Intermittent Kerberos failures when trying to access Azure Files

Ryan P 16 Reputation points
2024-03-28T13:12:36.94+00:00

I have an Azure storage account being used for an Azure Files share. It is a hybrid situation and the storage account was created using the procedure from here:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable

This works sometimes but intermittently fails to map. I have run the debug script:

Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName -ResourceGroupName $ResourceGroupName -Verbose

All checks pass except:

Debug-AzStorageAccountAuth : CheckGetKerberosTicket - FAILED

If I run:

klist get cifs/<snip>.file.core.windows.net

I get:

Current LogonId is 0:0x153eb2

Error calling API LsaCallAuthenticationPackage (GetTicket substatus): 0x6fb

klist failed with 0xc000018b/-1073741429: The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.

Then if I wait a while, it will suddenly start working again temporarily.

Interestingly, it seems to work close to 100% of the time in my Azure VMs. It seems to work 20% of the time on physical devices.

I have tried recreating the storage account over and over. Always the same result.

In the SMB security settings, I have tried turning off Kerberos and going with just NTLMv2 as below. This has had no effect on the issue.

User's image


4 answers

  1. Jeff Johnson (IT) 5 Reputation points
    2024-08-12T19:59:12.2466667+00:00

    I think I found the secret sauce. We put the GPO in for this setting to map to the correct Kerberos realm.

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal#configure-coexistence-with-storage-accounts-using-on-premises-ad-ds

    Did OURDOMAIN.LOCAL to .file.core.windows.net; everything was happy after.

    1 person found this answer helpful.
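
    Added example (not part of the answer above and not Microsoft's tooling): a PowerShell sampler that repeats the `klist get` check from the question at intervals, so the ticket failure rate can be compared before and after the realm-mapping GPO is applied. The SPN is a placeholder for the snipped storage account name, and the parameter names are this example's own.

    ```powershell
    param(
        # Placeholder: substitute the real storage account host name.
        [string]$Spn      = 'cifs/<storage-account>.file.core.windows.net',
        [int]   $Samples  = 20,
        [int]   $DelaySec = 60,
        # Purges ALL Kerberos tickets of the current logon session before each
        # sample, so a cached ticket cannot hide a failing KDC request.
        [switch]$PurgeFirst
    )

    $results = for ($i = 1; $i -le $Samples; $i++) {
        if ($PurgeFirst) { klist purge | Out-Null }

        # Capture stdout and stderr as one string for pattern matching.
        $out = (klist get $Spn 2>&1 | Out-String)

        # Matches the failure line shown in the question, for example
        # "klist failed with 0xc000018b/-1073741429: ..."
        $status = $null
        if ($out -match 'klist failed with (0x[0-9a-fA-F]+)') { $status = $Matches[1] }

        # Matches "... (GetTicket substatus): 0x6fb"
        $substatus = $null
        if ($out -match 'substatus\):\s*(0x[0-9a-fA-F]+)') { $substatus = $Matches[1] }

        [pscustomobject]@{
            Time      = Get-Date -Format o
            Success   = ($null -eq $status)
            NtStatus  = $status
            Substatus = $substatus
        }

        if ($i -lt $Samples) { Start-Sleep -Seconds $DelaySec }
    }

    $results | Format-Table -AutoSize
    $ok = @($results | Where-Object { $_.Success }).Count
    '{0} of {1} ticket requests succeeded' -f $ok, $Samples
    ```

    Run it once on an affected physical device before the policy change and again after `gpupdate /force`, and compare the two success counts.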

  2. hossein jalilian 7,055 Reputation points
    2024-03-28T19:08:10.86+00:00

    Hello Ryan,
    Thanks for posting your question in the Microsoft Q&A forum.

    Here are some troubleshooting steps to help resolve this issue:

    1. Ensure that the Azure Storage account is properly configured for Azure AD DS authentication as per the steps outlined in the Enable AD DS authentication for Azure file shares guide.
    2. Run the Debug-AzStorageAccountAuth cmdlet to check the status of your AD configuration and identify any issues.
    3. Ensure that the client device is properly joined to the on-premises Active Directory domain or has the necessary line-of-sight to the domain controllers.
    4. If the issue persists, you can try disabling and then reconfiguring the Microsoft Entra Kerberos authentication for the storage account.

    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.


  3. Sumarigo-MSFT 46,126 Reputation points Microsoft Employee
    2024-03-29T10:51:18.5833333+00:00

    @Ryan P Welcome to Microsoft Q&A Forum. Thank you for posting your query here!

    Based on your scenario, we need to find the root cause of the issue. This may require a deeper investigation, so I would suggest you open a support ticket as described in this link: How to create an Azure support request. The ticket will help you work closely with support for a speedy resolution. If you have a support plan, I request that you file a support ticket; if you don't have a support plan, please do let us know.

    Additional information:

    Based on the error code, please refer to this article: Troubleshooting article.
    This article provides a solution to an error that occurs when a domain controller does not allow interactive logon.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.


  4. Philip Stone 1 Reputation point
    2024-06-11T10:03:38.5333333+00:00

    Hey, looks like the same issue I've been facing for some time. Any solution from your side?

