Azure AD Joined SSO to On-Prem File Share Across a Forest Trust

Daniel Gatley 1 Reputation point

We currently have SSO access to on-premises file shares working from an Azure AD joined machine; we do, however, have an issue accessing resources in another trusted forest. When attempting to browse to these locations, after a short pause we get Error Code: 0x80070035 - The network path was not found. Packet captures show the client is talking to the server and SMB negotiation takes place, so the issue seems to be authentication.

What makes this interesting is that this only occurs when connected via a VPN (Microsoft RAS based); if the connection is made via a Cisco AnyConnect based VPN, authentication works. What I have noted from the packet captures is that when connected by the native VPN client (Microsoft RAS), the DNS query to locate the KDC is for the wrong domain (the domain of the logged-in user), so it's understandable that it would not be able to continue with Kerberos auth. On the Cisco based VPN the KDC lookup uses the correct on-premises domain and Kerberos auth works. So, if we ignore everything that comes after the DNS lookup, why does one VPN (using the built-in facility) use one domain to look up the KDC and the other VPN (Cisco AnyConnect - Virtual Ethernet Adapter?) use the correct one?
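A diagnostic script for comparing the two VPN cases, added here as an example; it is not part of the original question or answer. It assumes placeholder names: resource.example for the trusted resource forest and fs01.resource.example for the file server; replace them with the real names. Run it once under each VPN client and compare the output. Whether the adapter brought up by the RAS client carries a connection-specific DNS suffix, whether any NRPT rule covers the resource forest, and which name the KDC SRV query actually resolves are the first things to compare, since they determine which domain the client asks for when locating a KDC.

```powershell
# Added diagnostic script, not from the original post.
# Placeholder names: replace with the trusted forest and a file server in it.
param(
    [string]$ResourceDomain = "resource.example",      # assumed trusted forest name
    [string]$ServerFqdn     = "fs01.resource.example"  # assumed file server in that forest
)

Write-Host "== Connected VPN profiles (built-in RAS client only) =="
# Shows the DNS suffix the RAS profile attaches to its adapter; AnyConnect's
# virtual adapter does not appear here, so compare it via Get-DnsClient below.
Get-VpnConnection -ErrorAction SilentlyContinue |
    Where-Object ConnectionStatus -eq 'Connected' |
    Select-Object Name, ServerAddress, SplitTunneling, DnsSuffix

Write-Host "== Per-interface DNS suffix and servers =="
# Which adapter carries a connection-specific suffix and which DNS servers it uses.
Get-DnsClient |
    Where-Object { $_.InterfaceAlias -notmatch 'Loopback' } |
    Select-Object InterfaceAlias, ConnectionSpecificSuffix, UseSuffixWhenResolving
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses
# Global suffix search list that applies when no connection-specific suffix matches.
Get-DnsClientGlobalSetting | Select-Object SuffixSearchList

Write-Host "== Name Resolution Policy Table (NRPT) =="
# NRPT rules steer queries for a namespace to specific DNS servers. Look for a
# rule whose Namespace covers the resource forest; note if there is none.
Get-DnsClientNrptRule | Select-Object Namespace, NameServers, DisplayName

Write-Host "== KDC locator SRV record for the resource forest =="
# This is the query the packet captures in the question show going to the wrong
# domain under the RAS client. -DnsOnly bypasses the local cache and hosts file.
Resolve-DnsName -Name "_kerberos._tcp.dc._msdcs.$ResourceDomain" -Type SRV -DnsOnly |
    Select-Object Name, NameTarget, Port, Priority

Write-Host "== DC locator via Netlogon for the resource forest =="
nltest /dsgetdc:$ResourceDomain /kdc

Write-Host "== Request a CIFS service ticket and show the ticket cache =="
# If the KDC for the resource forest cannot be located, this fails here rather
# than at the SMB session setup, which isolates the DNS step from the rest.
klist get "cifs/$ServerFqdn"
klist
```

Run the script from an elevated PowerShell session with the user who has the SSO issue logged on, first over the RAS VPN and then over AnyConnect, and diff the two outputs; the SRV query result and the NRPT section are where the two runs should first diverge if the question's observation holds.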


1 answer

  1. Jeevan Desarda 91 Reputation points Microsoft Employee

    I think if Cisco AnyConnect is set up with Azure AD using SAML, then this should solve the issue. In my understanding this might be using the NPS connector right now.
    So when the authentication is done, the Cisco app is trying to get the user details from the on-premises AD.