Azure AD Kerberos Server object missing — Azure Files AADKERB stuck (urbacon.net)

Question

Azure AD Kerberos Server object missing — Azure Files AADKERB stuck (urbacon.net)

Richard Hilton 5

We are trying to enable Azure AD Kerberos authentication for our Storage Account:

Storage Account: fileshareurb1 (canadacentral)

Domain: urbacon.net (Hybrid joined)

DirectoryServiceOptions: AADKERB

OnPremisesSyncEnabled: Yes

AD Connect: OK

Permissions: All fixed and verified:

Replicating Directory Changes

  Replicating Directory Changes All
  
     Write userPrincipalName
     
        Write mS-DS-ConsistencyGuid
        
           (checked via PowerShell and GUI — confirmed inheritance correct)
           
           **Sync:** Full sync run several times
           
           **Federation:** No legacy federation — domain is Managed
           
           **Inheritance:** Now applied to all user objects under CN=Users and OUs

Issue: The required AzureADKerberosServer object is missing — verified by running:

powershell
Copy
Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -match "Kerberos" }

Result: no object found — even after 12+ hours and toggling AADKERB OFF/ON again.

Request: Please check backend state and force creation of the AzureADKerberosServer object for domain urbacon.net — so we can complete AADKERB configuration for Azure Files.

1 answer

Your answer

Answer 1

Nandamuri Pranay Teja 3,610 Microsoft External Staff Moderator

Hello Richard Hilton

Thank you for your question!

If CheckEntraObject fails, disable and re-enable AADKERB on the storage account.

Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -EnableAzureActiveDirectoryKerberosForFile $false
Set-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName -EnableAzureActiveDirectoryKerberosForFile $true

If CheckRegKey fails, set the registry key. Reboot the client machine after this change.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

Since OnPremisesSyncEnabled is Yes and full syncs have been run, verify that the hybrid identity sync is working correctly

In the Microsoft Entra admin center, go to Azure AD Connect > Health and check for sync errors. Ensure the mS-DS-ConsistencyGuid and userPrincipalName attributes are syncing correctly for users.

Check if the storage account’s service principal exists in Entra ID

Get-MgServicePrincipal -Filter "displayName eq 'fileshareurb1'"

If the AzureADKerberos object is created but authentication still fails, rotate the Kerberos key Wait a few hours for key propagation. Use -Force if rotation is needed within 24 hours.

Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -DomainCredential $domainCred -RotateServerKey

Please refer to the below article on Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cintune

Prerequisites: Confirm that client devices are running supported OS versions (Windows 11 Enterprise, Windows 10 Enterprise, or Windows Server 2019/2022).
Verify that urbacon.net is synchronized with Microsoft Entra ID using AD Connect, and OnPremisesSyncEnabled is Yes (as you confirmed).
Ensure the storage account (fileshareurb1) is in the same Azure region (canadacentral) as the domain’s synced identities.

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

User's image

Richard Hilton 5 Reputation points

2025-06-20T13:05:06.06+00:00
Subject: AzureADKerberosServer object is not provisioning — for Azure Files AADKERB (hybrid domain urbacon.net)

Details: We are enabling Azure Files AADKERB on Storage Account fileshareurb1 (region: canadacentral). The domain urbacon.net is hybrid-synced (AAD Connect Password Hash Sync, no federation). All user permissions are now correct (mS-DS-ConsistencyGuid and UPN synced), and user export errors are cleared.

We enabled Azure Files AADKERB on 2025-06-12, and after 12+ hours, the AzureADKerberosServer object is still not present in Microsoft Graph Directory Settings or AzureADPreview module:

powershell Copy Get-MgBetaDirectorySetting | Where-Object { $_.DisplayName -match "Kerberos" } # → Returns nothing

Also verified with Get-AzureADKerberosServer — also not present. We also disabled/re-enabled AADKERB on the storage account — no change.

Request: Please assist with forcing the provisioning of the AzureADKerberosServer object for domain urbacon.net.
Nandamuri Pranay Teja 3,610 Reputation points Microsoft External Staff Moderator

2025-06-23T07:14:57.26+00:00
Hello Richard Hilton

Please check that Azure AD Connect is fully operational and syncing correctly. Run a full sync cycle:

Start-ADSyncSyncCycle -PolicyType Initial

And Check the Synchronization Service Manager for errors. Ensure OnPremisesSyncEnabled is set to Yes for the domain. Please check that the account used to enable AADKERB has Global Administrator or Hybrid Identity Administrator role in Azure AD. Domain Admin and Enterprise Admin privileges in the on-premises Active Directory (AD) for the urbacon.net domain. Confirm AADKERB is enabled correctly on the storage account

Get-AzStorageAccount -ResourceGroupName <ResourceGroupName> -Name fileshareurb1 | Select-Object EnableAzureActiveDirectoryKerberosForFile

Since the object is not provisioning automatically, attempt to create it manually using the Set-AzureADKerberosServer cmdlet from the AzureADHybridAuthenticationManagement module. This requires line-of-sight to a domain controller and internet access.

