KevHal
Iron Contributor
Jan 31, 2025
Solved

Azure Files and Kerberos timeouts

Hi,

A really weird issue has started to happen in our environment.

We have Entra ID-joined session hosts, using Kerberos authentication for Azure Files storage. All been working fine. However, we find that after 60 minutes certain users' FSLogix VHDs get dismounted.

All we then see in the logs is:

Failed to read WindowsSessionID (The system cannot contact a domain controller to service the authentication request. Please try again later.)

Anyone come across this?

  • Try below to address your issue:

    • Renew Kerberos Tickets: You can manually renew the Kerberos tickets by running the klist command on the affected machines. This will refresh the tickets and may resolve the dismount issue.
    • Configure Scheduled Task: Set up a scheduled task to automatically renew the Kerberos tickets at regular intervals. This can help ensure that the tickets are always valid during the session.
    • Check Domain Controller Availability: Ensure that the session hosts have reliable network connectivity to the domain controllers. Sometimes, network issues can cause authentication requests to fail.
    • Review Timeout Policies: If the session hosts are configured with extended timeout policies, consider adjusting them to reduce the risk of Kerberos ticket expiration.
    • Update FSLogix and EntraID Settings: Make sure that FSLogix and EntraID are configured correctly and are up to date. Sometimes, updates or misconfigurations can cause unexpected issues.
    • KevHal
      Iron Contributor

      Just to keep you updated. Lengthy conversation with the customer.

      They were testing out an SSO application and set up a CA policy, which had a session limit of 60 minutes. Seems this was causing an issue with the Kerberos ticket for FSLogix profiles. We reversed that change and all is well.
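
For checking ticket expiry against the time a profile disk dismounts, here is an added example (not part of the original posts) that parses `klist` output on a session host and reports each ticket's lifetime and remaining minutes. The function name `Get-KerberosTicketLifetime` is hypothetical, and the sample text, account, storage account and realm names are constructed placeholders.

```powershell
# Added example: summarise Kerberos ticket lifetimes from klist output.
# Assumption: input has the "Server:", "Start Time:" and "End Time:" lines that klist prints.
function Get-KerberosTicketLifetime {
    param(
        [Parameter(Mandatory)][string[]]$KlistOutput,
        [datetime]$Now = (Get-Date),
        # klist prints dates in the machine's regional format, so parse with the current culture
        [cultureinfo]$Culture = [cultureinfo]::CurrentCulture
    )
    $server = $null
    $start  = $null
    foreach ($line in $KlistOutput) {
        if ($line -match '^\s*Server:\s*(\S+)') {
            # A new ticket entry begins: remember its service name, forget the old start time
            $server = $Matches[1]
            $start  = $null
        }
        elseif ($line -match '^\s*Start Time:\s*(.+?)\s*\(local\)') {
            $start = [datetime]::Parse($Matches[1], $Culture)
        }
        elseif ($server -and $start -and $line -match '^\s*End Time:\s*(.+?)\s*\(local\)') {
            $end = [datetime]::Parse($Matches[1], $Culture)
            [pscustomobject]@{
                Server          = $server
                EndTime         = $end
                LifetimeMinutes = [int]($end - $start).TotalMinutes
                MinutesLeft     = [int][math]::Floor(($end - $Now).TotalMinutes)
                Expired         = ($end -le $Now)
            }
        }
    }
}

# Constructed sample in klist's layout; all names are placeholders, not values from the thread.
$sample = @'
#0>     Client: user1 @ REALM.EXAMPLE
        Server: cifs/stexample.file.core.windows.net @ REALM.EXAMPLE
        Start Time: 1/31/2025 9:00:00 (local)
        End Time:   1/31/2025 10:00:00 (local)
'@ -split "`r?`n"

# Show only file-share (cifs) tickets from the sample, evaluated at a fixed constructed time
Get-KerberosTicketLifetime -KlistOutput $sample -Now ([datetime]'2025-01-31T09:50:00') `
    -Culture ([cultureinfo]::InvariantCulture) |
    Where-Object { $_.Server -like 'cifs/*' }
```

On a live session host, pass the real cache instead of the sample: `Get-KerberosTicketLifetime -KlistOutput (klist)`.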
