- ONTAP 9
- Microsoft Active Directory
- CIFS create or CIFS Modify returns Invalid Credentials with Additional info: comment: AcceptSecurityContext error
- Sample error as seen in SECD\EMS logs:
**[ 4201] FAILURE: Unable to SASL bind to LDAP server using GSSAPI:
** Invalid credentials
[ 4201] Additional info: 80090346: LdapErr: DSID-0C090597,
comment: AcceptSecurityContext error, data 80090346, v4563
WARNING: Regarding LdapEnforceChannelBinding, do not use the enforce DWORD value 2 until support for 1136213 has been implemented.
Active IQ System Risk Detection
- For customers who have enabled AutoSupport™ on their storage systems, the Active IQ Portal provides detailed System Risk reports at the customer, site, and system levels. The reports show systems that have specific risks, along with severity levels and mitigation action plans. You may be reading this article as a result of one of those alerts. If AIQ detects the string described in this article, 'AcceptSecurityContext error, data 80090346', your system will be flagged appropriately.
- ONTAP does not support LDAP Channel Binding until 1136213 is implemented. Customers need to ensure that the Domain Controller ONTAP communicates with allows LDAP Channel Binding but does not enforce it, as per the details in the article above.
- For more information, see KB: Microsoft Security Advisory: ADV190023 impact on NetApp appliance running CIFS\NFS utilizing Microsoft Active Directory LDAP servers
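To check collected SECD\EMS log text for the same string Active IQ flags, the following added example (not NetApp or Active IQ code) rejoins wrapped log lines and reports each match with the preceding failure from the same thread. The function names are hypothetical, and the second sample record is constructed to show a bind failure that is not the channel binding case.

```python
import re

# Failure lines carry a "**" prefix; every record starts with a bracketed id.
LINE_RE = re.compile(r"^\**\s*\[\s*(\d+)\]\s*(.*)$")
# String the article says Active IQ looks for.
SIGNATURE = "AcceptSecurityContext error, data 80090346"
DETAIL_RE = re.compile(
    r"Additional info:\s*([0-9A-Fa-f]{8}):\s*LdapErr:\s*(DSID-[0-9A-Fa-f]+)")

# First record is the sample from this article; the second is constructed.
SAMPLE = """\
**[ 4201] FAILURE: Unable to SASL bind to LDAP server using GSSAPI:
** Invalid credentials
[ 4201] Additional info: 80090346: LdapErr: DSID-0C090597,
comment: AcceptSecurityContext error, data 80090346, v4563
[ 4310] Additional info: 80090308: LdapErr: DSID-0C090447,
comment: AcceptSecurityContext error, data 52e, v4563
"""

def join_records(text):
    """Merge wrapped continuation lines into the preceding [id] record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records:
            records[-1][1] += " " + line.lstrip("* ").strip()
    return records

def find_channel_binding_failures(text):
    """Return one dict per record carrying the 80090346 signature."""
    hits, last_failure = [], {}
    for tid, msg in join_records(text):
        if msg.startswith("FAILURE:"):
            last_failure[tid] = msg  # remember context for this thread id
        if SIGNATURE in msg:
            # 0x80090346 is the Windows SSPI status SEC_E_BAD_BINDINGS.
            d = DETAIL_RE.search(msg)
            hits.append({"thread": tid,
                         "code": d.group(1) if d else None,
                         "dsid": d.group(2) if d else None,
                         "failure": last_failure.get(tid)})
    return hits

if __name__ == "__main__":
    for hit in find_channel_binding_failures(SAMPLE):
        print(hit)
```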