I'm having trouble connecting to our Azure File Shares from one computer in the office. We set up Kerberos ticket authentication and configured an Azure P2S VPN, just in case any ISPs are blocking port 445. We verified that port 445 is open using the test-connection cmdlet, and DNS resolution works fine too. However, the connection just times out after several minutes without any specific error messages. Has anyone experienced something similar? What could be blocking the connection on that particular computer? Additionally, it appears that the Kerberos tickets are being generated from the PDC that's linked to Azure via Entra AD Connect. Is there any way to ensure these tickets come from kdcproxy:login.microsoftonline.com instead?
3 Answers
It sounds like the Windows firewall might be blocking port 445 on that computer. You could also check if the Kerberos ticket was properly updated by the group policies—sometimes that can cause connection issues too.
First, check if you can mount using the storage account key. This will help determine if the issue is with AD connectivity or Kerberos. Also, look into the SMB client logs and use the Azure files AD debug cmdlet. Capturing a network trace while you reproduce the issue could provide valuable insights. What’s the exact error message you’re getting? Using 'net use' usually gives the best output for troubleshooting.
The error indicates that the target resource name is incorrect, which might be linked to Kerberos. We're getting Kerberos tickets for the storage account and from our PDC, but could having those tickets from a PDC impact communications with the storage account?
I've seen something similar happen when a device hasn't been rebooted in a long time. What’s the uptime on that computer?
The uptime was only a few hours; they rebooted earlier today.
I did test it with the cmdlet and confirmed the response on port 445. The connection just hangs when trying to access the file shares. The tickets are being received fine, but they come from the PDC, and outside the office, they originate from 365. I wonder if this is causing the issue?
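The checks suggested in the answers, gathered into one PowerShell sketch. This is an added example, not code posted by anyone in the thread. The function name `Get-KerberosTicketIssuer`, the sample `klist` text and all angle-bracket values are constructed placeholders. It reads the `Kdc Called` field that `klist` prints for each ticket, which shows whether the `cifs/` ticket for the storage account was issued by the on-premises DC or elsewhere.

```powershell
# Added example. Parses klist text and returns SPN, encryption type and issuing KDC per ticket.
function Get-KerberosTicketIssuer {
    param([Parameter(Mandatory)][string[]]$KlistOutput)
    $ticket = $null
    foreach ($line in $KlistOutput) {
        switch -Regex ($line) {
            '^\s*Server:\s*(\S+)' { $ticket = [ordered]@{ Server = $Matches[1] } }
            '^\s*KerbTicket Encryption Type:\s*(.+)$' {
                if ($ticket) { $ticket.EncryptionType = $Matches[1].Trim() }
            }
            '^\s*Kdc Called:\s*(.*)$' {
                # "Kdc Called" is the last field of a ticket entry, so emit the object here.
                if ($ticket) {
                    $ticket.KdcCalled = $Matches[1].Trim()
                    [pscustomobject]$ticket
                    $ticket = $null
                }
            }
        }
    }
}

# Constructed sample of klist output (not captured from a real machine).
$sample = @'
#0>     Client: jdoe @ CONTOSO.LOCAL
        Server: cifs/examplestorage.file.core.windows.net @ CONTOSO.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Kdc Called: DC01.contoso.local
'@ -split "`r?`n"
Get-KerberosTicketIssuer -KlistOutput $sample | Format-Table -AutoSize

# Live checks: set the storage account name to run them on the affected computer.
$StorageAccount = ''
if ($StorageAccount) {
    $fqdn = "$StorageAccount.file.core.windows.net"

    # 1. TCP reachability of SMB, plus the address the name resolved to.
    Test-NetConnection -ComputerName $fqdn -Port 445 |
        Select-Object ComputerName, RemoteAddress, TcpTestSucceeded

    # 2. Request a service ticket for the share's SPN, then show which KDC issued it.
    klist get "cifs/$fqdn" | Out-Null
    Get-KerberosTicketIssuer -KlistOutput (klist) |
        Where-Object Server -like "cifs/$fqdn*"

    # 3. Separate Kerberos from transport by mounting with the storage account key:
    #    net use Z: \\$fqdn\<share> /user:localhost\$StorageAccount <storage-account-key>
    # 4. Azure Files AD debug cmdlet (AzFilesHybrid module):
    #    Debug-AzStorageAccountAuth -StorageAccountName $StorageAccount -ResourceGroupName '<resource-group>' -Verbose
}
```

If the key-based mount in step 3 works while the identity-based mount hangs, the problem is in the Kerberos path rather than in port 445 or DNS.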