FsLogix with Hybrid AD and Full Trusted Cross Domain


Hi everyone! 

 

I have been trying, without any luck, the following architecture with FSLogix.

 

Two domains in full trusted mode in an on-premises environment.

Azure AD Connect for both domains to the cloud, synced without any issue.

Azure File Storage Premium in an Azure subscription. Inside there is a file share. The File Storage was configured to accept Active Directory Domain Services (AD DS) and shows me the on-premises domain it is joined to, which is Domain 1.

Configured Windows Virtual Desktop Spring 2020.

Added the VMs to the hosted pool.

The VMs are configured to be accessed by any users from both domains.

Profiles from domain 1 are being created on the Azure File Storage as VHDs.

Profiles from domain 2 are not being created on the Azure File Storage.

 

Last point: the user from domain 2 can log in to any VM that the hosted pool accepted when doing a Remote Desktop session.

 

The Azure File Storage has been configured, in the IAM section, with all users from both domains having the RBAC Storage SMB Contributor role.

 

If the user from domain 2 accesses the Azure File Storage \\xxxx.files.core.windows.net\profile via Explorer, they can see the content and even create folders or files, so permissions are OK.

 

I have even added the user from domain 2 using icacls, and when I look at the security properties in File Explorer I can see the user is listed and has Read/Write permission.

 

But in the end, FSLogix shows me in the logs that the user name is incorrect or the password is bad.

 

[12:39:22.039][tid:00000d90.00001d90][ERROR:0000052e] FindFile failed for path: \\alephfslogicprofile.file.core.windows.net\profiles\luis_S-1-5-21-1097050234-716937435-442771084-3145\Profile*.vhd (The user name or password is incorrect.)

 

This is about security for the user on the second domain, and perhaps FSLogix doesn't support cross-domain on-premises users storing their profile in Azure File Storage.

 

Well, if someone has any idea whether this scenario is possible, let me know. I didn't find any answer searching on the net.

 

Thanks a lot!

 

Regards,

Javier.
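Not part of the thread: an added Python example that parses log lines in the format of the FSLogix entry quoted above and decodes the hex Win32 code in the level field (0x52e is 1326, ERROR_LOGON_FAILURE), which tells a troubleshooter that the SMB session failed at authentication rather than at the NTFS ACL or RBAC layer the post had already verified. The log layout is inferred from that single line, the code-to-name table lists standard Win32 codes, and the second sample line is constructed.

```python
import re

# Added example, not FSLogix's own code. Field layout assumed from the one
# quoted line: "[time][tid:x.y][LEVEL:hexcode] message".
LINE_RE = re.compile(
    r"^\[(?P<time>[^\]]+)\]\[tid:(?P<tid>[^\]]+)\]"
    r"\[(?P<level>[A-Z]+):(?P<code>[0-9A-Fa-f]{8})\]\s*(?P<msg>.*)$"
)
UNC_RE = re.compile(r"\\\\\S+")            # \\server\share\... token in the message
SID_RE = re.compile(r"S-1-5-\d+(?:-\d+)+")  # the _SID suffix FSLogix appends to folders

# Standard Win32 error codes seen when a profile container cannot be attached.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 5: "ERROR_ACCESS_DENIED", 53: "ERROR_BAD_NETPATH",
               67: "ERROR_BAD_NET_NAME", 1326: "ERROR_LOGON_FAILURE"}

# Constructed sample: first line is the one quoted in the post, second is made up.
SAMPLE_LOG = [
    r"[12:39:22.039][tid:00000d90.00001d90][ERROR:0000052e] FindFile failed for path: "
    r"\\alephfslogicprofile.file.core.windows.net\profiles\luis_S-1-5-21-1097050234-716937435-442771084-3145\Profile*.vhd (The user name or password is incorrect.)",
    r"[12:39:22.040][tid:00000d90.00001d90][INFO:00000000] Status set to 1: Loading profile",
]

def parse_line(line):
    """Return the fields of one log line, or None if the line is not in this format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"], 16)
    d["code_name"] = WIN32_NAMES.get(d["code"], "UNKNOWN")
    unc, sid = UNC_RE.search(d["msg"]), SID_RE.search(d["msg"])
    d["path"] = unc.group(0) if unc else None
    d["sid"] = sid.group(0) if sid else None
    return d

def classify(entry):
    """Name the layer that failed: logon (authentication), ACL/RBAC (authorization), or path."""
    if entry is None or entry["level"] != "ERROR":
        return "not-an-error"
    if entry["code"] == 1326:
        # Logon failure: the SMB session was refused before any ACL or RBAC
        # check, so NTFS permissions and the SMB role are not the failing layer.
        return "authentication"
    return {5: "authorization", 2: "path", 53: "path", 67: "path"}.get(entry["code"], "other")

def triage(lines):
    """Return (sid, path, classification) for every ERROR line in the log."""
    parsed = [parse_line(l) for l in lines]
    return [(e["sid"], e["path"], classify(e)) for e in parsed if e and e["level"] == "ERROR"]
```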

 

 

3 Replies

@Javier Ibarra 

I'm having the same exact issue as you. Did you find a way to fix it?

 

Thanks

@Javier Ibarra  I have the same issue. Did anyone find any resolution yet?

@Javier Ibarra 

 

I have the same issue. Do you have the solution?