Error 86 When Trying to Access an Azure Storage Account File Share

  • Question

  • Our company has users scattered across the country and we want to make a File Share that each of these users can access through a mapped drive using their Azure username and password authentication. We want to be able to use the NTFS capabilities so we can lock down who has access to what folders.

    I have created the Storage Account and File Share to do this and I have Enabled Azure Active Directory Domain Service (AAD DS). I can map the drive using the storage key without issue but when we try to map the drive with our Azure accounts we get Error 86 (Network password is not correct). I have tried this on many Windows 10 computers and our on-premise server (Windows Server 2012) and we get the same error everywhere.

    Any help on this would be much appreciated.

    Thank you,

    Damon

    Thursday, March 26, 2020 9:56 PM

Answers

  • Copying the steps from support which helped @DamonKS to resolve the issue, which may be beneficial to other community members who are reading this thread.

    Issue Definition:

    Getting error 86 when trying to map a drive to storage account file share.  

    Cause of the Issue:

    Trying to mount an Azure Files share with AAD authentication on an on-prem computer, which is a scenario that is not supported.

     

    Resolution: 

    Provided the information regarding the scope of Azure Files shares with Azure AD authentication and explained why the current scenario is not supported.

    Azure Files with Azure AD authentication is supported only when the share is mapped on a VM running on Azure and joined to Azure AD, as per the documentation below:

    https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable

    Is there any way to create some kind of User roles to access the File Share in the way you can map a drive using Azure\StorageAccountName with the password being the Storage Key? So somehow create other Azure\username with a key/password that can also access the Storage Account/File Share.

    When you go to the file share on the portal and click on the connect option, it will show you a script to map the file share using default connection credentials for the file share (totally independent of Azure AD credentials). Those credentials provide superuser/admin/root access to the file share, so no restrictions at all. That is the default user for the storage account and no other user of this kind can be created.

    # Check that the SMB port (TCP 445) of the storage endpoint is reachable
    $connectTestResult = Test-NetConnection -ComputerName snapshotstest.file.core.windows.net -Port 445
    if ($connectTestResult.TcpTestSucceeded) {
        # Save the password so the drive will persist on reboot
        # (StorageAcountKey is a placeholder for the storage account key)
        cmd.exe /C "cmdkey /add:`"snapshotstest.file.core.windows.net`" /user:`"Azure\snapshotstest`" /pass:`"StorageAcountKey`""
        # Mount the drive
        New-PSDrive -Name Z -PSProvider FileSystem -Root "\\snapshotstest.file.core.windows.net\snapshotstest" -Persist
    } else {
        Write-Error -Message "Unable to reach the Azure storage account via port 445. Check to make sure your organization or ISP is not blocking port 445, or use Azure P2S VPN, Azure S2S VPN, or Express Route to tunnel SMB traffic over a different port."
    }
    

    Wednesday, April 15, 2020 5:54 PM
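
An added example, not part of the original answer or the portal-generated script: the same storage-key mount done without writing the key into the script or saving it with cmdkey, since the answer notes that this key gives unrestricted access to the share. It reuses the snapshotstest names from the script above; the function name, the drive letter and the choice to skip -Persist are assumptions of this example.

```powershell
# Added example. Account and share names are the ones used in the script above;
# the function name and the drive letter are assumptions.
function Mount-AzureFileShareWithPromptedKey {
    param(
        [string]$StorageAccount = 'snapshotstest',
        [string]$ShareName      = 'snapshotstest',
        [string]$DriveName      = 'Z'
    )

    $fqdn = "$StorageAccount.file.core.windows.net"

    # Same reachability test as the portal script: SMB needs outbound TCP 445.
    $probe = Test-NetConnection -ComputerName $fqdn -Port 445
    if (-not $probe.TcpTestSucceeded) {
        Write-Error -Message "Unable to reach $fqdn on port 445."
        return
    }

    # Prompt for the storage account key. It is read as a SecureString, so it
    # never appears in the script text or on a cmd.exe command line.
    $key  = Read-Host -Prompt "Storage account key for $StorageAccount" -AsSecureString
    $cred = New-Object System.Management.Automation.PSCredential ("Azure\$StorageAccount", $key)

    # No cmdkey call and no -Persist: the drive exists only in this PowerShell
    # session and nothing is written to Windows Credential Manager.
    New-PSDrive -Name $DriveName -PSProvider FileSystem `
        -Root "\\$fqdn\$ShareName" -Credential $cred -Scope Global
}

# Usage:
#   Mount-AzureFileShareWithPromptedKey
#   ... work with Z:\ ...
#   Remove-PSDrive -Name Z
#
# To confirm that no saved credential for the endpoint is left on the machine:
#   cmdkey /list:snapshotstest.file.core.windows.net
```

The mounted session still has the full access the answer describes; only the storage of the key on the client changes.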

All replies

  • Hi Damon,

    You cannot use this functionality the way you described.

    The only systems that can access Azure File Service shares by using Azure AD authentication are Azure VMs running Windows OS which are joined to an Azure AD DS domain.

    You could potentially consider using AD-joined computers to accomplish the same, but this functionality is currently in preview.

    Details at https://docs.microsoft.com/en-us/azure/storage/files/storage-files-active-directory-overview

    hth
    Marcin


    Thursday, March 26, 2020 10:26 PM
  • Hi DamonKS,
    As Marcin Policht informed, you need to meet the prerequisites to perform this operation: domain-join an on-premises machine or an Azure VM to AD (also referred to as AD DS), region and more.
    This article will explain how to Enable Active Directory authentication over SMB for Azure file shares

    Hope this helps! 

    Kindly let us know if the above helps or you need further assistance on this issue.

    Friday, March 27, 2020 4:26 PM
  • Ok, good to know that I need to follow this article: Enable Active Directory authentication over SMB for Azure file shares. I have followed this article and from everything I can see I meet all the prerequisites. I have done everything in this article but I cannot map the drive using my AD account. I have worked with an Azure tech support and from everything he sees I am set up correctly. Do you all have any ideas how I can test to make sure that everything I did is correct?

    Damon

    Friday, March 27, 2020 5:18 PM
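
An added example, not part of any post in this thread: a client-side preflight for the identity-based mount, checking the two conditions the replies name (a domain-joined machine and reachability of port 445) and then requesting a Kerberos service ticket for the file endpoint. The function name is an assumption, and the ticket check assumes klist's English output format ("Server: cifs/...").

```powershell
# Added example. The function name and the output parsing are assumptions.
function Test-AzureFilesIdentityMountPrereq {
    param([Parameter(Mandatory)][string]$StorageAccount)

    $fqdn = "$StorageAccount.file.core.windows.net"

    # 1. Is this machine joined to a domain at all? A workgroup or purely
    #    Azure AD joined PC reports PartOfDomain = False.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # 2. Can the client reach the SMB endpoint on TCP 445?
    $port445 = (Test-NetConnection -ComputerName $fqdn -Port 445 `
                    -WarningAction SilentlyContinue).TcpTestSucceeded

    # 3. Can the logged-on user obtain a Kerberos ticket for the share's SPN?
    #    Without a ticket, an identity-based mount cannot succeed.
    $klistOutput = ''
    $gotTicket   = $false
    if ($cs.PartOfDomain -and $port445) {
        $klistOutput = & klist.exe get "cifs/$fqdn" 2>&1 | Out-String
        $gotTicket   = $klistOutput -match ('Server:\s*' + [regex]::Escape("cifs/$fqdn"))
    }

    [pscustomobject]@{
        Endpoint        = $fqdn
        PartOfDomain    = $cs.PartOfDomain
        Domain          = $cs.Domain
        Port445Open     = $port445
        KerberosTicket  = $gotTicket
        KlistOutput     = $klistOutput.Trim()
    }
}

# Usage (run as the user who will map the drive, not elevated as another account):
#   Test-AzureFilesIdentityMountPrereq -StorageAccount '<storage-account-name>'
```

Run it on the machine and under the user account that gets Error 86; a False in any of the three checks points at which prerequisite is not met on that client.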
  • @DamonKS Can you share the SR number with me? Let me check what troubleshooting steps they have provided and the status of the issue.
    Friday, March 27, 2020 5:38 PM
  • This was done through a chat session last night and very unfortunately I do not seem to have any record of that conversation. Nothing in my email either. :(

    The support person I spoke with had me Ask a Question here in this forum and he said he would escalate it. He also had me email azurefiles@microsoft.com which I have not gotten a response back from yet.

    Friday, March 27, 2020 6:15 PM
  • Also, last night I set up a VM to see if I could get this working through a VM but when I try to join my domain I get an error that my account is locked but it isn't. I even tried other domain administrator accounts to join to the domain but still get the same locked error. Any ideas on this?
    Friday, March 27, 2020 6:16 PM
  • Ok, I got the VM to work. This is what I finally found on another thread and it worked:

    You need to change your password and wait 20 minutes. After that, you can logon to any Azure ADDS domain joined machine.

    To authenticate users on the managed domain, Azure Active Directory Domain Services needs password hashes in a format that's suitable for NTLM and Kerberos authentication. Azure AD does not generate or store password hashes in the format that's required for NTLM or Kerberos authentication, until you enable Azure Active Directory Domain Services for your tenant. For obvious security reasons, Azure AD also does not store any password credentials in clear-text form. Therefore, Azure AD does not have a way to automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

    I was hoping that would resolve this Error 86 error but it did not.

    Friday, March 27, 2020 9:21 PM
  • Not sure what is going on here but I later went back to the VM and I could no longer access my mapped drive. I disconnected and tried to map it again with my AD domain account and I am now getting the Error 86 again. Do I have to reset my password yet again?

    I am done with this for now, time for the weekend. Back at it Monday.

    Saturday, March 28, 2020 12:45 AM
  • Is there any update on the issue?
    Wednesday, April 1, 2020 6:48 AM
  • I do have a support ticket open on this now, 120033022003762. The tech told me that supposedly I will be able to login to a file share from a computer that is not on a domain using my Azure AD credentials but that this service is not fully implemented and for this reason is not supported. I am trying to see if I can get in touch with the developers on this new service to at least ask what I might be doing wrong here or help to be a guinea pig. Being this is in development makes sense why sometimes it works and sometimes it does not.
    Wednesday, April 1, 2020 5:23 PM