Trouble connecting to Azure Files Share via Entra ID hybrid account "...cannot contact a domain controller..."

mark aldridge 0 Reputation points
2024-08-22T13:53:09.8666667+00:00

Going through the process of trying to set up an Azure Files share authenticating with Entra ID hybrid accounts, as specified here:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal

The client is:

  1. a new Windows 11 VM in a remote Azure subscription
  2. Entra ID joined to the Entra ID tenant with the file share
  3. Logged in with a hybrid Entra ID account in the same Entra ID tenant where the file share and client are joined
  4. Attempting to run the script provided in the portal for the Files configuration to map a drive.

Working:

  1. Mapping drive using a storage account - so SMB port access is successful.

Failing:

  1. Prior to applying the registry key CloudKerberosTicketRetrievalEnabled I receive the error "New-PSDrive : The specified network password is not correct"
  2. After applying the registry key I receive the error "New-PSDrive : The system cannot contact a domain controller to service the authentication request. Please try again later"

So, SMB appears to be communicating since I can establish a usable drive via the storage account. Entra ID is able to log into the client, and so appears good. What is the error "...cannot contact a domain controller..." actually trying to convey? Is there some other port and/or protocol being blocked which performs the authentication?

Thanks in advance for any assistance

--Mark


3 answers

  1. Nehruji R 7,131 Reputation points Microsoft Vendor
    2024-08-23T16:28:07.3233333+00:00

    Hello mark aldridge,

    Welcome to Microsoft Q&A. Thanks for posting your query.

    The error message "The system cannot contact a domain controller to service the authentication request" suggests that the client machine is unable to reach a domain controller to validate the Kerberos ticket. Here are some possible causes and solutions:

    Check the network connectivity that the VM has the proper connectivity with domain controllers. You can test this by pinging the domain controller.

    Check that the DNS settings on the VM are correctly configured to resolve the domain controllers. Incorrect DNS settings can prevent your system from locating the domain controller.

    Ensure that the domain controller is up and running. You can check the status of the domain controller in the Azure portal.

    Ensure that the client machine is properly configured for Kerberos authentication, that is, correct DNS server settings, time synchronization, and Kerberos configuration.

    Make sure that no firewall is blocking the authentication process; make sure that the necessary ports for Kerberos authentication, such as port 88 for Kerberos and port 389 for LDAP, are open.

    Some troubleshooting steps:

    On the server and the client machine, flush the DNS cache and restart the DNS server service.

    Check the Event Viewer on both the client machine and the domain controller for relevant error messages.

    Try unjoining the client machine from the domain and then re-joining it.

    Recheck that the registry key is correctly set without any typos.

    Check the network security groups (NSGs) associated with your VM and subnet; you can refer to the Microsoft documentation if you have any issues.

    Hope the above information helps! Please let us know if you have any further queries. I’m happy to assist you further.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, this can be beneficial to other community members.


  2. mark aldridge 0 Reputation points
    2024-08-27T22:04:59.37+00:00

    Resolution found.

    In our case, the issue was a misconfigured Conditional Access Policy that overwrote the storage account exception setup per the documentation, and which prevented this account from gaining access to any resources without MFA.

    The lesson learned here is:

    The error:

    New-PSDrive : The system cannot contact a domain controller to service the authentication request. Please try again later

    is a red herring that can be caused by the user in question requiring MFA for the storage account.

    Test:

    Perform a What If on the Conditional Access Policies for this user to determine if the MFA exception is clear.

    Resolution:

    Review and correct the Conditional Access Policies to allow and enact the exception for the storage account in question as detailed in the Microsoft documentation covering this authentication option.


  3. Sumarigo-MSFT 45,776 Reputation points Microsoft Employee
    2024-08-28T07:47:51.53+00:00

    @mark aldridge I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: The user is trying to set up an Azure Files share with authentication using Entra IDs and hybrid accounts on a new Windows 11 VM in a remote Azure subscription. The VM is joined to the Entra ID subscription that contains the file share. They are attempting to map a drive using a script provided in the Azure portal.

    What's Working:

    • The user can map a drive using a storage account, indicating that SMB port access is successful.

    What's Failing:

    • Before applying the registry key CloudKerberosTicketRetrievalEnabled, they receive the error: "New-PSDrive : The specified network password is not correct."
    • After applying the registry key, they receive a different error: "New-PSDrive : The system cannot contact a domain controller to service the authentication request. Please try again later."

    Key Issue:

    • SMB communication seems functional, as evidenced by the successful drive mapping. The Entra ID login is also successful. However, the error "cannot contact a domain controller" suggests there might be an issue with the authentication process, potentially due to blocked ports or protocols that are necessary for domain controller communication.

    Error: New-PSDrive : The system cannot contact a domain controller to service the authentication request. Please try again later

    Solution:
    In this scenario there was a misconfigured Conditional Access Policy that overwrote the storage account exception set up per the documentation, and which prevented this account from gaining access to any resources without MFA.

    Perform a What If on the Conditional Access Policies for this user to determine if the MFA exception is clear.

    Review and correct the Conditional Access Policies to allow and enact the exception for the storage account in question as detailed in the Microsoft documentation covering this authentication option.


    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

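The diagnosis in the two answers above (registry key present, SMB reachable, Conditional Access requiring MFA for the storage account) can be checked from the client in one pass. This is an added script, not part of the thread or of the Microsoft documentation; it assumes the Microsoft.Graph.Identity.SignIns module is installed, Connect-MgGraph has already been run with Policy.Read.All, the registry path is the one the Azure Files hybrid-identity docs use, and the storage account name and its service principal appId are placeholders you replace.

```powershell
# Added diagnostic for the 'cannot contact a domain controller' symptom. Placeholders below.
$StorageAccount = "<storage-account-name>"          # placeholder
$StorageAppId   = "<storage-account-service-principal-appId>"  # placeholder

# 1. Registry: the thread shows that without this value the failure is
#    'The specified network password is not correct'. Path is an assumption (from the docs).
$RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$Reg = Get-ItemProperty -Path $RegPath -Name CloudKerberosTicketRetrievalEnabled -ErrorAction SilentlyContinue
if ($Reg.CloudKerberosTicketRetrievalEnabled -eq 1) {
    "OK: CloudKerberosTicketRetrievalEnabled = 1"
} else {
    "FAIL: CloudKerberosTicketRetrievalEnabled missing or not 1"
}

# 2. SMB reachability: the poster could map the share with the storage account key,
#    so a TCP 445 success here rules out a network block and points at identity.
$Smb = Test-NetConnection -ComputerName "$StorageAccount.file.core.windows.net" -Port 445
if ($Smb.TcpTestSucceeded) { "OK: TCP 445 reachable" } else { "FAIL: TCP 445 blocked" }

# 3. Conditional Access: enabled policies that require MFA, apply to all apps or to the
#    storage account app, and do not exclude it. Any hit reproduces the red-herring error.
#    Only builtInControls 'mfa' is checked; authentication-strength grants and the user
#    scope of each policy are not evaluated here, so confirm with the portal's What If.
$Policies = Get-MgIdentityConditionalAccessPolicy
$Hits = 0
foreach ($p in $Policies) {
    if ($p.State -ne "enabled") { continue }
    $requiresMfa = $p.GrantControls.BuiltInControls -contains "mfa"
    $apps = $p.Conditions.Applications
    $coversApp = ($apps.IncludeApplications -contains "All") -or
                 ($apps.IncludeApplications -contains $StorageAppId)
    $excluded = $apps.ExcludeApplications -contains $StorageAppId
    if ($requiresMfa -and $coversApp -and -not $excluded) {
        $Hits++
        "CHECK: policy '$($p.DisplayName)' requires MFA and does not exclude the storage account app"
    }
}
if ($Hits -eq 0) { "OK: no enabled MFA policy covers the storage account app without an exclusion" }
```

Run it as the same user and on the same VM that produced the error; a CHECK line in step 3 with OK in steps 1 and 2 is the situation the accepted resolution describes.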
