How does an SMB client identify which authentication style to use?
Applies to
- ONTAP 9
- SMB / CIFS Authentication
Answer
An SMB client chooses between Kerberos and NTLM authentication based on client and server capabilities, domain membership, Service Principal Name (SPN) registration, network configuration, and explicit settings.
Modern systems prefer Kerberos, a more secure protocol. Kerberos is used when:
- Both client and server support it.
- They are members of the same or trusted Active Directory (AD) domains.
- A valid SPN is registered for the target server.
In summary, an SMB client prefers Kerberos when supported and properly configured; otherwise, it uses NTLM authentication.
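The conditions above can be checked from a client. The following is an added example, not part of the original article or NetApp's own tooling: it assumes a Windows SMB client with the built-in `klist` and `setspn` utilities, and `smbserver.example.com` is a hypothetical placeholder for the name clients use in the UNC path.

```powershell
# Added example: check the Kerberos preconditions from a Windows SMB client.
# $Server is a hypothetical placeholder; use the exact name from the UNC path.
$Server = 'smbserver.example.com'
$spn    = "cifs/$Server"   # SMB clients request tickets for the cifs service class

# Condition: the client is a member of an AD domain.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
if (-not $cs.PartOfDomain) {
    Write-Output "Client is not domain-joined; expect NTLM for $Server."
}
else {
    Write-Output "Client domain: $($cs.Domain)"

    # Condition: a valid SPN resolves for the target. Asking the KDC for a
    # service ticket tests this end to end, including any trust path.
    klist get $spn 2>&1 | Out-Null

    # Inspect the ticket cache instead of relying on an exit code.
    $cached = klist | Select-String -SimpleMatch $spn
    if ($cached) {
        Write-Output "Service ticket for $spn is cached; Kerberos is available for this name."
    }
    else {
        Write-Output "No ticket for $spn; expect NTLM fallback for this name."
        # List the SPNs registered for this host name to spot a missing
        # or duplicate registration.
        setspn -Q "*/$Server"
    }
}
```

Run the check with each name that users actually connect to, since a ticket is issued per SPN and an alias without a registration fails the SPN condition on its own.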
Additional Information
- To restrict the SMB server to Kerberos only, use the LM-COMPATIBILITY setting.
- ONTAP Requirements for CIFS Kerberos
- How ONTAP handles SMB client authentication