Troubleshoot Azure Files connectivity and access issues (SMB)

When you try to connect to an Azure file share in Windows, you might receive the following error messages.

• System error 5 has occurred. Access is denied.

For security, connections to Azure file shares are blocked if the communication channel isn't encrypted and the connection attempt isn't made from the same datacenter where the Azure file shares reside. If the Secure transfer required setting is enabled on the storage account, unencrypted connections within the same datacenter are also blocked. An encrypted communication channel is only provided if the end-user's client OS supports SMB encryption.

Windows 8, Windows Server 2012, and later versions of each system negotiate requests that include SMB 3.x, which supports encryption.

1. Connect from a client that supports SMB encryption (Windows 8/Windows Server 2012 or later).
2. Connect from a virtual machine (VM) in the same datacenter as the Azure storage account that's used for the Azure file share.
3. Verify the Secure transfer required setting is disabled on the storage account if the client doesn't support SMB encryption.

Network traffic is denied if the virtual network (VNET) and firewall rules are configured on the storage account, unless the client IP address or virtual network is allow-listed.

Verify that virtual network and firewall rules are configured properly on the storage account. To test if the virtual network or firewall rules are causing the issue, temporarily change the setting on the storage account to Allow access from all networks. To learn more, see Configure Azure Storage firewalls and virtual networks.

If users are accessing the Azure file share using identity-based authentication, access to the file share fails with the "Access is denied" error if share-level permissions are incorrect.

Validate that share-level permissions are configured correctly. See Assign share-level permissions. Share-level permission assignments are supported for groups and users that have been synced from AD DS to Microsoft Entra ID using Microsoft Entra Connect Sync or Microsoft Entra Connect cloud sync. Confirm that groups and users being assigned share-level permissions aren't unsupported "cloud-only" groups.

When you try to mount a file share from on-premises or a different datacenter, you might receive the following errors:

• System error 53 has occurred. The network path was not found.
• System error 67 has occurred. The network name cannot be found.
• System error 87 has occurred. The parameter is incorrect.

System error 53 or System error 67 can occur if port 445 outbound communication to an Azure Files datacenter is blocked. To see the summary of ISPs that allow or disallow access from port 445, go to TechNet.

To check if your firewall or ISP is blocking port 445, use the AzFileDiagnostics tool or the Test-NetConnection cmdlet.

To use the Test-NetConnection cmdlet, the Azure PowerShell module must be installed. See Install Azure PowerShell module for more information. Remember to replace <your-storage-account-name> and <your-resource-group-name> with the relevant names for your storage account.

$resourceGroupName = "<your-resource-group-name>"
$storageAccountName = "<your-storage-account-name>"

# This command requires you to be logged into your Azure account and set the subscription your storage account is under, run:
# Connect-AzAccount -SubscriptionId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
# if you haven't already logged in.
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName

# The ComputerName, or host, is <storage-account>.file.core.windows.net for Azure Public Regions.
# $storageAccount.Context.FileEndpoint is used because non-Public Azure regions, such as sovereign clouds
# or Azure Stack deployments, will have different hosts for Azure file shares (and other storage resources).
Test-NetConnection -ComputerName ([System.Uri]::new($storageAccount.Context.FileEndPoint).Host) -Port 445

If the connection was successful, you should see the following output:

ComputerName     : <your-storage-account-name>
RemoteAddress    : <storage-account-ip-address>
RemotePort       : 445
InterfaceAlias   : <your-network-interface>
SourceAddress    : <your-ip-address>
TcpTestSucceeded : True

Solution 1 — Use Azure File Sync as a QUIC endpoint You can use Azure File Sync as a workaround to access Azure Files from clients that have port 445 blocked. Although Azure Files doesn't directly support SMB over QUIC, Windows Server 2022 Azure Edition does support the QUIC protocol. You can create a lightweight cache of your Azure file shares on a Windows Server 2022 Azure Edition VM using Azure File Sync. This configuration uses port 443, which is widely open outbound to support HTTPS, instead of port 445. To learn more about this option, see SMB over QUIC with Azure File Sync.

