What is the impact of enabling AES for Kerberos in ONTAP?
Applies to
- ONTAP 9
- Kerberos
Answer
- AES encryption changes the encryption methods used during Kerberos authentication
- There should be no detrimental impact if the Vserver is in a healthy state
- There will be no detrimental impact to CIFS clients that are already connected to the SVM with an existing CIFS session
Additional Information
- Best Practice: 1514688 CIFS AES should be on by default
- With AES, ONTAP will use LDAP to edit the computer object of the CIFS server to add the new encryption types
- After the encryption types are set, ONTAP will re-sync the machine password
- If LDAP is impacted, this process can fail
- If ONTAP prompts for a service account to reset the machine password and that service account does not have the proper privileges, this process can fail
- Enable or disable AES encryption for Kerberos-based communication
- Can we enable AES encryption on CIFS server
- Can I disable RC4 encryption for Kerberos-based communication?
- What Kerberos Encryption Types are supported with NAS protocols for ONTAP 9?
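To confirm that the LDAP edit of the computer object and the machine password re-sync described under Additional Information both completed, the object can be read back from Active Directory. The following is an added example, not NetApp's own tooling. It assumes the RSAT ActiveDirectory module, a placeholder computer name, and that AES was enabled within the last hour; the attribute `msDS-SupportedEncryptionTypes` is the standard AD attribute for Kerberos encryption types and is not named in the article itself.

```powershell
# Read-only check of the CIFS server's computer object after enabling AES.
Import-Module ActiveDirectory

# Assumptions (placeholders): the computer object name and when AES was enabled.
$CifsServer   = 'CIFS-SERVER-NAME'
$AesEnabledAt = [datetime]::UtcNow.AddHours(-1)

# Bit values of msDS-SupportedEncryptionTypes as defined in MS-KILE.
$EncTypes = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

$obj = Get-ADComputer -Identity $CifsServer `
    -Properties 'msDS-SupportedEncryptionTypes', pwdLastSet

# An unset attribute comes back as $null, which casts to 0 (no types advertised).
$mask    = [int]$obj.'msDS-SupportedEncryptionTypes'
$enabled = $EncTypes.GetEnumerator() |
    Where-Object { $mask -band $_.Value } |
    ForEach-Object { $_.Key }

# pwdLastSet is a Windows FILETIME; convert it to UTC for comparison.
$pwdSetUtc = [datetime]::FromFileTimeUtc($obj.pwdLastSet)

[pscustomobject]@{
    ComputerObject  = $obj.DistinguishedName
    RawMask         = '0x{0:X}' -f $mask
    EncryptionTypes = $enabled -join ', '
    AesPresent      = [bool]($mask -band 0x18)
    PasswordLastSet = $pwdSetUtc
}

# Step 1 of the process: the LDAP edit that adds the AES encryption types.
if (-not ($mask -band 0x18)) {
    Write-Warning 'No AES type on the computer object: the LDAP edit may have failed.'
}
# Step 2 of the process: the machine password re-sync that follows the edit.
if ($pwdSetUtc -lt $AesEnabledAt) {
    Write-Warning 'Machine password is older than the AES change: the re-sync may have failed.'
}
```

A warning on the first check points at LDAP connectivity; a warning on only the second points at the privileges of the service account used for the password reset.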