Azure Files
An Azure service that offers file shares in the cloud.
1,424 questions
Kerberos authentication for azure files not working on intune laptops
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 21%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EC%3C/text%3E%3C/svg%3E)
ccoxadm
0
Reputation points
Hi, We are attempting to set up Kerberos authentication for azure files, and we're not really getting anywhere.
Here's what we did:
-Created new test file share under non-prod subscription
-enabled kerberos auth
-entered domain information
-granted admin consent to app registration
-ensured MFA was not required for the app
-remoted into domain joined vm, mounted share with storage key, configured ntfs permissions
-attempted to mount on intune aad joined laptop
-configured machines to receive kerberos tickets (tried both registry and intune policy)
And that's where we're stuck. Attempting to mount the drive with any of our accounts, whether they are contributor, reader, etc. and whether or not they have NTFS permissions fails with "incorrect credentials" which seems to be the default error message for SMB, and doesn't really tell us much.
The machines are receiving aad kerberos tickets on logon, but i'm not certain that they're the right ones, i'm not sure what they're supposed to look like. I have no experience troubleshooting kerberos.
We've verified that the network connection is set up properly, DNS is resolving and the ports are open. Not sure what else to try here.
Azure Files
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 6%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKD%3C/text%3E%3C/svg%3E)
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator2025-05-16T18:18:09.5566667+00:00 Hi ccoxadm ,
You are definitely on the right track. I suggest key points and troubleshooting steps that might help resolve your issue with Kerberos authentication for Azure Files on Intune-managed, Azure AD-joined devices:
This error typically means the machine is not configured to use an external KDC, which is required for Kerberos Host-to-Realm mappings.
The message Machine is not configured to log on to an external KDC confirms this. This is expected behavior for Azure AD-joined devices, which do not support ksetup-based mappings unless explicitly configured for external KDC trust.
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you.
-
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator
2025-05-19T19:32:03.9533333+00:00 Hi ccoxadm ,
Just checking in to see if the response helped. If you have any questions, let me know in the "comments" and I would be glad to assist you.
-
ccoxadm 0 Reputation points
2025-05-19T20:20:29.58+00:00 Hi, I went through the steps provided and have not gotten much further.
I have verified that the reg key CloudKerberosTicketRetrievalEnabled =1
CloudKerberosTicketStorageEnabled is not a real reg key, this post is the only result on google. Likely an AI hallucination.
I have one ticket supplied at logon for Server: krbtgt/KERBEROS.MICROSOFTONLINE.COM @ KERBEROS.MICROSOFTONLINE.COM
but the ticket does not mention CIFS anywhere in it.I have confirmed that my accounts are all hybrid identities and that I have LOS to a domain controller.
I have checked the SMB client logs in event viewer but found nothing related to the Kerberos file share other than the same errors from earlier. "Password incorrect"
Ensure the storage account is configured for Azure AD DS authentication and Kerberos authentication is enabled.
These are two different things. Please verify your AI results before postingAdditionally, I need to be able to access AD DS file shares on azure as well, which requires configuring Kerberos Host-to-Realm mappings. running
ksetup /addhosttorealmmap <fileshare> <domain>fails withFailed to create Kerberos key: 5 (0x5)Failed /AddHostToRealmMap : 0xc0000001running
KSETUPgivesMachine is not configured to log on to an external KDC. Probably a workgroup memberFailed to create Kerberos key: 5 (0x5) -
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator
2025-05-20T19:47:03.19+00:00 Hi ccoxadm
Ensure the Azure Storage account is configured with Azure AD Kerberos authentication, not just AD DS, Confirm the storage account’s service principal is excluded from all Conditional Access policies, especially those requiring MFA
Run klist after attempting to access the share. If no cifs/... ticket appears, the client is not requesting it or the SPN is not registered correctly. Confirm the device is Azure AD-joined and has a PRT .Look under Device State and SSO State.
ksetup is for domain-joined or workgroup machines configured to use an external KDC. It won’t work on pure AAD-joined Intune devices unless you’ve configured external trust (which is rare and complex).
For accessing AD DS-based file shares, you’ll need a line-of-sight to a domain controller and a domain-joined device or a hybrid-joined device
If you have any other questions, please let me know.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 30%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECC%3C/text%3E%3C/svg%3E)
Cory Cox 5 Reputation points2025-05-20T20:37:23.2933333+00:00 Okay, so let's go back a couple steps...
We have a mixed environment of intune AAD laptops and AD DS workstations and servers, as well as linux servers that require access to the same Azure file shares.
What is the recommended authentication method in this sort of an environment?
Because so far it seems like:
AD DS: Only works on AD joined and Hybrid joined machines
Entra id: only works for pure cloud environments
Kerberos: only works on azure ad joined(?) the documentation made it seem like it could work on both AD and local machines
-
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator
2025-05-21T19:44:28.3166667+00:00 Hi ccoxadm
Use Azure AD DS Authentication (Kerberos/NTLM)
It supports AD DS-joined, hybrid-joined, and Linux (Kerberos) clients.
- Deploy (AAD DS).
- Join your Azure Files storage account to the AAD DS domain.
- Configure NTFS and share permissions using AD identities.
- Linux clients can use Kerberos with keytab to authenticate.
This is the most compatible method across all your device type.
If you have any other questions, please let me know.
-
Keshavulu Dasari 4,840 Reputation points Microsoft External Staff Moderator
2025-05-21T19:47:07.56+00:00 @ ccoxadm
If you have any other questions or are still running into more issues, let me know in the "comments" and I would be glad to assist you.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 95%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator2025-05-22T07:06:36.61+00:00 Hi Cory Cox
According to this MS-Document,
Kerberos: only works on azure ad joined(?) the documentation made it seem like it could work on both AD and local machines
Microsoft Entra Kerberos only works on:
- Azure AD-joined or Hybrid Azure AD-joined Windows devices
- It does not support domain-joined-only machines or Linux clients.
- You will not see CIFS service tickets unless the system is trying to access a file share using Kerberos.
- The ticket you’re seeing:
krbtgt/KERBEROS.MICROSOFTONLINE.COM @ KERBEROS.MICROSOFTONLINE.COMThis confirms you have an Entra Kerberos TGT (ticket-granting ticket), but it doesn’t mean a service ticket for accessing the Azure File Share (e.g.,cifs/<storageaccount>.file.core.windows.net) has been successfully issued.
We have a mixed environment of intune AAD laptops and AD DS workstations and servers, as well as linux servers that require access to the same Azure file shares.
You’ve indicated a mix of:
- AAD Intune-managed laptops
- AD DS workstations/servers
- Linux servers
This introduces complexity because no single identity model will work natively across all of them.
For your cross-platform, mixed identity environment, the most compatible and recommended path is:
Enable AD DS authentication on your Azure File Share
- Use an Azure AD DS instance (or sync your on-premises AD DS via Azure AD Connect).
- This allows both:
- AD DS-joined machines (Windows, Linux) to authenticate via traditional Kerberos.
- Hybrid AAD-joined devices to authenticate using their AD DS identity.
- You’ll manage access via NTFS permissions and AD security groups.
I hope by following the above recommendations will help in resolving the issue.
Please let us know in the comments below, if the issue is resolved or still persists. We will be glad to assist you closely.
Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
-
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator
2025-05-23T03:52:31.8466667+00:00 Hi Cory Cox
I would like to inquire whether the provided response was beneficial to you. Please let us know do you have any further queries. We are here to assist you. Please do consider to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Sign in to comment
Sign in to answer