Global Secure Access for SMB doesn't recognize Windows Hello Authentication or Conditional Access Policies

Question

Global Secure Access for SMB doesn't recognize Windows Hello Authentication or Conditional Access Policies

Rich Bouchard 40

Starting to play around with Global Secure Access, specifically on prem SMB file share access. I'm encountering two problems. One, if I log into my test machine with a username and password the access works seemlessly. If I log in via Windows Hello using a pin I'm prompted to enter credentials to access the SMB share. Two, in both cases it's ignoring my conditional access policy to require MFA to access the resource. Conditional access policies are working with Global Secure Access; a separate application for RDP to an on prem server works with CA as expected.

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-26T19:11:22.0533333+00:00

@Rich Bouchard
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Pietrorazio, Mike 20 Reputation points

2024-04-09T18:38:55.8133333+00:00

I also cannot access my internal SMB shares using WHFB. I do have cloud Kerberos enabled and get a ticket when on prem with my Entra joined device. But when connecting remotely with Private Access authentication fails if using WHFB but succeeds if I sign in with my password.
Pizzingrilli Sandro 26 Reputation points

2024-06-18T08:35:06.45+00:00

I've got the same problem with GSA and WhfB Cloud Trust. Devices are Entra joined. Username/password works but not with PIN. WhfB Cloud Trust is deployed. Does anyone has a solution to his?
Andre 5 Reputation points

2024-07-05T08:01:23.2466667+00:00

Were you able to solve this problem? I have exactly the same issue. I can access the SMB shares when inside the local network using windows hello for kerberos cloud trust works as expected.

But when using Global Secure Access client i get the pin prompt and get only connected when entereing username/password instead of windows hello
Johan Hedelin 5 Reputation points

2024-08-21T19:43:10.35+00:00

Same issue here, logged in with username/password and SMB share works perfect with Private Access. Logged in with WHfB and i get error "Wrong username or password".
Foof1ght3r 1 Reputation point

2024-09-08T18:02:09.06+00:00

Same issue here. When logged in via PIN and GSA is active, no way to SSO to onpremise SMB shares, if I login with password, it works.

Cloud Kerberos is setup tho and the Windows Hello policy to use cloud kerberos is applied to the client.

I guess Kerberos has an issue with GSA then, as Windows probably fallsback onto NTLMv2 when I am logged in with password.
Jon Lyons 0 Reputation points

2024-09-13T00:44:49.8866667+00:00

Wondering if anyone has gotten this to work?

2 answers

Your answer

JamesTran-MSFT 36,911 Reputation points Microsoft Employee Moderator

2024-01-26T19:11:22.0533333+00:00

@Rich Bouchard
I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.
Pietrorazio, Mike 20 Reputation points

2024-04-09T18:38:55.8133333+00:00

I also cannot access my internal SMB shares using WHFB. I do have cloud Kerberos enabled and get a ticket when on prem with my Entra joined device. But when connecting remotely with Private Access authentication fails if using WHFB but succeeds if I sign in with my password.
Pizzingrilli Sandro 26 Reputation points

2024-06-18T08:35:06.45+00:00

I've got the same problem with GSA and WhfB Cloud Trust. Devices are Entra joined. Username/password works but not with PIN. WhfB Cloud Trust is deployed. Does anyone has a solution to his?
Andre 5 Reputation points

2024-07-05T08:01:23.2466667+00:00

Were you able to solve this problem? I have exactly the same issue. I can access the SMB shares when inside the local network using windows hello for kerberos cloud trust works as expected.

But when using Global Secure Access client i get the pin prompt and get only connected when entereing username/password instead of windows hello
Johan Hedelin 5 Reputation points

2024-08-21T19:43:10.35+00:00

Same issue here, logged in with username/password and SMB share works perfect with Private Access. Logged in with WHfB and i get error "Wrong username or password".
Foof1ght3r 1 Reputation point

2024-09-08T18:02:09.06+00:00

Same issue here. When logged in via PIN and GSA is active, no way to SSO to onpremise SMB shares, if I login with password, it works.

Cloud Kerberos is setup tho and the Windows Hello policy to use cloud kerberos is applied to the client.

I guess Kerberos has an issue with GSA then, as Windows probably fallsback onto NTLMv2 when I am logged in with password.
Jon Lyons 0 Reputation points

2024-09-13T00:44:49.8866667+00:00

Wondering if anyone has gotten this to work?

