Hello Akbar Raen,
Greetings! Welcome to Microsoft Q&A Platform.
Microsoft Entra ID (formerly Azure AD) allows Kerberos authentication without the need for line-of-sight to domain controllers. However, the support is limited to hybrid user identities (identities created in AD DS and synced to Azure AD using Azure AD Connect). Cloud-only identities aren't currently supported.
For reference: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
This article lists common problems when using SMB Azure file shares with identity-based authentication. It also provides possible causes and resolutions for these problems. Identity-based authentication isn't currently supported for NFS Azure file shares: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?tabs=azure-portal
Additional information: https://learn.microsoft.com/en-us/answers/questions/1031080/authentication-issues-using-aad-kerberos-for-azure
The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:
- Windows 11 Enterprise/Pro single or multi-session.
Just for cross-verifying: Before you enable Azure AD Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.
This article lists common problems that are related to Microsoft Azure Files when you connect from Windows clients.
Second, try mounting the Azure file share with the storage account key. If the share fails to mount, download AzFileDiagnostics to help you validate the client running environment, detect incompatible client configurations that would cause access failures for Azure Files, get prescriptive guidance on self-fixing, and collect the diagnostics traces.
Third, you can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration with the logged-on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2 and later. You need to run this cmdlet with an AD user that has Owner permission on the target storage account.
Reference docs: https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview.
Please consider checking the following steps to resolve the issue:
- Ensure that the machine is correctly joined to the Microsoft Entra domain. You can check this by going to Settings > Accounts > Access work or school and verifying the domain join status.
- For hybrid identities, you might need to enable Microsoft Entra Kerberos authentication for Azure file shares. This allows users to access Azure file shares using Kerberos tickets issued by Microsoft Entra ID. Ensure that your storage account is configured to use Microsoft Entra Kerberos authentication.
https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview
https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview
Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.
Please "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
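The "second" and "third" diagnostic steps from the answer above, as an added PowerShell example that is not part of the original answer: it isolates a network fault from an identity fault by mounting with the storage account key first, then runs the AzFilesHybrid checks. All account, resource group, share names and the drive letter are placeholders, and it assumes the Az.Accounts, Az.Storage and AzFilesHybrid modules are installed.

```powershell
# Added example, not from the original answer. All names below are placeholders.
$storageAccount = "<storage-account-name>"
$resourceGroup  = "<resource-group-name>"
$shareName      = "<share-name>"
$fileEndpoint   = "$storageAccount.file.core.windows.net"

# 1. Confirm the client can reach SMB (TCP 445) on the storage endpoint at all.
#    If this fails the problem is port blocking on the network, not authentication.
$tcp = Test-NetConnection -ComputerName $fileEndpoint -Port 445
if (-not $tcp.TcpTestSucceeded) { throw "TCP 445 to $fileEndpoint is blocked" }

# 2. Mount with the storage account key, which bypasses Kerberos/NTLM entirely.
#    Success isolates the fault to the identity path; failure means the share or
#    network itself is broken, which is the case AzFileDiagnostics is meant for.
Connect-AzAccount | Out-Null
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroup `
            -StorageAccountName $storageAccount)[0].Value
cmdkey /add:$fileEndpoint /user:"localhost\$storageAccount" /pass:$key | Out-Null
try {
    # Drive letter Z is an assumption; use any free letter.
    New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$fileEndpoint\$shareName" `
        -ErrorAction Stop | Out-Null
    Write-Host "Key-based mount OK: share and network are healthy, fault is in identity auth"
    Remove-PSDrive -Name Z
} finally {
    # Never leave the account key cached in Credential Manager on the client.
    cmdkey /delete:$fileEndpoint | Out-Null
}

# 3. Check whether the logged-on hybrid user can obtain a Kerberos service ticket
#    for the share's SPN. A failure here points at the Entra Kerberos configuration.
klist get "cifs/$fileEndpoint"

# 4. Run the AzFilesHybrid checks as an AD user with Owner on the storage account.
Import-Module AzFilesHybrid
Debug-AzStorageAccountAuth -StorageAccountName $storageAccount `
    -ResourceGroupName $resourceGroup -Verbose
```

Run step 4 from a domain-joined client logged on as the hybrid user that is failing, since the cmdlet inspects that user's own AD and Kerberos context.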