How to ensure Kerberos connections to AltaVault data interfaces
Applies to
- NetApp Cloud Backup Service (formerly AltaVault)
- AltaVault
- AVA 400/800
Description
How to accomplish Kerberos-based connections to AltaVault data interfaces.
It is often found that AltaVault is joined to a domain using the management interface and that creates a DNS entry for the management interface. While backup applications can still connect to the data interfaces, close observation shows that this connection to data interfaces is using the NT LAN Manager (NTLM) protocol.
In some situations, connections over NTLM are considered undesirable:
Example:
- Federal Information Processing Standards (FIPS) mode prohibits the use of NTLM including NTLMv2
- Some customers may have deployed a domain policy that prohibits NTLM. Network Security: Restrict NTLM: NTLM authentication in this domain provides some details of how this is accomplished.
Assume the management interface is used to domain join. This creates a Domain Name System (DNS) entry for the management interface.
To enable Kerberos, for EACH data interface:
- You MUST manually add a DNS entry (for each data interface)
- You MUST manually add an Service Principal Name (SPN) (for each data interface)
- You MUST manually flush the Server Message Block (SMB) client cache (reboot the Windows client(s) or
- Logoff and logon (from the Windows client(s))