Merge pull request #232972 from khdownie/kendownie033123

prmerger-automator[bot] · web-flow · commit 35d7d497120c · 2023-03-31T16:48:21.000Z
clarifying NTLM support
diff --git a/articles/storage/files/files-smb-protocol.md b/articles/storage/files/files-smb-protocol.md
@@ -4,7 +4,7 @@ description: Learn about file shares hosted in Azure Files using the Server Mess
 author: khdownie
 ms.service: storage
 ms.topic: conceptual
-ms.date: 05/09/2022
+ms.date: 03/31/2023
 ms.author: kendownie
 ms.subservice: files
 ms.custom: devx-track-azurepowershell
@@ -155,7 +155,7 @@ Azure Files exposes settings that let you toggle the SMB protocol to be more com
 Azure Files exposes the following settings:
 
 - **SMB versions**: Which versions of SMB are allowed. Supported protocol versions are SMB 3.1.1, SMB 3.0, and SMB 2.1. By default, all SMB versions are allowed, although SMB 2.1 is disallowed if "require secure transfer" is enabled, because SMB 2.1 does not support encryption in transit.
-- **Authentication methods**: Which SMB authentication methods are allowed. Supported authentication methods are NTLMv2 and Kerberos. By default, all authentication methods are allowed. Removing NTLMv2 disallows using the storage account key to mount the Azure file share.
+- **Authentication methods**: Which SMB authentication methods are allowed. Supported authentication methods are NTLMv2 (storage account key only) and Kerberos. By default, all authentication methods are allowed. Removing NTLMv2 disallows using the storage account key to mount the Azure file share. Azure Files doesn't support using NTLM authentication for domain credentials.
 - **Kerberos ticket encryption**: Which encryption algorithms are allowed. Supported encryption algorithms are AES-256 (recommended) and RC4-HMAC.
 - **SMB channel encryption**: Which SMB channel encryption algorithms are allowed. Supported encryption algorithms are AES-256-GCM, AES-128-GCM, and AES-128-CCM.
 
diff --git a/articles/storage/files/files-troubleshoot-smb-authentication.md b/articles/storage/files/files-troubleshoot-smb-authentication.md
@@ -4,7 +4,7 @@ description: Troubleshoot problems using identity-based authentication to connec
 author: khdownie
 ms.service: storage
 ms.topic: troubleshooting
-ms.date: 03/28/2023
+ms.date: 03/31/2023
 ms.author: kendownie
 ms.subservice: files 
 ---
@@ -326,7 +326,7 @@ If you're connecting to a storage account via a private endpoint/private link us
 
 #### Cause 
 
-This is because the SMB client has tried to use Kerberos but failed, so it falls back to using NTLM authentication, which Azure Files doesn't support. The client can't get a Kerberos ticket to the storage account because the private link FQDN isn't registered to any existing Azure AD application.
+This is because the SMB client has tried to use Kerberos but failed, so it falls back to using NTLM authentication, and Azure Files doesn't support using NTLM authentication for domain credentials. The client can't get a Kerberos ticket to the storage account because the private link FQDN isn't registered to any existing Azure AD application.
 
 #### Solution
 
