Azure Files
An Azure service that offers file shares in the cloud.
1,228 questions
Connection using Azure AD Kerberos authentication fails.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(153.6, 88%, 24%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
馬場 勇真
180
Reputation points
Connection using Azure DA Kerberos authentication fails.
What I want to achieve:
I would like to use Azure Files by using Azure Ad Kerberos authentication as the authentication method.
Prerequisites:
The domain controller is generated as a VM on Azure.
Azure AD Connect between tenant and on-premises AD has been completed.
The machine that verifies connectivity is also an Azure VM.
This machine has already joined on-premises AD, and device registration has also been completed with Azure AD using Azure AD Connect. The Kerberos ticket settings are also complete.
The most important thing is that two tenants and Azure AD Connect are built for one on-premises AD.
What has been verified:
I followed the steps in Microsoft's documentation to build it. Specifically, it is as follows.
①Create storage accounts and file shares.
②Select "Azure AD Kerberos" as the authentication method and enter the domain name and domain GUID values obtained from the domain controller.
③Grant API permissions to the automatically generated storage account application.
④Mount the file share on a domain controller using the storage account key and set ACLs.
⑤From the verification machine, enter the file share path in UNC path format in Explorer.
⑤Credentials are requested. (I am aware that SSO is no longer supported because you are connecting multiple tenants.)
Here's the problem:
Even after entering the credentials, an error message is displayed and connection cannot be established.
The error message is below.
The specified network password is incorrect.
I tried entering several credentials, but they all returned the same error message. If you have any problems with my steps, please let me know.
{count} votes
-
馬場 勇真 180 Reputation points
2023-10-20T01:51:51.53+00:00 dsregcmd /status
+----------------------------------------------------------------------+ | Device State | +----------------------------------------------------------------------+ AzureAdJoined : YES EnterpriseJoined : NO DomainJoined : YES DomainName : ****** Device Name : ****** +----------------------------------------------------------------------+ | Device Details | +----------------------------------------------------------------------+ DeviceId : ****** Thumbprint : ****** DeviceCertificateValidity : [ 2023-10-19 07:08:12.000 UTC -- 2033-10-19 07:38:12.000 UTC ] KeyContainerId : ****** KeyProvider : Microsoft Software Key Storage Provider TpmProtected : NO DeviceAuthStatus : SUCCESS +----------------------------------------------------------------------+ | Tenant Details | +----------------------------------------------------------------------+ TenantName : TenantId : ****** AuthCodeUrl : https://login.microsoftonline.com/****** AccessTokenUrl : https://login.microsoftonline.com/****** MdmUrl : MdmTouUrl : MdmComplianceUrl : SettingsUrl : JoinSrvVersion : 2.0 JoinSrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/device/ JoinSrvId : urn:ms-drs:enterpriseregistration.windows.net KeySrvVersion : 1.0 KeySrvUrl : https://enterpriseregistration.windows.net/EnrollmentServer/key/ KeySrvId : urn:ms-drs:enterpriseregistration.windows.net WebAuthNSrvVersion : 1.0 WebAuthNSrvUrl : https://enterpriseregistration.windows.net/webauthn/****** WebAuthNSrvId : urn:ms-drs:enterpriseregistration.windows.net DeviceManagementSrvVer : 1.0 DeviceManagementSrvUrl : https://enterpriseregistration.windows.net/manage/****** DeviceManagementSrvId : urn:ms-drs:enterpriseregistration.windows.net +----------------------------------------------------------------------+ | User State | +----------------------------------------------------------------------+ NgcSet : NO WorkplaceJoined : NO WamDefaultSet : NO +----------------------------------------------------------------------+ | SSO State | +----------------------------------------------------------------------+ AzureAdPrt : NO AzureAdPrtAuthority : AcquirePrtDiagnostics : PRESENT Previous Prt Attempt : 2023-10-20 01:39:04.610 UTC Attempt Status : 0xc000006a User Identity : ****** Credential Type : Password Correlation ID : ****** Endpoint URI : https://ap.ssso.hdems.com/active/****** HTTP Method : POST HTTP Error : 0x0 HTTP status : 403 Server Error Code : Server Error Description : EnterprisePrt : NO EnterprisePrtAuthority : +----------------------------------------------------------------------+ | Diagnostic Data | +----------------------------------------------------------------------+ AadRecoveryEnabled : NO Executing Account Name : ******, ****** KeySignTest : PASSED DisplayNameUpdated : YES OsVersionUpdated : YES HostNameUpdated : YES Last HostName Update : NONE +----------------------------------------------------------------------+ | IE Proxy Config for Current User | +----------------------------------------------------------------------+ Auto Detect Settings : YES Auto-Configuration URL : Proxy Server List : Proxy Bypass List : +----------------------------------------------------------------------+ | WinHttp Default Proxy Config | +----------------------------------------------------------------------+ Access Type : DIRECT +----------------------------------------------------------------------+ | Ngc Prerequisite Check | +----------------------------------------------------------------------+ IsDeviceJoined : YES IsUserAzureAD : NO PolicyEnabled : NO PostLogonEnabled : YES DeviceEligible : NO SessionIsNotRemote : NO CertEnrollment : none PreReqResult : WillNotProvision For more information, please visit https://www.microsoft.com/aadjerrors -
Sumarigo-MSFT 45,416 Reputation points Microsoft Employee2023-10-27T08:53:30.7166667+00:00 @馬場 勇真 I wish to engage with you offline for a closer look and provide a quick and specialized assistance, please send an email with subject line “Attn:subm” to AzCommunity[at]Microsoft[dot]com referencing this thread and the Azure subscription ID, I will follow-up with you. Once again, apologies for any inconvenience with this issue.
Thanks for your patience and co-operation.
Additional information: https://learn.microsoft.com/en-us/answers/questions/1031080/authentication-issues-using-aad-kerberos-for-azure
This article lists common problems when using SMB Azure file shares with identity-based authentication. It also provides possible causes and resolutions for these problems. Identity-based authentication isn't currently supported for NFS Azure file shares: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?tabs=azure-portal
Sign in to comment