Abnormal behaviour Error 86, 53 and 85 mapping Azure SMB File Share from Win10

Sahid Afridi 21 Reputation points
2023-05-27T10:04:48.96+00:00

Difficult problem that I have banged my head on for almost a week with no signs of making progress. Any help would be greatly appreciated. I know the "86" error has several documented fixes but none have worked for me so far. If I can provide any additional information, please ask.

Synopsis:
We are moving file servers into the cloud and I want to use Azure file shares for our migration. We have an on-premise AD and an Azure tenant. I want my users to be able to access these file shares using their AD credentials from anywhere in the world, with no VPN requirement.

Configuration:

1.) Storage Account: created in Azure & in on-prem AD (both computer & user accounts).
2.) Storage Account: all Azure AD users temporarily have "Storage File Data SMB Share Contributor " and Storage File Data SMB Share Elevated Contributor role.

3.) File Share: configured with "Azure AD Kerberos" Active Directory.
4.) File Share: default share-level permissions configured with "Read-Only".
5.) File Share: security set to "Maximum Compatibility".

6.) Networking:maked connection with private endpint with azure virtuale ntwork.
7.) Networking: public network access enabled.

8.) Workstation: Windows 10 Enterprise 20H2 - joined to on-premise domain, logged in with O365-enabled account.
9.) Workstation: registry key "CloudKerberosTicketRetrievalEnabled" set to 1
10.) Workstation: local security policy LAN Manager Authentication Level set to "Send NTLMv2 response only".
11.) Active Directory: synced to Azure via AAD Connect (password sync, no writeback)

12: Existing Infrastructure: We have an on-premises domain controller that has syncronized with our office 365/Azure tenants, as well as establishing private connectivity with Azure's site-to-site and point-to-site VPNs. Additionally, we have created another virtual machine in Azure and configured it as an additional domain controller, configured the Azure file share on the ADC, and joined it. All FSMO roles remain on the On-premises domain controller.

"DSRegCmd /status" Results:
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName :

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,224 questions
Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
7,565 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,563 questions
{count} votes

2 answers

Sort by: Most helpful
  1. Sumarigo-MSFT 45,406 Reputation points Microsoft Employee
    2023-05-29T06:13:55.82+00:00

    @shahid Afridi Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

    Can you share the screenshot of the exact error message?
    Please cross verify the the SMB version (SMB version compatibility) and verify DNS resolution(nslookup yourfileshare.file.core.windows.net) ?

    To learn how to enable AD DS authentication, first read Overview - on-premises Active Directory Domain Services authentication over SMB for Azure file shares and then see Enable AD DS authentication for Azure file shares.

    How it works: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview#azure-ad-ds

    Based on the information provided, it seems that you are encountering errors when trying to map an Azure SMB File Share from a Windows 10 workstation. Let's go through the errors you mentioned and possible solutions for each:

    This article lists common problems that might occur when you try to connect to and access SMB Azure file shares from Windows or Linux clients. It also provides possible causes and resolutions for these problems.

    Error 86:
    Error System 86 has occurred. The specified network password is not correct. when clients trying to connect to Azure storage using ADDS Authentication for Azure files.

    If you have a Private Endpoint with ADDS or Azure ADDS Authentication for Azure files – please verify the Private link is configured correctly by doing an **NSLookup of [storageaccount.file.core.windows.net ]**and an **NSLookup of [storageaccount.privatelink.file.core.windows.net ]**via cmd prompt.

    See documentation - Use private endpoints - Azure Storage

    Verify that the Storage Account is AAD or AD is joined and verify if user has RBAC roles in ASC, also check with customer to verify NTFS permissions have been setup.

    Run the debug cmdlet from AzFilesHybrid in Powershell Releases· Azure-Samples/azure-files-samples · GitHub - User may need to import the modules from AzFilesHybrid.zip if they do not have it installed from the user context. https://docs.microsoft.com/en-us/azure/storage/files/storage-troubleshoot-windows-file-connection-problems#self-diagnostics-steps

    This error typically occurs when there is a mismatch in the encryption settings between the client and server. Here are some troubleshooting steps you can try:

    1. Make sure the workstation's time is synchronized with the domain controller and Azure AD.
    2. Ensure that the Azure file share and the workstation are both configured with the same encryption settings. You can set the encryption settings on the Azure file share by navigating to the "Configuration" section of the file share in the Azure portal.
    3. Check if any firewall or network security groups are blocking the necessary ports (e.g., port 445 for SMB). Ensure that the required ports are open between the workstation and the Azure file share.

    Verify the customer is utilizing acceptable encryption settings on-premises to match the level encryption supported by the feature.

    Error 53: This error typically indicates that the network path to the Azure file share is not found. Here are some steps to troubleshoot this error:

    1. Ensure that the workstation has network connectivity to the Azure file share. You can try pinging the file share endpoint from the workstation to verify connectivity.
    2. Check if any firewall or network security groups are blocking the necessary ports (e.g., port 445 for SMB). Ensure that the required ports are open between the workstation and the Azure file share.
    3. Verify that the DNS resolution is working correctly. Ensure that the file share endpoint is resolving to the correct IP address.

    Error 85: This error usually occurs when you attempt to map a drive letter that is already in use by another resource. Ensure that the drive letter you are trying to map is not already in use by another mapped network drive or any other resource on the workstation.

    Additionally, you mentioned that you want your users to access the Azure file shares using their AD credentials from anywhere in the world without a VPN requirement. This can be achieved using Azure AD DS (Domain Services) or Azure AD Application Proxy. Please let me know if you need more information on setting up either of these options.

    If the troubleshooting steps mentioned above do not resolve your issue, it would be helpful to provide the specific error messages you are encountering, any relevant event log entries, and the output of the "DSRegCmd /status" command on the workstation. This information can help in further diagnosing the problem.

    If the issue still persist, I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, I will follow-up with you.  Once again, apologies for any inconvenience with this issue.

    Thanks for your patience and co-operation.


    Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.


  2. Jörg Mayer Azure Consulting 45 Reputation points
    2023-05-30T16:48:23.3566667+00:00

    Hi,

    how do you mount the file shares to your clients/VM's? Can you provide the command?

    CU

    Joerg

    0 comments No comments