Skip to content

Minor fixes and logging improvements to AzFilesHybrid debug cmdlet #299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
MaximeKjaer merged 8 commits into from
Feb 5, 2026
Merged

Minor fixes and logging improvements to AzFilesHybrid debug cmdlet #299

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
f1b7a89
Improve CheckEntraObject error reporting
MaximeKjaer Feb 4, 2026
09fabae
Clean up Fiddler proxy error reporting
MaximeKjaer Feb 4, 2026
0fc0155
Fix Test-IsCloudKerberosTicketRetrievalEnabled for empty folder
MaximeKjaer Feb 4, 2026
96f5d6e
Fix syntax in CheckServerSupportedEncryptionTypes
MaximeKjaer Feb 4, 2026
12943b7
Fix color of single quote
MaximeKjaer Feb 4, 2026
85eccc3
Fix success message printing
MaximeKjaer Feb 5, 2026
0f08e0c
Fix indentation of Fiddler Proxy detected message
MaximeKjaer Feb 5, 2026
3313057
Refactor Test-IsCloudKerberosTicketRetrievalEnabled
MaximeKjaer Feb 5, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
159 changes: 87 additions & 72 deletions AzFilesHybrid/AzFilesHybrid/AzFilesHybrid.psm1
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3885,51 +3885,51 @@ function Debug-AzStorageAccountEntraKerbAuth {
-Scopes "Application.Read.All" `
-TenantId $TenantId

$spn = "api://${TenantId}/cifs/${fileEndpoint}"

# Requires Microsoft.Graph.Applications
$Application = Get-MgApplication `
-Filter "identifierUris/any (uri:uri eq 'api://${TenantId}/CIFS/${fileEndpoint}')" `
-Filter "identifierUris/any (uri:uri eq '${spn}')" `
-ConsistencyLevel eventual

if($null -eq $Application)
{
Write-TestingFailed -Message "Could not find the application with SPN '$($PSStyle.Foreground.BrightCyan)api://${TenantId}/CIFS/${fileEndpoint}$($PSStyle.Reset)'"
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Could not find the application with SPN ' api://${TenantId}/CIFS/${fileEndpoint}'."
}

# Requires Microsoft.Graph.Applications
$ServicePrincipal = Get-MgServicePrincipal -Filter "servicePrincipalNames/any (name:name eq 'api://$TenantId/CIFS/${fileEndpoint}')" -ConsistencyLevel eventual

[string]$aadServicePrincipalError = "SPN Value is not set correctly, It should be '$($PSStyle.Foreground.BrightCyan)CIFS/${fileEndpoint}$($PSStyle.Reset)'"
if($null -eq $ServicePrincipal)
if ($null -eq $Application)
{
Write-TestingFailed -Message $aadServicePrincipalError
Write-TestingFailed -Message "Could not find the application with SPN '$($PSStyle.Foreground.BrightCyan)${spn}$($PSStyle.Reset)'"
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Service Principal is missing SPN 'CIFS/${fileEndpoint}'."
$checks["CheckEntraObject"].Issue = "Could not find Entra application with SPN '$spn'."
}
if(-not $ServicePrincipal.AccountEnabled)
{
Write-TestingFailed -Message "Service Principal should have AccountEnabled set to true"
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Expected AccountEnabled set to true"
}
elseif(-not $ServicePrincipal.ServicePrincipalNames.Contains("CIFS/${fileEndpoint}"))
{
Write-TestingFailed -Message $aadServicePrincipalError
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Service Principal is missing SPN ' CIFS/${fileEndpoint}'."
}

elseif (-not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/CIFS/${fileEndpoint}"))
else
{
Write-TestingWarning -Message "Service Principal is missing SPN '$($PSStyle.Foreground.BrightCyan)api://${TenantId}/CIFS/${fileEndpoint}$($PSStyle.Reset)'."
Write-Host "`tIt is okay to not have this value for now, but it is good to have this configured in future if you want to continue getting kerberos tickets."
$checks["CheckEntraObject"].Result = "Partial"
}
else {
Write-TestingPassed
$checks["CheckEntraObject"].Result = "Passed"
}
# Requires Microsoft.Graph.Applications
$ServicePrincipal = Get-MgServicePrincipal -Filter "servicePrincipalNames/any (name:name eq '$spn')" -ConsistencyLevel eventual

