We currently have SSO access to on-premise file shares working from an Azure AD joined machine. We do, however, have an issue accessing resources in another trusted forest. When attempting to browse to these locations, after a short pause we get Error Code: 0x80070035 - The network path was not found. Packet captures show the client is talking to the server, as SMB negotiation takes place; the issue seems to be authentication.

What makes this interesting is that this only occurs when connected via a VPN (Microsoft RAS based); if the connection is made via a Cisco AnyConnect based VPN, authentication works.

What I have noted from the packet captures is that when connected by the native VPN client (Microsoft RAS), the DNS query to locate the KDC is for the wrong domain (the domain of the logged-in user), so it's understandable that it would not be able to continue with Kerberos auth. On the Cisco based VPN, the KDC lookup uses the correct on-premise domain and Kerberos auth works.

So, if we ignore everything that comes after the DNS lookup, why does one VPN (using the built-in facility) use one domain to look up the KDC and the other VPN (Cisco AnyConnect - Virtual Ethernet Adapter?) use the correct one?