question

MadinaGotova-3743 avatar image
0 Votes"
MadinaGotova-3743 asked MadinaGotova-3743 commented

Access to Azure File Share one tenant multiple forests

We have a scenario: One tenant and two forests syncing to one Azure AD, hybrid environment. Two-way forest trust is configured. Storage account A is configured for Forest A, and storage account B is configured for Forest B. On-prem AD authentication is required to access Azure File shares. Now user from forest A needs to be able to access Azure FS of forest/storage account B. I have added azure file share-level permission. What else needs to be done in this scenario. User from forest A keeps getting an error message the network password is incorrect.
Please kindly advise

azure-files
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

1 Answer

SumanthMarigowda-MSFT avatar image
0 Votes"
SumanthMarigowda-MSFT answered MadinaGotova-3743 commented

@MadinaGotova-3743 Firstly, apologies for the delay in responding here! Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

Azure Files on-premises AD DS authentication only integrates with the forest of the domain service that the storage account is registered to. To support authentication from another forest, your environment must have a forest trust configured correctly. The way Azure Files register in AD DS almost the same as a regular file server, where it creates an identity (computer or service logon account) in AD DS for authentication. The only difference is that the registered SPN of the storage account ends with "file.core.windows.net" which does not match with the domain suffix. Consult your domain administrator to see if any update to your suffix routing policy is required to enable multiple forest authentication due to the different domain suffix. We provide an example below to configure suffix routing policy.

Example: When users in forest A domain want to reach an file share with the storage account registered against a domain in forest B, this will not automatically work because the service principal of the storage account does not have a suffix matching the suffix of any domain in forest A. We can address this issue by manually configuring a suffix routing rule from forest A to forest B for a custom suffix of "file.core.windows.net". First, you must add a new custom suffix on forest B. Make sure you have the appropriate administrative permissions to change the configuration, then follow these steps:

Logon to a machine domain joined to forest B
- Open up "Active Directory Domains and Trusts" console
- Right click on "Active Directory Domains and Trusts"
- Click on "Properties"
- Click on "Add"
- Add "file.core.windows.net" as the UPN Suffixes
- Click on "Apply", then "OK" to close the wizard
- Next, add the suffix routing rule on forest A, so that it redirects to forest B.


Logon to a machine domain joined to forest A
- Open up "Active Directory Domains and Trusts" console
- Right-click on the domain that you want to access the file share, then click on the "Trusts" tab and select forest B domain from outgoing trusts. If you haven't configure trust between the two forests, you need to setup the trust first
- Click on "Properties…" then "Name Suffix Routing"
- Check if the ".file.core.windows.net" suffix shows up. If not, click on 'Refresh'
- Select "
.file.core.windows.net", then click on "Enable" and "Apply"

**Note:**To use the AD credential for authentication, you need to make sure that the AD credential is synced to Azure AD, and that Azure AD is fully synced to Azure AD DS. If not, AAD DS will not be able to perform authentication against an AD credential. Please check the sync status and let us know if you continue to run into issue.

Refer to this article on Built-in RBAC : https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
assign share-level permissions to an identity

Additional information: A sync group can contain server endpoints that have different Active Directory memberships, even if they are not domain-joined. Although this configuration technically works, we do not recommend this as a typical configuration because access control lists (ACLs) that are defined for files and folders on one server might not be able to be enforced by other servers in the sync group. For best results, we recommend syncing between servers that are in the same Active Directory forest, between servers that are in different Active Directory forests but which have established trust relationships, or between servers that are not in a domain. We recommend that you avoid using a mix of these configurations.


Multiple forests with AD DS and Azure AD: https://docs.microsoft.com/en-us/azure/architecture/example-scenario/wvd/multi-forest

Please let us know if you have any further queries. I’m happy to assist you further.


Please do not forget to 195394-screenshot-2021-12-10-121802.png and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.



· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Thank you for your reply, I have read about this before but wasn't sure if we can apply it in our case: we have storage account A registered with Forest A and storage account B registered with Forest B, File Shares with different storage accounts are connected within two forests. In our scenario we have multiple forests (two-way forest trust) syncing via one AD Connect to one Azure AD tenant, password hash sync is enabled, on-prem AD is configured for authentication on Azure FS:
users from domain/forest A connected to \\a.file.core.windows.net\share_a,
users from domain/forest B connected to \\b.file.core.windows.net\share_b

We need forest A users to be able to access/map \\b.file.core.windows.net\share_b

So question here, if we configure UPN suffix routing, would it break/loop access users from domain/forest A connected to \\a.file.core.windows.net\share_a,
OR users from domain/forest B connected to \\b.file.core.windows.net\share_b
Hope I described it clear

0 Votes 0 ·

@Sumarigo-MSFT please advise on my comment above

0 Votes 0 ·