Hybrid AADJ Windows 11 clients not obtaining Entra Kerberos ticket for Azure Files (cifs/<storage>.file.core.windows.net)

Question

Hybrid AADJ Windows 11 clients not obtaining Entra Kerberos ticket for Azure Files (cifs/<storage>.file.core.windows.net)

Eric Cote - adm 0

We are deploying Azure Files with Microsoft Entra Kerberos authentication in a hybrid environment. Our Windows 11 Pro 25H2 hybrid-joined device meets all prerequisites:

DSREGCMD /STATUS

AzureAdJoined = YES

DomainJoined = YES

AzureAdPrt = YES

CloudTgt = YES

NgcSet = YES (WHfB provisioned successfully)

Executing Account Name = domain.local\username, ******@domain.com

Device is Intune-enrolled

Zscaler Private Access forwarding SMB/445 to the private endpoint

DNS resolution correctly returns privatelink IP

Storage account uses Standard tier, identity enabled

Azure Files Entra Kerberos enabled

Required RBAC roles assigned (user + storage MI)

However:

Connecting to: \\storage-account-name.file.core.windows.net\<share> always prompts for credentials.
klist never shows a cloud Kerberos ticket for: cifs/storage-account-name.file.core.windows.net
Authentication falls back to NTLM and fails.
All local device prerequisites appear healthy.
This persists even after WHfB provisioning and CloudKerberos-enabled registry configuration.

Does someone know why we can't get Entra Kerberos Ticket? Whatever we log in with domain\username or ******@domain.com or PIN (WHfB), kerberos request are ALWAYS answered by local AD.

We've even created a reg key on a test device to make sure kerberos request to domain.com are sent to Entra and not local AD but it still fails.

Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T18:55:34.7366667+00:00
Hi @ Eric Cote - adm,

Welcome to Microsoft Q&A Platform.

Kerberos tickets can contain up to 1,010 group SIDs. With Microsoft Entra Kerberos (preview) supporting cloud-only identities, both on-premises and cloud group SIDs are included. If the combined SIDs exceed 1,010, the ticket can't be issued. To avoid authentication failures for cloud-only identities, update the Tags section in your application manifest, Follow these instructions to update the tag in your application manifest.

As stated in Configure the clients to retrieve Kerberos tickets , set the following registry value on the client(s) by running this command from an elevated Admin Command Prompt.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

After running the command, the changes are not applied instantly ,a policy refresh or a reboot is required for them to take effect.

Ref: Configure coexistence with storage accounts using on-premises AD DS

Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities (preview) on Azure Files

Please reply back with your confirmation or upvote ,if the information helped you. This will assist us and other users in the community as well.
Eric Cote - adm 0 Reputation points

2025-12-05T19:07:04.56+00:00

this reg key has already been enabled on the device. The issue is not caused by this.
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T19:13:39.6033333+00:00

Hi @ Eric Cote - adm,

Cloud-only identities are currently in preview. Please try changing the default share permissions for authenticated users to “Allow all,” along with assigning the required RBAC role.

Since Microsoft Entra Kerberos (preview) includes both on-premises and cloud group SIDs, the combined SIDs may exceed the 1,010 limit, which prevents the Kerberos ticket from being issued.

If you're using Microsoft Entra Kerberos to authenticate cloud-only identities, ensure you update the Tags section in your application manifest, otherwise authentication will fail.

Follow these instructions to update the tag in your application manifest.

Ref: Enable cloud-only groups support (mandatory for cloud-only identities)
Eric Cote - adm 0 Reputation points

2025-12-05T19:27:11.2166667+00:00

I am not using cloud-only identitities. I am currently send to hybrid mode (local AD synched to Entra). However, I don't want to use ADDS on the file share because I am planning to go cloud based only next year. Until then, I still need this to work with hybrid identities.

With that being said, I don't understand this; "Please try changing the default share permissions for authenticated users to “Allow all,” along with assigning the required RBAC role."

How do I do this? I can assign role to user or managed application. I can't see authenticated users - Allow All.
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T19:40:43.3566667+00:00

Hi @ Eric Cote - adm,

Go to your Storage Account → File shares → Select your Azure File Share → Identity-based access: Not configured.

Note: If you're authenticating hybrid identities and want to configure directory and file-level permissions through Windows File Explorer, then you must specify the domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlet from an on-premises AD-joined client: Get-ADDomain. Your domain name should be listed in the output under DNSRoot and your domain GUID should be listed under ObjectGUID. If you'd prefer to configure directory and file-level permissions using icacls, you can skip this step. However, if you want to use icacls, the client will need unimpeded network connectivity to the on-premises AD. Configuring directory and file-level permissions using Windows File Explorer isn't currently supported for cloud-only identities (preview).
Eric Cote - adm 0 Reputation points

2025-12-05T19:46:28.85+00:00

thanks. It is already set like this.