Solution 2 — Use VPN or ExpressRoute By setting up a virtual private network (VPN) or ExpressRoute from on-premises to your Azure storage account, with Azure Files exposed on your internal network using private endpoints, the traffic will go through a secure tunnel as opposed to over the internet. Follow the instructions to setup a VPN to access Azure Files from Windows.

Solution 3 — Unblock port 445 with help from your ISP/IT admin Work with your IT department or ISP to open port 445 outbound to Azure IP ranges.

Solution 4 — Use REST API-based tools like Storage Explorer or PowerShell Azure Files also supports REST in addition to SMB. REST access works over port 443 (standard tcp). There are various tools that are written using REST API that enable a rich UI experience. Storage Explorer is one of them. Download and Install Storage Explorer and connect to your file share backed by Azure Files. You can also use PowerShell that also uses REST API.

System error 53 or system error 87 can occur if NTLMv1 communication is enabled on the client. Azure Files supports only NTLMv2 authentication. Having NTLMv1 enabled creates a less-secure client. Therefore, communication is blocked for Azure Files.

To determine whether this is the cause of the error, verify that the following registry subkey isn't set to a value less than 3:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa > LmCompatibilityLevel

For more information, see the LmCompatibilityLevel topic on TechNet.

Revert the LmCompatibilityLevel value to the default value of 3 in the following registry subkey:

HKLM\SYSTEM\CurrentControlSet\Control\Lsa

When mounting a file share from on-premises or another datacenter, you might see the following error:

System error 64 has occurred. The specified network name is no longer available.

This issue is likely caused by a proxy server or another type of Network Address Translation (NAT) device in the datapath that blocks the connection to map the Azure file share. In this case, the PowerShell cmdlet Test-NetConnection still might test connectivity on port 445 successfully.

This issue occurs when the Active Directory computer or user account corresponding to the Azure storage account that hosts the FSLogix user profiles can't process Kerberos authentications. The underlying reasons might include incorrect modifications to the msDS-SupportedEncryptionTypes attribute, or the rotation of the storage account's access keys without updating the new keys on the Active Directory account.

To resolve this issue, reproduce it and collect a network trace to get more information about the error's origin. In most cases, you must work with your network/firewall administrator to allow the content to pass through the network device.

Kerberos errors can be seen in a network trace, such as flows labeled as KRB Error in a netsh trace. To resolve them, enable Active Directory Domain Services authentication for Azure file shares to set up the authentication parameters properly.

When you try to mount an Azure file share, you receive the following error:

Error code: 0x800704b3
Symbolic Name: ERROR_NO_NET_OR_BAD_PATH
Error description: The network path was either typed incorrectly, does not exist, or the network provider is not currently available. Please try retyping the path or contact your network administrator.

This error can occur if any core Windows network related services are disabled as any service that explicitly depends on those network services will fail to start.

Check if any of the following services are in a Stopped state in the Windows VM:

• Network Connections
• Network List Service
• Network Location Awareness
• Network Store Interface Service
• DHCP Client
• TCP/IP NetBIOS Helper
• Workstation

If you find any, start the service(s) and retry mounting the Azure file share.

Drives are mounted per user. If your application or service is running under a different user account than the one that mounted the drive, the application won't see the drive.

Use one of the following solutions:

• Mount the drive from the same user account that contains the application. You can use a tool such as PsExec.

• Pass the storage account name and key in the user name and password parameters of the net use command.

• Use the cmdkey command to add the credentials into Credential Manager. Perform this action from a command line under the service account context, either through an interactive login or by using runas.

  cmdkey /add:<storage-account-name>.file.core.windows.net /user:AZURE\<storage-account-name> /pass:<storage-account-key>
  

• Map the share directly without using a mapped drive letter. Some applications might not reconnect to the drive letter properly, so using the full UNC path might be more reliable:

  net use * \\storage-account-name.file.core.windows.net\share

After you follow these instructions, you might receive the following error message when you run net use for the system/network service account: "System error 1312 has occurred. A specified logon session does not exist. It may already have been terminated." If this error appears, make sure that the username that's passed to net use includes domain information (for example: [storage account name].file.core.windows.net).

