We created an Azure Storage File Share and are trying to set up Identity-based authentication. We followed the GitHub sample for this that is available here: Azure Files Samples on GitHub
We were able to successfully run the following command to set up a user account corresponding to the storage account.
# Prerequisites from the Azure Files samples README: the AzFilesHybrid module and an Azure login
Import-Module -Name AzFilesHybrid
Connect-AzAccount
# Registers the storage account in AD as a service logon account under the given OU
Join-AzStorageAccountForAuth `
    -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName `
    -DomainAccountType "ServiceLogonAccount" `
    -OrganizationalUnitDistinguishedName "ou-distinguishedname-here"
After this, we mounted the storage account via the storage access keys and assigned the NTFS permissions on the file share. We also ensured that the SMB-related contributor permission is assigned on the file share in the storage account in the Azure portal.
When we try to mount the file share we are prompted for credentials and it does not connect. We are using the command below to try to connect:
net use Y: \\storageAccountName.file.core.windows.net\testShare
We ensured that we are trying these steps from a domain-joined computer with a domain user. The on-prem AD is connected to Azure AD via AD Connect, which runs every 30 minutes. We ensured that this domain user is part of the AD groups that were assigned access on the file share in the Azure portal and also NTFS permissions on the share itself. The storage account has a Private Endpoint enabled and, to reduce complexity, we are testing using the IP address that is assigned to the storage account.
Why is the command still asking for the credentials and not connecting to the File share? Anything we could be missing?
Found the resolution after more troubleshooting. The solution was that the DNS should be set up first. After setting up the DNS and trying to connect to the "storageAccountName.file.core.windows.net" instead of the IP address, the connection worked fine. It did not ask for any credentials and leveraged the logged-in domain user to connect.
I believe the Kerberos authentication requires the connection to the DNS name (instead of the direct IP address) as the object corresponding to the storage is set up to the name of the storage account.
Hopefully, this helps someone else facing this issue.
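The pre-flight check below is an added example (not from the question, the answer, or the Azure Files samples) that verifies the three things the resolution above depends on: the share name resolves in DNS, TCP 445 is reachable, and the client can obtain a Kerberos ticket for cifs/<fqdn> before mounting by name. It assumes a domain-joined Windows client with the DnsClient, NetTCPIP and SmbShare modules that ship with Windows 10 / Server 2016+, and the placeholder storage account, share and drive-letter values shown.

```powershell
# Added diagnostic example; the values below are placeholders taken from the question.
$StorageAccountName = "storageAccountName"
$ShareName          = "testShare"
$DriveLetter        = "Y:"
$Fqdn = "$StorageAccountName.file.core.windows.net"

# 1. Kerberos needs the DNS name, not the private-endpoint IP: the AD object created
#    by Join-AzStorageAccountForAuth carries an SPN for the storage account name.
$dns = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    throw "No A record for $Fqdn. Set up DNS for the private endpoint before mounting by name."
}
$ip = ($dns | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
Write-Host "$Fqdn resolves to $ip"

# 2. SMB over TCP 445 must reach the private endpoint from this client.
$tcp = Test-NetConnection -ComputerName $Fqdn -Port 445 -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    throw "TCP 445 to $Fqdn ($ip) is not reachable; check NSG, firewall and private-endpoint routing."
}

# 3. Request a service ticket for the file service. If none is issued, the client
#    falls back to NTLM, which is what produces the credential prompt.
$ticket = & klist.exe get "cifs/$Fqdn" 2>&1
if (($ticket -join "`n") -notmatch [regex]::Escape("cifs/$Fqdn")) {
    Write-Warning "No Kerberos ticket for cifs/$Fqdn. Re-check Join-AzStorageAccountForAuth and that AD Connect has synced this user."
    $ticket | Write-Host
}

# 4. Mount by FQDN (never by IP) and show which identity and dialect the session uses.
New-SmbMapping -LocalPath $DriveLetter -RemotePath "\\$Fqdn\$ShareName" -Persistent $false | Out-Null
Get-SmbConnection -ServerName $Fqdn | Select-Object ServerName, ShareName, UserName, Dialect
```

If step 3 warns but step 4 still mounts without a prompt, the session was negotiated with NTLM; the Kerberos ticket is the signal that identity-based authentication is actually in use.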