Sunday, February 14, 2021

Azure Files Identity based authentication - Active Directory on-premises


Azure Files supports identity-based authentication over Server Message Block (SMB) through on-premises Active Directory Domain Services (AD DS) and Azure Active Directory Domain Services (Azure AD DS).

This article focuses on how to enable identity-based authentication for Azure Files over SMB through on-premises Active Directory Domain Services.

Why identity-based authentication matters

The other authentication methods available in Azure Storage are storage account keys and shared access signatures (SAS).

Storage key - Provides root-level access to the whole storage account once authentication succeeds, i.e. anyone holding the key can access all of the storage services: Blob, Files, Tables and Queues.

SAS signature - Even though a SAS offers options to scope access to the storage account, it is not really suitable for a file share.

Ex: How would you set up authentication for 200 users who each need a different level of access to the same file share in Azure Files? Would the solution be to create 200 SAS signatures, one per user?

It also matters how users are going to reach the Azure file share. As of today, to access a file share from a workstation you either use the storage key to mount the share over SMB or use Azure Storage Explorer.

All of the concerns above can be addressed by introducing identity-based authentication for the Azure storage account and Azure Files.

What you need to know before you start

You might wonder what happens if you simply mount the file share using the storage key and configure NTFS permissions on the mounted share.

It will not work that way; you will end up with the error shown below 😊.

Yes, this is how it is!

  • The on-premises Active Directory must be synced to Azure AD.
  • Supports Kerberos authentication with AD using RC4-HMAC and AES 256 encryption. AES 256 encryption support is currently limited to storage accounts with names <= 15 characters in length. AES 128 Kerberos encryption is not yet supported.
Note: If you want to use AES 256 encryption, the storage account name should be 15 characters or fewer, so be careful with your storage account naming convention.
  • Supports only Windows 7 / Windows Server 2008 R2 and later.
  • Supports authentication only against the AD forest the storage account is registered to.
  • Does not support authentication against computer accounts created in AD DS.
  • Does not support authentication against Network File System (NFS) file shares.

Steps to be followed

Part one: enable AD DS authentication on your storage account

Part two: assign access permissions for a share to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity

Part three: configure Windows ACLs over SMB for directories and files

Part four: mount an Azure file share to a VM joined to your AD DS

Part five: update the password of your storage account identity in AD DS




Part one: enable AD DS authentication on your storage account

Straightforward and well explained in the article below.


It is good practice to create a separate OU for Azure Storage objects; the command below returns the distinguished name of that OU.


PS C:\Users\ladmin> Get-ADOrganizationalUnit -Filter 'Name -like "AzureStorage"'



Set-AzStorageAccount `
        -ResourceGroupName $ResourceGroupName `
        -Name $StorageAccountName `
        -EnableActiveDirectoryDomainServicesForFile $true `
        -ActiveDirectoryDomainName "fsstoreadint.test" `
        -ActiveDirectoryNetBiosDomainName "fsstoreadint" `
        -ActiveDirectoryForestName "fsstoreadint.test" `
        -ActiveDirectoryDomainGuid "84eda2fa-3279-45be-b5c3-63fa060b0291" `
        -ActiveDirectoryDomainsid "S-1-5-21-4076236781-4176507843-1324823733" `
        -ActiveDirectoryAzureStorageSid "S-1-5-21-4076236781-4176507843-1324823733-1112"
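The same registration as a script, added here as an example and not part of the original post: it reads the domain GUID, domain SID and the storage account object's SID from AD instead of hard-coding them, then verifies the result from the Azure side. It assumes the AD object representing the storage account was already created in the AzureStorage OU with the same name as the account, and that the ActiveDirectory and Az.Storage modules are installed; the resource group and account names are placeholders.

```powershell
# Added example (not from the original post): derive the values Set-AzStorageAccount
# needs from AD itself so that GUID/SID typos cannot silently break Kerberos auth.
# Placeholders (constructed): resource group, storage account name, OU name.
$ResourceGroupName  = "rg-files-demo"
$StorageAccountName = "fsstoreadint01"   # <= 15 characters keeps AES 256 Kerberos available
$OuName             = "AzureStorage"

$domain = Get-ADDomain          # domain of the machine running this script
$forest = Get-ADForest
$ou     = Get-ADOrganizationalUnit -Filter "Name -like '$OuName'"
if (-not $ou) { throw "OU '$OuName' not found; create it before registering the account." }

# The AD object that represents the storage account (created earlier in Part one)
# carries the same name as the account and lives in the dedicated OU.
$adObject = Get-ADObject -Filter "Name -eq '$StorageAccountName'" `
                         -SearchBase $ou.DistinguishedName -Properties objectSid
if (-not $adObject) { throw "No AD object named '$StorageAccountName' under $($ou.DistinguishedName)." }

Set-AzStorageAccount `
    -ResourceGroupName $ResourceGroupName `
    -Name $StorageAccountName `
    -EnableActiveDirectoryDomainServicesForFile $true `
    -ActiveDirectoryDomainName $domain.DNSRoot `
    -ActiveDirectoryNetBiosDomainName $domain.NetBIOSName `
    -ActiveDirectoryForestName $forest.Name `
    -ActiveDirectoryDomainGuid $domain.ObjectGUID.ToString() `
    -ActiveDirectoryDomainSid $domain.DomainSID.Value `
    -ActiveDirectoryAzureStorageSid $adObject.objectSid.Value

# Verify: DirectoryServiceOptions should now read "AD" and the SIDs should match.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName
$sa.AzureFilesIdentityBasedAuth | Format-List
if ($sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne "AD") {
    Write-Warning "AD DS authentication is not enabled on $StorageAccountName."
}
```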

Once Part one is completed, log in to the Azure portal and navigate to the storage account --> Configuration; you should see that Active Directory Domain Services (AD DS) is enabled.



Also navigate to your file share and check whether Active Directory is configured as the authentication method.



Part two: assign access permissions for a share to the Azure AD identity (a user, group, or service principal) that is in sync with the target AD identity

Follow the documentation.


Navigate to Storage Account --> File Shares --> <share name> --> IAM

Assign a user (one synced from on-premises AD to Azure AD) the "Storage File Data SMB Share Contributor" role.


Part three: configure Windows ACLs over SMB for directories and files

Steps to be followed


An administrator with full access to the share can mount it on a domain-joined computer and set the necessary NTFS permissions as follows.

Configure Windows ACLs with Windows File Explorer or icacls.

Ex: icacls <mounted-drive-letter>: /grant <user-email>:(f)

The following permissions are included on the root directory of a file share by default:

  • BUILTIN\Administrators:(OI)(CI)(F)
  • BUILTIN\Users:(RX)
  • BUILTIN\Users:(OI)(CI)(IO)(GR,GE)
  • NT AUTHORITY\Authenticated Users:(OI)(CI)(M)
  • NT AUTHORITY\SYSTEM:(OI)(CI)(F)
  • NT AUTHORITY\SYSTEM:(F)
  • CREATOR OWNER:(OI)(CI)(IO)(F)

Note: TCP port 445 must be allowed in the NSG/firewall rules, otherwise the SMB mount fails before authentication is even attempted.

Similarly, if you want to give a group or users read-only access to the Azure file share, assign them the role below:

  • Storage File Data SMB Share Reader allows read access to Azure Storage file shares over SMB.
The administrator can then configure NTFS permissions on the mounted share.

Part four: mount an Azure file share to a VM joined to your AD DS


Log in as a user with at least read permission to the share.

The user can access the share by entering the share UNC path in the Run box without being prompted for a password.

The user can also access the share by entering the share UNC path in File Explorer without being prompted for a password.

The most convenient way is to map the share as a drive in File Explorer, as shown below.
Note: Effective access to a share is the combination of the share-level permission granted through Azure file share IAM and the more granular Windows ACL / NTFS permissions applied to subfolders and files.
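A worked version of Parts three and four, added here as an example and not part of the original post: the share is mounted with the logged-on AD user's Kerberos ticket (no storage key), a per-department folder gets least-privilege NTFS ACLs granted to AD groups rather than individual users, and the resulting ACL is read back and checked. The storage account, share, domain and group names are placeholders; the account running it needs a share-level role that allows ACL changes.

```powershell
# Added example (not from the original post). Placeholders (constructed): storage
# account, share name, NetBIOS domain "fsstoreadint", groups FinanceReaders/FinanceEditors.
$StorageAccountName = "fsstoreadint01"
$ShareName          = "finance"
$Endpoint           = "$StorageAccountName.file.core.windows.net"
$Unc                = "\\$Endpoint\$ShareName"

# Part three's note: without TCP 445 the mount fails before Kerberos is tried.
if (-not (Test-NetConnection -ComputerName $Endpoint -Port 445 -InformationLevel Quiet)) {
    throw "TCP 445 to $Endpoint is blocked by an NSG or firewall."
}

# Part four: no -Credential, so SMB uses the current user's Kerberos ticket (SSO).
# This only succeeds once AD DS auth (Part one) and share-level RBAC (Part two) are in place.
New-PSDrive -Name Z -PSProvider FileSystem -Root $Unc -Persist -Scope Global | Out-Null

# Part three: the root inherits the default ACEs listed above, including
# Authenticated Users:(M). Cut that inheritance on the department folder and grant
# explicit ACEs to groups, so access changes are group-membership changes in AD.
$Folder = "Z:\Reports"
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
icacls $Folder /inheritance:r `
    /grant "fsstoreadint\FinanceReaders:(OI)(CI)(RX)" `
    /grant "fsstoreadint\FinanceEditors:(OI)(CI)(M)" `
    /grant "BUILTIN\Administrators:(OI)(CI)(F)" `
    /grant "NT AUTHORITY\SYSTEM:(OI)(CI)(F)"

# Read the ACL back and flag any principal that should not be there.
$acl = Get-Acl $Folder
$acl.Access | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
$allowed    = 'FinanceReaders|FinanceEditors|BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM'
$unexpected = $acl.Access | Where-Object { $_.IdentityReference.Value -notmatch $allowed }
if ($unexpected) {
    Write-Warning "Unexpected ACEs on ${Folder}: $($unexpected.IdentityReference.Value -join ', ')"
}
```

A user in FinanceReaders still needs a share-level role (for example Storage File Data SMB Share Reader) from Part two; the NTFS ACL alone never grants access to the share.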

Part five: update the password of your storage account identity in AD DS

https://docs.microsoft.com/en-gb/azure/storage/files/storage-files-identity-ad-ds-update-password

If you registered the Active Directory Domain Services (AD DS) identity/account that represents your storage account in an organizational unit or domain that enforces a password expiration time, you must change the password before the maximum password age is reached. Your organization may run automated clean-up scripts that delete accounts once their password expires. Because of this, if you do not change the password before it expires, the account could be deleted, which will cause you to lose access to your Azure file share.

Summary

With Active Directory Domain Services integration for Azure Storage, customers can use Kerberos-based authentication and SSO for their file shares.

Share permissions - Configured using Azure AD RBAC roles.
NTFS permissions - Configured on the mounted file share by users who hold contributor-level access to the share.

Thanks for reading, and sorry for not including every step of the setup. If you would like to know more, here are some references.



