Error connecting to storage account using Entra Domain services authentication

tharushi shehara 61 Reputation points
2025-02-24T04:51:07.1766667+00:00

Hello,

I am trying to connect to Azure Files using a non-domain-joined device. I am getting the error: "Specified password not correct"

- Entra Domain Services configured on Azure.
- Identity-based access configured to Entra Domain Services on the Azure file share.
- Confirmed that authentication is working on a domain-joined VM (file share successfully mounted using Entra ID credentials).
- The non-domain-joined device has network connectivity to the domain:
  • Point-to-site connection configured
  • Can ping the domain

Referred to this document - https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-domain-services-enable?tabs=azure-portal

where it clearly says, "Non-domain-joined VMs can access Azure file shares using Microsoft Entra Domain Services authentication only if the VM has unimpeded network connectivity to the domain controllers for Microsoft Entra Domain Services. Usually this requires either site-to-site or point-to-site VPN."

Trying to figure out what is missing when connecting from a non-domain-joined device. Let me know if anyone has succeeded in this scenario.

Thank You.


Accepted answer
  1. Keshavulu Dasari 3,790 Reputation points Microsoft Vendor
    2025-02-24T07:38:00.1033333+00:00

    Hi tharushi shehara,

    I understand the main issue seems to be related to the authentication process when trying to connect to the Azure file share from a non-domain-joined device; you have already made significant progress in troubleshooting this issue. I suggest a few more steps you might consider:

    Ensure that the non-domain-joined device can resolve the Fully Qualified Domain Name (FQDN) of the Azure file share. Sometimes, DNS resolution issues can cause authentication failures. When connecting from a non-domain-joined device, make sure you are providing explicit credentials in the format username@domainFQDN.

    Double-check that there are no network restrictions or firewalls blocking the connection between the non-domain-joined device and the domain controllers. Verify that the user account you're using has the necessary permissions to access the Azure file share. Sometimes, share-level permissions might not be correctly configured.

    Use the AzFileDiagnostics tool to validate the client environment and identify any potential issues.

    For more information:
    https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/security/files-troubleshoot-smb-authentication?tabs=azure-portal


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members. Your contribution is highly appreciated.

    If you have any other questions or are still running into more issues, let me know in the "comments". We will be glad to assist you further.


1 additional answer

  1. Alex Burlachenko 1,665 Reputation points
    2025-02-24T07:41:56.0033333+00:00

    Hi Tharushi,

    Let's check step by step. First of all, network connectivity: ensure that the non-domain-joined device has proper network connectivity to the domain controllers. This includes verifying that the VPN connection is stable and that there are no firewall rules blocking the necessary ports.

    Next is credentials: check the credentials you are using. Be sure that the username and password are correct and that the account has the necessary permissions to access the Azure file share.

    It may also be on the DNS config side: verify that the DNS settings on the non-domain-joined device are correctly configured to resolve the domain controllers.

    As well, Kerberos tickets: make sure that the device can obtain a Kerberos ticket from the domain controllers. You can use tools like klist to check for existing tickets and kinit to request new ones.

    Next, check the storage account config and confirm that the storage account is correctly configured to allow access from non-domain-joined devices using Entra Domain Services authentication.

    And of course logs and diagnostics: let's check the logs on the domain controllers and the storage account for any error messages or warnings that might provide more insight into the issue.

    rgds,

    Alex
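The checks that both answers describe (DNS resolution of the share and the domain controllers, open ports to them, explicit credentials in UPN form, and a Kerberos ticket check with klist) put together as one PowerShell pre-flight script for the non-domain-joined Windows client. This is an added example, not code from the question, either answer, or Microsoft; the storage account, share, domain and user values are placeholders, and it assumes the client reaches the Entra Domain Services network over the point-to-site VPN mentioned in the question.

```powershell
# Added example (not from the question or either answer): pre-flight checks a
# non-domain-joined Windows client should pass before mounting an Azure file share
# with Entra Domain Services (Kerberos) authentication. All four values are placeholders.
$StorageAccount = 'mystorageacct'        # placeholder: storage account name
$ShareName      = 'myshare'              # placeholder: file share name
$DomainFqdn     = 'aadds.contoso.com'    # placeholder: Entra Domain Services domain name
$UserUpn        = 'user@contoso.com'     # placeholder: UPN of the Entra user

$StorageFqdn = "$StorageAccount.file.core.windows.net"

# 1. DNS. The client must be using the Entra Domain Services DNS servers (normally
#    pushed by the point-to-site VPN profile). If the domain controllers never resolve,
#    the SMB client cannot obtain a Kerberos ticket, and the failure is reported as a
#    logon/password problem rather than as a network problem.
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    Select-Object InterfaceAlias, ServerAddresses

if (-not (Resolve-DnsName -Name $StorageFqdn -Type A -ErrorAction SilentlyContinue)) {
    Write-Warning "Cannot resolve $StorageFqdn"
}

# Domain controllers are located through the domain's SRV records.
$dcRecords = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'SRV' }
if (-not $dcRecords) {
    Write-Warning "No DC SRV records for $DomainFqdn; the client is not using the Entra DS DNS servers"
}

# 2. Ports. SMB to the storage endpoint (TCP 445) and Kerberos/LDAP to each DC (TCP 88, 389).
$portChecks = @()
$portChecks += Test-NetConnection -ComputerName $StorageFqdn -Port 445 -WarningAction SilentlyContinue
foreach ($dc in $dcRecords) {
    foreach ($port in 88, 389) {
        $portChecks += Test-NetConnection -ComputerName $dc.NameTarget -Port $port -WarningAction SilentlyContinue
    }
}
$portChecks | Select-Object ComputerName, RemotePort, TcpTestSucceeded | Format-Table -AutoSize

# 3. Mount with explicit credentials in UPN form (username@domainFQDN). A non-domain-joined
#    client has no ticket-granting ticket from logon, so the credentials must be handed to
#    the SMB client explicitly; the password is never placed on the command line.
$cred = Get-Credential -UserName $UserUpn -Message 'Entra Domain Services password'
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$StorageFqdn\$ShareName" -Credential $cred -ErrorAction Stop

# 4. Confirm the session actually used Kerberos: the ticket cache should now hold a
#    service ticket for the share's SPN, cifs/<storage FQDN>.
klist | Select-String -Pattern "cifs/$StorageFqdn" -SimpleMatch
```

Run it in an elevated PowerShell session on the client after the VPN is up, and read the results in order: a failed DNS or port check in steps 1 and 2 explains a bad-password error in step 3 far more often than the password itself, and an empty result from step 4 after a successful mount means the connection did not authenticate with Kerberos. Once all four steps pass, the AzFileDiagnostics tool from the accepted answer is the next thing to run if the share still cannot be reached.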

