AES encryption is enabled but only RC4 can be seen
Applies to
- ONTAP 9.11.1P6
- Active Directory (AD)
- Domain Controller (DC)
- CIFS
- Kerberos
- Advanced Encryption Standard (AES)
Issue
- AES has been disabled / re-enabled.
aes256is used by OntapSECD.Log:
Fri May 12 2023 11:51:36 +02:00 info : [krb5 context 08BBA000] Creating authenticator for <vserver>$@DOMAIN.DC-AD -> cifs/dcserver.01.dc-ad@, seqnum 681759282, subkey aes256-cts/9522, session key aes256-cts/F41E
Fri Fri May 12 2023 11:51:36 +02:00 debug: Adding new SMB2 session: serverName = dcserver.01.dc-ad, Uid = 251000707354133 { in AddNewSmb2SessionToGlobalSessionsMap() at src/FrameWork/ClientInfo.cpp:2665 }
Fri May 12 2023 11:51:36 +02:00 debug: SIGNING: Signing was negotiated { in LogOnUserExtBody() at src/Actions/ActionsONTAP.cpp:2669 }
Fri May 12 2023 11:51:36 +02:00 info : Successfully authenticated with DC dcserver.01.dc-ad { in connectToDomainController() at src/connection_manager/secd_connection.cpp:261 }
- On DC server vServer registered only with
RC4
PS H:\> Get-ADComputer <vserver> -properties *
...
KerberosEncryptionType : {RC4}
...
LastLogonDate : 16.05.2023 10:45:25
...
Modified : 16.05.2023 10:45:55
modifyTimeStamp : 16.05.2023 10:45:55
msDS-SupportedEncryptionTypes : 6
msDS-User-Account-Control-Computed : 0
Name : <vserver>
...
PasswordLastSet : 17.12.2019 12:56:01
...