points Microsoft Vendor
    2023-12-20T11:34:24.88+00:00

    Hello Aaron Elliott,

    Thank you for posting your query here!

    If you would like to follow the approach from the link, it is required that you use hybrid user identities. Cloud-only users aren’t supported to authenticate to Azure Files.

    Another approach would be to use Azure AD Domain Services (AAD DS), but this also comes with some limitations, like: an AVD setup with AAD DS doesn’t support SSO to the service and hybrid join of your session hosts, if you need this.

    Azure Files supports authentication from non-domain joined devices if the client has line-of-sight to the domain controller and the user types in their AD domain credentials. Note that for non-domain-joined machines wishing to access Azure Files with Azure AD DS (not on-premises AD DS), customers would want to set up line-of-sight to the domain controllers for Azure AD DS, which are located in Azure. They would have to set up this connectivity through either site-to-site or point-to-site VPN.

    Also, Microsoft Entra ID (formerly Azure AD) allows Kerberos authentication without the need for line-of-sight to domain controllers. However, the support is limited to hybrid user identities (identities created in AD DS and synced to Azure AD using Azure AD Connect). Cloud-only identities aren't currently supported.

    For reference: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

    Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.


  2. Marcel Martens | M-IT Services 0 Reputation points
    2024-10-09T20:58:22.2133333+00:00

    Ensure that the SPN-account has "Trust this user for delegation to any service (Kerberos only)" as per default it is set to "Do not trust this user for delegation".


    This is especially so for event ID 201 "Security-Kerberos".

