Issues mapping Azure file share using Entra Kerberos

Question

Issues mapping Azure file share using Entra Kerberos

Chase Griffin 0

So our scenario is that we are testing mapping Azure File Shares using only Entra credentials.

I've set up a storage account and file share, configured identity based access for Entra Kerberos, and followed all of the instructions in this knowledgebase article:

https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-hybrid-identities-enable?tabs=azure-portal%2Cregkey#grant-admin-consent-to-the-new-service-principal

Granted admin consent
Excluded the storage account from CA
Updated the manifest of the Storage account
Enabled kerberos retrieval on the client

When I attempt to map the drive using Net Use, it automatically gives me a credential error and then prompts for credentials. If I enter the credentials, I get an error 1326.

Does anyone know what could be causing this/what I'm doing wrong?

Chase Griffin 0 Reputation points

2025-12-03T20:00:45.88+00:00

I resolved this by changing the default Share Permissions to "Allow all by default". When I did this, I was instantly able to map the drive. I'm not sure what exactly the issue is because I assigned the same default role to my test user that I had already assigned it, but it must have been something to do with my RBAC role assignment.

Closing question out at this time.

1 answer

Your answer

Chase Griffin 0 Reputation points

2025-12-03T20:00:45.88+00:00

I resolved this by changing the default Share Permissions to "Allow all by default". When I did this, I was instantly able to map the drive. I'm not sure what exactly the issue is because I assigned the same default role to my test user that I had already assigned it, but it must have been something to do with my RBAC role assignment.

Closing question out at this time.

Answer 1

Vallepu Venkateswarlu 1,065 Microsoft External Staff Moderator

Hi @ Chase Griffin,
Welcome to Microsoft Q&A Platform

It sounds like you're running into some issues mapping Azure File Shares using Entra Kerberos authentication. This can be a bit tricky, so let's walk through a few things that might help resolve the credential error and the error code 1326 you're encountering.

Here are some steps you can try:

Double-Check Permissions:
- Ensure that the role assigned to your user account includes the necessary permissions to interact with the Azure File Shares. You could try assigning the Storage File Data Privileged Reader or Storage File Data Privileged Contributor roles.
MFA Configuration:
- If your organization uses Multi-Factor Authentication (MFA), ensure that you've excluded the Microsoft Entra app corresponding to your storage account from any conditional access policies. Otherwise, it can lead to sign-in issues when mapping the share.
Private Link Configuration:
- If you're using a private endpoint for your storage account, make sure that the private link FQDN is registered in your Microsoft Entra application. Any entry pointing to <storageAccount>.file.core.windows.net should also have a corresponding entry for <storageAccount>.privatelink.file.core.windows.net in the identifierUris field of the app registration.
Network Configuration:
- Check if the necessary ports (especially port 445 for SMB) are open on your network setup, as issues here can sometimes lead to authentication failures.
Kerberos Ticket Retrieval:
- Ensure that the clients you're using are set up to retrieve Kerberos tickets correctly. You may need to configure the clients via Intune, Group Policy, or a registry key as specified in the Microsoft docs.
Consult the Error Logs:
- Look at the Azure sign-in logs, which can sometimes provide additional details regarding what may be preventing successful authentication.

Relevant Documentation:

Please do not forget to and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

Chase Griffin 0 Reputation points

2025-12-03T17:13:39.02+00:00
I have the necessary RBAC roles

The storage account is excluded from our CA policy

I am not using private endpoint

The test on port 445 to the share succeeds

I have enabled kerberos retrieval as I specified in my initial post

Sign in logs show that I'm able to access the fileshare successfully and pass CA
Vallepu Venkateswarlu 1,065 Reputation points Microsoft External Staff Moderator

2025-12-03T19:22:12.1533333+00:00

Hi @ Chase Griffin,

Microsoft Entra ID supports Kerberos authentication for Azure Files only for hybrid identities (users synced from on-premises Active Directory via Azure AD Connect). Cloud-only Entra ID users aren’t supported.

Reference: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

For common SMB Azure Files authentication issues and fixes: https://learn.microsoft.com/en-us/troubleshoot/azure/azure-storage/files/security/files-troubleshoot-smb-authentication?tabs=azure-portal

Additional known issues: https://learn.microsoft.com/answers/questions/1031080/authentication-issues-using-aad-kerberos-for-azure

Azure AD Kerberos for Azure Files works only on supported OS versions, such as Windows 11 Enterprise/Pro (single or multi-session).

Before enabling Kerberos authentication, ensure all prerequisites are completed. If mapping fails, test using the storage account key and run AzFileDiagnostics to validate the client configuration. You can also use the Debug-AzStorageAccountAuth cmdlet (AzFilesHybrid v0.1.2+) to check AD configuration and permissions.

More details on Kerberos/NTLM behavior: https://learn.microsoft.com/windows-server/security/kerberos/ntlm-overview

Kindly let us know if the above helps or you need further assistance on this issue.

Please "upvote" if the information helped you. This will help us and others in the community as well.
Chase Griffin 0 Reputation points

2025-12-03T19:59:04.12+00:00

That actually isn't true. Cloud Only identities is currently in preview. I've just gotten this working by changing the default share permissions for authenticated users to "Allow all". It must have been something with my RBAC role assignment. I'll close this question out right now.
Gøran Fjermedal 0 Reputation points

2025-12-04T13:28:20.91+00:00

I'm testing the same exact thing and I'm having the same problem as you, Chase.
It doesn't matter if I assign the RBAC role "Storage File Data SMB Share Contributor" to a test users or a group that the test user is a member of, I still have to enable default permissions.
That means my whole organization gets access to the file share, and we can't use it for data that in any way is valuable (since we can't control who accesses it).

This feature should have been in place a loooong time ago, and unless we both missed something then MS just fumbled the ball right in front of the goal...
Chase Griffin 0 Reputation points

2025-12-04T14:37:59.66+00:00

Yep, I even gave elevated privileges to my test user to no success. If this isn't just a misconfiguration on my part in some way this is a pretty severe oversight on Microsoft's part. Good luck in finding a working solution!
Gøran Fjermedal 0 Reputation points

2025-12-04T16:48:40.1366667+00:00

Yeah, I tried the same. I also hoped giving "Reader" as default then assigning "Contributor" via groups could work, but it doesn't look like it.
I don't believe it to be a misconfiguration. Either lack of communication within MS has caused the guide to be incomplete, or they haven been able to make it work as of yet.
It's like selling a car with only 3 out of 4 wheels, so I hope they add the functionality asap.

Share via

Issues mapping Azure file share using Entra Kerberos

1 answer

Here are some steps you can try:

Relevant Documentation:

Your answer