Azure P2S killing Kerberos Connection

EDIT: I can confirm that doing the registry change as mentioned here and here does in fact Band-Aid the issue. But why? Why do I need this workaround just because I am using a laptop on the VPN when I don't need it on VMs in the subnet?

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableDomainCreds - Set the value to 1

Original post:

I have a weird issue with accessing file shares on a VM hosted in Azure. This includes accessing either of the domain controller's SYSVOL folders.

Here is my setup: I have a laptop that is connected to our Azure VNET via Azure P2S VPN. Inside of the Azure VNET, I have several VMs. Both of my domain controllers are in that same VNET, as well as a couple of Windows servers. My laptop and all these VMs are joined to the domain, let's say ad.domain.com. I seem to be getting this from all of our users' laptops as well.

When I attempt to access the domain controller file share in Windows Explorer via \\dc1.ad.domain.com, it connects as it should. I can see the SYSVOL folder, access it, etc. If I attempt to access it via \\ad.domain.com (which is how GPO works), then I get the below error:

"\\ad.domain.com is not accessible. You might not have permission to use this network resource.
Contact the administrator of this server to find out if you have access permissions.

The user name could not be found."

If I try to access the same share from a VM within Azure, it works as expected. So I know it's something with networking. If I try to access \\vm1.ad.domain.com, it works as expected. But if I try to access \\vm1, it fails with the same error.

Doing a Wireshark capture, I see that everything is trying to access the right IPs. So it's not DNS. I can telnet into 445 and 88. So it's not a simple firewall blocking. But I am getting this error several times when looking at Wireshark:

KDC_ERR_C_PRINCIPAL_UNKNOWN 

I am at a loss. It appears to be something with the network, but I can access it perfectly as long as I use the FQDN, but with GPOs, that is not an option and clearly this indicates something is broken.

I see other people with this issue back in 2015, 2017, etc., but I have yet to find a resolution. Does anyone have any ideas?

To add, if I enter "net use \\ad.domain.com" in cmd, I get this error:

System error 2221 has occurred.

The user name could not be found.
For anyone in the future... When I switched to Azure VPN Azure AD Authentication, it resolved this issue and the fix I mentioned in my edit isn't needed anymore. This still doesn't answer my first question, but it at least got me past the issue I was having. Hope this helps someone in the future!
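A diagnostic script that puts the checks from this thread side by side (registry Band-Aid state, port 88/445 reachability, FQDN vs. domain-name vs. short-name UNC access, and the Kerberos service tickets the client actually holds). This is an added example, not the poster's code; it assumes the thread's placeholder names ad.domain.com, dc1 and vm1, and the C$ share on vm1 is an assumption.

```powershell
# Added example for the symptoms described in this thread; not the poster's code.
# Assumed placeholder names from the thread: domain ad.domain.com, DC dc1, server vm1.
# Run on the P2S-connected laptop while logged on with a domain account.
$Domain      = 'ad.domain.com'
$Dc          = "dc1.$Domain"
$Server      = 'vm1'
$ServerShare = 'C$'   # assumed share on vm1; the thread only says \\vm1 fails

function Get-DisableDomainCreds {
    # The registry Band-Aid from the EDIT: 1 = set, 0 = default (value absent or zero).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $val = (Get-ItemProperty -Path $key -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
    if ($null -eq $val) { 0 } else { [int]$val }
}

function Test-KerberosPorts {
    param([string]$Target)
    # Same reachability check the poster did with telnet: Kerberos (88) and SMB (445).
    foreach ($port in 88, 445) {
        $r = Test-NetConnection -ComputerName $Target -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Target = $Target; Port = $port; Open = $r.TcpTestSucceeded }
    }
}

function Test-UncAccess {
    param([string[]]$Paths)
    # Try each UNC form; the thread reports FQDN works while \\domain and \\short fail.
    foreach ($p in $Paths) {
        try {
            Get-Item -LiteralPath $p -ErrorAction Stop | Out-Null
            [pscustomobject]@{ Path = $p; Accessible = $true;  Error = '' }
        } catch {
            [pscustomobject]@{ Path = $p; Accessible = $false; Error = $_.Exception.Message }
        }
    }
}

function Get-CifsTickets {
    # klist lists the service tickets held. No cifs/ ticket for a name that fails is
    # consistent with the KDC_ERR_C_PRINCIPAL_UNKNOWN the poster saw in Wireshark.
    klist | Select-String -Pattern 'Server:\s+cifs/' | ForEach-Object { $_.Line.Trim() }
}

"DisableDomainCreds = $(Get-DisableDomainCreds)"
Test-KerberosPorts -Target $Dc | Format-Table -AutoSize
Test-UncAccess -Paths "\\$Dc\SYSVOL", "\\$Domain\SYSVOL", "\\$Server.$Domain\$ServerShare", "\\$Server\$ServerShare" |
    Format-Table -AutoSize -Wrap
Get-CifsTickets
```

Compare the Accessible column against the cifs/ ticket list: a name that is reachable on 88 and 445 but has no service ticket narrows the problem to Kerberos name resolution on the VPN client rather than the network path.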