Azure VPN Gateway P2S Issues Acces Storage SMB Share

Question

Azure VPN Gateway P2S Issues Acces Storage SMB Share

rr-4098 2,211

We have a storage account setup without a public endpoint but is restricted by IP's. We had a request to setup a P2S VPN for 5 users who will need to be able to access the smb share over the VPN. I have tried allow the Gateway subnet and made sure the Storge Service Endpoint is enabled, allowed the public IP for the gateway.. No matter what I do, I cannot connect to the VPN with out issue but as soon as I try to browse the share in the portal or mount it I get access denied. Please note, test-netconnect does pass.

Thoughts???

rr-4098 2,211 Reputation points

2026-03-11T20:01:11.3566667+00:00

Well I added a private endpoint, update my local host file and still not able to connect. It is only when I change from using user creds to the storage account key. Please note, the accounts are synced from onprem there are no DC's in Azure. Thoughts???
rr-4098 2,211 Reputation points

2026-03-12T00:25:29.87+00:00

So using a private end point is not needed even with kerberos support enabled?
rr-4098 2,211 Reputation points

2026-03-12T14:12:09.2566667+00:00

I believe the only option I have to mount the SMB share while user are on devices not on the domain but connecting with a P2S VPN is using the storage account key. I tried it and it works, but I have not way to control the NTFS permissions since the user are using the key
Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator

2026-03-12T16:11:20.9733333+00:00
Hello rr-4098

This behavior is explicitly documented by Microsoft:

Using the storage account key grants administrator permissions to all files and folders in the share, and NTFS ACLs cannot be enforced per user.

Could you please provide your storage account name so I can investigate further?

Additionally, could you run the following command and let me know the results?

net use <DriveLetter>: \\<storage-account-name>.file.core.windows.net\<fIle-share-name>

Could you please provide the output result of the command below?

dsregcmd /status

Could you share all the details mentioned above in Private Messages, please?

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Answer accepted by question author

1 additional answer

Your answer

rr-4098 2,211 Reputation points

2026-03-11T20:01:11.3566667+00:00

Well I added a private endpoint, update my local host file and still not able to connect. It is only when I change from using user creds to the storage account key. Please note, the accounts are synced from onprem there are no DC's in Azure. Thoughts???
rr-4098 2,211 Reputation points

2026-03-12T00:25:29.87+00:00

So using a private end point is not needed even with kerberos support enabled?
rr-4098 2,211 Reputation points

2026-03-12T14:12:09.2566667+00:00

I believe the only option I have to mount the SMB share while user are on devices not on the domain but connecting with a P2S VPN is using the storage account key. I tried it and it works, but I have not way to control the NTFS permissions since the user are using the key
Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator

2026-03-12T16:11:20.9733333+00:00

Hello rr-4098

This behavior is explicitly documented by Microsoft:

Using the storage account key grants administrator permissions to all files and folders in the share, and NTFS ACLs cannot be enforced per user.

Could you please provide your storage account name so I can investigate further?

Additionally, could you run the following command and let me know the results?

net use <DriveLetter>: \\<storage-account-name>.file.core.windows.net\<fIle-share-name>

Could you please provide the output result of the command below?

dsregcmd /status

Could you share all the details mentioned above in Private Messages, please?

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Answer 1

Hello rr-4098

Thanks for the reply!

In your scenario Azure Files does not authenticate SMB access using Entra ID tokens or OAuth. All identity‑based SMB access requires Kerberos authentication.

To issue Kerberos tickets, Azure Files must be able to authenticate users against one of the following supported identity sources:

On‑premises Active Directory Domain Services (AD DS)
Microsoft Entra Domain Services (AAD DS)
Microsoft Entra Kerberos (preview)

In your current setup, the on-premises domain controllers are not accessible from Azure, AAD DS has not been deployed, and Entra Kerberos is not enabled.

Because of this, there is no Kerberos Key Distribution Center (KDC) available to issue a ticket for:

cifs/<storageaccount>. file.core.windows.net

Microsoft docs:

Enable Microsoft Entra Kerberos authentication for hybrid and cloud-only identities (preview) on Azure Files

Enable Microsoft Entra Kerberos authentication for hybrid identities on Azure Files

NOTE: There is no supported Kerberos authentication source configured for Azure Files SMB access**.**

Until a valid Kerberos identity source is provided, Azure Files cannot authenticate user credentials, and access will continue to fail.

The Recommended scenarios is to Enable Microsoft Entra Kerberos for Azure Files

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

If these answer your question, click "Upvote" and "Accept Answer" which may be beneficial to other community members reading this thread.

Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator

2026-03-17T14:50:36.6833333+00:00

Hello rr-4098

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

If these answer your question, click "Upvote" and click "Accept Answer" which may be beneficial to other community members reading this thread.

Answer 2

Q&A Assist

AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

For SMB over P2S VPN, the VPN connectivity test succeeding but SMB access being denied typically indicates an authentication/identity issue rather than pure network reachability.

From the provided context, a common cause is how SMB/Kerberos/NTLM behave when the client is connected over VPN and cannot properly reach a domain controller or use cached domain credentials. In this situation, the client may fail to fall back from Kerberos to NTLM and ends up with access denied when trying to reach file shares.

The documented workaround is to disable caching of domain credentials on the client so that SMB authentication can proceed correctly over the VPN:

On the Windows client, open Registry Editor.
Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create or edit the DisableDomainCreds DWORD value.
Set DisableDomainCreds to 1.
Reboot the client and test SMB access to the Azure file share again over the P2S VPN.

This change forces the client not to rely on cached domain credentials, which helps SMB authentication succeed when the client is connected via VPN and cannot use normal Kerberos flows.

If SMB access is still denied after this change, verify separately (outside the VPN issue) that the storage account permissions and firewall/IP rules allow the client IPs or private endpoints used by the P2S clients, and that the correct credentials (storage key/SAS/identity) are used when mounting the share.

References:

rr-4098 2,211 Reputation points

2026-03-11T20:35:52.4433333+00:00

I forgot to mention when I try to map the drive manually I am using the user UPN \ email address format listed in Entra.
rr-4098 2,211 Reputation points

2026-03-12T10:45:47.7033333+00:00

I did enable Kerbose auth for the share using the links provides but under the API permission for the App created the the storage account, I do not see anything with our Directory Name listed
rr-4098 2,211 Reputation points

2026-03-12T13:33:01.6533333+00:00

Well Kerberos it not an option since the DC's are not running 2025 which i see is a requirement.
Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator

2026-03-13T19:13:55.36+00:00
Hello rr-4098

This behavior is explicitly documented by Microsoft:

Using the storage account key grants administrator permissions to all files and folders in the share, and NTFS ACLs cannot be enforced per user.

Could you please provide your storage account name so I can investigate further?

Additionally, could you run the following command and let me know the results?

Azure CLI

net use <DriveLetter>: \\<storage-account-name>.file.core.windows.net\<fIle-share-name>

Could you please provide the output result of the command below?

Azure CLI

dsregcmd /status

Could you share all the details mentioned above in Private Messages, please?

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.
rr-4098 2,211 Reputation points

2026-03-13T19:42:05.59+00:00

I was talking with my team internally and do to specific limitation resource, money etc... we many disable SMB identity i.e authentication using user id and use the key. Not the best option but we do know if will mount for user who have devices that are not on the network
Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator

2026-03-13T21:50:22.14+00:00
Hello rr-4098

Thank you for your confirmation.

We understand that you have discussed this internally and have decided not to proceed with identity-based authentication for the file share, as it does not align with your setup and requirements.

If you have any further questions or concerns, please feel free to let us know. We are happy to assist.

We look forward to your response.

Please click Accept Answer and upvote if the above was helpful.

Thank you!
rr-4098 2,211 Reputation points

2026-03-14T02:29:29.3933333+00:00

I just ran across an odd issue. As I mentioned before our smb share is not using a private endpoint and i locked downed via the storage account firewall. RIght now the VPN Gateway subnet and gateway public IP are allowed. Now when I try to mount the share I get access denied. It is only when I add my clients public IP to the allow list that I can mount the share. I was working before. The purpose of the P2S is so user from various remote location can access the share and we do not have to manage the changing client public IP's.
Ganesh Patapati 11,835 Reputation points Microsoft External Staff Moderator

2026-03-16T17:52:55.66+00:00
Hello rr-4098

Thanks for the reply!

Microsoft documents that Point‑to‑Site VPN is split‑tunnel by default and only routes VNet address spaces through the tunnel. Public Azure service endpoints (like *.file.core.windows.net) are not routed via the VPN gateway unless a private endpoint is used.

Note:

Azure Files public endpoint traffic does not traverse the VPN gateway

Storage firewall does not see the VPN Gateway public IP

Storage firewall sees the client’s real public IP

This exactly matches what you are observing

Please click Accept Answer and upvote if the above was helpful.

Thank you!

Share via

Azure VPN Gateway P2S Issues Acces Storage SMB Share

1 additional answer

Your answer