Azure File share Kerberos authentication failing for Entra joined machines.

Akbar Raen 0 Reputation points
2024-08-12T19:43:25.3566667+00:00

I'm facing an issue with Azure Files Kerberos authentication where AD DS is enabled. Our environment includes a mix of hybrid Entra joined and domain joined machines. While domain joined machines can authenticate using Kerberos, Entra joined machines are unable to do so.

Has anyone encountered this issue? Any insights or troubleshooting steps would be greatly appreciated.

Key details:

  • Azure Files with AD DS
  • Hybrid environment (Entra joined and domain joined)
  • Kerberos authentication failing for Entra joined machines

#azurefiles #kerberos #azuread #hybridjoin #troubleshooting


1 answer

  1. Nehruji R 7,046 Reputation points Microsoft Vendor
    2024-09-02T10:42:43.9533333+00:00

    Hello Akbar Raen,

    Greetings! Welcome to Microsoft Q&A Platform.

    Microsoft Entra ID (formerly Azure AD) allows Kerberos authentication without the need for line-of-sight to domain controllers. However, the support is limited to hybrid user identities (identities created in AD DS and synced to Azure AD using Azure AD Connect). Cloud-only identities aren't currently supported.

    For reference: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

    This article lists common problems when using SMB Azure file shares with identity-based authentication. It also provides possible causes and resolutions for these problems. Identity-based authentication isn't currently supported for NFS Azure file shares: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files-troubleshoot-smb-authentication?tabs=azure-portal

    Additional information: https://learn.microsoft.com/en-us/answers/questions/1031080/authentication-issues-using-aad-kerberos-for-azure

    The Azure AD Kerberos functionality for hybrid identities is only available on the following operating systems:

    • Windows 11 Enterprise/Pro single or multi-session.

    Just for cross-verifying: before you enable Azure AD Kerberos authentication over SMB for Azure file shares, make sure you've completed the following prerequisites.

    This article lists common problems that are related to Microsoft Azure Files when you connect from Windows clients.

    Second, try mounting the Azure file share with the storage account key. If the share fails to mount, download AzFileDiagnostics to help you validate the client running environment, detect the incompatible client configuration which would cause access failure for Azure Files, give prescriptive guidance on self-fix, and collect the diagnostics traces.

    Third, you can run the Debug-AzStorageAccountAuth cmdlet to conduct a set of basic checks on your AD configuration with the logged-on AD user. This cmdlet is supported on AzFilesHybrid v0.1.2 and later. You need to run this cmdlet with an AD user that has owner permission on the target storage account.

    Reference docs: https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview.

    Please consider checking the following steps to resolve the issue:

    • Ensure that the machine is correctly joined to the Microsoft Entra domain. You can check this by going to Settings > Accounts > Access work or school and verifying the domain join status.
    • For hybrid identities, you might need to enable Microsoft Entra Kerberos authentication for Azure file shares. This allows users to access Azure file shares using Kerberos tickets issued by Microsoft Entra ID. Ensure that your storage account is configured to use Microsoft Entra Kerberos authentication.

    https://learn.microsoft.com/en-us/windows-server/security/kerberos/ntlm-overview

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

    https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-assign-permissions?tabs=azure-portal

    Hope this answer helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.

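The checks the answer walks through (device join state, storage account directory service, SMB reachability, Kerberos ticket for the file endpoint, then Debug-AzStorageAccountAuth) collected into one client-side diagnostic script. This is an added example, not code from the answer or from Microsoft; it assumes the Az.Storage and AzFilesHybrid modules are installed and that the three placeholder names below are replaced with your own.

```powershell
# Added diagnostic helper (not from the answer above). Assumes Az.Storage and
# AzFilesHybrid are installed and you are signed in with Connect-AzAccount.
$StorageAccountName = 'STORAGE_ACCOUNT_PLACEHOLDER'   # placeholder, replace
$ResourceGroupName  = 'RESOURCE_GROUP_PLACEHOLDER'    # placeholder, replace
$Endpoint           = "$StorageAccountName.file.core.windows.net"

# 1. Device join state. dsregcmd reports AzureAdJoined / DomainJoined / AzureAdPrt.
#    Entra-only devices (AzureAdJoined: YES, DomainJoined: NO) have no line of sight
#    to AD DS and can only get a cifs/ ticket if the account uses Entra Kerberos.
$ds        = dsregcmd /status
$joinLines = ($ds | Select-String 'AzureAdJoined\s*:|DomainJoined\s*:|AzureAdPrt\s*:').Line.Trim()
$joinLines | ForEach-Object { Write-Host "  $_" }
$entraOnly = ($joinLines -match 'AzureAdJoined\s*:\s*YES') -and ($joinLines -match 'DomainJoined\s*:\s*NO')

# 2. Which directory service the share is configured for: AD, AADDS or AADKERB.
$acct   = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$dirSvc = $acct.AzureFilesIdentityBasedAuth.DirectoryServiceOptions
Write-Host "DirectoryServiceOptions: $dirSvc"
if ($entraOnly -and $dirSvc -ne 'AADKERB') {
    Write-Warning ("Entra-only device but the account uses '$dirSvc'. Entra joined clients need " +
                   "Entra Kerberos (AADKERB) and a hybrid (AD-synced) user; cloud-only users are unsupported.")
}

# 3. SMB reachability: Azure Files needs outbound TCP 445 to the file endpoint.
$tnc = Test-NetConnection -ComputerName $Endpoint -Port 445
Write-Host "TCP 445 to ${Endpoint}: $($tnc.TcpTestSucceeded)"

# 4. Request a service ticket for the share and show what the cache holds.
#    A ticket issued by Entra Kerberos lists the realm KERBEROS.MICROSOFTONLINE.COM;
#    an AD DS ticket lists your on-premises realm. An error here is the first clue.
klist get "cifs/$Endpoint" | Select-String 'Server:|KerbTicket|Error'
klist | Select-String "cifs/$Endpoint"

# 5. AzFilesHybrid checks against the account (run as an AD user with Owner on it).
Debug-AzStorageAccountAuth -StorageAccountName $StorageAccountName `
                           -ResourceGroupName $ResourceGroupName -Verbose
```

Run it on one working domain joined client and one failing Entra joined client and compare steps 1, 2 and 4; the difference usually points at the account's directory service setting or at a cloud-only user rather than at the client itself.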
