FSLogix CloudKerberosTicketRetrievalEnabled Not Working with Azure AD Joined VMs - Per-User Authentication Issue

Sergey Shapoval 20 Reputation points
2026-02-20T07:29:16.6+00:00

Environment:

  • Azure Virtual Desktop (AVD) Pooled Host Pool
  • Windows 11 Enterprise 25H2 (build 26100.1150)
  • VMs: Azure AD Joined (pure cloud, no on-premises AD or Hybrid Join)
  • FSLogix Version: 3.26.126.19110
  • Storage: Azure Files with Private Endpoint
  • Authentication: Azure AD Kerberos (AADKERB) enabled on storage account
  • Tenant: Cloud-only environment (Microsoft 365/Entra ID, no AD DS)

Issue Description:

We are unable to establish per-user authentication between FSLogix and Azure Files storage account in a pure Azure AD-joined environment. Users receive error 0xf ("The graphics display components in the remote session failed to start up") when connecting to AVD, which is caused by FSLogix failing to mount user profiles.

FSLogix Error Details:

Event ID: 26
LoadProfile failed. 
FrxStatus: 31 (The system cannot contact a domain controller to service the authentication request. Please try again later.)

Event ID: 26
No Create access: \\storageaccount.file.core.windows.net\profiles\[user]_
(The system cannot contact a domain controller to service the authentication request. Please try again later.)

Configuration Details:

FSLogix Configuration:

  • Enabled = 1
  • VHDLocations = \\storageaccount.file.core.windows.net\profiles
  • CloudKerberosTicketRetrievalEnabled = 1
  • VolumeType = VHDX (dynamic)

Storage Account Configuration:

  • directoryServiceOptions: AADKERB
  • domainName: [DOMAIN NAME REMOVED]
  • domainGuid: [TENANT ID REDACTED]
  • defaultSharePermission: StorageFileDataSmbShareContributor
  • Private Endpoint: Enabled (VMs access via private IP)

VM Configuration:

  • Azure AD Join Status: YES (verified via dsregcmd /status)
  • Hybrid Join: NO
  • Domain Join: NO
  • Kerberos Tickets: 0 (verified via klist - no tickets are retrieved)

Network Connectivity:

  • DNS resolves storage FQDN to private IP (10.0.0.x)
  • Port 445 accessible
  • Private endpoint configured in same VNet/subnet as VMs

RBAC Permissions:

  • Azure AD security group has "Storage File Data SMB Share Contributor" role
  • User is member of the security group

Troubleshooting Performed:

  1. Verified all registry settings for FSLogix (CloudKerberosTicketRetrievalEnabled=1)
  2. Configured storage account with proper Azure AD Kerberos settings (domainName, domainGuid)
  3. Verified private endpoint connectivity and DNS resolution
  4. Verified RBAC permissions for users
  5. Restarted FSLogix service and Terminal Services
  6. Rebooted VMs multiple times
  7. Confirmed VMs are properly Azure AD joined
  8. Verified no Group Policies overriding settings

Result: FSLogix still cannot retrieve Kerberos tickets from Azure AD, and users cannot authenticate to Azure Files storage.

Workaround (Not Acceptable for Production):

Setting AccessNetworkAsComputerObject=1 allows FSLogix to work by using the VM's managed identity instead of per-user authentication. However, this creates a critical security vulnerability in our Pooled Host Pool:

  • All users can potentially access \\storageaccount.file.core.windows.net\profiles
  • Users can see and potentially download other users' VHDX files
  • VHDX files contain sensitive user data (credentials, documents, browser history)

This workaround is not acceptable for production use.

Questions for Microsoft Support:

Is CloudKerberosTicketRetrievalEnabled=1 designed to work with pure Azure AD-joined VMs, or does it require Hybrid Azure AD Join?

What is the officially supported configuration for FSLogix + Azure Files in a cloud-only environment (no on-premises AD, no Hybrid Join)?

Is Azure AD Domain Services (AADDS) required to achieve per-user authentication with FSLogix in cloud-only scenarios?

If AADDS is required, are there any alternative solutions that provide per-user authentication without the additional cost and complexity of AADDS?

Why are Kerberos tickets not being retrieved from Azure AD despite:

  • VMs being properly Azure AD joined
  • Storage account having AADKERB with correct domainName and domainGuid
  • All network connectivity verified
  • All RBAC permissions in place

Expected Outcome:

We need a secure, production-ready solution for FSLogix profile management in our cloud-only AVD environment that provides:

  • Per-user authentication (not per-machine)
  • User isolation (users cannot access other users' profiles or VHDX files)
  • Compatibility with pure Azure AD-joined VMs (no on-premises AD)

Please advise on the correct configuration or confirm if Azure AD Domain Services is mandatory for this scenario.


Answer accepted by question author

Ankit Yadav 12,200 Reputation points Microsoft External Staff Moderator
2026-02-20T10:21:58.11+00:00

Hello Sergey,

In a pure Azure AD-joined (cloud-only) Azure Virtual Desktop environment, per-user FSLogix authentication to Azure Files using Azure AD Kerberos is currently supported in preview. It does not require Hybrid Join or on-prem AD, but it has strict prerequisites and limitations. Azure AD Domain Services is not mandatory; however, it is still the only fully GA and production-proven option for per-user FSLogix authentication without preview constraints.

The behavior you're seeing typically means Azure AD Kerberos tickets are not being issued. That explains why klist shows zero tickets, FSLogix reports it cannot contact a domain controller, and sessions fail with 0xF errors. In cloud-only setups, Azure AD Kerberos replaces the domain controller. If ticket retrieval fails for any reason, profiles will not mount.

Please check that the following required configurations are in place:

  • Make sure the CloudKerberosTicketRetrievalEnabled setting is deployed through Intune Settings Catalog. OMA-URI does not work reliably on AVD multi-session and can silently fail.
  • Confirm these Windows services are running on the session hosts: WinHttpAutoProxySvc and IP Helper (iphlpsvc). If either is disabled, Kerberos tickets will not be retrieved.
  • Verify that admin consent has been granted to the enterprise application created for your storage account, in the format storageaccount.file.core.windows.net.
  • If you are using Private Endpoints, ensure the app registration also includes storageaccount.privatelink.file.core.windows.net in the identifier URIs. This is a common cause of failure even when DNS and port 445 are working.
  • Confirm the storage account enterprise app is excluded from Conditional Access policies that enforce MFA. Azure AD Kerberos does not support MFA.

To answer your specific questions:

  • CloudKerberosTicketRetrievalEnabled works with pure Azure AD Join, and cloud-only support remains in preview.
  • Hybrid Join is not required.
  • Azure AD Domain Services is not mandatory, but it is the only fully globally available (GA) option today.
  • There is no GA alternative for cloud-only FSLogix with Azure Files.
  • If no Kerberos tickets are issued, the issue is usually policy delivery, required services, app consent, Private Endpoint configuration, or Conditional Access, not RBAC or networking alone.

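A read-only session-host check, added here as an example (it is not code from the question, the answer, FSLogix or Microsoft), that walks the prerequisites the accepted answer lists in order so the first failing layer is visible before touching the storage account. The account name is a placeholder; the Kerberos policy path is the registry location documented for the manual setting, and the FSLogix key is assumed to be HKLM\SOFTWARE\FSLogix\Profiles.

```powershell
# Added example: run as the signed-in user (not elevated, so klist shows that
# user's logon session) on an Entra-joined AVD session host.
param([string]$StorageAccount = 'storageaccount')   # placeholder: replace with your account name

$fqdn    = "$StorageAccount.file.core.windows.net"
$results = [ordered]@{}

# 1. Cloud Kerberos ticket retrieval policy (the documented LSA Kerberos
#    parameters location; an Intune Settings Catalog policy lands here too).
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$v = (Get-ItemProperty -Path $kerbKey -ErrorAction SilentlyContinue).CloudKerberosTicketRetrievalEnabled
$results['CloudKerberosTicketRetrievalEnabled = 1'] = ($v -eq 1)

# 2. FSLogix profile container settings (assumed key path).
$fsl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\FSLogix\Profiles' -ErrorAction SilentlyContinue
$results['FSLogix Enabled = 1']                          = ($fsl.Enabled -eq 1)
$results['FSLogix VHDLocations set']                     = -not [string]::IsNullOrEmpty($fsl.VHDLocations)
$results['FSLogix AccessNetworkAsComputerObject not 1']  = ($fsl.AccessNetworkAsComputerObject -ne 1)

# 3. Services the answer names as required for ticket retrieval.
foreach ($svc in 'WinHttpAutoProxySvc', 'iphlpsvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $results["Service $svc running"] = ($null -ne $s -and $s.Status -eq 'Running')
}

# 4. Name resolution and SMB reachability to the (private endpoint) share.
$dns = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue
$results["DNS $fqdn resolves"] = ($null -ne $dns)
$tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
$results['TCP 445 reachable'] = [bool]$tcp.TcpTestSucceeded

# 5. Ticket state for the current user. A working cloud-only setup holds a TGT
#    from the KERBEROS.MICROSOFTONLINE.COM realm; asking for the cifs/ service
#    ticket then exercises the storage account's enterprise app (consent,
#    identifier URIs, Conditional Access) without touching the share itself.
$tgt = klist 2>&1 | Out-String
$results['Cloud TGT present (KERBEROS.MICROSOFTONLINE.COM)'] = ($tgt -match 'KERBEROS\.MICROSOFTONLINE\.COM')
$svcTicket = klist get "cifs/$fqdn" 2>&1 | Out-String
$results["Service ticket cifs/$fqdn obtained"] = ($svcTicket -match ('cifs/' + [regex]::Escape($fqdn)))

# Pass/fail table; the first FAIL from the top is the layer to fix first.
$results.GetEnumerator() | ForEach-Object {
    '{0,-5} {1}' -f ($(if ($_.Value) { 'PASS' } else { 'FAIL' }), $_.Key)
}
```

A cloud TGT present with the cifs/ ticket request failing points at the enterprise app side (consent, privatelink identifier URI, Conditional Access) rather than the host; no TGT at all points at policy delivery or the two services.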