If you map an Azure file share as an administrator by using the net use command, the share appears to be missing.

By default, Windows File Explorer doesn't run as an administrator. If you run net use from an administrative command prompt, you map the network drive as an administrator. Because mapped drives are user-centric, the user account that is logged in doesn't display the drives if they're mounted under a different user account.

Mount the share from a non-administrator command line. Alternatively, you can follow this TechNet topic to configure the EnableLinkedConnections registry value.

The net use command interprets a forward slash (/) as a command-line option. If your user account name starts with a forward slash, the drive mapping fails.

You can use either of the following steps to work around the problem:

• Run the following PowerShell command:

  New-SmbMapping -LocalPath y: -RemotePath \\server\share -UserName accountName -Password "password can contain / and \ etc"
  

  From a batch file, you can run the command this way:

  Echo new-smbMapping ... | powershell -command –

• Put double quotation marks around the key to work around this problem--unless the forward slash is the first character. If it is, either use the interactive mode and enter your password separately or regenerate your keys to get a key that doesn't start with a forward slash.

You might see this error message if the file share isn't accessible. For example, port 445 is blocked or there's a DNS resolution issue.

Make sure port 445 is open and check DNS resolution and connectivity to your file share.

Linux clients can use AzFileDiagnostics to automate symptom detection and ensure that they have the correct prerequisites.

Common causes for this problem are:

• You're using a Linux distribution with an outdated SMB client. See Use Azure Files with Linux for more information on common Linux distributions available in Azure that have compatible clients.
• SMB utilities (cifs-utils) aren't installed on the client.
• The minimum SMB version, 2.1, isn't available on the client.
• SMB 3.x encryption isn't supported on the client. The preceding table provides a list of Linux distributions that support mounting from on-premises and cross-region using encryption. Other distributions require kernel 4.11 and later versions.
• You're trying to connect to an Azure file share from an Azure VM, and the VM isn't in the same region as the storage account.
• If the Secure transfer required setting is enabled on the storage account, Azure Files will allow only connections that use SMB 3.x with encryption.

To resolve the problem, use the troubleshooting tool for Azure Files mounting errors on Linux. This tool:

• Helps you to validate the client running environment.
• Detects the incompatible client configuration that would cause access failure for Azure Files.
• Gives prescriptive guidance on self-fixing.
• Collects the diagnostics traces.

For security reasons, connections to Azure file shares are blocked if the communication channel isn't encrypted and the connection attempt isn't made from the same datacenter where the Azure file shares reside. Unencrypted connections within the same datacenter can also be blocked if the Secure transfer required setting is enabled on the storage account. An encrypted communication channel is only provided if the user's client OS supports SMB encryption.

To learn more, see Prerequisites for mounting an Azure file share with Linux and the cifs-utils package.

1. Connect from a client that supports SMB encryption or connect from a virtual machine in the same datacenter as the Azure storage account that's used for the Azure file share.
2. Verify the Secure transfer required setting is disabled on the storage account if the client doesn't support SMB encryption.

If virtual network (VNET) and firewall rules are configured on the storage account, network traffic will be denied access unless the client IP address or virtual network is allowed access. In addition, if your company or ISP blocks port 445 outbound, you won't be able to mount the share.

Verify that the VNET and firewall rules are configured properly on the storage account, and that port 445 is allowlisted. To test if virtual networks or firewall rules cause the issue, you can temporarily change the setting on the storage account to Allow access from all networks. To learn more, see Configure Azure Storage firewalls and virtual networks.

Azure Files only supports NTLMv2 (storage account key only) and Kerberos authentication for SMB file shares. NTLMv1 isn't supported. Kernel 3.3 and later versions default to NTLMv2 unless overridden with the sec mount option. Kernel 4.4 and later versions enable NTLMv2 by default and disable LANMAN. Under default configurations, NTLMv1 is kept as a negotiation only option. For more information, see your OS documentation.

Ensure that SMB mount commands don't override the default NTLMv2 authentication via the sec option. The sec option should never use ntlm or ntlmi when connecting to SMB Azure file shares. If you set global options in /etc/samba/smb.conf, ensure that you don't disable NTLMv2.

