NetApp Knowledgebase

Does ONTAP support SID compression for Kerberos tickets?

Category: ontap-9
Specialty: cifs

Applies to

  • ONTAP 9
  • Data ONTAP 8
  • Data ONTAP operating in 7-Mode 8.1.2P2 and higher

Answer

Data ONTAP supports Kerberos authentication when creating authenticated SMB sessions.

Additional Information

  • SID compression was first supported in Data ONTAP operating in 7-Mode 8.1.4 and was backported to 8.1.2P2.
  • Kerberos is a protocol designed to provide strong authentication within a client/server environment. The protocol is based on a shared-secret-key cryptographic system that provides secure authentication in a networked environment.
  • Kerberos is the primary authentication service for Active Directory. The Kerberos server, or Kerberos Key Distribution Center (KDC) service, stores and retrieves information about security principals in the Active Directory. Unlike the NTLM model, Active Directory clients that want to establish a session with another computer, such as the CIFS server, contact a KDC directly to obtain their session credentials.
  • The Key Distribution Center (KDC) can use the Resource SID Compression feature when Active Directory servers are hosted on Windows Server 2012.
  • Microsoft introduced an enhancement to its Kerberos implementation for Windows Server 2012 that was later called KDC Resource SID Compression, in which the KDC automatically compresses the group security identifiers (SIDs) in the resource domain. This compression can reduce the size of the service ticket and reduce application authentication failures caused by large ticket sizes. To compress resource SIDs, the KDC stores the SID of the resource domain of which the target resource is a member. The KDC inserts only the RID portion of each resource SID into the ResourceGroupIds portion of the authentication data.
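The following Python example is added here to illustrate the mechanism described in the last bullet; it is not NetApp's or Microsoft's code. It splits each resource-domain group SID into the resource domain SID plus its RID, keeps only the RIDs (the ResourceGroupIds portion), and compares the binary sizes before and after. Sizes use the standard binary SID layout (8-byte header plus 4 bytes per sub-authority; a RID alone is 4 bytes). The example goes one step beyond the page: group SIDs that do not belong to the resource domain cannot be compressed this way, so it leaves them as full SIDs in a separate list (named `extra_sids` here as an assumption; the page does not describe that case). All SIDs below are constructed sample values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Textual SID: S-1-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-(\d+)((?:-\d+)+)$")


def parse_sid(sid: str) -> Tuple[int, List[int]]:
    """Split a textual SID into (identifier authority, [sub-authorities]) with validation."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"malformed SID: {sid}")
    authority = int(m.group(1))
    subs = [int(s) for s in m.group(2).split("-")[1:]]
    # Binary SIDs carry 1..15 sub-authorities, each a 32-bit unsigned value.
    if not 1 <= len(subs) <= 15:
        raise ValueError(f"SID has {len(subs)} sub-authorities: {sid}")
    if any(s > 0xFFFFFFFF for s in subs):
        raise ValueError(f"sub-authority exceeds 32 bits: {sid}")
    return authority, subs


def binary_sid_size(sid: str) -> int:
    """Size of the SID in its binary form: 8-byte header + 4 bytes per sub-authority."""
    _, subs = parse_sid(sid)
    return 8 + 4 * len(subs)


def split_domain_rid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    authority, subs = parse_sid(sid)
    if len(subs) < 2:
        raise ValueError(f"SID has no domain component: {sid}")
    domain = f"S-1-{authority}" + "".join(f"-{s}" for s in subs[:-1])
    return domain, subs[-1]


@dataclass
class CompressedGroups:
    """Compressed form: one resource domain SID, RIDs for groups in that domain,
    and (assumption, not from the page) full SIDs for groups outside it."""
    resource_domain_sid: str
    resource_group_rids: List[int] = field(default_factory=list)
    extra_sids: List[str] = field(default_factory=list)


def compress_resource_groups(resource_domain_sid: str, group_sids: List[str]) -> CompressedGroups:
    """Keep only the RID of each group that belongs to the resource domain."""
    parse_sid(resource_domain_sid)  # validate the domain SID up front
    out = CompressedGroups(resource_domain_sid)
    for sid in group_sids:
        domain, rid = split_domain_rid(sid)
        if domain == resource_domain_sid:
            out.resource_group_rids.append(rid)
        else:
            out.extra_sids.append(sid)  # cannot be compressed against this domain
    return out


def expand_resource_groups(c: CompressedGroups) -> List[str]:
    """Reverse the compression: rebuild full SIDs from domain SID + RID."""
    return [f"{c.resource_domain_sid}-{rid}" for rid in c.resource_group_rids] + list(c.extra_sids)


def size_savings(resource_domain_sid: str, group_sids: List[str]) -> Tuple[int, int]:
    """Return (uncompressed bytes, compressed bytes) for the group list."""
    uncompressed = sum(binary_sid_size(s) for s in group_sids)
    c = compress_resource_groups(resource_domain_sid, group_sids)
    compressed = (binary_sid_size(c.resource_domain_sid)
                  + 4 * len(c.resource_group_rids)
                  + sum(binary_sid_size(s) for s in c.extra_sids))
    return uncompressed, compressed


# Constructed sample data: one resource domain, four of its groups, one foreign group.
RESOURCE_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_GROUPS = [f"{RESOURCE_DOMAIN}-{rid}" for rid in (1105, 1106, 1107, 1108)]
SAMPLE_GROUPS.append("S-1-5-21-987654321-876543210-765432109-1201")

if __name__ == "__main__":
    packed = compress_resource_groups(RESOURCE_DOMAIN, SAMPLE_GROUPS)
    print("RIDs kept:", packed.resource_group_rids, "extra:", packed.extra_sids)
    print("bytes before/after:", size_savings(RESOURCE_DOMAIN, SAMPLE_GROUPS))
```

The savings grow with the number of resource-domain groups: each such group costs 4 bytes instead of a full 28-byte SID, at the price of one 24-byte domain SID stored once. Groups from other domains keep their full size, which is why a large number of cross-domain group memberships still inflates the ticket.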