
DanielGatley-2289 asked:

Azure AD Joined SSO to On-Prem File Share Across a Forest Trust

We currently have SSO access to on-premises file shares working from Azure AD joined machines; we do, however, have an issue accessing resources in another trusted forest. When attempting to browse to these locations, after a short pause we get Error Code: 0x80070035 - The network path was not found. Packet captures show the client is talking to the server, as SMB negotiation takes place; the issue seems to be authentication.

What makes this interesting is that this only occurs when connected via a VPN (Microsoft RAS based); if the connection is made via a Cisco AnyConnect based VPN, authentication works. What I have noted from the packet captures is that when connected by the native VPN client (Microsoft RAS), the DNS query to locate the KDC is for the wrong domain (the domain of the logged-in user), so it's understandable that it would not be able to continue with Kerberos auth. On the Cisco based VPN the KDC lookup uses the correct on-premises domain and Kerberos auth works.

So, if we ignore everything that comes after the DNS lookup, why does one VPN (using the built-in facility) use one domain to look up the KDC, and the other VPN (Cisco AnyConnect - virtual Ethernet adapter?) use the correct one?

azure-ad-single-sign-on
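The post compares a KDC lookup captured on two VPN adapters. One caveat before comparing captures: with a forest trust, the client first asks a KDC in its own logon realm for a ticket to `cifs/<server>` and receives a referral, so a DNS SRV lookup for the logon domain is expected at the start of the exchange; the question is whether the follow-on SRV lookup for the resource realm (`_kerberos._tcp.dc._msdcs.<resource domain>`) succeeds against the DNS servers and suffix/NRPT settings the VPN adapter supplies. The PowerShell below is an added diagnostic, not code from the original post or from either VPN vendor; it assumes the placeholder names `corp.example.com` (logon domain), `partner.example.net` (trusted resource forest) and `fs01.partner.example.net` (file server), which you replace with your own. Run it once on each VPN and diff the output.

```powershell
# Added diagnostic (not from the original post). All three names below are
# placeholders; substitute the real logon domain, resource forest and server.
param(
    [string]$UserDomain     = 'corp.example.com',
    [string]$ResourceDomain = 'partner.example.net',
    [string]$FileServer     = 'fs01.partner.example.net'
)

# 1. Adapters that are up and the DNS servers each one hands to the resolver.
#    A RAS-based VPN shows up as a PPP adapter; the AnyConnect virtual
#    adapter behaves like a normal Ethernet adapter with its own metric.
Get-NetAdapter | Where-Object Status -eq 'Up' |
    Select-Object Name, InterfaceDescription, InterfaceMetric
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

# 2. Connection-specific suffixes and the global suffix search list. If the
#    VPN adapter only carries the logon domain, unqualified names and
#    suffix-devolved lookups are completed with the wrong domain.
Get-DnsClient | Select-Object InterfaceAlias, ConnectionSpecificSuffix
(Get-DnsClientGlobalSetting).SuffixSearchList

# 3. Name Resolution Policy Table rules: a rule for the resource namespace
#    decides which server answers _msdcs queries for that forest.
Get-DnsClientNrptPolicy |
    Select-Object Namespace, NameServers, DirectAccessDnsServers

# 4. The SRV record Kerberos uses to locate a KDC, issued per realm so it is
#    clear which lookup fails on which VPN.
foreach ($realm in @($UserDomain, $ResourceDomain)) {
    $srv = "_kerberos._tcp.dc._msdcs.$realm"
    try {
        Resolve-DnsName -Name $srv -Type SRV -DnsOnly -ErrorAction Stop |
            Where-Object Type -eq 'SRV' |
            Select-Object @{ n = 'Realm'; e = { $realm } }, NameTarget, Port, Priority
    }
    catch {
        Write-Warning "KDC lookup failed for $realm ($srv): $($_.Exception.Message)"
    }
}

# 5. Ask the Netlogon DC locator directly, bypassing cached results.
nltest "/dsgetdc:$ResourceDomain" /kdc /force

# 6. Request a service ticket for the share and list the cache: the ticket's
#    server realm shows whether the referral into the resource forest completed.
klist purge | Out-Null
klist get "cifs/$FileServer"
klist tickets
```

Step 4 is the one that maps onto the captured DNS query; if it succeeds for the logon domain but fails for the resource domain only on the RAS adapter, compare the server addresses and NRPT output from steps 1 to 3 between the two VPNs rather than the Kerberos traffic itself.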

1 Answer

JeevanDesarda-0592 answered:

I think if Cisco AnyConnect is integrated with Azure AD using SAML, this should solve the issue. In my understanding it might be using the NPS connector right now.
So when the authentication is done, the Cisco app is trying to get the user details from the on-premises AD.
