Troubleshooting Access Issues with Azure Files: Net Use Command vs Azure Portal Script

Accessing Azure File Shares can sometimes result in errors, especially when using the mount script copied from the Azure Portal. A common issue is the “Access Denied” error, which may occur when configuring Azure Files as part of an Azure Virtual Desktop (AVD) environment. This guide explores the root cause of the issue and provides a resolution, comparing the Net Use command method with the Azure Portal script approach.


Key Use Case

This troubleshooting scenario typically arises in environments where:

  • FSLogix Profile Containers are used with Azure Files.
  • The Azure Storage Account is joined to on-premises Active Directory (AD).
  • Group Policy Objects (GPOs) restrict credential storage, causing authentication failures.

Problem Overview

When attempting to mount Azure File Shares using the script provided by the Azure Portal, users may encounter an “Access Denied” error. This issue persists even when:

  • Using a new AVD host.
  • Testing with different user accounts.

Observations

  1. Error in Logs
    • The backend logs (collected via DGrep and Log Collector) show an Access Denied error.
    • The error includes “KerberosClientOtherError”, which indicates that Kerberos authentication is being used instead of the Storage Account Key credential.
  2. Working vs Non-Working Methods
    • Net Use Command: Successfully mounts the Azure File Share using the Storage Account Key.
    • Azure Portal Script: Fails due to Kerberos authentication being used instead of the provided Storage Account Key.

Root Cause

The issue is caused by the following factors:

  1. Credential Manager Behavior
    • The Azure Portal script saves the Storage Account credentials to the Windows Credential Manager.
    • If the credentials cannot be cached (due to GPO restrictions or cache failures), the script defaults to using the current user’s credentials for authentication.
  2. Group Policy Restriction
    • The GPO setting “Network access: Do not allow storage of passwords and credentials for network authentication” prevents the Credential Manager from storing credentials.
    • As a result, Kerberos authentication is attempted, which fails due to insufficient NTFS permissions.

Troubleshooting Steps

Step 1: Verify the Error

Perform network trace analysis for both methods:

  • Net Use Command: Establishes SMB connection successfully using the Storage Account Key.
  • Azure Portal Script: Attempts Kerberos authentication, resulting in an Access Denied error.

    Step 2: Test with Net Use Command

    The following Net Use command bypasses Credential Manager and directly provides the Storage Account Key for authentication:

    net use <desired-drive-letter>: \\<storage-account-name>.file.core.windows.net\<share-name> <storage-account-key> /user:Azure\<storage-account-name>
    

    Why This Works:

    • The credentials are explicitly provided in the command.
    • No dependency on Credential Manager or Kerberos authentication.

    Step 3: Analyze Group Policy Settings

    Run the following command to check the Group Policy configuration:

    gpresult /h c:\temp\computer.html
    

    Inspect the resulting HTML file for the GPO setting:
    “Network access: Do not allow storage of passwords and credentials for network authentication”

    If this setting is enabled, the Azure Portal script cannot save credentials in the Credential Manager, causing authentication failures.

    Network access Do not allow storage of passwords and credentials for network authentication – Windows 10 | Microsoft Learn


    Step 4: Resolution

    Disable the Restrictive GPO

    • Open Group Policy Management on the domain controller.
    • Locate the policy: 

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

    • Network access: Do not allow storage of passwords and credentials for network authentication.
    • Set the policy to Disabled.

    Once this policy is disabled, the Azure Portal script can store credentials in the Credential Manager, allowing successful authentication.


    Comparison: Net Use Command vs Azure Portal Script

    MethodAuthentication MechanismDependencyOutcome
    Net Use CommandStorage Account KeyNo Credential ManagerSuccessful
    Azure Portal ScriptKerberos (fallback if cache fails)Credential ManagerFails if GPO restricts cache

    Additional Tips

    1. Testing in Lab Environments
      Simulate the issue by enabling the GPO setting:
      Network access: Do not allow storage of passwords and credentials for network authentication.
    2. Documentation Reference
      Follow the official guide: Set up FSLogix Profile Container with Azure Files and AD DS or Microsoft Entra Domain Services.
    3. Network Configuration
      Ensure port 445 is open for SMB traffic. If blocked, use Azure VPN or ExpressRoute to tunnel SMB traffic.

    Conclusion

    The Access Denied error when using the Azure Portal script to mount Azure File Shares is often caused by restrictive GPO settings that prevent credential caching. Using the Net Use command provides a reliable workaround by bypassing Credential Manager and directly supplying the Storage Account Key. Disabling the restrictive GPO resolves the issue for the Azure Portal script method.

    Leave a Comment