Global Secure Access: File Share prompts for credentials on Member Server but works on DC (from Client Device - Entra ID Joined)

mani 45 Reputation points
2025-12-11T21:05:04.38+00:00

Hi everyone,

I am testing Microsoft Global Secure Access (Private Access) in a lab environment and encountering an inconsistent authentication issue with SMB file shares.

My Environment:

  • On-Premises:
    • Domain Controller (AD DS).
    • Member Server (File Server).
    • Entra Private Access Connector (installed on a separate member server).
  • Identity: Azure AD Connect is syncing users from On-Prem AD to Entra ID.

The Problem: When I access a file share on the Domain Controller (e.g., \\DC01.corp.local), it opens silently without a password prompt (SSO works). However, when I access a file share on the Member File Server (e.g., \\FS01.corp.local), it prompts for credentials.

Windows Hello for Business (Cloud Kerberos Trust) is NOT configured yet; relying on NTLM.

If I manually type the on-prem credentials in the prompt, it works, so network connectivity is good.

I want the File Server to experience the same silent SSO behavior as the DC.

Troubleshooting Performed:

  1. Connectivity: Ran Test-NetConnection (tnc) from the Connector VM to the File Server on port 445 -> True.
  2. Connector Access: I can map the file share locally from the Connector VM itself without issues.
  3. GSA Configuration: I have added the Private DNS suffix (e.g., corp.local) to the Quick Access application in the Entra ID portal.
  4. SPN Checks: Verified SPNs on the file server using setspn -L. The HOST/ and CIFS/ classes exist for the server name.

Has anyone experienced this difference between DC and Member Server behavior with GSA?

Any insights would be appreciated!


1 answer

  1. Praveen Bandaru 9,250 Reputation points Microsoft External Staff Moderator
    2025-12-12T07:40:57.49+00:00

    Hello mani

    It seems like you're running into a puzzling issue with Microsoft Global Secure Access and SMB file shares where accessing the file share on your Domain Controller works seamlessly, but the Member Server prompts for credentials. That inconsistency can definitely be frustrating!

    Here are a few things you could check to troubleshoot the issue further:

    Check DNS Resolution: Make sure that the DNS resolution works properly for your Member File Server. Ensure that you can resolve the hostname from the Connector VM.

    Verify Security Policies: Sometimes, domain policies or security policies might differ between the Domain Controller and the Member Server. Check group policies related to authentication and network access.

    Authentication Mechanisms: Since you're using NTLM and not yet Cloud Kerberos, it’s worth verifying if your Member File Server has the necessary NTLM settings enabled.

    SPN Configuration: You mentioned you've checked the SPNs on the file server. Double-check that they are correctly associated with the service account and that the service account has the right permissions.

    Connector Configuration: Since the Connector is properly configured (as per your tests), ensure that there are no additional settings that might be different for the Member Server compared to your Domain Controller.

    Windows Firewall: Make sure any firewalls are not blocking SMB traffic between the Connector and the Member Server.

    Logs: Review the logs on your File Server and Connector for any errors or warnings that might give a clue about the authentication issue.

    As for the documentation, here's a list that may help you with troubleshooting related issues:

    Troubleshoot issues with Azure Files On-premises AD DS authentication

    Configuring Networking Endpoints for Azure Files

    How to enable Microsoft Entra authentication for Azure Files

    Troubleshoot Azure Files identity-based authentication and authorization issues (SMB)


    I hope the above answer helps! Please let us know if you have any further questions.

    Please don't forget to "accept the answer" and "up-vote" wherever the information provided helps you; this can be beneficial for other community members.

    0 comments No comments
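
The checks listed in the question and in the answer above can be run against both servers in one pass so the DC and the file server are compared side by side, including which authentication package recent network logons actually used. This is an added example, not part of the original thread; it assumes it runs on the domain-joined connector VM with rights to read each server's Security log remotely, and the 30-minute look-back window is an arbitrary choice.

```powershell
# Added example (not from the thread). Run from the domain-joined connector VM.
# Host names are the examples used in the question; substitute your own.
$targets = 'DC01.corp.local', 'FS01.corp.local'
$since   = (Get-Date).AddMinutes(-30)   # assumed look-back window

foreach ($fqdn in $targets) {
    $short = $fqdn.Split('.')[0]

    # DNS resolution from the connector (answer: "Check DNS Resolution").
    $a = Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }

    # TCP 445 reachability (question step 1, answer: "Windows Firewall").
    $tcp = Test-NetConnection -ComputerName $fqdn -Port 445 -WarningAction SilentlyContinue

    # SPNs registered on the computer account (question step 4).
    $spns = @(& setspn.exe -L $short 2>$null | ForEach-Object { $_.Trim() })

    # Network logons (type 3) recorded on the target, with the authentication
    # package used; assumes rights to read its Security log remotely.
    $logons = Get-WinEvent -ComputerName $fqdn -ErrorAction SilentlyContinue -FilterHashtable @{
                  LogName = 'Security'; Id = 4624, 4625; StartTime = $since } |
        ForEach-Object {
            $evt = $_; $d = @{}
            ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d.LogonType -eq '3') {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    Result  = if ($evt.Id -eq 4624) { 'Success' } else { 'Failure' }
                    User    = $d.TargetUserName
                    Package = $d.AuthenticationPackageName
                    Source  = $d.IpAddress
                }
            }
        }

    [pscustomobject]@{
        Target    = $fqdn
        Addresses = $a.IPAddress -join ', '
        Tcp445    = $tcp.TcpTestSucceeded
        HostSpn   = [bool]($spns -match '^HOST/')
        CifsSpn   = [bool]($spns -match '^CIFS/')
        Logons    = @($logons).Count
    } | Format-List | Out-Host
    $logons | Sort-Object Time -Descending | Select-Object -First 10 | Format-Table -AutoSize | Out-Host
}
```

Reproduce the access attempt from the client just before running it, then compare the `Package` and `Result` columns for the two targets.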
