DaanPoleij-1444 asked cjm888-7105 edited

Azure Files with ADDS Authentication - Can't connect from most on-premise devices

Hi all,

We have been in a POC for Azure Files with ADDS authentication for a while, yet I still come across a lot of errors that I can't seem to get a hold of.

The environment is as follows.

3x DC (2x On-premise, 1x Azure)
Storage account with a file share
Private DNS Zone with a Private Endpoint
Site to Site VPN between on-premise and Azure
AD Connect configured
Storage account AD Domain joined

Edited DNS configurations as follows:
Added privatelink.file.core.windows.net as a new Forward Lookup zone, with an A record inside which refers to the private IP of the private endpoint associated with the share.
For the on-premises DNS servers, a conditional forwarder of "core.windows.net" with the private IP address of the DC that's located in Azure.
For the Azure DNS server, a conditional forwarder of "core.windows.net" with the Azure private DNS address, "168.63.129.169".

The traffic seems to flow over the VPN, and other data is correctly being pushed through. But it isn't possible to mount the file share except from one server, which is the secondary DC located on-premises.

The subnet that resides in Azure starts with 10.192.x.x
The subnet that resides on-premise is 192.168.x.x

From the DC in Azure I can connect to the share, which seems logical because they are in the same subnet.
From one DC on-premises I can connect to the share; from the other DC on-premises I get the error "The specified network password is not correct", while I used the same credentials as for the other DCs.


Is anyone able to point me in the right direction to fix this, or has anyone come across this issue while configuring the Azure Files solution? Would love to hear from you guys, thanks in advance.

azure-files

Sumarigo-MSFT answered Sumarigo-MSFT edited

@DaanPoleij-1444 Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused.

Azure Files supports identity-based authentication over Server Message Block (SMB) through two types of domain services: on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS). We strongly recommend that you review the How it works section to select the right domain service for authentication. The setup is different depending on the domain service you choose. This series of articles focuses on enabling and configuring on-premises AD DS for authentication with Azure file shares: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

Also make sure you have the proper role assigned to the 1 DC.

Enable Azure Active Directory Domain Services authentication on Azure Files

After re-verifying the prerequisites and permissions and following the above article, if you are still facing the same issue, I would love to work closer on this issue. You can reach me via AZCommunity[AT]microsoft.com with a link to this issue as well as your subscription ID, and we can help get a support ticket opened for this issue. Please mention "ATTN subm" in the subject field. We would like to work closer with you on this matter.

Additional information: We managed to make this work by following the documentation below:
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-networking-overview
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-networking-dns#using-the-azure-files-hybrid-module-to-configure-dns-forwarding
https://docs.microsoft.com/en-us/azure/storage/files/storage-files-networking-dns#confirm-dns-forwarders

Tip: you have to make *.file.core.windows.net resolve for the AD authentication to work.


Thank you for your patience and co-operation! Looking forward to your reply!

Kindly let us know if the above helps or you need further assistance on this issue.


Please don't forget to "Accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial to other community members.
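To check the three things this thread turns on (the private-endpoint DNS chain described in the question, the "*.file.core.windows.net must resolve" tip above, and the AD object the domain join creates), here is an added diagnostic script. It is not from the thread or from Microsoft's documentation; the storage account name and private IP are placeholders, and it assumes the documented CNAME chain (`<account>.file.core.windows.net` -> `<account>.privatelink.file.core.windows.net` -> A record) and that the ActiveDirectory PowerShell module is installed on the client.

```powershell
# Added diagnostic script (not from the thread). Placeholders: storage account name and expected IP.
param(
    [string]$StorageAccount    = 'storageaccount',   # placeholder: your storage account name
    [string]$ExpectedPrivateIp = '10.192.0.10'       # placeholder: IP from the privatelink A record
)
$fqdn        = "$StorageAccount.file.core.windows.net"
$privateLink = "$StorageAccount.privatelink.file.core.windows.net"

function Test-PrivateIPv4 {
    # RFC 1918 ranges; a public answer here means the query bypassed the private zone.
    param([string]$Ip)
    $o = $Ip.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or ($o[0] -eq 192 -and $o[1] -eq 168)
}

# 1. Name resolution as seen from this client (same lookup nslookup does, with the record chain kept).
$records = Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop
$cname   = ($records | Where-Object Type -eq 'CNAME').NameHost
$aRecs   = ($records | Where-Object Type -eq 'A').IPAddress
Write-Host "CNAME chain : $($cname -join ' -> ')"
Write-Host "A records   : $($aRecs -join ', ')"
if ($cname -notcontains $privateLink) {
    Write-Warning "No CNAME to $privateLink; the conditional forwarder for core.windows.net is not being used by this client"
}
foreach ($ip in $aRecs) {
    if (-not (Test-PrivateIPv4 $ip)) {
        Write-Warning "$fqdn resolved to public address $ip; SMB would not go through the private endpoint"
    } elseif ($ip -ne $ExpectedPrivateIp) {
        Write-Warning "Resolved $ip but expected $ExpectedPrivateIp; check the A record in the privatelink zone"
    }
}

# 2. SMB reachability over the VPN to whatever address the client resolved.
$tnc = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue
Write-Host "TCP 445 to $($tnc.RemoteAddress): $($tnc.TcpTestSucceeded)"

# 3. The AD object created when the storage account was domain joined must carry the SPN
#    the client requests a Kerberos ticket for (cifs/<account>.file.core.windows.net).
$spn   = "cifs/$fqdn"
$adObj = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName, objectClass
if ($adObj) {
    Write-Host "AD object for $spn : $($adObj.DistinguishedName) ($($adObj.objectClass))"
} else {
    Write-Warning "No AD object has SPN $spn; re-check the domain join of the storage account"
}
```

Run it on each client that behaves differently (the on-premises DC that mounts and the one that gets the password error) and compare the three sections; a difference in the CNAME chain or resolved address points at DNS rather than at credentials.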



DaanPoleij-1444 answered

No problem at all!


"Also make sure you have the proper role assigned to the 1 DC."

What do you actually mean by this? There isn't a specific role I have to assign to a DC, right? If this is about the Storage RBAC permissions, these have already been assigned.

The resolving also works as it should. When doing nslookup for the following, it correctly returns a private IP:
nslookup "storageaccount".file.core.windows.net

The networking part seems to be correctly set up, if I am correct.



cjm888-7105 answered cjm888-7105 edited

Hi,

Did you resolve this issue, as I am experiencing a similar issue?

I can connect to the Azure file share from on-premises via the internet ("storageaccount".file.core.windows.net), but when I try via the private link I am prompted and can't connect.

I followed a couple of user guides and I can't see why it's failing.

Running the Test-NetConnection command returns the correct details.

I haven't got a DC in the Azure VNet, just on-prem DCs. I have a lookup zone and conditional forwarders set up on my on-prem DCs.

The issue is on both on-prem clients and Azure VNet clients.