When storage account key access is disabled or disallowed for a storage account, SAS tokens and access keys won't work.

Use identity-based authentication instead. See Enable Active Directory authentication over SMB for Linux clients accessing Azure Files for prerequisites and instructions.

Some Linux distributions don't yet support encryption features in SMB 3.x. Users might receive a "115" error message if they try to mount Azure Files by using SMB 3.x because of a missing feature. SMB 3.x with full encryption is supported only on the latest version of a Linux distro.

The encryption feature for SMB 3.x for Linux was introduced in the 4.11 kernel. This feature enables the mounting of an Azure file share from on-premises or a different Azure region. Some Linux distributions may have backported changes from the 4.11 kernel to older versions of the Linux kernel that they maintain. To help determine if your version of Linux supports SMB 3.x with encryption, consult with Use Azure Files with Linux.

If your Linux SMB client doesn't support encryption, mount Azure Files using SMB 2.1 from a Linux VM that's in the same Azure datacenter as the file share. Verify that the Secure transfer required setting is disabled on the storage account.

A "112" mount error occurs on the Linux client when the client has been idle for a long time. After an extended idle time, the client disconnects, and the connection times out.

The connection can be idle for the following reasons:

• Network communication failures that prevent re-establishing a TCP connection to the server when the default "soft" mount option is used.
• Recent reconnection fixes that aren't present in older kernels.

This reconnection problem in the Linux kernel is now fixed as part of the following changes:

• Fix reconnect to not defer smb3 session reconnect long after socket reconnect
• Call echo service immediately after socket reconnect
• CIFS: Fix a possible memory corruption during reconnect
• CIFS: Fix a possible double locking of mutex during reconnect (for kernel v4.9 and later)

However, these changes might not be ported yet to all Linux distributions. If you're using a popular Linux distribution, you can check Use Azure Files with Linux to see which version of your distribution has the necessary kernel changes.

You can work around this problem by specifying a hard mount. A hard mount forces the client to wait until a connection is established or until it's explicitly interrupted. You can use it to prevent errors because of network time-outs. However, this workaround might cause indefinite waits. Be prepared to stop connections as necessary.

If you can't upgrade to the latest kernel versions, you can work around this problem by keeping a file in the Azure file share that you write to every 30 seconds or less. This must be a write operation, such as rewriting the created or modified date on the file. Otherwise, you might get cached results, and your operation might not trigger the reconnection.

In Windows, you might see the following errors.

One of the key purposes of a file share is that multiple users and applications may simultaneously interact with files and directories in the share. To assist with this interaction, file shares provide several ways of mediating access to files and directories.

When you open a file from a mounted Azure file share over SMB, your application/operating system requests a file handle, which is a reference to the file. Among other things, your application specifies a file-sharing mode when it requests a file handle, which specifies the level of exclusivity of your access to the file enforced by Azure Files:

• None: you have exclusive access.
• Read: others may read the file while you have it open.
• Write: others may write to the file while you have it open.
• ReadWrite: a combination of both the Read and Write sharing modes.
• Delete: others may delete the file while you have it open.

Although as a stateless protocol, the FileREST protocol doesn't have a concept of file handles, it does provide a similar mechanism to mediate access to files and folders that your script, application, or service may use: file leases. When a file is leased, it's treated as equivalent to a file handle with a file sharing mode of None.

Although file handles and leases serve an important purpose, sometimes file handles and leases might be orphaned. When this happens, this can cause problems in modifying or deleting files. You might see error messages like:

• The process can't access the file because the file is being used by another process.
• The action can't be completed because the file is open in another program.
• The document is locked for editing by another user.
• The specified resource is marked for deletion by an SMB client.

The resolution to this issue depends on whether this is being caused by an orphaned file handle or lease.

A file handle is preventing a file/directory from being modified or deleted. You can use the Get-AzStorageFileHandle PowerShell cmdlet to view open handles.

If all SMB clients have closed their open handles on a file/directory and the issue continues to occur, you can force close a file handle.