if ($null -eq $ServicePrincipal)
{
Write-TestingFailed -Message "SPN Value is not set correctly, It should be '$($PSStyle.Foreground.BrightCyan)${spn}$($PSStyle.Reset)'"
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Could not find Entra service principal with SPN '$spn'."
}
elseif (-not $ServicePrincipal.AccountEnabled)
{
Write-TestingFailed -Message "Service Principal should have AccountEnabled set to true"
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Expected AccountEnabled set to true"
}
elseif(-not $ServicePrincipal.ServicePrincipalNames.Contains("CIFS/${fileEndpoint}") -and
-not $ServicePrincipal.ServicePrincipalNames.Contains("cifs/${fileEndpoint}") -and
-not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/CIFS/${fileEndpoint}") -and
-not $ServicePrincipal.ServicePrincipalNames.Contains("api://${TenantId}/cifs/${fileEndpoint}"))
{
Write-TestingFailed -Message $aadServicePrincipalError
$checks["CheckEntraObject"].Result = "Failed"
$checks["CheckEntraObject"].Issue = "Service Principal does not have the required SPNs."
}
else
{
Write-TestingPassed
$checks["CheckEntraObject"].Result = "Passed"
}
}
} catch {
Write-TestingFailed -Message $_
$checks["CheckEntraObject"].Result = "Failed"
Expand Down Expand Up @@ -4045,9 +4045,8 @@ function Debug-AzStorageAccountEntraKerbAuth {

if ($DefaultSharePermission -and $DefaultSharePermission -ne "None")
{
Write-TestingPassed
Write-TestingPassed "Access is granted via the default share permission"
$checks["CheckRBAC"].Result = "Passed"
Write-Host "`tAccess is granted via the default share permission"
}
elseif (-not $UserName)
{
Expand All @@ -4070,7 +4069,8 @@ function Debug-AzStorageAccountEntraKerbAuth {
-checkResult $checks["CheckRBAC"]
}
}
} catch
}
catch
{
Write-TestingFailed -Message $_
$checks["CheckRBAC"].Result = "Failed"
Expand Down Expand Up @@ -4141,47 +4141,44 @@ function Debug-AzStorageAccountEntraKerbAuth {
#
if (!$filterIsPresent -or $Filter -match "CheckFiddlerProxy")
{
Write-Host "Checking Fiddler Proxy"
try
{
Write-Host "Checking Fiddler Proxy"
try
{
$checksExecuted += 1;
$ProxysubFolder = Get-ChildItem `
-Path Registry::HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\ProxyMgr `
-ErrorAction SilentlyContinue

$success = $true
foreach ($folder in $ProxysubFolder)
{
$properties = $folder | Get-ItemProperty
if (($null -ne $properties.StaticProxy) -and ($properties.StaticProxy.Contains("https=127.0.0.1:")))
{
# If this is the first failure detected, print "FAILED"
if ($success)
{
Write-TestingFailed -Message "Fiddler proxy detected"
$checks["CheckFiddlerProxy"].Result = "Failed"
$success = $false
}

# Report the registry path every time a failure is detected
Write-Host "`tFiddler Proxy is set, you need to delete any registry nodes under $($PSStyle.Foreground.BrightCyan)'$($folder.Name)'$($PSStyle.Reset)."
$success = $false
Write-Host "`tFiddler proxy detected in '$($PSStyle.Foreground.BrightCyan)$($folder.Name)$($PSStyle.Reset)'."
}
}

if ($success)
{
Write-TestingPassed
$checks["CheckFiddlerProxy"].Result = "Passed"
Write-TestingPassed
}
else
{
Write-TestingFailed -Message "To prevent this issue from re-appearing in the future, you should also uninstall Fiddler."
$checks["CheckFiddlerProxy"].Result = "Failed"
$checks["CheckFiddlerProxy"].Issue = "Fiddler Proxy detected"
Write-TestingFailed -Message "Fiddler Proxy detected. Uninstall Fiddler and remove all registry entries listed above."
}
}
catch
{
Write-TestingFailed -Message $_
$checks["CheckFiddlerProxy"].Result = "Failed"
$checks["CheckFiddlerProxy"].Issue = $_
}
}
catch
{
Write-TestingFailed -Message $_
$checks["CheckFiddlerProxy"].Result = "Failed"
$checks["CheckFiddlerProxy"].Issue = $_
}
}