Install-Module -Name AzureADHybridAuthenticationManagement -AllowClobber Import-Module -Name AzureADHybridAuthenticationManagement

If running on a domain-joined machine with Domain Admin privileges, you can omit -DomainCredential to use the current Windows credentials.

The -SetupCloudTrust parameter is critical for establishing the trust between on-premises AD and Azure AD.

$domain = "urbacon.net" $userPrincipalName = "<GlobalAdmin>@<Tenant>.onmicrosoft.com" # Replace with your Global Admin UPN $cloudCred = Get-Credential -Message "Enter Azure AD Hybrid Identity Administrator credentials" $domainCred = Get-Credential -Message "Enter Domain Admin credentials" Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -CloudCredential $cloudCred -DomainCredential $domainCred -SetupCloudTrust If the AzureADKerberosServer object exists but is not functioning, rotate the server keys to ensure synchronization:

Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey

Wait several hours for key propagation. If urgent, use the -Force parameter:

Set-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName -CloudCredential $cloudCred -DomainCredential $domainCred -RotateServerKey -Force

Verify key rotation:

Get-AzureADKerberosServer -Domain $domain -UserPrincipalName $userPrincipalName | Select-Object KeyUpdatedOn, CloudKeyUpdatedOn

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
Nandamuri Pranay Teja 3,610 Reputation points Microsoft External Staff Moderator

2025-06-24T01:27:02.9733333+00:00

Hello Richard Hilton

Just checking in to see if the provided answer helped. If this answers your query, do click "Accept the answer” for the same, which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.
Nandamuri Pranay Teja 3,610 Reputation points Microsoft External Staff Moderator

2025-06-25T01:36:37.5633333+00:00

Hello Richard Hilton

I wanted to follow up and see if the given answer was helpful. If this resolves your issue, please click "Accept the answer" for it, which could help other community members who read this thread. And, if you have any more questions, please let us know.
Richard Hilton 5 Reputation points

2025-06-26T16:32:27.01+00:00
Hi Nandamuri,

Thanks for the detailed instructions. I’ve completed all the suggested steps as follows:

Azure AD Connect: Verified to be fully operational, and I ran a full sync cycle using Start-ADSyncSyncCycle -PolicyType Initial. No sync errors were observed in Synchronization Service Manager.

Account Roles: The account used to run the AADKERB commands has both Global Administrator rights in Azure AD and Domain Admin rights on-prem.

Storage Account: Confirmed AADKERB is enabled using:

(Get-AzStorageAccount -ResourceGroupName "Urb-FileShare" -Name "fileshareurb1").AzureFilesIdentityBasedAuth

This returned: AADKERB

Kerberos Server Setup: I successfully ran Set-AzureADKerberosServer with -SetupCloudTrust and rotated the server key using -RotateServerKey -Force. Both KeyUpdatedOn and CloudKeyUpdatedOn now show the expected timestamps.

However, I'm still encountering an issue: The object returned from Get-AzureADKerberosServer is missing key fields, specifically Domain, DomainFQDN, and DomainSid, which remain empty even after waiting over an hour.

I've also confirmed our domain details manually via Get-ADDomain and attempted re-running Set-AzureADKerberosServer with -TopLevelNames, but received a Collision setting top level names on trust KERBEROS.MICROSOFTONLINE.COM error.

Finally, Get-MgBetaDirectorySetting returns no relevant objects (or times out), which suggests the configuration is incomplete or not fully propagated in Microsoft Graph.

Can you please advise next steps or escalate this as a possible backend issue with object creation or synchronization?

Thanks again, Richard
Richard Hilton 5 Reputation points

2025-06-26T16:42:11.0266667+00:00
Conclusion: The absence of Kerberos settings indicates the tenant-level feature flag for Entra Kerberos is not enabled, preventing the AzureADKerberosServer object creation and Cloud Kerberos Trust establishment.

Action Plan:

Escalate to Microsoft support via your existing support case, referencing the troubleshooting document and this finding.

Provide:

Tenant ID: 3ee98630-b6a4-440f-bbe7-502cc156a63e.

Domain: urbacon.net.

Issue: No Kerberos-related directory settings found via Get-MgBetaDirectorySetting, and AzureADKerberos$ object missing in ADUC.

Request: Enable the Entra Kerberos tenant-level feature flag and verify AzureADKerberosServer object creation.

Share via

Azure AD Kerberos Server object missing — Azure Files AADKERB stuck (urbacon.net)

1 answer

Your answer