Document Details

Storage Files Identity Multiple Forests
Home / Scan 41 / Storage Files Identity Multiple Forests
This page contains Windows bias

About This Page

This page is part of the Azure documentation. It contains code examples and configuration instructions for working with Azure services.
GitHub View on GitHub 📚 View on Microsoft Learn

Bias Analysis

Bias Types:
⚠️ windows_first
⚠️ windows_tools
⚠️ powershell_heavy
⚠️ missing_linux_example
Summary:
The documentation is heavily oriented toward Windows environments, with all examples, tools, and instructions assuming the use of Windows-based systems and Active Directory management consoles. There are no Linux or cross-platform instructions for managing trusts, mounting SMB shares, or configuring permissions. All command-line examples use Windows tools (icacls, net use, klist, setspn), and PowerShell is referenced for AD queries and sync operations. There is no mention of Linux equivalents or how to perform these tasks from non-Windows clients.
Recommendations:
  • Provide equivalent instructions and examples for Linux environments, such as using Samba tools (e.g., smbclient, mount.cifs) for mounting SMB shares and managing permissions.
  • Include guidance on managing Active Directory trusts and DNS from Linux-based AD management tools or via command-line utilities where possible.
  • Offer examples of how to validate Kerberos tickets and credentials on Linux (e.g., using klist, kinit, or realm commands).
  • Clarify any limitations or requirements for Linux clients accessing Azure Files with AD authentication in multi-forest scenarios.
  • If certain features are only supported on Windows, explicitly state this and provide workarounds or alternatives for Linux users.
GitHub Create pull request

Scan History

Date Scan ID Status Bias Status
2025-08-19 00:01 #85 completed ✅ Clean
2025-07-13 21:37 #48 completed ❌ Biased
2025-07-12 23:44 #41 in_progress ❌ Biased

Flagged Code Snippets

net use <driveletter> \\storageaccount.file.core.windows.net\sharename /user:AZURE\<storageaccountname> <storageaccountkey>
Client: onprem1user @ ONPREMAD1.COM Server: cifs/onprem2sa.file.core.windows.net @ ONPREMAD2.COM KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize Start Time: 11/22/2022 18:45:02 (local) End Time: 11/23/2022 4:45:02 (local) Renew Time: 11/29/2022 18:45:02 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION Kdc Called: onprem2.onpremad2.com
setspn -s cifs/<storage-account-name>.<DomainDnsRoot> <storage-account-name>
Client: onprem2user @ ONPREMAD2.COM Server: krbtgt/ONPREMAD2.COM @ ONPREMAD2.COM KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40e10000 -> forwardable renewable pre_authent name_canonicalize Start Time: 11/22/2022 18:46:35 (local) End Time: 11/23/2022 4:46:35 (local) Renew Time: 11/29/2022 18:46:35 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0x1 -> PRIMARY Kdc Called: onprem2 Client: onprem2user @ ONPREMAD2.COM Server: cifs/onprem1sa.file.core.windows.net @ ONPREMAD1.COM KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96 Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize Start Time: 11/22/2022 18:46:35 (local) End Time: 11/23/2022 4:46:35 (local) Renew Time: 11/29/2022 18:46:35 (local) Session Key Type: AES-256-CTS-HMAC-SHA1-96 Cache Flags: 0x200 -> DISABLE-TGT-DELEGATION Kdc Called: onpremad1.onpremad1.com