Cannot access on-prem file shares from Azure VM

Dave Erwin 96 Reputation points
2020-06-11T14:18:09.233+00:00

My google-fu has failed me on this one.

I set up an Azure VM (2016 Datacenter), remoted into it from my local network and joined it to the domain.

The VM cannot access any shares on an on-premises server without being prompted for authentication. The error shown is: "Cannot contact a domain controller to service the authentication request". If I enter a domain user and password I can access the share as long as the UNC is \\server\sharename. DFS shares like \\domain.com\sharename never work.

However, I can access a share on the VM from my local network with no problems.

Communication from local network <-> Azure is via a virtual network gateway. The local endpoint is a SonicWall TZ105. I set it up using the instructions from SonicWall on how to set up a VPN to Azure. Local network IP range is 192.168.0.0/24, the vnet gateway subnet is 10.10.0.0/24, the vnet VM subnet is 10.10.10.0/24.

My domain controllers (Server 2008/R2, don't judge, that's why we're testing Azure) are on-premises. The vnet DNS lists the two DCs.

Event viewer on the VM shows a couple of possibly relevant errors:

Event 40960 LSA (LsaSrv) The Security System detected an authentication error for the server cifs/servername. The failure code from authentication protocol Kerberos was "No authority could be contacted for authentication. (0x80090311)". This occurs on each attempt to access an on-premises share.

Event 1129 Group Policy lack of network connectivity to a domain controller. Occurs when the VM is started.

klist on the VM only shows the TGT, no other tickets.

I'm not sure where to go from here. It's confusing that the domain join can find a DC to join but after that nothing else seems to be able to.

Azure Virtual Machines
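The checks the question walks through (VNet DNS resolving the DC locator records, reachability of the DCs over the VPN, the secure channel, a Kerberos service-ticket request for the file server's CIFS SPN, and events 40960 and 1129) collected into one script. This is an added example, not code from the original thread; the domain name, DC names and file server name are placeholders you replace for your own environment, and the script assumes it runs in an elevated PowerShell session on the domain-joined Azure VM.

```powershell
# Added diagnostic script, not code from the original thread.
# Placeholder assumptions (replace for your environment):
#   $Domain            - the AD DNS domain name
#   $DomainControllers - on-premises DC host names listed in the VNet DNS settings
#   $OnPremServer      - an on-premises file server whose share fails from the VM
# Run in an elevated PowerShell session on the domain-joined Azure VM.
param(
    [string]   $Domain            = 'domain.com',
    [string[]] $DomainControllers = @('dc1.domain.com', 'dc2.domain.com'),
    [string]   $OnPremServer      = 'fileserver.domain.com'
)

# 1. DC locator records. The VM must resolve these through the VNet DNS servers
#    before Kerberos, Group Policy or domain-based DFS (\\domain.com\share) can work.
foreach ($srv in "_kerberos._tcp.dc._msdcs.$Domain", "_ldap._tcp.dc._msdcs.$Domain") {
    try {
        $records = Resolve-DnsName -Name $srv -Type SRV -ErrorAction Stop
        $targets = ($records | Where-Object Type -eq 'SRV').NameTarget -join ', '
        "{0,-45} -> {1}" -f $srv, $targets
    } catch {
        "{0,-45} -> FAILED ({1})" -f $srv, $_.Exception.Message
    }
}

# 2. TCP reachability over the VPN for the ports a domain member uses against a DC.
#    A pass here only proves the tunnel and firewall pass the TCP handshake; it does
#    not prove that the Kerberos exchange itself survives inspection on the path.
$ports = [ordered]@{ Kerberos = 88; KerberosPwd = 464; LDAP = 389; SMB = 445; RPC = 135 }
foreach ($dc in $DomainControllers) {
    foreach ($name in $ports.Keys) {
        $result = Test-NetConnection -ComputerName $dc -Port $ports[$name] -WarningAction SilentlyContinue
        $state  = if ($result.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
        "{0,-25} {1,-12} tcp/{2,-4} {3}" -f $dc, $name, $ports[$name], $state
    }
}

# 3. DC locator and secure channel from the member's point of view.
nltest /dsgetdc:$Domain /force
nltest /sc_verify:$Domain

# 4. Request a service ticket for the file server's CIFS SPN. The symptom in the
#    question is a TGT present but no service tickets, with 0x80090311 in event 40960.
#    If step 2 shows tcp/88 open but this request still fails, something on the path
#    is interfering with the Kerberos exchange rather than blocking the port.
klist get "cifs/$OnPremServer"
klist

# 5. Recent LSA (40960) and Group Policy (1129) events from the System log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 40960, 1129; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'Message'; e = { $m = $_.Message -replace '\s+', ' '; $m.Substring(0, [Math]::Min(160, $m.Length)) } } |
    Format-Table -AutoSize -Wrap
```

Read the sections together rather than in isolation: SRV lookups that succeed and TCP tests that pass, combined with a failing `klist get` and fresh 40960 events, point at something between the VM and the DCs altering or dropping the Kerberos exchange itself, which is the kind of in-path inspection the accepted answer turned out to identify.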

Accepted answer
  1. Dave Erwin 96 Reputation points
    2020-06-24T18:55:40.393+00:00

    The cause was an App Control rule on the SonicWall. After some real-time troubleshooting with SonicWall we determined that excluding the domain controllers from App Control eliminated the issue. I did some further testing and determined that the domain controllers only needed to be excluded from the Encrypted Key Exchange rule in the Proxy-Access category.

    Hope this helps someone else.


1 additional answer

  1. Manu Philip 16,986 Reputation points MVP
    2020-06-11T15:02:45.3+00:00

    Hello Erwin-5787,

    This issue can occur if domain controllers have expired or missing domain controller authentication certificates. Make sure that all domain controllers have a certificate issued by the internal certification authority (CA) that includes Server Authentication (1.3.6.1.5.5.7.3.1), Client Authentication (1.3.6.1.5.5.7.3.2), KDC Authentication (1.3.6.1.5.2.3.5), and Smart Card Logon (1.3.6.1.4.1.311.20.2.2) in the Enhanced Key Usage field of the certificate (open the certificate and verify this and the expiry).

    Please mark as "Accept the answer" if the above steps help you. Others with similar issues can then also follow the solution as per your suggestion.

    Regards,

    Manu