(Exactly) 200 Crappy Words on Cross-Forest AD-Joined Azure File Shares

In a recent client deployment we used Azure Files, joined to a domain in the client's primary AD forest. AVD sessions are established from other domains and forests, and all was well until we needed to deploy security baselines for compliance. After introducing the locked-down configuration we could no longer authenticate to Azure Files across AD forests, and user GPO processing was failing.

Part of the CIS L1 benchmark is the setting "Network security: Configure encryption types allowed for Kerberos", which restricts Kerberos to AES128, AES256 and "future" encryption types and so disables RC4. Cross-forest authentication to Azure Files does not work under that restriction, even when the storage account has been properly configured for AES256 Kerberos ticket encryption; it appears the cross-forest path works only with RC4. The same setting also breaks user policy processing where user GPOs from the other forest are applied through loopback processing to enable cross-forest user policies.

The real fun was in the troubleshooting and investigation. Once the policy has been applied (GPO > Security Settings > Local Policies > Security Options), it "tattoos" the machine: the setting is written to the registry and is not reverted when the policy is removed, so even after unlinking the GPO the session host will not climb down from the elevated security stance. The session host must be recreated.
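The following PowerShell is an added example, not code from the original post. It decodes the registry value that the CIS setting above writes (SupportedEncryptionTypes under the Kerberos Parameters key), reports whether RC4 is still permitted on the session host, and shows the CIS value next to a relaxed variant that keeps AES and "future" types but re-enables RC4 for the cross-forest case. It assumes it is run elevated on the AVD session host; the registry path, value name and bit flags are the documented ones for that policy setting. Because the setting tattoos, the script is also the quickest way to confirm that a host which has had the GPO unlinked still carries the hardened mask.

```powershell
# Added example (not from the original post): inspect the Kerberos encryption-type
# mask written by the CIS L1 setting
# "Network security: Configure encryption types allowed for Kerberos"
# and report whether RC4 is still allowed on this session host.
# Assumptions: run elevated on the AVD session host; path, value name and flags
# are the documented ones for this policy setting.

$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$ValueName  = 'SupportedEncryptionTypes'

# Bit flags of the SupportedEncryptionTypes DWORD.
$EncTypeFlags = [ordered]@{
    DES_CBC_CRC             = 0x1
    DES_CBC_MD5             = 0x2
    RC4_HMAC_MD5            = 0x4
    AES128_CTS_HMAC_SHA1_96 = 0x8
    AES256_CTS_HMAC_SHA1_96 = 0x10
    Future_encryption_types = 0x7FFFFFE0
}

# CIS L1 value: AES128 + AES256 + Future = 0x7FFFFFF8 (2147483640).
$CisHardenedMask = 0x7FFFFFF8
# Same intent with RC4 re-enabled for cross-forest Azure Files:
# 0x7FFFFFFC (2147483644).
$RelaxedMask = $CisHardenedMask -bor $EncTypeFlags.RC4_HMAC_MD5

function ConvertFrom-KerbEncTypeMask {
    param([Parameter(Mandatory)][long]$Mask)
    # Return the name of every flag that is set in the mask.
    $EncTypeFlags.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-SessionHostKerbEncTypes {
    $item = Get-ItemProperty -Path $KerbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: the policy is "Not Defined" and the OS default applies
        # (RC4 and AES allowed on current Windows, DES off).
        return [pscustomobject]@{
            Defined    = $false
            Mask       = 'not set'
            Types      = @('RC4_HMAC_MD5', 'AES128_CTS_HMAC_SHA1_96', 'AES256_CTS_HMAC_SHA1_96')
            Rc4Allowed = $true
        }
    }
    $mask = [long]$item.$ValueName
    [pscustomobject]@{
        Defined    = $true
        Mask       = ('0x{0:X8}' -f $mask)
        Types      = @(ConvertFrom-KerbEncTypeMask -Mask $mask)
        Rc4Allowed = (($mask -band $EncTypeFlags.RC4_HMAC_MD5) -ne 0)
    }
}

# --- usage ---
'CIS L1 mask  0x{0:X8} -> {1}' -f $CisHardenedMask, ((ConvertFrom-KerbEncTypeMask $CisHardenedMask) -join ', ')
'Relaxed mask 0x{0:X8} -> {1}' -f $RelaxedMask,     ((ConvertFrom-KerbEncTypeMask $RelaxedMask)     -join ', ')

$state = Get-SessionHostKerbEncTypes
'This host: policy defined = {0}, mask = {1}' -f $state.Defined, $state.Mask
'Allowed types: {0}' -f ($state.Types -join ', ')
if (-not $state.Rc4Allowed) {
    Write-Warning 'RC4 is disabled on this host: cross-forest Azure Files authentication and cross-forest loopback user policy will fail.'
}
# Manual follow-up: after mapping the share, "klist" shows the etype of the
# cifs/<storageaccount>.file.core.windows.net ticket actually issued.
```

The mask is a plain bitmask, so a value that decodes to AES128, AES256 and Future with no RC4_HMAC_MD5 entry is the CIS-hardened state; a host that reports "policy defined = True" with that mask after the GPO has been unlinked is exactly the tattooed host described above.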