To force a file handle to be closed, use the Close-AzStorageFileHandle PowerShell cmdlet.

A file lease is preventing a file from being modified or deleted. You can check if a file has a file lease with the following PowerShell commands. Replace <resource-group>, <storage-account>, <file-share>, and <path-to-file> with the appropriate values for your environment.

# Set variables 
$resourceGroupName = "<resource-group>"
$storageAccountName = "<storage-account>"
$fileShareName = "<file-share>"
$fileForLease = "<path-to-file>"

# Get reference to storage account
$storageAccount = Get-AzStorageAccount `
        -ResourceGroupName $resourceGroupName `
        -Name $storageAccountName

# Get reference to file
$file = Get-AzStorageFile `
        -Context $storageAccount.Context `
        -ShareName $fileShareName `
        -Path $fileForLease

$fileClient = $file.ShareFileClient

# Check if the file has a file lease
$fileClient.GetProperties().Value

If a file has a lease, the returned object should contain the following properties:

LeaseDuration         : Infinite
LeaseState            : Leased
LeaseStatus           : Locked

To remove a lease from a file, you can release the lease or break the lease. To release the lease, you need the LeaseId of the lease, which you set when you create the lease. You don't need the LeaseId to break the lease.

The following example shows how to break the lease for the file indicated in cause 2 (this example continues with the PowerShell variables from cause 2):

$leaseClient = [Azure.Storage.Files.Shares.Specialized.ShareLeaseClient]::new($fileClient)
$leaseClient.Break() | Out-Null

Linux clients can use AzFileDiagnostics to automate symptom detection and ensure that they have the correct prerequisites.

In Linux, you might see the following issues.

This issue typically occurs if the file or directory has an open handle.

If the SMB clients have closed all open handles and the issue continues to occur, perform the following:

• Use the Get-AzStorageFileHandle PowerShell cmdlet to view open handles.

• Use the Close-AzStorageFileHandle PowerShell cmdlet to close open handles.

Error 1816 happens when you reach the upper limit of concurrent open handles that are allowed for a file or directory on the Azure file share. For more information, see Azure Files scale targets.

Reduce the number of concurrent open handles by closing some handles, and then retry. For more information, see Microsoft Azure Storage performance and scalability checklist.

To view open handles for a file share, directory, or file, use the Get-AzStorageFileHandle PowerShell cmdlet.

To close open handles for a file share, directory, or file, use the Close-AzStorageFileHandle PowerShell cmdlet.

If you cache/hold a large number of open handles for a long time, you might see this server-side failure due to throttling reasons. When a large number of handles are cached by the client, many of those handles can go into a reconnect phase at the same time, building up a queue on the server which needs to be throttled. The retry logic and the throttling on the backend for reconnect takes longer than the client's timeout. This situation manifests itself as a client not being able to use an existing handle for any operation, with all operations failing with ERROR_UNEXP_NET_ERR (59).

There are also edge cases in which the client handle becomes disconnected from the server (for example, a network outage lasting several minutes) that could cause this error.

Don't keep a large number of handles cached. Close handles, and then retry. Use Get-AzStorageFileHandle and Close-AzStorageFileHandle PowerShell cmdlets to view/close open handles.

If you're using Azure file shares to store profile containers or disk images for a large-scale virtual desktop deployment or other workloads that open handles on files, directories, and/or the root directory, you might reach the upper scale limits for concurrent open handles. In this case, use an additional Azure file share and distribute the containers or images between the shares.

Linux clients can use AzFileDiagnostics to automate symptom detection and ensure that they have the correct prerequisites.

In Linux, you might receive an error message that resembles the following:

<filename> [permission denied] Disk quota exceeded

You've reached the upper limit of concurrent open handles that are allowed for a file or directory.

Azure Files supports 10,000 open handles on the root directory and 2,000 open handles per file and directory within the share.

Reduce the number of concurrent open handles by closing some handles and then retry the operation.

To view open handles for a file share, directory, or file, use the Get-AzStorageFileHandle PowerShell cmdlet.

To close open handles for a file share, directory, or file, use the Close-AzStorageFileHandle PowerShell cmdlet.