Azure AD DS and file share on Azure VM credential prompt

Question

The environment:

• Cloud Only Azure AD. (company.com)
• Azure AD Domain Services Managed Domain. (hq.company.com)
• Windows 2019 VM hosted in Azure, joined to Azure AD DS (hq.company.com) Managed Domain with a file share.
• Azure hosted Virtual VPN Appliance.
• Windows 10 remote client Azure AD joined (company.com), and Intune managed, connected via VPN.

I can connect to the file share on the Azure hosted VM from the client, but every time I do, it prompts for credentials. If I enter the credentials, it works just fine. Is there a way to get it to authenticate automatically by using the logged in user's credentials without having to save credentials?

I am thinking I must be missing a configuration item between the server and AADDS.

Answer 1

@tjb1966 Thank you for providing the detailed description of the issue, As I understand you are trying to achieve SSO (no need to provide credentials again when accessing the file share) from a client machine is joined to Azure AD and the File Share to AADDS.

This is not possible, Azure AD uses mordern (OAUTH, OID, SAML, etc) protocols while AADDS uses legacy (NTLM and Kerberos), when the user logs in to the machine, he gets a Modern token and to access the file share, he needs a legacy one,this is why they need to provide the user/password again.

Also, refer to this documentation https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#how-it-works:~:text=file%20shares.-,Azure%20AD%20DS,-For%20Azure%20AD it says For Azure AD DS authentication, you should enable Azure AD DS and domain-join the VMs you plan to access file data from. Your domain-joined VM must reside in the same virtual network (VNET) as your Azure AD DS.

Let me know if you have any further questions, feel free to post back.

Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.