This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 23%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPL%3C/text%3E%3C/svg%3E)
I'm configuring Azure AD (Entra ID) Kerberos to let Azure AD computers with no line of sight to on-premises domain controllers access a local Windows network share. It works properly when the client computer has line of sight to a domain controller. But it fails when I configure the Hostname to Kerberos realm mappings policy.
I'm following the steps from the blog post Maxime Rastello | Use Azure AD Cloud Kerberos ticket for on-premises resources to create the Kerberos realm mapping myserver.mydomain.com KERBEROS.MICROSOFTONLINE.COM (e.g., the command is ksetup /addhosttorealmmap myserver.mydomain.com KERBEROS.MICROSOFTONLINE.COM).
But when I attempt to access the network share \\myserver.mydomain.com\share, the following error occurs:
Error code: 0x80004005 Unspecified error
The following events are logged into the Entra ID sign-in logs. I don't understand which appIdentifier it's looking for. The Windows share I'm attempting to access isn't Azure Files share, so there is no storage account for it and no app registration.
Authentication requirement: Single-factor authentication
Status: Failure
Continuous access evaluation: No
Sign-in error code: 700016
Failure reason: Application with identifier '{appIdentifier}' was not found in the directory '{tenantName}'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
Additional Details: The application named X was not found in the tenant named Y. This can happen if the application with identifier X has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have misconfigured the Identifier value for the application or sent your authentication request to the wrong tenant
User agent: kerberos/1.0
Hi @Pavel Lyalyakin ,can you please send me an email at "azcommunity@microsoft.com" with subject "ATTN: James Hamil" and your subscription ID? I can open a free support ticket for you.
Best,
James
Hi, Maxime here :)
Are you machines having an Entra Kerberos ticket and the ticket retrieval at logon is configured? ./Device/Vendor/MSFT/Policy/Config/Kerberos/CloudKerberosTicketRetrievalEnabled
Hello Maxime! Thank you for your response. :)
The client computer has the Cloud Kerberos TGT (the one from KDC Called: TicketSuppliedAtLogon). I don't have Intune, so I'm configuring this via local group policy (and I've also tried Windows Registry - both approaches work).
When there is line of sight with the domain controller, I can access the network share and Kerberos is used for authentication in this case. But when I add the "Hostname to Kerberos realm mappings" for that network share, I'm unable to access it (even though there is line of sight with the domain controller) and the error "Application with identifier '{appIdentifier}' was not found in the directory '{tenantName}'." is logged intro Entra ID sign in logs. At the same access to \DC1.mydomain.com\ remains.
Thank you!!
And I have an additional question. When you wrote the article about hostname to Kerberos realm mapping, did Kerberos auth work with on-premises IIS from AzureAD-joined computer with no line of sight with the domain controller?