Azure Files: "The specified network password is not correct"

Question

Hello, fellow Azureheads,

If anyone has encountered the below, I need your lights.

Long story "short":

The setup

• AAD DS setup
• Kerberos Armouring enabled, NTLM disabled
• Storage account with Azure Files configured
• Storage public access is disabled
• VPN Gateway configured with P2S (not an always-on VPN)
• Private endpoint configured with the storage account

The issue

Connection to the network drives works but won't persist logoffs/restarts (using AD authentication instead of Storage account key) for the users logging into the managed domain-joined devices. The message returned is: "The specified network password is not correct".

However, on the same devices, network drives always persist logoffs/restarts for the local administrators using the credentials of any of the above users to map the drive.

DNS resolution for working and non-working connections is the same since the ipconfig /displaydns cmdlet returns the same records (e.g. resolving both domain controllers and the storage accounts with their local Virtual Network IPs).

To put it simply, if I log in with a local admin account to the managed domain-joined device and connect to the VPN, I can access the mapped drive without issues, but if I log in with an AAD/AAD DS user; it will not connect.

The only way to connect under this user's context would be to disconnect and reconnect the mapped drive.

Any ideas?

Answer 1

@Konstantinos Xanthopoulos Thank you for reaching out to Microsoft Q&A. I understand that you are having issues with connectivity to network drives when logoffs/restarts occur.

Here is a similar issue that I see that may help you- https://learn.microsoft.com/en-us/answers/questions/290947/network-password-incorrect-using-azure-ad-ds-ident.html

If this does not work, please open a support ticket with Azure Support Team so they can thoroughly investigate this issue.

Please let us know if you have any further questions and we will be glad to assist you further. Thank you!

Remember:

Please accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer. Here is how.

Want a reminder to come back and check responses? Here is how to subscribe to a notification.

Answer 2

Hi - I had a very similar problem with my users. PUBLIC Endpoint works fine however some of our users working from home have ISP's blocking 445 out. So we built the VPN Gateway and set up the private endpoint - but when connecting to the drive they would get "The specified network password is incorrect". I could confirm the name resolution working correctly NRPT (Name resolution policy table) was applying correctly by running

test-netconnection -computername <storageaccount>.file.core.windows.net -port 445

This would then return the PRIVATE endpoint IP Address. (NSLookup does not respect NRPT tables). Great, so the connection was "valid". Then I read something about the VPN using the cached credentials of the VPN to authenticate to the share which was causing the issue. To work around this set the registry subkey KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds - Set the value to 1 After doing this the drive mapped fine. My understand is with this registry subkey set to 1 - the device will always query the domain and not use the cached creds.