However, I found this on the test device in the event viewer, under Applicationd and Services Logs - Microsoft - AAD - Operational:

Error: 0xCAA5001C Token broker operation failed.

Operation name: GetTokenSilently, Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party application '<obsfuscated>' and first party resource '<obsfuscated>' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 94b4611d-f683-4218-b2a8-be7fb2f40a00 Correlation ID: 0b09886e-83b0-461c-a497-d4b5c7e760b8 Timestamp: 2025-12-05 18:30:54Z

Logged at WebAccountProcessor.cpp, line: 723, method: AAD::Core::WebAccountProcessor::ReportOperationError.

It looks like if something has not been enabled in our Entra Tenant...
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T19:56:03.01+00:00
Hi @ Eric Cote - adm,

Thanks for sharing the System Event Logs.

It appears that the Storage Account’s Microsoft Entra application (service principal) did not have admin consent granted. Granting admin consent for the storage account service principal resolves the issue.

You can configure the API permissions from the Azure portal by following these steps:

Open Microsoft Entra ID.

In the service menu, under Manage, select App registrations.

Select All Applications.

Select the application with the name matching [Storage Account] <your-storage-account-name>.file.core.windows.net.

In the service menu, under Manage, select API permissions.

Select Grant admin consent for [Directory Name] to grant consent for the three requested API permissions (openid, profile, and User.Read) for all accounts in the directory.

Select Yes to confirm.

Ref: Grant admin consent to the new service principal
Eric Cote - adm 0 Reputation points

2025-12-05T20:08:27.95+00:00

yes it has been granted.
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T20:11:54.0533333+00:00
As I can see, you have granted permissions for Microsoft Graph, not for the Azure Storage permission on your (<your-storage-account-name>.file.core.windows.net) application.

Make sure to add Storage permission by following the steps.

If the above steps do not resolve your issue, the problem may be caused by missing permissions or incorrect ownership on one or both of the following registry keys:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR HKEY_USERS\<User-SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

Resolution Steps:

Take ownership of the registry key if needed (Owner should be SYSTEM).

Fix the permissions by enabling inheritance on the key(s). Updating one key should automatically fix the other, unless multiple users log on to the same device.

Make sure both keys have correct permissions and inheritance enabled to allow the Microsoft AAD Broker Plugin to function properly.

Ref: Event 1098: Error: 0xCAA5001C Token broker operation failed
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T20:33:23.7633333+00:00

Hi @ Eric Cote - adm,

If none of the above steps resolve the issue, please share your details in a private message so we can schedule a Teams call.

1 answer

Your answer

Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T18:55:34.7366667+00:00

Hi @ Eric Cote - adm,

Welcome to Microsoft Q&A Platform.

Kerberos tickets can contain up to 1,010 group SIDs. With Microsoft Entra Kerberos (preview) supporting cloud-only identities, both on-premises and cloud group SIDs are included. If the combined SIDs exceed 1,010, the ticket can't be issued. To avoid authentication failures for cloud-only identities, update the Tags section in your application manifest, Follow these instructions to update the tag in your application manifest.

As stated in Configure the clients to retrieve Kerberos tickets , set the following registry value on the client(s) by running this command from an elevated Admin Command Prompt.

reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters /v CloudKerberosTicketRetrievalEnabled /t REG_DWORD /d 1

After running the command, the changes are not applied instantly ,a policy refresh or a reboot is required for them to take effect.

Ref: Configure coexistence with storage accounts using on-premises AD DS

Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities (preview) on Azure Files

Please reply back with your confirmation or upvote ,if the information helped you. This will assist us and other users in the community as well.
Eric Cote - adm 0 Reputation points

2025-12-05T19:07:04.56+00:00

this reg key has already been enabled on the device. The issue is not caused by this.
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T19:13:39.6033333+00:00

Hi @ Eric Cote - adm,

Cloud-only identities are currently in preview. Please try changing the default share permissions for authenticated users to “Allow all,” along with assigning the required RBAC role.

Since Microsoft Entra Kerberos (preview) includes both on-premises and cloud group SIDs, the combined SIDs may exceed the 1,010 limit, which prevents the Kerberos ticket from being issued.

If you're using Microsoft Entra Kerberos to authenticate cloud-only identities, ensure you update the Tags section in your application manifest, otherwise authentication will fail.

Follow these instructions to update the tag in your application manifest.

Ref: Enable cloud-only groups support (mandatory for cloud-only identities)
Eric Cote - adm 0 Reputation points

2025-12-05T19:27:11.2166667+00:00

I am not using cloud-only identitities. I am currently send to hybrid mode (local AD synched to Entra). However, I don't want to use ADDS on the file share because I am planning to go cloud based only next year. Until then, I still need this to work with hybrid identities.

