Azure Files
An Azure service that offers file shares in the cloud.
1,420 questions
Hello @Sumarigo-MSFT
Azure Storage File Authentication Issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(268.8, 92%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETD%3C/text%3E%3C/svg%3E)
TXS-DEV
1
Reputation point
I added AD DS authentication to my Azure Storage File account by following the article outlined here https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-ad-ds-enable?WT.mc_id=Portal-Microsoft_Azure_FileStorage I used step 1 auto option.
I selected the ServiceLogonAccount and also Computer Account both options don't seem to work.
I have line of sight to a DC using a point to site VPN connection and can RDP to the DC and can also see ping response to the DC.
I also configured a private IP for the storage account which is resolvable from the end user PC using the Point-to-Site VPN and Site-to-SIte VPN to on prem machines
Using a storage account key method works but AD does not.
Issue:
I'm getting the prompt to enter the AD credentials however, no matter what account or UPN combinations I try always seeing "The username or password is incorrect"
On-Prem DC/End user client outcome
From the on prem DC which has the route to the storage account vNET via a site-to-site VPN, I can get the file share to mount using the \filename.file.core.windows.net\sharename format using AD
However when using the \10.0.0.4\fileshare the login does not succeed.
From a Point-to-site VPN connected machine outcome
From the point to site VPN clients which have a line of sight to the DC, \filename.file.core.windows.net\sharename does not attempt to connect as expected, I have it limited to vNET and to some whitelisted IP's only. Just like the on-prem the \10.0.0.4\fileshare gets the login does not succeed.
To summarize, the private link access does not work on on-prem and VPN brokered (domain joined and non-domain joined) clients. I'm at my wits end in trying to troubleshoot this.
I ran the AzureFileDiagnostics and Debug-AZstorageAccountAuth and both of them attempt to connect using the FQFN of the share and on-prem shows all good and the VPN clients won't connect as expected because of SMB 445 block.
What am I missing?
Azure Files
Azure Storage
Azure Storage
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,529 questions
{count} votes
-
Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator2022-01-03T13:43:43.727+00:00 @TXS-DEV Thanks for raising this question! Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. Can you please share the screenshot the error message? Please shar ethe output of Azfilediag
Sign in to comment
1 answer
Sort by: Most helpful
-
TXS-DEV 1 Reputation point
2022-01-03T23:50:29.097+00:00 -
TXS-DEV 1 Reputation point
2022-01-04T00:00:37.583+00:00 Connection to private endpoint via SMB 445 is good and validated by netstat
-
TXS-DEV 1 Reputation point
2022-01-04T00:01:51.733+00:00 I can successfully telnet to 445 using local IP 10.0.0.7 which proves that it can get to the share but just not authenticate.
-
Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator
2022-01-08T14:21:57.363+00:00
Sign in to comment -