FSLogix with Hybrid AD and Full Trusted Cross Domain

Hi everyone! 

I have been trying the following architecture with FSLogix, without any luck.

Two domains in a full trust relationship in an on-premises environment.

Azure AD Connect syncing both domains to the cloud without any issue.

Azure Files Premium in an Azure subscription, with a file share inside. The storage account was configured to accept Active Directory Domain Services (AD DS) authentication and shows me the on-premises domain it is joined to, which is Domain 1.

Configured Windows Virtual Desktop (Spring 2020 release).

Added the VMs to the host pool.

The VMs are configured to be accessed by any user from both domains.

Profiles for domain 1 users are being created on Azure Files as VHDs.

Profiles for domain 2 users are not being created on Azure Files.

Last point: a domain 2 user can log in to any VM in the host pool when starting a Remote Desktop session.

Azure Files has been configured, in the IAM section, with all users from both domains assigned the RBAC Storage SMB Contributor role.

If a domain 2 user accesses Azure Files via Explorer at \\xxxx.files.core.windows.net\profile, they can see the content and even create folders or files, so permissions are OK.

I have even added the domain 2 user using icacls, and when I look at the security properties in File Explorer I can see the user is listed and has Read/Write permission.

But in the end, FSLogix shows me in the logs that the user name or password is incorrect.

[12:39:22.039][tid:00000d90.00001d90][ERROR:0000052e] FindFile failed for path: \\alephfslogicprofile.file.core.windows.net\profiles\luis_S-1-5-21-1097050234-716937435-442771084-3145\Profile*.vhd (The user name or password is incorrect.)

This is about the security of the user in the second domain, and perhaps FSLogix doesn't support cross-domain on-premises users storing their profile in Azure Files.

Well, if someone has any idea whether this scenario is possible, let me know. I didn't find any answer searching the net.

Thanks a lot!

Regards,

Javier.

5 Replies

@Javier Ibarra

I'm having the same exact issue as you. Did you find a way to fix it?

Thanks

@Javier Ibarra I have the same issue. Did anyone find any resolution yet?

@Javier Ibarra

I have the same issue. Do you have the solution?

I have found a solution to this issue that should work for everyone experiencing this. If you use AD Connect to sync accounts and groups to Azure, make sure you create a group on-premises to use with FSLogix, sync it to Azure, and assign it the SMB Contributor role on the file share. Then (as with anything you do in Azure) wait between 5 and 30 minutes for the change to take effect. Also make sure you copy the FSLogix Group Policy template from the FSLogix installer to the on-premises DC, create an FSLogix Group Policy Object, make sure it's enabled, set all the other settings you need (like VHDLocations, delete local profile, etc.) and assign that Group Policy to the container that contains the VMs in Azure. This will create the registry settings needed for FSLogix when a user logs in.

What I found is that if you use a group that you create in Azure, even though it contains your AD Connect-synced users, it won't apply the SMB Contributor role properly and you will get the "Access is denied" error.
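The steps in the reply above, written out as a PowerShell script. This is an added example, not code from the thread, from FSLogix or from Microsoft. The storage account name (alephfslogicprofile) and share name (profiles) are taken from the FSLogix log line in the original post; the subscription id, resource group and group name are placeholders, and the `OnPremisesSyncEnabled` check relies on the property name exposed by the Graph-based Az.Resources module, which is an assumption. Steps 1 to 3 run from an admin workstation with the Az module signed in; steps 4 and 5 are meant to be run on a session host, step 5 as the affected user.

```powershell
# Added example (not from the thread). Requires the Az module (Az.Accounts, Az.Resources,
# Az.Storage) and a prior Connect-AzAccount for steps 1-3.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'  # assumption: placeholder
$ResourceGroup  = 'rg-avd'                                # assumption: placeholder
$StorageAccount = 'alephfslogicprofile'                   # from the FSLogix log line in the post
$ShareName      = 'profiles'                              # from the same log line
$GroupName      = 'FSLogix-Profile-Users'                 # assumption: created in on-prem AD, synced by AD Connect

# 1. Confirm the storage account is configured for AD DS (Kerberos) authentication at all.
$sa = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
if ($sa.AzureFilesIdentityBasedAuth.DirectoryServiceOptions -ne 'AD') {
    throw "Storage account $StorageAccount is not configured for AD DS authentication"
}

# 2. Resolve the group. The reply's point is that it must originate on-prem and be synced,
#    not be created directly in Azure AD, so refuse to continue with a cloud-only group.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) { throw "Group $GroupName not found in Azure AD; has AD Connect synced it yet?" }
if ($group.OnPremisesSyncEnabled -ne $true) {   # assumption: property name from the Graph-based Az.Resources
    throw "$GroupName is cloud-only; create it in on-prem AD and let AD Connect sync it"
}

# 3. Assign the share-level RBAC role ("SMB Contributor" in the reply) to that group.
#    Scope is the file share itself, not the whole storage account.
$shareScope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
              "/providers/Microsoft.Storage/storageAccounts/$StorageAccount" +
              "/fileServices/default/fileshares/$ShareName"
$existing = Get-AzRoleAssignment -ObjectId $group.Id -Scope $shareScope -ErrorAction SilentlyContinue |
            Where-Object RoleDefinitionName -eq 'Storage File Data SMB Share Contributor'
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id `
        -RoleDefinitionName 'Storage File Data SMB Share Contributor' `
        -Scope $shareScope | Out-Null
    Write-Host "Role assigned; allow 5-30 minutes for propagation before testing"
}

# 4. On a session host: the registry values the FSLogix GPO is expected to have written.
#    In production let the GPO linked to the VMs' OU set them; this only checks they arrived.
$fsKey  = 'HKLM:\SOFTWARE\FSLogix\Profiles'
$wanted = @{
    Enabled                              = 1
    VHDLocations                         = "\\$($StorageAccount).file.core.windows.net\$ShareName"
    DeleteLocalProfileWhenVHDShouldApply = 1
}
if (Test-Path $fsKey) {
    $actual = Get-ItemProperty -Path $fsKey
    foreach ($name in $wanted.Keys) {
        $v = $actual.$name
        if ("$v" -ne "$($wanted[$name])") { Write-Warning "$name is '$v', expected '$($wanted[$name])'" }
    }
} else {
    Write-Warning "$fsKey missing: the FSLogix GPO has not applied to this host (try gpupdate /force)"
}

# 5. On a session host, as the test user: can Kerberos issue a cifs ticket for the share?
#    If this fails, SMB falls back to a credential prompt and FSLogix logs the same
#    "The user name or password is incorrect" FindFile error seen in the original post.
klist get "cifs/$($StorageAccount).file.core.windows.net"
```

Step 5 is the quickest way to separate the two failure modes in the thread: a missing or wrong RBAC assignment shows up as "Access is denied" after a ticket was obtained, while a ticket request that fails outright points at the Kerberos path between the user's domain and the storage account's AD DS identity, which is the domain 1 side of the trust in the original post.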

@plwells42 thank you. I'll create a lab to test it.