With that being said, I don't understand this; "Please try changing the default share permissions for authenticated users to “Allow all,” along with assigning the required RBAC role."

How do I do this? I can assign role to user or managed application. I can't see authenticated users - Allow All.
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T19:40:43.3566667+00:00

Hi @ Eric Cote - adm,

Go to your Storage Account → File shares → Select your Azure File Share → Identity-based access: Not configured.

Note: If you're authenticating hybrid identities and want to configure directory and file-level permissions through Windows File Explorer, then you must specify the domain name and domain GUID for your on-premises AD. You can get this information from your domain admin or by running the following Active Directory PowerShell cmdlet from an on-premises AD-joined client: Get-ADDomain. Your domain name should be listed in the output under DNSRoot and your domain GUID should be listed under ObjectGUID. If you'd prefer to configure directory and file-level permissions using icacls, you can skip this step. However, if you want to use icacls, the client will need unimpeded network connectivity to the on-premises AD. Configuring directory and file-level permissions using Windows File Explorer isn't currently supported for cloud-only identities (preview).
Eric Cote - adm 0 Reputation points

2025-12-05T19:46:28.85+00:00

thanks. It is already set like this.

However, I found this on the test device in the event viewer, under Applicationd and Services Logs - Microsoft - AAD - Operational:

Error: 0xCAA5001C Token broker operation failed.

Operation name: GetTokenSilently, Error: -895352830 (0xcaa20002), Description: AADSTS65002: Consent between first party application '<obsfuscated>' and first party resource '<obsfuscated>' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API. Trace ID: 94b4611d-f683-4218-b2a8-be7fb2f40a00 Correlation ID: 0b09886e-83b0-461c-a497-d4b5c7e760b8 Timestamp: 2025-12-05 18:30:54Z

Logged at WebAccountProcessor.cpp, line: 723, method: AAD::Core::WebAccountProcessor::ReportOperationError.

It looks like if something has not been enabled in our Entra Tenant...
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T19:56:03.01+00:00

Hi @ Eric Cote - adm,

Thanks for sharing the System Event Logs.

It appears that the Storage Account’s Microsoft Entra application (service principal) did not have admin consent granted. Granting admin consent for the storage account service principal resolves the issue.

You can configure the API permissions from the Azure portal by following these steps:

Open Microsoft Entra ID.

In the service menu, under Manage, select App registrations.

Select All Applications.

Select the application with the name matching [Storage Account] <your-storage-account-name>.file.core.windows.net.

In the service menu, under Manage, select API permissions.

Select Grant admin consent for [Directory Name] to grant consent for the three requested API permissions (openid, profile, and User.Read) for all accounts in the directory.

Select Yes to confirm.

Ref: Grant admin consent to the new service principal
Eric Cote - adm 0 Reputation points

2025-12-05T20:08:27.95+00:00

yes it has been granted.
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T20:11:54.0533333+00:00

As I can see, you have granted permissions for Microsoft Graph, not for the Azure Storage permission on your (<your-storage-account-name>.file.core.windows.net) application.

Make sure to add Storage permission by following the steps.

If the above steps do not resolve your issue, the problem may be caused by missing permissions or incorrect ownership on one or both of the following registry keys:

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR HKEY_USERS\<User-SID>\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy\PSR

Resolution Steps:

Take ownership of the registry key if needed (Owner should be SYSTEM).

Fix the permissions by enabling inheritance on the key(s). Updating one key should automatically fix the other, unless multiple users log on to the same device.

Make sure both keys have correct permissions and inheritance enabled to allow the Microsoft AAD Broker Plugin to function properly.

Ref: Event 1098: Error: 0xCAA5001C Token broker operation failed
Vallepu Venkateswarlu 3,060 Reputation points Microsoft External Staff Moderator

2025-12-05T20:33:23.7633333+00:00

Hi @ Eric Cote - adm,

If none of the above steps resolve the issue, please share your details in a private message so we can schedule a Teams call.

Answer 1

Hi @ Eric Cote - adm,

From the backend, it appears the storage account was deleted. Can you confirm this or let me know if a new account was set up with the same settings?

However, when discovered that when a computer is in hybrid mode, even if an Azure storage account is configured to use Entra Kerboros as authentication, ADDS will ALWAYS have precedence to Entra Kerberos.

So, even if you can log on your pc with your Entra credentials (not your local AD credentials), the authentication toket will still be provied by local AD and not Entra Kerberos.

In other words, what I was trying to achieve would never work.

I'll need to set my storage account to use ADDS until all my computers are only Entra joined.

Hope this clarifies!

If above is unclear and/or you are unsure about something add a comment below.

Share via

Hybrid AADJ Windows 11 clients not obtaining Entra Kerberos ticket for Azure Files (cifs/<storage>.file.core.windows.net)

1 answer

Your answer