I think I found the secret sauce. We put the GPO in for this setting to map to the correct Kerberos realm.
Did OURDOMAIN.LOCAL to .file.core.windows.net; everything was happy after.
I have an Azure storage account being used for an Azure Files share. It is a hybrid situation and the storage account was created using the procedure from here:
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable
This works sometimes but intermittently fails to map. I have run the debug script:
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose
All checks pass except:
Debug-AzStorageAccountAuth : CheckGetKerberosTicket - FAILED
If I run:
klist get cifs/<snip>.file.core.windows.net
I get:
Current LogonId is 0:0x153eb2
Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x6fb
klist failed with 0xc000018b/-1073741429: The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
Then if I wait a while, it will suddenly start working again temporarily.
Interestingly, it seems to work close to 100% of the time in my Azure VMs. It seems to work 20% of the time on physical devices.
I have tried recreating the storage account over and over. Always the same result.
In the SMB security settings, I have tried turning off Kerberos and going with just NTLM v2 as below. This has had no effect on the issue.
Hello Rayan,
Thanks for posting your question in the Microsoft Q&A forum.
Here are some troubleshooting steps to help resolve this issue:
Debug-AzStorageAccountAuth cmdlet to check the status of your AD configuration and identify any issues.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
@Ryan P Welcome to Microsoft Q&A Forum, Thank you for posting your query here!
Based on your scenario, we need to find the root cause of the issue. This may require a deeper investigation. I would suggest you open a support ticket as described in this link: How to create an Azure support request. The ticket will help you work closely with the support for speedy resolution. If you have a support plan, I request you file a support ticket, else please do let us know if you don't have a support plan.
Additional information:
Based on the error code: Please refer to this article: Troubleshooting article.
This article provides a solution to an error that occurs when Domain Controller does not allow interactive logon.
Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.
Hey, looks like the same issue I've been facing for some time. Any solution from your side?