and before you suggest one, please, I am NOT interested in Azure AD DS; if you do not know the difference, then spend some time learning, as there is a difference. I have multiple domains to deal with, and Azure AD handles it out of the box. They also now allow for Kerberos to their Azure Files. So I could go that route, but we are also looking to multi-purpose the NAS to do a few other things internally.

So it is a basic requirement that the NAS appliance be able to handle Azure AD auth to the files that are on the NAS. That is all, and thanks to anyone who comes up with an idea.

I took a brief look at the sites for both Synology and QNAP but did not find any support for Azure AD; both will do Azure AD DS, but that is not an option for this appliance need.

10 Spice ups

If all you need is an LDAP-compliant client to interface with your AAD, Synology supports this out of the box.

Edit: P.S. - sounds like what you need is the SSO function there. Your AAD will supply the auth token, the Synology confirms the authenticity of the login with AAD using SSO. Here’s the interface for setting it up:

1 Spice up

What you would specifically need to look for is SAML. Unfortunately, there just isn’t anything out there that will support this. You may be able to find something that integrates web login using SSO credentials from a SAML IdP, but this will not affect file-level access of file shares. SMB shares require NTLM/Kerberos authentication. Azure AD is not any of those, which is why Microsoft has the supplemental Azure AD DS service to enable a hybrid approach but fully in the cloud.

Alternatively, you can use something like JumpCloud’s LDAP-as-a-Service product, which has the benefit of not needing a VPN tunnel to Azure like AADDS.

2 Spice ups

Thanks. I am certain, though, that when I looked at Synology, their documentation regarding SSO required a site-to-site VPN along with Azure AD DS, which is NOT Azure AD. I know those things are confusing to some people, but having run them both at multiple companies, I understand the deltas. Guess I have to go reread their documentation at Synology.

Yeah, almost every link searched generally refers to AD DS, but there’s a very limited section of one of the discussions that contained the following (the following text is not mine):

The basic outline is something like this for my implementation:

  1. Ensure you have a good AAD setup (i.e. it is healthy)
  2. Have an on-prem classic AD Domain Controller (I recommend 2019)
    1. Could you use AAD DS instead? Maybe, but it sure is expensive compared to running 2 DCs locally IMO; it may work, as that is indeed what is in the docs. I chose this way due to the control I need over DCs - like I want logons to work even if my link to the internet is down, have internal DNS, etc. Also AAD DS is so feature-constrained compared to normal DCs that it isn’t much better than a toy IMHO (for example it is missing lots of default directory partitions, etc., making it incompatible with a bunch of stuff, can’t support syncing to other domains/forests, etc., etc.)
  3. Have AD Connect syncing between the AAD and the on-prem AD DC
  4. Join the Synology to the Windows AD domain on prem
  5. Set up AAD SSO between AAD and Synology - this will allow you to log on to DSM but provide SSO to things like file shares. You have to get this working before proceeding with the next steps
  6. Set up Windows Hello for Business in AAD
  7. Join the client PCs to AAD using WHfB and make sure logon with password or PIN works
  8. Set up a Certificate Authority and create a new KDC certificate type (it’s in the MS docs how to do this, but it’s fragile).
  9. Distribute the root CA cert to the AAD-joined clients (I used Intune to do this, but it can be done manually)

If you got all those steps right (and it took me 2 weeks to figure it all out, getting clarifications from Synology, and MS docs changed online), then when you log on to the AAD-joined Windows 10 machine with any WHfB cred (password, PIN, face) with a UPN from AAD and then access your Synology via, say, an Explorer UNC, you will get seamlessly signed on…

To be clear, there are different deployment topologies; mine was driven by the fact that with on-prem AD DCs I have more control over AD than I would with AAD DS. Also, the SSO between the Windows 10 PC and the NAS is using Kerberos auth under the hood - that’s why the DCs are important.

[snip]

This is the guide I used (though its CA instructions were shit): Configure single sign-on (SSO) for Microsoft Entra joined devices - Windows Security | Microsoft Learn. Its publishing instructions are spot on.

1 Spice up
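The procedure quoted in the post above ends with "seamlessly signed on", but the thing actually worth proving is that the SMB session to the NAS used a Kerberos service ticket rather than falling back to NTLM, since the whole design hinges on the Kerberos path via the on-prem DCs. The following PowerShell is an added example for checking that from an Entra (Azure AD) joined Windows 10/11 client; it is not code from the quoted post, from Synology or from Microsoft. The NAS hostname `nas.corp.example.com` and share name `data` are placeholders; `dsregcmd`, `klist` and `Get-SmbConnection` are the standard Windows tools.

```powershell
# Added example (not part of the original post): verify that SMB access to the
# NAS from an Entra-joined client is backed by a Kerberos ticket.
# Placeholders: adjust to your NAS FQDN and share.
$Nas   = 'nas.corp.example.com'
$Share = "\\$Nas\data"

# 1. Device state. AzureAdJoined should be YES. For the Kerberos path to an
#    on-prem DC, the client also needs network line of sight to that DC.
Write-Host '== Device registration state =='
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|TenantName|AzureAdPrt\b'

# 2. Purge cached tickets so the next access proves a fresh Kerberos exchange
#    instead of reusing something obtained earlier.
klist purge | Out-Null

# 3. Touch the share. -ErrorAction Stop makes an auth failure abort loudly.
Get-ChildItem -Path $Share -ErrorAction Stop | Out-Null

# 4. Inspect the ticket cache. A "cifs/<nas>" service ticket means the SMB
#    client authenticated with Kerberos; no such ticket almost always means
#    NTLM fallback (typically a missing or wrong SPN, or DNS/DC reachability).
$tickets = klist
$hasCifs = $tickets -match [regex]::Escape("cifs/$Nas")
if ($hasCifs) {
    Write-Host "OK: Kerberos service ticket for cifs/$Nas is present."
    $tickets | Select-String "cifs/$Nas" -Context 0,4
} else {
    Write-Warning "No cifs/$Nas ticket found - SMB probably fell back to NTLM."
    Write-Warning 'Check the SPN on the NAS computer object and DC reachability.'
}

# 5. Show the live SMB connection (dialect and identity used).
Get-SmbConnection -ServerName $Nas |
    Select-Object ServerName, ShareName, Dialect, UserName, Credential
```

If step 4 reports no ticket, `klist get cifs/nas.corp.example.com` asks the KDC for that ticket explicitly and surfaces the underlying Kerberos error (for example a missing SPN), which is a faster diagnosis than re-browsing the share.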

Thanks @thomastheobald2, but that is far too much work, infrastructure, and more for what we are going to do. On-prem AD is a non-starter, as is AADS; there is simply no need to add all kinds of infrastructure to support this in our setup. Sadly, from what I am seeing, most are also limited to one auth domain, while 365/AAD is not for an organization. I am guessing we will end up having to cobble something together instead of a nice and clean OOB solution. Thanks for the detail, though; it is helpful and likely may help another user in the future!

Yeah, I agree, I won’t claim it’s an easy go. On the alternative side, why not just throw together a mid-tower or cube case with eight or ten 20Gb drives, a couple of dual-SFP+ cards, and slap Windows Server on it?

Probably the way we will end up going. I was just not trying to do something with bubble gum, duct tape and rubber bands. :slight_smile: Hoping for a COTS product and warranty and, basically, someone else to blame when it fails.

Unfortunately, the only thing that supports Azure AD in a usable way is Windows. That doesn’t mean, however, that you must drop the idea of purchasing an inexpensive NAS in favor of a fully-fledged server. Configuring Synology or QNAP as a primitive iSCSI box connected to a Windows Server virtual machine (even an existing one) that will serve as an Azure AD integrated file server (or NAS) is an absolutely valid and production-ready idea.

Even if you decide to go with a full-blown server, it is still preferred to use Linux for your foundation storage controller OS and let Windows handle other relevant stuff as a VM running on the same server or elsewhere.

2 Spice ups
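The "NAS as a dumb iSCSI box behind a Windows file server" design in the post above moves all authentication onto Windows: the NAS only ever sees a block device session from one initiator, and SMB clients authenticate (Kerberos/NTLM) against whatever directory the Windows VM is joined to. The following PowerShell is an added example of the Windows Server side of that design; it is not code from the post, from Synology/QNAP or from Microsoft. The portal address, target IQN, CHAP credentials, drive letter, share name and security group are placeholders for illustration. The cmdlets used (`New-IscsiTargetPortal`, `Connect-IscsiTarget`, `Initialize-Disk`, `New-Partition`, `Format-Volume`, `New-SmbShare`, `Set-SmbServerConfiguration`) are the built-in Windows Server storage and SMB cmdlets.

```powershell
# Added example (not from the original post): attach a NAS-hosted iSCSI LUN to a
# Windows Server VM and publish it as an SMB share. All values below are
# placeholders for this illustration.
$PortalAddress = '10.0.0.50'                                  # NAS iSCSI portal (isolated storage VLAN)
$TargetIqn     = 'iqn.2000-01.com.synology:nas01.target-1'    # LUN target on the NAS
$ChapUser      = 'winfs01'                                    # CHAP user configured on the NAS target
$ChapSecret    = 'ReplaceWith12to16Chars'                     # CHAP secret (12-16 chars); keep out of source control
$DriveLetter   = 'S'
$ShareName     = 'Data'
$ShareGroup    = 'CORP\FileShare-Users'                       # directory group allowed on the share

# Ensure the initiator service is running and survives reboots.
Set-Service -Name MSiSCSI -StartupType Automatic
Start-Service -Name MSiSCSI

# Discover the portal and log in with one-way CHAP. -IsPersistent re-establishes
# the session at boot, so the volume comes back without manual intervention.
New-IscsiTargetPortal -TargetPortalAddress $PortalAddress | Out-Null
Connect-IscsiTarget -NodeAddress $TargetIqn `
                    -AuthenticationType ONEWAYCHAP `
                    -ChapUsername $ChapUser `
                    -ChapSecret $ChapSecret `
                    -IsPersistent $true | Out-Null

# Initialise only a RAW iSCSI disk: a re-run of this script must never
# reformat a LUN that already carries a volume.
$disk = Get-Disk |
    Where-Object { $_.BusType -eq 'iSCSI' -and $_.PartitionStyle -eq 'RAW' } |
    Select-Object -First 1
if ($disk) {
    Initialize-Disk -Number $disk.Number -PartitionStyle GPT
    New-Partition -DiskNumber $disk.Number -UseMaximumSize -DriveLetter $DriveLetter |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel $ShareName -Confirm:$false | Out-Null
} elseif (-not (Get-Volume -DriveLetter $DriveLetter -ErrorAction SilentlyContinue)) {
    throw "No RAW iSCSI disk found and ${DriveLetter}: does not exist; check the target login."
}

# Publish the share. Share-level access is limited to one directory group (set
# finer-grained NTFS ACLs on the folder tree), and SMB signing plus encryption
# are required so the client-to-server leg is integrity- and confidentiality-
# protected; the iSCSI leg behind it is not encrypted and relies on the VLAN.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path "${DriveLetter}:\" -FullAccess $ShareGroup -EncryptData $true | Out-Null
}
Set-SmbServerConfiguration -RequireSecuritySignature $true -EncryptData $true -Force

Get-SmbShare -Name $ShareName | Select-Object Name, Path, EncryptData
```

On the NAS side the matching hardening is to restrict the target to this initiator's IQN, enable CHAP there, and keep the iSCSI portal on a network that ordinary clients cannot reach, since the Windows VM is now the only component doing any identity checks.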

Now THAT is a great idea; don’t know why I didn’t think of it - must be getting senile. I’m running iSCSI on mine already in exactly that fashion for my own Hyper-V drives.

T

1 Spice up

If you have some older servers you can repurpose, an excellent idea is to install a pre-built Linux appliance specifically tailored to serve as a storage box, pretty much like Synology but with way more flexibility and upgrade/customization options. UnRAID (https://unraid.net/) or StarWind SAN & NAS (Free SAN and NAS Software from StarWind) are great free options to start with. Adding Docker into the equation basically allows you to do almost anything you can imagine.

1 Spice up

Appreciate the mention of our product!

Our StarWind SAN & NAS solution (available at https://www.starwindsoftware.com/san-and-nas ) can serve as excellent traditional NAS software, provided the necessary hardware is available. It is delivered as a Linux-based virtual machine, easily deployed on your preferred hypervisor, or installed directly on bare metal using our standard installation ISO. The solution includes the same software-defined storage features as our flagship StarWind VSAN product, enabling you to fully leverage the power of hardware RAID, ZFS, or MDRAID and enhance them with our intelligent Intel Cache Acceleration Software. It also supports popular protocols such as iSCSI, SMB, NFS, and more.

Our lightweight software is easy to install and use, thanks to a user-friendly Installation Wizard and a comprehensive web-based user interface for storage management. The built-in storage profile wizard supports any storage (SATA, SAS, NVMe), automatically analyzes your hardware layout, and recommends the best configuration for your workload. Object-based storage and Azure AD integration with highly available network shares (SMB and NFS) are coming soon.

Although StarWind SAN & NAS can be used for free, feel free to contact me directly via DM if you have any questions or need pricing ideas regarding support.

1 Spice up