#
Expand All @@ -4196,14 +4193,18 @@ function Debug-AzStorageAccountEntraKerbAuth {
$status = Get-DsRegStatus
if ($status.AzureAdJoined -eq "YES")
{
Write-TestingPassed

if ($status.DomainJoined -eq "NO")
{
Write-Host "`tEntra Join confirmed"
Write-TestingPassed "Entra Join confirmed"
}
elseif ($status.DomainJoined -eq "YES")
{
Write-Host "`tHybrid Entra Join confirmed"
Write-TestingPassed "Hybrid Entra Join confirmed"
}
else
{
Write-TestingPassed "Unknown kind of Entra Join confirmed"
}
$checks["CheckEntraJoinType"].Result = "Passed"
}
Expand Down Expand Up @@ -4271,7 +4272,7 @@ function Debug-AzStorageAccountEntraKerbAuth {
Write-TestingPassed
}
else {
$disabledConfiguration = (-not $serverEncryption.SupportsKerberos) ? "Kerberos Authentication" : "AES-256 encryption"
$disabledConfiguration = if (-not $serverEncryption.SupportsKerberos) { "Kerberos Authentication" } else { "AES-256 encryption" }

$message = "Entra Kerberos requires $disabledConfiguration to be enabled on the storage account."
if (-not $serverEncryption.SupportsKerberos) {
Expand Down Expand Up @@ -4462,17 +4463,31 @@ function Get-DsRegStatus {
}

function Test-IsCloudKerberosTicketRetrievalEnabled {
$regKeyFolder = Get-ItemProperty -Path Registry::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters -ErrorAction SilentlyContinue
[CmdletBinding()]
param ()

if ($null -eq $regKeyFolder) {
$regKeyFolder = Get-ItemProperty -Path Registry::HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters -ErrorAction SilentlyContinue
}
$path = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters"
$folder = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

if ($null -eq $folder -or
$null -eq $folder.CloudKerberosTicketRetrievalEnabled)
{
Write-Verbose "CloudKerberosTicketRetrievalEnabled not found in ${path}."

if ($null -eq $regKeyFolder) {
return $false
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters"
$folder = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

if ($null -eq $folder -or
$null -eq $folder.CloudKerberosTicketRetrievalEnabled)
{
Write-Verbose "$path not found."
return $false
}
}

Write-Verbose "Found ${path}\CloudKerberosTicketRetrievalEnabled = $($folder.CloudKerberosTicketRetrievalEnabled)"

return $regKeyFolder.CloudKerberosTicketRetrievalEnabled -eq "1"
return $folder.CloudKerberosTicketRetrievalEnabled -eq "1"
}

function Debug-EntraKerbAdminConsent {
Expand Down
10 changes: 9 additions & 1 deletion AzFilesHybrid/AzFilesHybrid/AzFilesHybridUtilities.ps1
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,10 +1,18 @@
function Write-TestingPassed(
[Parameter(Mandatory=$false, Position=0)]
[string]$Message = "",

[Parameter(Mandatory=$false)]
[int]$Indents = 1
) {
$indentation = "`t" * $Indents
$checkmark = [System.Char]::ConvertFromUtf32([System.Convert]::ToInt32("2713", 16))
Write-Host "$($PSStyle.Foreground.BrightGreen)${indentation}($checkmark) Passed$($PSStyle.Reset)"

if ($Message) {
Write-Host "$($PSStyle.Foreground.BrightGreen)${indentation}($checkmark) Passed:$($PSStyle.Reset) $Message"
} else {
Write-Host "$($PSStyle.Foreground.BrightGreen)${indentation}($checkmark) Passed$($PSStyle.Reset)"
}
}

function Write-TestingFailed(
Expand Down