NetApp Knowledge Base

Does ONTAP support SID compression for Kerberos tickets?

Category:
ontap-9
Specialty:
nas
Applies to

  • ONTAP 9
  • Data ONTAP 8
  • Data ONTAP operating in 7-Mode 8.1.2P2 and higher

Answer

Data ONTAP supports Kerberos authentication when creating authenticated SMB sessions.

Additional Information

  • SID compression was first supported in Data ONTAP operating in 7-Mode 8.1.4 but was backported to 8.1.2P2.
  • Kerberos is a protocol designed to provide strong authentication within a client/server environment. The basis of the protocol is a shared secret key cryptography system that provides secure authentication in a networked environment.
  • Kerberos is the primary authentication service for Active Directory. The Kerberos server, or Kerberos Key Distribution Center (KDC) service, stores and retrieves information about security principals in the Active Directory. Unlike the NTLM model, Active Directory clients who want to establish a session with another computer, such as the CIFS server, contact a KDC directly to obtain their session credentials.
  • The Key Distribution Center (KDC) can use the Resource SID Compression feature when Active Directory servers are hosted on Windows Server 2012.
  • Microsoft introduced an enhancement to its Kerberos implementation for Windows Server 2012 that was later called KDC Resource SID Compression, in which the KDC automatically compresses the group security identifiers (SIDs) in the resource domain. This compression can reduce the size of the service ticket and reduce application authentication failures caused by large ticket sizes. To compress resource SIDs, the KDC stores the SID of the resource domain of which the target resource is a member. The KDC inserts only the RID portion of each resource SID into the ResourceGroupIds portion of the authentication data.
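
The compression described above, together with the expansion a file server has to perform before it can evaluate ACLs, as an added example that is not NetApp or Microsoft code. The domain SID and RIDs are constructed sample values, `ResourceGroupDomainSid` is the MS-PAC field that carries the stored domain SID, and the size figures count only SID and RID bytes, not group attributes or the rest of the ticket encoding.

```python
import struct

def sid_to_bytes(sid: str) -> bytes:
    """Encode 'S-1-5-21-...' in the binary SID layout used on the wire."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    # 1 byte revision, 1 byte count, 6-byte big-endian authority,
    # then each sub-authority as a little-endian 32-bit integer.
    return (struct.pack("BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))

def compress(group_sids):
    """KDC side: split resource-domain group SIDs into (domain SID, [RIDs])."""
    domains = {s.rsplit("-", 1)[0] for s in group_sids}
    if len(domains) != 1:
        raise ValueError("all groups must belong to one resource domain")
    return domains.pop(), [int(s.rsplit("-", 1)[1]) for s in group_sids]

def expand(domain_sid, rids):
    """Server side: rebuild full SIDs from ResourceGroupDomainSid + ResourceGroupIds."""
    for rid in rids:
        if not 0 <= rid <= 0xFFFFFFFF:
            raise ValueError(f"RID out of range: {rid}")
    return [f"{domain_sid}-{rid}" for rid in rids]

def sizes(group_sids):
    """Bytes needed for full SIDs vs. one domain SID plus 4-byte RIDs."""
    domain_sid, rids = compress(group_sids)
    full = sum(len(sid_to_bytes(s)) for s in group_sids)
    compact = len(sid_to_bytes(domain_sid)) + 4 * len(rids)
    return full, compact

# Constructed sample data: 20 resource-domain groups in one made-up domain.
SAMPLE_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_GROUPS = [f"{SAMPLE_DOMAIN}-{rid}" for rid in range(1101, 1121)]

if __name__ == "__main__":
    full, compact = sizes(SAMPLE_GROUPS)
    print(f"uncompressed: {full} bytes, compressed: {compact} bytes")
```

A server that does not understand the compressed form never sees these group SIDs in the token it builds, so access granted through resource-domain groups is missed.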


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.