Azure AD Joined SSO to On-Prem File Share Across a Forest Trust

Daniel Gatley 1 Reputation point
2020-06-11T20:19:58.843+00:00

We currently have SSO access to on-premises file shares working from an Azure AD joined machine; we do, however, have an issue accessing resources in another trusted forest. When attempting to browse to these locations, after a short pause we get Error Code: 0x80070035 - The network path was not found. Packet captures show the client is talking to the server and SMB negotiation takes place; the issue seems to be authentication.

What makes this interesting is that this only occurs when connected via a VPN (Microsoft RAS based); if the connection is made via a Cisco AnyConnect based VPN, authentication works. What I have noted from the packet captures is that when connected by the native VPN client (Microsoft RAS), the DNS query to locate the KDC is for the wrong domain (the domain of the logged-in user), so it's understandable that it would not be able to continue with Kerberos auth. On the Cisco based VPN the KDC lookup uses the correct on-premises domain and Kerberos auth works. So if we ignore everything that comes after the DNS lookup, why does one VPN (using the built-in facility) use one domain to look up the KDC and the other VPN (Cisco AnyConnect - virtual Ethernet adapter?) use the correct one?

Microsoft Entra ID
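The question turns on which domain the client uses for its KDC lookup over each VPN. The following diagnostic script is an added example, not part of the original question or answer; it checks, from the affected Windows client, the per-interface DNS servers, the VPN profile's DNS suffix and split-tunnel setting, the effective NRPT rules, the `_kerberos._tcp.dc._msdcs.<domain>` SRV records for both the user's domain and the resource forest, and finally a Kerberos service-ticket request for the share. All domain, host and VPN names are hypothetical placeholders, not taken from the page.

```powershell
# Added diagnostic script; not code from the original question or answer.
# Assumed (hypothetical) names: the user's home domain users.example.com, the trusted
# forest holding the share resources.example.net, the file server
# fs01.resources.example.net, and a RAS VPN profile called "Corp VPN".
param(
    [string]$UserDomain     = 'users.example.com',
    [string]$ResourceDomain = 'resources.example.net',
    [string]$ShareHost      = 'fs01.resources.example.net',
    [string]$VpnName        = 'Corp VPN'
)

# 1. DNS servers per interface. The RAS VPN adapter gets its servers and suffix from the
#    VPN profile; a third-party adapter gets them from its own headend configuration.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue |
    Format-List Name, DnsSuffix, SplitTunneling, ConnectionStatus

# 2. Effective NRPT rules. A rule that sends only the user's domain suffix to the VPN
#    DNS servers leaves queries for the resource forest to the physical adapter's resolver.
Get-DnsClientNrptPolicy -Effective |
    Format-Table Namespace, NameServers, DirectAccessDnsServers -AutoSize

# 3. KDC SRV records for both domains. Windows locates a KDC for realm X through
#    _kerberos._tcp.dc._msdcs.X; if only the user's domain resolves over this VPN, the
#    cross-forest ticket request cannot proceed past DNS.
foreach ($domain in @($UserDomain, $ResourceDomain)) {
    $name = "_kerberos._tcp.dc._msdcs.$domain"
    try {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop
        Write-Host "KDC SRV records for ${domain}:"
        $srv | Where-Object { $_.Type -eq 'SRV' } |
            Format-Table NameTarget, Port, Priority, Weight -AutoSize
    } catch {
        Write-Warning "KDC SRV lookup failed for ${domain}: $($_.Exception.Message)"
    }
}

# 4. Ask for a CIFS service ticket for the share. The realm shown on the returned ticket
#    identifies which KDC answered; a failure here after step 3 succeeded for both domains
#    points at the trust or referral path rather than at DNS.
klist get "cifs/$ShareHost"
klist | Select-String -Pattern 'Server:|KerbTicket Encryption'
```

Run it once on each VPN and compare the step 2 and step 3 output: if the resource forest's SRV record resolves only on one of the two connections, the difference is in how that VPN populates the client's DNS servers and name-resolution policy, which is exactly what the question observes in the captures.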

1 answer

  1. Jeevan Desarda 91 Reputation points Microsoft Employee
    2020-06-12T17:44:57.867+00:00

    I think if Cisco AnyConnect is integrated with Azure AD using SAML then this should solve the issue. In my understanding this might be using the NPS connector right now.
    So when the authentication is done, the Cisco app is trying to get the user details from the on-premises AD.
