This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 89%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
We're attempting to setup SMB over QUIC. We've gotten everything setup per the documentation, and it works, except for one thing. The drive won't map unless you manually input credentials. It seems it's not taking the SSO from the user account logged into the machine.
This is a full cloud, no on-prem setup. Laptops are Azure joined/registered, and users are logging into the laptop using their 365 account. The Azure Server VM is joined to Entra Domain Services. SSO works with 365 web and desktop apps no problem. I can map the share using SMB across the VPN no problem, credentials not required.
However if I map it in the GUI, and the user is prompted to enter their PIN or biometrics, it won't work, get an error:
"We can't sign you in with this credential because your domain isn't available. Make sure yourt device is connected to your organizations network and try again."
However if I hit Use Another Account and manually type in the username/password, then it maps. Same if I try to map it via command line, I'm immediately asked for username/password to complete the mapping.
What are we missing here? This is a new Azure setup so it's entirely possible there could be issues elsewhere, but everything else at least seems to be working fine, no other authentication issues found. At first I set it up with the KDC Proxy disabled, since then I've enabled the KDC Proxy just to try and same issue.
One thing I did notice in the logs is when logging into the laptop, I get a Security-Kerberos error 11 "The Distinguished Name in the subject field of your smart card logon certificate does not contain enough information to identify the appropriate domain on an non-domain joined computer." But everything I can find on this error message talks about a hybrid setup and connecting to on-premise equipment, so I'm not even sure if this error actually means anything on a cloud-only deployment.
@Kyle Maulden It sounds like you are experiencing issues with Single Sign-On (SSO) when trying to map an SMB over QUIC drive on a cloud-only deployment. Here are some things you can try to resolve the issue:
Check the Azure AD authentication settings: Make sure that Azure AD authentication is enabled for the SMB over QUIC drive and that the correct authentication settings are configured. You can refer to the Azure Files documentation for more information on how to configure Azure AD authentication for SMB over QUIC.
Check the Windows Hello for Business settings: Make sure that Windows Hello for Business is enabled and configured correctly on the client machines. Windows Hello for Business is a biometric authentication feature that allows users to sign in to Windows using their face, fingerprint, or PIN. You can refer to the Microsoft documentation for more information on how to configure Windows Hello for Business.
Check the Kerberos settings: Make sure that the Kerberos settings are configured correctly on the client machines and the server VM. Kerberos is a network authentication protocol that is used to provide SSO for Windows clients. You can refer to the Microsoft documentation for more information on how to configure Kerberos.
Check the network connectivity: Make sure that there are no network connectivity issues between the client machines and the server VM. You can use the Azure Network Watcher service to diagnose network connectivity issues and troubleshoot them.
Check the Azure AD domain join settings: Make sure that the client machines are correctly Azure AD domain joined and that the correct domain join settings are configured. You can refer to the Microsoft documentation for more information on how to configure Azure AD domain join.
If none of these steps resolve the issue, you may need to contact Microsoft support for further assistance.
Make sure that Azure AD authentication is enabled for the SMB over QUIC
Can you point me to this documentation? I can't find any documentation that specifically mentions enabling Azure AD Authentication specifically for SMB over QUIC. We've already configured identity-based access for the SMB File share in Azure files, if that's what you're referring to though. However as far as I can find in documentation there's no specific AAD auth setting specifically for SMB over QUIC, as SMB over QUIC is configured on a server, not within Azure, and the server is joined to Entra Domain Services.
Check the Kerberos settings
SMB over QUIC also doesn't require Kerberos. We've tried it both without using the KDC Proxy which defaults to NTLMv2 authentication, as well as with the KDC Proxy for Kerberos auth and neither resolve the issue.
As far as I know there's no other issues with any of these items.
@Kyle Maulden Apologies for the delay response!
To use SMB over QUIC for windows server: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-over-quic
SMB over QUIC for Azure File using File sync: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview#smb-over-quic
If the issue still persists, I would like to work closer on this issue. I’m happy to assist you further.
Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.