configure coexistence for ADDS and AAD Kerb

khdownie · khdownie · commit 5866b2b13784 · 2023-03-22T10:28:37.000-07:00
diff --git a/articles/storage/files/storage-files-identity-auth-azure-active-directory-enable.md b/articles/storage/files/storage-files-identity-auth-azure-active-directory-enable.md
@@ -4,7 +4,7 @@ description: Learn how to enable identity-based Kerberos authentication for hybr
 author: khdownie
 ms.service: storage
 ms.topic: how-to
-ms.date: 12/05/2022
+ms.date: 03/22/2023
 ms.author: kendownie
 ms.subservice: files
 ms.custom: engagement-fy23
@@ -202,6 +202,20 @@ Use one of the following three methods:
 
 Changes are not instant, and require a policy refresh or a reboot to take effect.
 
+> [!IMPORTANT]
+> Once this change is applied, the client won't be able to connect to storage accounts using on-premises AD DS integration without configuring Kerberos realm mappings. If you want the client(s) to be able to connect to storage accounts using both authentication methods, follow the steps in [Configure coexistence with storage accounts using on-premises AD DS](#configure-coexistence-with-storage-accounts-using-on-premises-ad-ds).
+
+### Configure coexistence with storage accounts using on-premises AD DS
+
+If you want to enable client machines to connect to storage accounts using Azure AD Kerberos and AD DS, follow these steps. If you're only using Azure AD Kerberos, skip this section.
+
+Add an entry for each storage account that uses on-premises AD DS integration. Use one of the following three methods to configure Kerberos realm mappings:
+
+- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/HostToRealm](/windows/client-management/mdm/policy-csp-admx-kerberos#hosttorealm)
+- Configure this group policy on the client(s): `Administrative Template\System\Kerberos\Define host name-to-Kerberos realm mappings`
+- Configure the following registry value on the client(s): `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\domain_realm /v <DomainName> /d <StorageAccountEndPoint>`
+  - For example, `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\domain_realm /v contoso.local /d <your-storage-account-name>.file.core.windows.net`
+
 ## Disable Azure AD authentication on your storage account
 
 If you want to use another authentication method, you can disable Azure AD authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI.
