Azure Files: "The specified network password is not correct"

Konstantinos Xanthopoulos 21 Reputation points
2022-04-16T17:21:07.823+00:00

Hello, fellow Azureheads,

If anyone has encountered the below, I need your lights.

Long story "short":

The setup

  • AAD DS setup
  • Kerberos Armouring enabled, NTLM disabled
  • Storage account with Azure Files configured
  • Storage public access is disabled
  • VPN Gateway configured with P2S (not an always-on VPN)
  • Private endpoint configured with the storage account

The issue

Connection to the network drives works but won't persist logoffs/restarts (using AD authentication instead of Storage account key) for the users logging into the managed domain-joined devices. The message returned is: "The specified network password is not correct".

However, on the same devices, network drives always persist logoffs/restarts for the local administrators using the credentials of any of the above users to map the drive.

DNS resolution for working and non-working connections is the same since the ipconfig /displaydns cmdlet returns the same records (e.g. resolving both domain controllers and the storage accounts with their local Virtual Network IPs).

To put it simply, if I log in with a local admin account to the managed domain-joined device and connect to the VPN, I can access the mapped drive without issues, but if I log in with an AAD/AAD DS user; it will not connect.

The only way to connect under this user's context would be to disconnect and reconnect the mapped drive.

Any ideas?

Azure Files
Azure Files
An Azure service that offers file shares in the cloud.
1,220 questions
Azure DNS
Azure DNS
An Azure service that enables hosting Domain Name System (DNS) domains in Azure.
631 questions
Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,910 questions
Azure Private Link
Azure Private Link
An Azure service that provides private connectivity from a virtual network to Azure platform as a service, customer-owned, or Microsoft partner services.
492 questions
Microsoft Entra
{count} votes

2 answers

Sort by: Most helpful
  1. Chris Robb 11 Reputation points
    2023-04-20T09:00:07.29+00:00

    Hi - I had a very similar problem with my users. PUBLIC Endpoint works fine however some of our users working from home have ISP's blocking 445 out. So we built the VPN Gateway and set up the private endpoint - but when connecting to the drive they would get "The specified network password is incorrect". I could confirm the name resolution working correctly NRPT (Name resolution policy table) was applying correctly by running

    test-netconnection -computername <storageaccount>.file.core.windows.net -port 445
    
    

    This would then return the PRIVATE endpoint IP Address. (NSLookup does not respect NRPT tables). Great, so the connection was "valid". Then I read something about the VPN using the cached credentials of the VPN to authenticate to the share which was causing the issue. To work around this set the registry subkey KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds - Set the value to 1 After doing this the drive mapped fine. My understand is with this registry subkey set to 1 - the device will always query the domain and not use the cached creds.

    2 people found this answer helpful.

  2. SaiKishor-MSFT 17,221 Reputation points
    2022-04-21T18:01:31.563+00:00

    @Anonymous Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with connectivity to network drives when logoffs/restarts occur.

    Here is a similar issue that I see that may help you- https://learn.microsoft.com/en-us/answers/questions/290947/network-password-incorrect-using-azure-ad-ds-ident.html

    If this does not work, please open a support ticket with Azure Support Team so they can thoroughly investigate this issue.

    Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

    Remember:

    Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

    Want a reminder to come back and check responses? Here is how to subscribe to a notification.

    1 person found this answer helpful.
    0 comments No comments