Applies to ONTAP 9 CIFS No, it's not possible to view the Kerberos ticket's encryption type for a connected CIFS client after the ticket has been decrypted during the session setup. To see what encryp...Applies to ONTAP 9 CIFS No, it's not possible to view the Kerberos ticket's encryption type for a connected CIFS client after the ticket has been decrypted during the session setup. To see what encryption type is used for a ticket when the client submits the ticket to ONTAP, consider capturing a packet trace between the client and ONTAP To see what encryption types the client advertises to the DC when initially obtaining the ticket, consider capturing a packet trace between the client and the DC
In 9.11 and below, you cannot disable RC4 encryption for Kerberos-based communication Even when AES encryption for Kerberos-based communication is enabled on a vserver, advertising the RC4 encryption ...In 9.11 and below, you cannot disable RC4 encryption for Kerberos-based communication Even when AES encryption for Kerberos-based communication is enabled on a vserver, advertising the RC4 encryption type cannot be disabled The strongest encryption type is selected by the DC that provides the Kerberos ticket if multiple are available Configuring strong security for Kerberos-based communication by using AES encryption Enable or disable AES encryption for Kerberos-based communication
CIFS share is inaccessible after disabling RC4 encryption on 7-Mode and the Domain controller. Sun Apr 12 11:35:58 CEST [VFILER0@node1:cifs.trace.GSS:error]: AUTH: Unable to acquire filer credentials:...CIFS share is inaccessible after disabling RC4 encryption on 7-Mode and the Domain controller. Sun Apr 12 11:35:58 CEST [VFILER0@node1:cifs.trace.GSS:error]: AUTH: Unable to acquire filer credentials: (0x96c73a0e) KDC has no support for encryption type. Sun Apr 12 11:35:59 CEST [VFILER0@node1:cifs.trace.GSS:error]: AUTH: Unable to acquire filer credentials: (0x96c73a0e) KDC has no support for encryption type.
