Azure File Share Authorization and Auditing

Niteesh G S 1 Reputation point
2022-05-18T18:16:57.103+00:00

Hi,

I am trying to audit events from Azure File Share. I do this by creating a diagnostic setting in the storage account to stream all file share events to an event hub, and then process those log events by subscribing to the event hub.

I was successfully able to collect the logs, but I am a bit confused about the authorization of Azure file shares. I have configured my file share to use Azure ADDS for authentication and I am successfully able to authenticate with the same.

AFAIU there are 4 ways to authenticate users to the azure file share.

  1. Azure ADDS
  2. On prem ADDS
  3. Connection string
  4. SAS token

When a user performs an action, e.g. file creation, I get an event specifying the action along with the authorization type. For example, a file creation event looks like the following (skipping irrelevant fields).

{  
  "records": [{  
    "time": "2022-04-26T06:59:16.8994535Z",  
    "operationName": "Create",  
    "operationVersion": "0x311",  
    "schemaVersion": "1.0",  
    "statusCode": 0,  
    "durationMs": 8,  
    "callerIpAddress": "10.0.1.4",  
    "correlationId": "fc2bdeb9-101d-001f-003b-590c03000000",  
    "identity": {  
      "type": "Kerberos",  
      "requester": {  
        "smbPrimarySID": "S-1-5-21-2494376262-2334712497-2019463181-1348"  
      }  
    },  
    "location": "East US",  
    "properties": {  
      "accountName": "adapazureadds",  
      "etag": "0x8da275247a1bbd6",  
      "serviceType": "file",  
      "objectKey": "\\\\adapazureadds.file.core.windows.net\\testshare1\\New Text Document.txt",  
      "smbMessageID": "0X44",  
      "smbCommandMajor": 5,  
      "smbCommandMinor": "FileCreate",  
      "smbStatusCode": "0"  
    },  
    "uri": "\\\\adapazureadds.file.core.windows.net\\testshare1\\New Text Document.txt",  
    "protocol": "SMB",  
    "resourceType": "Microsoft.Storage/storageAccounts/fileServices"  
  }]  
}  

I use the smbPrimarySID field to find the user responsible for this event.

Similarly, when using a connection string or SAS tokens I get the following identity types:

"identity": {  
    "type": "SAS",  
    "tokenHash": "key1(2C67174B5D20100031BCB3D57D683CBA39C698779027FF8346C32DF7F09A8358),SasSignature(FFEB305868EFACB05700C7AA4D3D8F8B9FC2D1CB511B33214A6FE503DF33315B)"  
}  
  

"identity": {  
  "type": "AccountKey",  
  "tokenHash": "key1(2C67174B5D20100031BCB3D57D683CBA39C698779027FF8346C32DF7F09A8358)"  
},  

Question 1) What are these values "key1(2C67174B5D20100031BCB3D57D683CBA39C698779027FF8346C32DF7F09A8358)" and "SasSignature(FFEB305868EFACB05700C7AA4D3D8F8B9FC2D1CB511B33214A6FE503DF33315B)"?
This Microsoft document mentions this as the SHA256 of the key. What key is the document talking about?
In the case of SasSignature, the document mentions it as the SHA256 of the SAS token, but when I calculate the SHA256 of the SAS token I use, I get a different result.

Question 2) Sometimes I get events with NTLMv2 as the authentication from bogus (not real machines) IP addresses. What/who is generating those events and why?

{  
  "category": "StorageRead",  
  "operationName": "QueryInfo",  
  "operationVersion": "0x311",  
  "schemaVersion": "1.0",  
  "durationMs": 0,  
  "callerIpAddress": "10.0.0.37",  
  "correlationId": "cc76918f-501d-006c-00df-6a5490000000",  
  "identity": {  
    "type": "NTLMv2"  
  },  
  "location": "East US",  
  "properties": {  
    "objectKey": "\\\\adapazureadds.file.core.windows.net\\testshare1\\",  
    "lastModifiedTime": "1601/01/01 00:00:00.0000000",  
    "metricResponseType": "Success",  
    "smbCreditsConsumed": 1,  
    "smbMessageID": "0X15",  
    "smbCommandMajor": 16,  
    "smbCommandMinor": "QueryFsAttributeInformation",  
    "smbStatusCode": "0"  
  },  
  "protocol": "SMB",  
  "resourceType": "Microsoft.Storage/storageAccounts/fileServices"  
}  

Here the IP address 10.0.0.37 is bogus; no such machine exists in my VNET.

Question 3) Can a real user authenticate using NTLMv2? If so, how? And is it possible to have the user information during an NTLMv2 request, i.e. something like the user SID, similar to Kerberos?

UPDATE: I have also configured Azure File Sync for the file share. Hope this helps in providing more context.


1 answer

  1. Sumarigo-MSFT 47,466 Reputation points Microsoft Employee Moderator
    2022-06-08T05:18:12.843+00:00

    @Niteesh G S Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

    >Question 1) What are these values "key1(2C67174B5D20100031BCB3D57D683CBA39C698779027FF8346C32DF7F09A8358)" and "SasSignature(FFEB305868EFACB05700C7AA4D3D8F8B9FC2D1CB511B33214A6FE503DF33315B)"?

    “key1” refers to the SHA-256 hash of the Storage Account’s Key1 (this is the key1 listed under “Access Keys” for the storage account).
    “SasSignature” refers to the SHA-256 hash of the signature part of the Shared Access Signature, i.e. the XXXXX part in the token here: “?sv=2020-08-04&ss=bfqt&srt=o&sp=rwdlacupitfx&se=2022-06-02T12:45:45Z&st=2022-06-02T04:45:45Z&spr=https&sig=XXXXX”

    >Question 2) Sometimes I get events with NTLMv2 as the authentication from bogus(Not real machines) IP addresses. What/Who is generating those events and why?

    This is not a bogus request. It was a successful request made with an open handle on an authenticated session. While I can’t speak to any oddities associated with private VNETs, in general when the “callerIpAddress” is v4 it very rarely corresponds to what the actual client thinks their IP address is. There is a lot of mirroring between client and server when IPv4 is used. If you have the timestamp (and timezone) of the entry below, or a more recent repro, I can look it up if it is not too long ago. I should be able to get the workstation/machine name, which is often a very big clue.

    > Question 3) Can real user authenticate using NTLMv2, If so how? And is it possible to have the user information during an NTLMv2 request? i.e. Something like the user SID similar to Kerberos.

    The answer is no. Support for domain-joined users to access Azure Files over SMB is only via Kerberos. We do not support NTLMv2 for domain-joined users.

    Please let us know if you have any further queries. I’m happy to assist you further.


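As an added example (not part of the question or the answer above), here is a small Python helper that turns the "identity" objects shown in these records into something an auditor can attribute: Kerberos records resolve to the smbPrimarySID, AccountKey and SAS records are matched against the storage account keys and the sig= values of SAS tokens you issued by hashing them with SHA-256 as the answer describes, and NTLMv2 records are reported as unattributed because they carry no requester field. The exact bytes Azure hashes into tokenHash (the key or sig text as shown in the portal, or its decoded form) are an assumption, so the helper tries several encodings and reports which one matched; the key and sig values in the test are constructed, not real.

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import unquote

# tokenHash in the log records reads "key1(HEX)" or "key1(HEX),SasSignature(HEX)"
TOKEN_HASH_RE = re.compile(r"(\w+)\(([0-9A-Fa-f]+)\)")

def parse_token_hash(token_hash):
    """Split a tokenHash string into {"key1": "hex", "SasSignature": "hex"} (lowercase hex)."""
    return {name: digest.lower() for name, digest in TOKEN_HASH_RE.findall(token_hash)}

def candidate_digests(secret):
    """SHA-256 of a secret as portal text (the assumed form), plus URL-decoded and
    base64-decoded variants so a mismatch can be diagnosed rather than just reported."""
    forms = {"text": secret.encode()}
    decoded = unquote(secret)
    if decoded != secret:
        forms["url-decoded"] = decoded.encode()
    try:
        forms["base64-decoded"] = base64.b64decode(decoded, validate=True)
    except binascii.Error:
        pass  # not valid base64, nothing more to try
    return {form: hashlib.sha256(data).hexdigest() for form, data in forms.items()}

def match_secret(expected_hex, secrets):
    """Return 'name [form]' for the secret whose digest equals expected_hex, else None."""
    for name, secret in secrets.items():
        for form, digest in candidate_digests(secret).items():
            if digest == expected_hex:
                return f"{name} [{form}]"
    return None

def attribute_identity(identity, account_keys, sas_signatures):
    """Resolve a record's "identity" object to (kind, detail).
    account_keys: {"key1": "<key text>", ...}; sas_signatures: {"<label>": "<sig= value>", ...}"""
    kind = identity.get("type")
    if kind == "Kerberos":  # the only SMB identity type that carries the caller's SID
        return ("user", identity["requester"]["smbPrimarySID"])
    if kind not in ("AccountKey", "SAS"):  # e.g. NTLMv2: no requester field to pivot on
        return ("unattributed", kind)
    hashes = parse_token_hash(identity.get("tokenHash", ""))
    key_hit = match_secret(hashes.get("key1") or hashes.get("key2"), account_keys)
    if kind == "AccountKey":
        return ("account-key", key_hit or "unknown key")
    sas_hit = match_secret(hashes.get("SasSignature"), sas_signatures)
    return ("sas", f"{sas_hit or 'unknown SAS'} signed with {key_hit or 'unknown key'}")
```

Feed each record's "identity" object from the event hub stream to attribute_identity together with your account keys and the sig= values you keep for issued SAS tokens; an "unknown key" or "unknown SAS" result is itself a finding worth alerting on.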
