
[I will start by explaining how the environment is set up.] For the file share we use a DFS-N mapping, e.g. \\Domain.local\Storageaccount. This mapping is hosted by the DFS-N role on a Windows Server 2012 R2 server.

On the DFS-N server, the folder I am working with is actually on Azure, for example \\Domain.local\Storageaccount\FolderA\SubforbderB --> this folder has a target pointing at \\storageaccount.file.core.windows.net.

There is a tunnel to Azure. The authentication is domain-based: the user accesses \\Domain.local\Storageaccount\ with domain AD authentication, and the Kerberos ticket is returned to Azure Files to authenticate against Azure as well.

Now the odd thing here is that I do have a workaround, which is to map this folder directly with the Azure file share path instead of the AD path: \\storageaccount.file.core.windows.net\FolderA\SubforbderB. This worked perfectly fine, and the user can open files with read-write access, which means the issue is with AD authentication. This issue doesn't happen on any other folder set up in this same way but without inheritance; no other users have this issue.

[Now I will explain the issue]

Currently we have a folder \\Domain.local\Storageaccount\FolderA\SubforbderB. SubforbderB has inheritance turned OFF; we are explicitly assigning permissions. UserA is having an issue accessing the files inside the \\Domain.local\Storageaccount\FolderA\SubforbderB folder: whichever file he opens, it opens as read-only. UserA has Full Control per NTFS as well as the IAM RBAC roles. I did test the UserA account on a different computer and confirmed the account does have read-write access. I tested the UserB account, with the same access as UserA, under a different user profile on the same Windows 10 computer, and UserB can access the files with read-write. This proves to me that the issue is with the current user profile on the Windows 10 computer.

We are aware that we can simply re-create the profile on the Windows computer, back up and restore the data, and this issue will be resolved. However, the user has a lot of custom user-specific configuration, and it will be difficult to move to a new profile.

We worked with the Microsoft Azure team and the Windows team, and they are not providing any solution other than recreating the profile.

I hope one of you has run into this issue and resolved it in the past.

Here are the things we tried: clearing Credential Manager, re-joining the domain, SFC, DISM scan, Windows Updates, looking for any File Explorer mapping-specific registry entries and clearing those as well.

Do you have any suggestion other than recreating the Windows user profile?

Greg Askew, work
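The per-profile comparison described in the question, as an added diagnostic script that is not part of the original post. It performs a real write (create, modify, delete a probe file) through both the DFS-N path and the direct Azure Files path, lists the NTFS ACEs that apply to the logged-on user, and dumps the state that lives in the user's logon session and profile and so can differ between UserA and UserB on the same machine: the credential the SMB session was built with, whether a Kerberos ticket for the storage account's cifs/ SPN exists, and whether Credential Manager holds a stored credential for the storage host. The paths, the storage host name and the probe-file naming are assumptions; run it as the affected user in the affected profile, then as the working user, and diff the output.

```powershell
# Added diagnostic script (not from the original post). Placeholder paths below are assumptions;
# edit them to match the environment. Run as the affected user, then as a working user, and compare.
param(
    [string]$DfsPath     = '\\Domain.local\Storageaccount\FolderA\SubforbderB',
    [string]$DirectPath  = '\\storageaccount.file.core.windows.net\FolderA\SubforbderB',
    [string]$StorageHost = 'storageaccount.file.core.windows.net'
)

# Try a real write instead of trusting the ACL: create, modify and delete a uniquely named probe file.
function Test-WriteAccess {
    param([string]$Path)
    $probe = Join-Path $Path ("acl-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        New-Item -Path $probe -ItemType File -ErrorAction Stop | Out-Null
        Set-Content -Path $probe -Value 'probe' -ErrorAction Stop
        Remove-Item -Path $probe -ErrorAction Stop
        return [pscustomobject]@{ Path = $Path; Writable = $true;  Error = $null }
    } catch {
        # Clean up if the create succeeded but a later step failed
        if (Test-Path -Path $probe) { Remove-Item -Path $probe -ErrorAction SilentlyContinue }
        return [pscustomobject]@{ Path = $Path; Writable = $false; Error = $_.Exception.Message }
    }
}

# NTFS ACEs on the folder that name the current user or one of the groups in the current token.
function Get-EffectiveAces {
    param([string]$Path)
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mine = @($id.User) + @($id.Groups) | ForEach-Object {
        # Unresolvable SIDs (e.g. from a decommissioned domain/DC) are kept as raw SID strings
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
    (Get-Acl -Path $Path).Access |
        Where-Object { $mine -contains $_.IdentityReference.Value } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited
}

# Session/profile state: which credential each SMB session to the storage host used, whether a
# Kerberos ticket for cifs/<storage host> is cached, and any Credential Manager entry for the host.
function Get-SessionFacts {
    param([string]$StorageHost)
    [pscustomobject]@{
        SmbSessions = @(Get-SmbConnection |
                        Where-Object ServerName -like "*$StorageHost*" |
                        Select-Object ServerName, ShareName, UserName, Credential, Dialect)
        KerberosTix = @((klist) -match [regex]::Escape("cifs/$StorageHost"))
        StoredCreds = @((cmdkey /list) -match [regex]::Escape($StorageHost))
    }
}

# Usage: a writable direct path next to a read-only DFS-N path (as in the question) points at the
# namespace referral or the credential used for it, not at the share's RBAC/NTFS permissions.
$DfsPath, $DirectPath | ForEach-Object { Test-WriteAccess -Path $_ } | Format-Table -AutoSize
Get-EffectiveAces -Path $DfsPath | Format-Table -AutoSize
Get-SessionFacts -StorageHost $StorageHost | Format-List
```

The SMB session list is the most telling line: if the affected profile's session to the storage host shows a different UserName or Credential than the working profile's (for example a stored credential from Credential Manager, or an NTLM fallback with no cifs/ ticket in klist), the read-only behaviour is explained by how that profile authenticated, not by what the share grants.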

2 Answers


We had an on-prem DC at this location. Somehow, after we decommissioned this DC, the clients are now authenticating directly with the DC in Azure. I re-applied the NTFS permissions using the "ACCESS KEY". Now everything is working as expected.

work

Maybe you need to assign the Storage File Data SMB Share Contributor Azure RBAC role, or a custom role with the following data actions. As shown below, for write that is Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write:

{
  "assignableScopes": [
    "/"
  ],
  "description": "Allows for read, write, and delete access in Azure Storage file shares over SMB",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "name": "0c867c2a-1d8c-454a-a3db-ab2ea1bdc8bb",
  "permissions": [
    {
      "actions": [],
      "notActions": [],
      "dataActions": [
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/read",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/write",
        "Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete"
      ],
      "notDataActions": []
    }
  ],
  "roleName": "Storage File Data SMB Share Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

By the way, for user profile shares I would recommend FSLogix. FSLogix uses profile containers to encapsulate user profiles. These containers are dynamically attached to user sessions, giving users a consistent experience across sessions. Profile containers store user-specific data, configurations and settings, reducing logon times and improving performance.

PowerShell to get the ACL:

# Specify the path to the file or folder
$path = "C:\Path\To\Your\FileOrFolder"

# Get the NTFS ACL
$ntfsAcl = Get-Acl -Path $path

# Display the NTFS ACL: the owner, then one entry per access control entry
Write-Host "NTFS ACL for $path (owner: $($ntfsAcl.Owner))"
$ntfsAcl.Access | Format-List IdentityReference, FileSystemRights, AccessControlType, IsInherited

Turdie
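The two checks the answers above point at, as an added example that is not part of either answer: verifying (and if missing, granting) the share-level Storage File Data SMB Share Contributor assignment for the user, and re-applying the NTFS ACL on the folder by mounting the share with the storage account key, which needs no Kerberos or domain authentication, and running icacls. It assumes the Az PowerShell module, a hybrid (AD-synced) user whose UPN is known, and the placeholder subscription, resource group, account, share, user and folder names below.

```powershell
# Added example (not from the answers). All names are placeholders; the user must be an AD account
# synced to Entra ID for the RBAC assignment to apply. Requires the Az module (Connect-AzAccount).
param(
    [string]$SubscriptionId = '00000000-0000-0000-0000-000000000000',
    [string]$ResourceGroup  = 'rg-files',
    [string]$StorageAccount = 'storageaccount',
    [string]$ShareName      = 'share',
    [string]$UserUpn        = 'usera@domain.local',
    [string]$DomainUser     = 'DOMAIN\UserA',
    [string]$FolderOnShare  = 'FolderA\SubforbderB'
)

$roleName   = 'Storage File Data SMB Share Contributor'
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"

Connect-AzAccount | Out-Null

# 1. Share-level (RBAC) check: does the user, directly or via group, hold an SMB data-plane role
#    at the share scope or inherited from a parent scope? Grant the Contributor role if not.
$assignments = Get-AzRoleAssignment -SignInName $UserUpn -Scope $shareScope -ExpandPrincipalGroups |
    Where-Object RoleDefinitionName -like 'Storage File Data SMB Share*'
if (-not $assignments) {
    Write-Warning "$UserUpn has no SMB data-plane role at $shareScope; granting $roleName"
    New-AzRoleAssignment -SignInName $UserUpn -RoleDefinitionName $roleName -Scope $shareScope | Out-Null
} else {
    $assignments | Select-Object RoleDefinitionName, Scope, ObjectType | Format-Table -AutoSize
}

# 2. File-level (NTFS) check: mount with the account key, which bypasses AD/Kerberos entirely,
#    then re-apply an explicit, inheritable Full Control ACE for the user on the folder whose
#    inheritance is disabled, and print the resulting ACL.
$key  = (Get-AzStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
$cred = New-Object System.Management.Automation.PSCredential(
    "Azure\$StorageAccount", (ConvertTo-SecureString $key -AsPlainText -Force))
New-PSDrive -Name Z -PSProvider FileSystem -Root "\\$StorageAccount.file.core.windows.net\$ShareName" `
    -Credential $cred -ErrorAction Stop | Out-Null
try {
    $folder = "Z:\$FolderOnShare"
    icacls $folder /grant "${DomainUser}:(OI)(CI)F"   # (OI)(CI) = inherit to files and subfolders
    icacls $folder                                    # show the ACL as the share now stores it
} finally {
    Remove-PSDrive -Name Z
}
```

Treat the account key as a break-glass credential: it grants full access to every share in the account regardless of RBAC or NTFS, so use it only for the ACL repair, do not store it in the user's Credential Manager, and consider rotating it afterwards. The two checks are independent: RBAC gates whether the SMB session is allowed to reach the share at all, NTFS decides read versus write on the folder, and a read-only result with both in order points back at the client session rather than the share.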