Answer 1

Akshay-MSFT 17,956 Microsoft Employee Moderator

@Rich Bouchard

Thank you for posting your query on Microsoft Q&A, from above description I could understand that you have following queries:

Logging onto test machine with windows hello pin prompts you for credentials when accessing SMB share.
Conditional access policy to require MFA to access the SMB share is ignored by global secure access.

Please do correct me for any discrepancies by responding in the comments section.

PFB answers inline:

Logging onto test machine with windows hello pin prompts you for credentials when accessing SMB share.

This could be due to On-prem SMB shares being configured with Kerberos authentication, and windows hello is not configured with cloud Kerberos trust

You may validate this with event logs on you device by accessing User Device Registration admin log under Applications and Services Logs > Microsoft > Windows.

Cloud Kerberos trust prerequisite check in the user device registration log

The cloud Kerberos trust prerequisite check isn't done on Microsoft Entra joined devices. If Microsoft Entra Kerberos isn't provisioned, a user on a Microsoft Entra joined device will still be able to sign in, but won't have SSO to on-premises resources secured by Active Directory.

Conditional access policy configured to prompt for MFA while accessing the SMB share is ignored by global secure access.

This could have been because of known limitation for private access traffic, according to which:

"Applying Conditional Access policies to Private Access traffic is not currently supported. To model this behavior, you can apply a Conditional Access policy at the application level for Quick Access and Global Secure Access apps. For more information, see Apply Conditional Access to Private Access apps."

However, if above mentioned is not the case, then kindly share the sign in logs with CA evaluation information by eliminating the PII say username, UPN or tenant id.

Please "Accept the answer", "Upvote" and rate your experience. This will help us and others in the community as well. Thanks, Akshay Kaushik

Rich Bouchard 40 Reputation points

2024-01-29T12:52:29.47+00:00

Thank you for your response. We do have cloud Kerberos trust in place. I was able to confirm this by way of without it, when same client was attempting to access SMB share while connected via VPN I would get a credential prompt following Hello pin login. Following the setup of CKT access was seamless following same Hello pin login. For CA, I'm not sure I understand the distinction between CA policies against Private Access traffic and CA policies and CA policies applied at the application level for QA and GSA apps.
Akshay-MSFT 17,956 Reputation points Microsoft Employee Moderator

2024-02-05T09:14:10.38+00:00
@Rich Bouchard

For CA, I'm not sure I understand the distinction between CA policies against Private Access traffic and CA policies and CA policies applied at the application level for QA and GSA apps. This means connecting through the Global Secure Access Client is required to acquire Private Access traffic.

You need to Enable the Private access traffic forwarding profile but the conditional access policy will be applied to the defined application.

Select Conditional Access from the side menu. Any existing Conditional Access policies appear in a list.

Select Create new policy. The selected app appears in the Target resources details. Note that we are selecting cloud apps in Target resources here and not the traffic profile. Thanks, Akshay Kaushik
Xander Oortgiesen 0 Reputation points

2024-09-06T10:23:47.53+00:00

This doesn't seem to work for me. I've chosen require to be compliant (Grant). Still no access to smb shares when using the PIN option, username & password works fine although..
Mehboob Ahmad 25 Reputation points

2024-11-06T17:28:11.06+00:00

Hi @xander Please make sure that you are logging in as a non-domain admin user - Cloud Kerberos does not apply to high privileged accounts. Se here: https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune#microsoft-entra-kerberos-and-cloud-kerberos-trust-authentication
Boehi Dario 0 Reputation points

2025-01-22T10:14:33.8666667+00:00

Hi
Did someone managed to fix this? I'm also getting the Username Prompt with GSA but when I connect a VPN everything works.
Cloud Kerberos Trust is configured and my Devices are Entra Joined.

Answer 2

you also need to publish your Domain Controllers. Instructions at https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-kerberos-sso.

If you don't have the Cloud trust and the line of sight with a DC the following will occur:

If you logon with username\password you will use NTLM. Seamless. Klist will show no keys and you will have acces to the SMB share. No Conditional access is triggered. Same behavior as in the NT4 days when you wanted to have access across domains without trust. Same username\passord will give you access.
If you logon with Windows Hello (face,finger, fido2) you will get prompted for credentials and you will get the same behavior as above.

The cloud trust together with line of sight with a DC will get you the desired effect.

Share via

Global Secure Access for SMB doesn't recognize Windows Hello Authentication or Conditional Access Policies

2 answers

Your answer