articles/storage/files/storage-files-identity-auth-azure-active-directory-enable.md
Lines changed: 18 additions & 2 deletions
@@ -4,7 +4,7 @@ description: Learn how to enable identity-based Kerberos authentication for hybr
author: khdownie
ms.service: storage
ms.topic: how-to
-
ms.date: 12/05/2022
+
ms.date: 03/22/2023
ms.author: kendownie
ms.subservice: files
ms.custom: engagement-fy23
@@ -152,7 +152,7 @@ After enabling Azure AD Kerberos authentication, you'll need to explicitly grant
4. Select the application with the name matching **[Storage Account]`<your-storage-account-name>`.file.core.windows.net**.
5. Select **API permissions** in the left pane.
-
6. Select **Grant admin consent for "DirectoryName"**.
+
6. Select **Grant admin consent**.
7. Select **Yes** to confirm.
## Disable multi-factor authentication on the storage account
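Review bot: step 6 shortens the button label to `Grant admin consent`, but the line it replaces shows the control is labelled with the tenant name (`Grant admin consent for "DirectoryName"`); if the portal still renders the directory name in the button, the shortened text leaves readers guessing which control to click. Consider `6. Select **Grant admin consent for <your-directory-name>**.` so the placeholder style matches the `<your-storage-account-name>` placeholder in step 4, and keep step 7's confirmation as the point where the tenant-wide consent actually takes effect.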
@@ -202,6 +202,22 @@ Use one of the following three methods:
Changes are not instant, and require a policy refresh or a reboot to take effect.
+
> [!IMPORTANT]
+
> Once this change is applied, the client(s) won't be able to connect to storage accounts that are configured for on-premises AD DS integration without configuring Kerberos realm mappings. If you want the client(s) to be able to connect to storage accounts configured for AD DS as well as storage accounts configured for Azure AD Kerberos, follow the steps in [Configure coexistence with storage accounts using on-premises AD DS](#configure-coexistence-with-storage-accounts-using-on-premises-ad-ds).
+
+
### Configure coexistence with storage accounts using on-premises AD DS
+
+
If you want to enable client machines to connect to storage accounts that are configured for AD DS as well as storage accounts configured for Azure AD Kerberos, follow these steps. If you're only using Azure AD Kerberos, skip this section.
+
+
Add an entry for each storage account that uses on-premises AD DS integration. Use one of the following three methods to configure Kerberos realm mappings:
+
+
- Configure this Intune [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) and apply it to the client(s): [Kerberos/HostToRealm](/windows/client-management/mdm/policy-csp-admx-kerberos#hosttorealm)
+
- Configure this group policy on the client(s): `Administrative Template\System\Kerberos\Define host name-to-Kerberos realm mappings`
+
- Configure the following registry value on the client(s): `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\domain_realm /v <DomainName> /d <StorageAccountEndPoint>`
+
- For example, `reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\domain_realm /v contoso.local /d <your-storage-account-name>.file.core.windows.net`
+
+
Changes are not instant, and require a policy refresh or a reboot to take effect.
+
## Disable Azure AD authentication on your storage account
If you want to use another authentication method, you can disable Azure AD authentication on your storage account by using the Azure portal, Azure PowerShell, or Azure CLI.
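Review bot: the `reg add` example in the new coexistence section appears to have its arguments in the opposite direction from the policy it mirrors. The group-policy setting is named `Define host name-to-Kerberos realm mappings`, so the value name should be the host name and the data the realm, yet the example writes `/v contoso.local /d <your-storage-account-name>.file.core.windows.net`. Please verify against the linked `Kerberos/HostToRealm` Policy CSP and, if so, swap them to `/v <your-storage-account-name>.file.core.windows.net /d contoso.local` (and likewise `/v <StorageAccountEndPoint> /d <DomainName>` in the generic form); a mapping written the wrong way round gives no error but leaves the client in exactly the state the IMPORTANT note warns about, unable to reach the AD DS-backed account. Minor: `<DomainName>` and `<StorageAccountEndPoint>` use a different placeholder style from `<your-storage-account-name>` used elsewhere in this file.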