Windows 10 AAD (Azure AD) domain joined & SMB share
I have a number of Windows 10 clients domain joined to Azure AD. I still have a local Windows 2012 R2 server onsite with a number of shares I wish to map to from the Windows 10 clients. But if I try accessing the UNC path from a client I get "you do not have permissions to access the server", even if I add the credentials into Credential Manager. If I try to use the drive map wizard it shows "Network folder is mapped using a different user" even though there are no other connections to the server.
I have encountered this question before. Essentially you are expecting to be able to get rid of your on-premise domain controller (DC) because you can join your laptops and workstations to Azure.
That is an incorrect understanding of Azure.
You still need a DC (a virtual machine (VM) in the cloud or a physical server).
That DC has Azure Active Directory (AAD) Connect installed and configured on it. That creates an account in AD that synchronizes accounts and passwords with AAD.
When a computer joined to AAD logs in it sends the login request to AAD. AAD then validates that authentication request against the information synchronized from AD.
So if you have workstations and laptops joined to AAD and they try to access a share on a server that is in a different domain than what AAD synchronizes with, you are going to need to provide credentials that exist on the server which hosts the resources you are trying to access.
There are a few right ways to do this and I will give you two.
- If the clients are in a single location and will always be in the same location as the DC, then join them to the domain regularly. For clients that will be used in other locations, join those computers to AAD and install AAD Connect on the DC.
- If you want to move all of the servers out of your office, spin up a VM for your DC in Azure and deploy a cloud firewall in front of your VM. Create a Site-to-Site Virtual Private Network (VPN) between the cloud firewall and your office firewall. Now join computers that will always be in the office to the domain like normal, join computers that are going to be used remotely to AAD, and install AAD Connect on the DC.
After much research and testing, here's the solution that worked for me! This is how to connect to a local network resource (such as an SMB share, local server, etc.) from an AzureAD connected Windows 10 Pro computer, logged in as the end user:
1) Search 'cred' and open Credential Manager
2) Choose Windows Credentials
3) Click 'Add a Windows credential'
- Internet or network address: enter the network location, such as a LAN IP address or network share
- User name: domain\User
- Password: enter user's password
Example:
- Internet or network address: \\fileserver\share
- User name: example.local\Administrator
- Password: admin password
With the above in place, Windows will check the credentials against the local domain server (in this case example.local) and grant or deny access to the network share.
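The same Credential Manager entry and drive mapping, done from PowerShell instead of the GUI, as an added example that is not part of the answer above. The names fileserver, share and example.local are the answer's own example values; the account name fileuser is an assumption (a regular domain user with rights only to the share, rather than Administrator), and the unprompted `/pass` switch of cmdkey is assumed to prompt for the password as its help text describes.

```powershell
# Added example: store a Windows credential for the on-prem file server and
# map the share with it, run as the logged-in Azure AD user on the client.
# 'fileuser' is an assumed least-privilege domain account, not the answer's
# Administrator; the server, share and domain are the answer's example values.
$Target = 'fileserver'                 # server name exactly as used in the UNC path
$User   = 'example.local\fileuser'     # domain\user that exists on the on-prem domain

# Store the credential. '/pass' with no value makes cmdkey prompt for the
# password, so it never lands in the script file or the PowerShell history.
cmdkey "/add:$Target" "/user:$User" /pass

# Confirm the entry exists; cmdkey prints target and user, never the password.
cmdkey "/list:$Target"

# Map the share. No /user: or password is given here, so Windows must use the
# stored credential; a failure at this step means the entry above was not used.
net use Z: "\\$Target\share" /persistent:yes

# Verify which account the SMB session actually authenticated as. If UserName
# is still the Azure AD identity, the wrong credential was picked up.
Get-SmbConnection -ServerName $Target |
    Select-Object ServerName, ShareName, UserName, Credential

# Cleanup when the cached credential should no longer exist on this machine:
#   net use Z: /delete
#   cmdkey "/delete:$Target"
```

Check `Get-SmbConnection` output after mapping: the Credential column should show the on-prem domain account, which is what the file server's share and NTFS permissions are evaluated against.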