CONTAP-80033: NTLM authentication fails due to enforcement of Netlogon RPC sealing
Issue
- CIFS shares not accessible using CIFS server IP address
- CIFS Domain authentication using NTLM fails
  Example:
  - secd.cifsAuth.problem
  - FAILURE: Pass-through authentication failed. (NT Status: NT_STATUS_NO_LOGON_SERVERS(0xc000005e))
- Windows Domain Controller (DC) logs:
  Log Name: System
  Source: NETLOGON
  Date: 2/22/2023 3:17:28 PM
  Event ID: 5838
  Task Category: None
  Level: Error
  Keywords: Classic
  User: N/A
  Computer: dc1.demo.netapp.local
  Description:
  The Netlogon service encountered a client using RPC signing instead of RPC sealing.
  Machine SamAccountName: CIFSSERVERNAME
- Kerberos authentication is working
- ONTAP features configured for domain authentication using NTLMv1 or NTLMv2 are affected (e.g. CIFS, Vscan, RBAC, domain tunnel, etc.):
  ::> set advanced
  ::*> vserver cifs session show -vserver <vserver> -fields auth-mechanism,address,windows-user
  node         vserver   session-id           connection-id address      auth-mechanism windows-user
  ------------ --------- -------------------- ------------- ------------ -------------- ------------
  netapp-01a   <vserver> 17134789207261194186 2550496605    10.62.125.88 NTLMv2         DEMO\user6
  netapp-01b   <vserver> 17134789207261194188 2550496606    10.216.29.42 Kerberos       DEMO\Administrator
  2 entries were displayed.
Note: If a Kerberos authentication attempt fails, NTLM (NTLMv1 or NTLMv2) is the default fallback.
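
To scope the impact from the session listing above, the following added example (not NetApp code) parses saved output of the `vserver cifs session show` command and returns the sessions whose auth-mechanism is NTLMv1 or NTLMv2. The function names are hypothetical, and the parser assumes that only the last column can contain spaces.

```python
import re

# Session listing as shown on this page (vserver name left as the page's placeholder).
SESSION_OUTPUT = r"""
node vserver session-id connection-id address auth-mechanism windows-user
------------ --------- -------------------- ------------- ------------ -------------- ------------
netapp-01a <vserver> 17134789207261194186 2550496605 10.62.125.88 NTLMv2 DEMO\user6
netapp-01b <vserver> 17134789207261194188 2550496606 10.216.29.42 Kerberos DEMO\Administrator
2 entries were displayed.
"""

def parse_sessions(text):
    """Return one dict per session row, keyed by the header names."""
    lines = text.splitlines()
    # The row of dashes separates the header line from the data rows.
    sep = next((i for i, l in enumerate(lines)
                if re.fullmatch(r"\s*-+(\s+-+)+\s*", l)), None)
    if not sep:  # no separator found, or no header line above it
        return []
    headers = lines[sep - 1].split()
    rows = []
    for line in lines[sep + 1:]:
        # Skip blank lines and the "N entries were displayed." footer.
        if not line.strip() or line.rstrip().endswith("displayed."):
            continue
        # Split on whitespace; the last column keeps any embedded spaces.
        fields = line.split(None, len(headers) - 1)
        if len(fields) == len(headers):
            rows.append(dict(zip(headers, fields)))
    return rows

def ntlm_sessions(text):
    """Sessions that authenticated with NTLMv1 or NTLMv2 (the affected kind)."""
    return [r for r in parse_sessions(text)
            if r["auth-mechanism"].upper().startswith("NTLM")]

if __name__ == "__main__":
    for s in ntlm_sessions(SESSION_OUTPUT):
        print(f'{s["address"]:<15} {s["windows-user"]:<25} {s["auth-mechanism"]}')
```
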