AD Authentication - Azure files over the Internet RRS feed

All replies

  • Firstly, apologies for the delay in responding here and any inconvenience this issue may have caused. 

    NTLM V2 = Storage Account Key

    AD = Kerberos. Kerberos is the auth protocol used for connecting over SMB. So technically you do not need a VPN to talk SMB and authenticate over Kerberos. SMB 3.0 is an internet safe protocol. (SSL encrypted) However, most customers / ISPs have blocked port 445. So SMB through the DMZ of any corpnet most likely won't work. So the solution is to tunnel your SMB traffic through a VPN (Site-to-Site VPN (Express Route is such a thing) or normal VPN.

    So, in that case you put your storage account in a VNET, and connect a site-to-site VPN to it, that tunnels all traffic, including SMB. There won’t be any port 445 issues.

    how to set up a site-to-site VPN:  https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-s2s-vpn

    Windows Specific: https://docs.microsoft.com/en-us/azure/storage/files/storage-files-configure-p2s-vpn-windows

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue. 

    Do click on "Mark as Answer" and Upvote on the post that helps you, this can be beneficial to other community members

    Tuesday, May 26, 2020 7:18 PM
  • Hi Sumanth,

    So I already have this authentication working with a S2S VPN. I would like to have kerb authentication over the internet but this has not been working. How will Kerberos work over the internet if the client does not have access to a Domain Controller? This diagram does not show this...

    Overview - Azure Files identity-based authorization | Microsoft Docs

    Also, port 445 over the internet is open as I have tested with the storage account key and it works fine.

    • Edited by Eddie_d4 Wednesday, May 27, 2020 11:52 PM
    Wednesday, May 27, 2020 11:49 PM
  • Hi Eddie_d4,

    Sumanth's answer is very close to correct - the subtlety that your point out is that you can use NTLMv2 to send AD credentials with Windows file server. In this particular scenario, this is not currently a supported scenario because Azure Files does not have the ability to talk back to your domain controller as a Windows Server would.

    I would strongly discourage you from pursuing this scenario simply because NTLMv2 is not a secure protocol. There are well documented attacks, such as "pass-the-hash" attacks, that NTLMv2 is vulnerable to. Kerberos is our recommended authentication protocol for SMB.

    In general, when I talk to customers who are exploring this, its because they're trying to prevent their clients from having two VPN connections: one to the on-premises network and one to Azure. Aside from customers who insist on using full tunnel VPNs, I have yet to hear a satisfying explanation for why this is a goal. If you have one - I would seriously like to hear about it.

    As a mitigation, one easy thing to consider is put a domain controller in an Azure VM. Doing this allows your client to have a single VPN connection to Azure, but still be able to talk to a domain controller.

    I'm implicitly assuming you have at least one VPN connection to Azure, because you *should not* assume that because you are able to mount a file share over SMB from your office or with your ISP that all of your users will be able to. Most ISPs block port 445. Unless your users are all accessing from a network you control, or you're all on the same ISP and working from somewhere else (a different home, from a hotel, etc.), you should not assume port 445 will be open.

    Please don't hesitate to reach out if you have any further questions. You can reach us at AzureFiles@microsoft.com.


    Will Gries
    Program Manager, Azure Files

    Friday, June 5, 2020 3:59 AM
  •  Just checking in to see if the above answer helped. If this answers your query, do click “Mark as Answer” and Up-Vote for the same, which might be beneficial to other community members reading this thread. And, if you have any further query do let us know.
    Monday, June 8, 2020 9:05 AM