[SOLVED] Cannot Authenticate with Microsoft Account [TrueNAS SCALE 22.02.2.1]

abishur (Dabbler, joined Jun 28, 2022, 26 messages):

I've been hitting my head against the wall for a couple of days on this now.

I'm using TrueNAS Scale 22.02.2.1

I've created a user account, given it the e-mail address of the Microsoft account that I use with Windows 10, and clicked the boxes that say Microsoft Account and Samba Authentication.

I've set the user's password to the same password I use to log into my Microsoft account. (Though I use a PIN to log into Windows.)

I've given the user access permissions to a share I set up and can access it if I manually enter the username and password I made, but it will not automatically authenticate with my Microsoft credentials.

Is there an additional setting or step I need to take to get it to log in?
 

mgoulet65 (Explorer, joined Jun 15, 2021, 95 messages):

> I've been hitting my head against the wall for a couple of days on this now.
>
> I'm using TrueNAS Scale 22.02.2.1
>
> I've created a user account, given it the e-mail address of the Microsoft account that I use with Windows 10, and clicked the boxes that say Microsoft Account and Samba Authentication.
>
> I've set the user's password to the same password I use to log into my Microsoft account. (Though I use a PIN to log into Windows.)
>
> I've given the user access permissions to a share I set up and can access it if I manually enter the username and password I made, but it will not automatically authenticate with my Microsoft credentials.
>
> Is there an additional setting or step I need to take to get it to log in?
Following
 

abishur (Dabbler, joined Jun 28, 2022, 26 messages):

I've done some more testing this morning, no luck so far, but I've made sure that my login does have the same password as the account on my TrueNAS server and that the password was synced up on my computer. I've confirmed that I can access the share using the username or e-mail address of the user account I set up; the only hold-up is that it's not automatically supplying that information to TrueNAS, or it's not getting processed correctly for some reason.
 

shadofall (Contributor, joined Jun 2, 2020, 100 messages):

If I recall (and maybe this has changed), if you're using a PIN, Windows Hello, fingerprint scanner, etc. for login, then it doesn't work right.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):

> If I recall (and maybe this has changed), if you're using a PIN, Windows Hello, fingerprint scanner, etc. for login, then it doesn't work right.

This is an old hack from FreeNAS 9 days. I've been considering removing it for a future version (maybe I will finally do that for 22.12). All it does is map an email address to a local user account. It requires the client to do NTLMv2 auth (not peer-to-peer Kerberos and such things) and of course isn't integrated with MS infrastructure.
 

abishur (Dabbler, joined Jun 28, 2022, 26 messages):

> If I recall (and maybe this has changed), if you're using a PIN, Windows Hello, fingerprint scanner, etc. for login, then it doesn't work right.

Finally, that did the trick! In Sign-in options, under "Require Windows Hello sign-in for Microsoft accounts", I changed the option "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device" to Off. Then it passed along my password with no issues. So glad I finally got this working. I know it's just as easy to save my credentials, but I really like having the ability to seamlessly access things like this.
 

itet (Dabbler, joined Aug 19, 2020, 26 messages):

> This is an old hack from FreeNAS 9 days. I've been considering removing it for a future version (maybe I will finally do that for 22.12). All it does is map an email address to a local user account. It requires the client to do NTLMv2 auth (not peer-to-peer Kerberos and such things) and of course isn't integrated with MS infrastructure.

Hi anodos, just one question: have you now removed this feature? Because it is not working.

And in samba4/auth_audit.log I get NT_STATUS_NO_SUCH_USER:

Code:
{"timestamp": "2022-12-19T21:34:10.405749+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:xx.xx.xx.xx:445", "remoteAddress": "ipv4:xx.xx.xx.xx:60035", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MicrosoftAccount", "clientAccount": "xx@outlook.de", "workstation": "xxxx", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "xx@outlook.de", "mappedDomain": "MicrosoftAccount", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1696}}
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):

> Hi anodos, just one question: have you now removed this feature? Because it is not working.
>
> And in samba4/auth_audit.log I get NT_STATUS_NO_SUCH_USER:
>
> Code:
> {"timestamp": "2022-12-19T21:34:10.405749+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:xx.xx.xx.xx:445", "remoteAddress": "ipv4:xx.xx.xx.xx:60035", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MicrosoftAccount", "clientAccount": "xx@outlook.de", "workstation": "xxxx", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "xx@outlook.de", "mappedDomain": "MicrosoftAccount", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1696}}

Right, what you need to do is use local user account credentials and store them in Windows Credential Manager, e.g. xx, not xx@outlook.de.
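Reading the audit record above mechanically, as an added example written for this page (it is not code from the thread, from TrueNAS or from Samba): the Python below parses Samba's JSON auth_audit.log records, classifies each Authentication event, and flags the pattern itet hit, a clientDomain of MicrosoftAccount together with NT_STATUS_NO_SUCH_USER, meaning Windows offered the Microsoft-account identity and no local user maps to it. The log sample is constructed: its first line is the event from the post with the same xx placeholders, the remaining lines are made up to show a successful local-user logon, a wrong password, a non-Authentication record and a non-JSON line. The NetBIOS domain name TRUENAS and the hint texts are this example's assumptions, not Samba output.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of samba4/auth_audit.log (Samba JSON auth audit, one record
# per line). Line 1 is the event from the thread; the rest are made up here.
SAMPLE_LOG = """
{"timestamp": "2022-12-19T21:34:10.405749+0100", "type": "Authentication", "Authentication": {"version": {"major": 1, "minor": 2}, "eventId": 4625, "logonId": "0", "logonType": 3, "status": "NT_STATUS_NO_SUCH_USER", "localAddress": "ipv4:xx.xx.xx.xx:445", "remoteAddress": "ipv4:xx.xx.xx.xx:60035", "serviceDescription": "SMB2", "authDescription": null, "clientDomain": "MicrosoftAccount", "clientAccount": "xx@outlook.de", "workstation": "xxxx", "becameAccount": null, "becameDomain": null, "becameSid": null, "mappedAccount": "xx@outlook.de", "mappedDomain": "MicrosoftAccount", "netlogonComputer": null, "netlogonTrustAccount": null, "netlogonNegotiateFlags": "0x00000000", "netlogonSecureChannelType": 0, "netlogonTrustAccountSid": null, "passwordType": "NTLMv2", "duration": 1696}}
{"timestamp": "2022-12-19T21:35:02.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4624, "logonType": 3, "status": "NT_STATUS_OK", "remoteAddress": "ipv4:xx.xx.xx.xx:60036", "serviceDescription": "SMB2", "clientDomain": "xxxx", "clientAccount": "xx", "workstation": "xxxx", "mappedAccount": "xx", "mappedDomain": "TRUENAS", "passwordType": "NTLMv2", "duration": 1200}}
{"timestamp": "2022-12-19T21:36:40.000000+0100", "type": "Authentication", "Authentication": {"eventId": 4625, "logonType": 3, "status": "NT_STATUS_WRONG_PASSWORD", "remoteAddress": "ipv4:xx.xx.xx.xx:60037", "serviceDescription": "SMB2", "clientDomain": "xxxx", "clientAccount": "xx", "workstation": "xxxx", "mappedAccount": "xx", "mappedDomain": "TRUENAS", "passwordType": "NTLMv2", "duration": 900}}
{"timestamp": "2022-12-19T21:37:00.000000+0100", "type": "Authorization", "Authorization": {"serviceDescription": "SMB2", "authType": "NTLMSSP", "account": "xx"}}
not json at all
"""

# Diagnosis -> what to do about it (hint wording is this example's, not Samba's).
HINTS = {
    "ok": "authenticated",
    "microsoft-account-identity": "Windows sent the Microsoft-account identity and the server has no local user "
                                  "for it; store a local username (e.g. xx) for this host in Windows Credential "
                                  "Manager instead of the e-mail address",
    "unknown-user": "no local or mapped user with this name",
    "wrong-password": "user exists, but the NTLMv2 proof did not verify against the stored NT hash",
    "other-failure": "see the status field",
}


def parse_auth_events(text):
    """Yield Authentication records with the outer timestamp copied in.
    Blank, non-JSON and non-Authentication lines are skipped rather than fatal."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "Authentication":
            continue
        ev = dict(rec["Authentication"])
        ev["timestamp"] = rec.get("timestamp")
        yield ev


def diagnose(ev):
    """Classify one Authentication record by status and the identity the client offered."""
    status = ev.get("status")
    if status == "NT_STATUS_OK":
        return "ok"
    if status == "NT_STATUS_NO_SUCH_USER":
        if ev.get("clientDomain") == "MicrosoftAccount":
            return "microsoft-account-identity"
        return "unknown-user"
    if status == "NT_STATUS_WRONG_PASSWORD":
        return "wrong-password"
    return "other-failure"


def triage(text):
    """One row per Authentication record: who tried, from where, with what, and why it failed."""
    rows = []
    for ev in parse_auth_events(text):
        diag = diagnose(ev)
        rows.append({
            "timestamp": ev.get("timestamp"),
            "remote": ev.get("remoteAddress"),
            "workstation": ev.get("workstation"),
            "account": f"{ev.get('clientDomain')}\\{ev.get('clientAccount')}",
            "mapped": f"{ev.get('mappedDomain')}\\{ev.get('mappedAccount')}",
            "password_type": ev.get("passwordType"),
            "status": ev.get("status"),
            "diagnosis": diag,
            "hint": HINTS[diag],
        })
    return rows


def summarize(text):
    """Per-workstation counts of each diagnosis, to spot a client that keeps sending the wrong identity."""
    per_ws = defaultdict(Counter)
    for row in triage(text):
        per_ws[row["workstation"]][row["diagnosis"]] += 1
    return per_ws


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['timestamp']}  {row['status']:<28} {row['account']:<34} {row['password_type']:<7} -> {row['hint']}")
    for ws, counts in summarize(SAMPLE_LOG).items():
        print(ws, dict(counts))
```

Run it against a real auth_audit.log (`triage(open(path).read())`) and the first column of output tells you whether the client is offering the MicrosoftAccount identity at all; passwordType also confirms the NTLMv2 requirement anodos mentions. On the Windows side, anodos's fix is a Credential Manager entry for the NAS host that carries the local username rather than the e-mail address; `cmdkey /add:<nas-host> /user:<local-user> /pass` creates one from the command line and prompts for the password.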
 

itet (Dabbler, joined Aug 19, 2020, 26 messages):

> Right, what you need to do is use local user account credentials and store them in Windows Credential Manager, e.g. xx, not xx@outlook.de.

Thank you for the information. But it's a shame, because I found this function really great. Even in TrueCommand there is still the "Microsoft Account" config option, and on TrueNAS Core it was working last time.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):

> Thank you for the information. But it's a shame, because I found this function really great. Even in TrueCommand there is still the "Microsoft Account" config option, and on TrueNAS Core it was working last time.
It's working great for a certain subset of users, but for others the feature is significantly broken and not fixable. See text in this ticket for details: https://ixsystems.atlassian.net/browse/NAS-117437
 

itet (Dabbler, joined Aug 19, 2020, 26 messages):

> It's working great for a certain subset of users, but for others the feature is significantly broken and not fixable. See text in this ticket for details: https://ixsystems.atlassian.net/browse/NAS-117437

I have now done a lot of tests with my Windows 11 PCs, also Insider ... but this ticket is wrong. All my Windows 11 Pro PCs, when they try to authenticate to a share, are using the Microsoft account credentials. And this also has nothing to do with "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device".

There are a lot of advantages to this feature; hopefully you bring it back again.
 

anodos (Sambassador, iXsystems, joined Mar 6, 2014, 9,554 messages):

> I have now done a lot of tests with my Windows 11 PCs, also Insider ... but this ticket is wrong. All my Windows 11 Pro PCs, when they try to authenticate to a share, are using the Microsoft account credentials. And this also has nothing to do with "For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device".
>
> There are a lot of advantages to this feature; hopefully you bring it back again.

Perhaps the default changed. At the time I tested, early in the release cycles, Windows 11 required altering group policy settings to allow NTLMv2 auth.

Regardless, this feature isn't coming back. It encouraged storing high-value passwords in our local DB. In order for NTLMv2 auth to work from a server, the server needs to store an NT hash (unsalted MD4) in memory. We encrypt these hashes by default before writing them to our DB, but it would be amiss to have people store email creds in that way.
 